Overview
The CrowdStrike Falcon Plugin provides the functionality for managing hosts, performing sandbox analysis, retrieving sandbox artifacts, retrieving information on IoCs, executing real time response (RTR) commands, managing RTR custom scripts, managing custom IoCs, managing detections, and managing incidents.
Functionality
The Security Flow CrowdStrike Falcon Plugin provides the ability to
- retrieve host IDs and host details
- delete (hide) and restore (un-hide) hosts
- contain and lift containment on hosts
- perform sandboxing analysis on files and URLs
- retrieve sandboxing analysis artifact files
- retrieve information on Indicators of Compromise (IoCs)
- execute Real Time Response (RTR) commands
- retrieve Real Time Response (RTR) scripts
- create Real Time Response (RTR) scripts
- update Real Time Response (RTR) scripts
- delete Real Time Response (RTR) scripts
- retrieve RTR get command files
- retrieve custom IoCs
- create custom IoCs
- update custom IoCs
- delete custom IoCs
- retrieve filtered detections periodically or when manually triggered
- retrieve information on detections
- update detections
- retrieve information on incidents
- update incidents
Instance Configuration Parameters
Name for the CrowdStrike Falcon instance.
A system-wide unique identifier for this plugin instance used to locate the service.
Host name used to make Falcon API requests.
Client ID used to request an OAuth2 access token.
Client Secret used to request an OAuth2 access token.
Flow Nodes
The display name of the node within the flows.
System-wide unique ID of the plugin instance.
Configuration option determining the type of operation to perform:
- Find Detections: Retrieves matching detection IDs based on the specified Detections Filter and Search String.
- Get Detection Details: Retrieves the details of detections in your environment based on the Detection IDs supplied.
- Find Detections & Get Details: Performs both the Find Detections and Get Detection Details actions in a single request.
- Update Detections: Updates a subset of fields for the specified Detection IDs.
Successful results for an action are placed in msg.payload.csfalcon.[uniqueId].response.
The Falcon Query Language (FQL) filter used to find matching detections. Set this field to Not Specified to disable filtering. The fields available for filtering are detailed within the Find detections page section. Learn more about filtering using the Falcon Query Language (FQL) page.
In addition to FQL, the filter uses variable substitution from the incoming message using a mustache format. A mustache is a set of double curly braces surrounding a variable, i.e. {{ variable }}. For example, {{payload.data}} would substitute in the value of payload.data found in the incoming message. Visit the Template Engine and Formatters page to learn more.
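An added example, not the plugin's own code, of rendering a Detections Filter that contains mustache placeholders from an incoming message. The allow-list applied to substituted values is an assumption made here so that a message value cannot widen the FQL query; the field names in the sample filter are illustrative.

```javascript
// Added example (not the plugin's own code): renders an FQL filter containing
// {{ mustache }} placeholders from a Node-RED style msg object.

// Resolve a dotted path such as "payload.data" inside msg.
function lookupPath(msg, path) {
  return path.split('.').reduce((obj, key) => (obj == null ? undefined : obj[key]), msg);
}

// Assumption: a value substituted into a filter may only contain characters
// that cannot act as FQL syntax (quotes, '+', ':', '*' and so on are rejected),
// so a message value such as  new'+status:'ignored  cannot change the query.
const SAFE_VALUE = /^[\w.\-@ ]*$/;

// Replace every {{ path }} placeholder with the value found in msg. A path that
// does not resolve renders as an empty string; an unsafe value aborts rendering.
function renderFilter(template, msg) {
  return template.replace(/\{\{\s*([\w.]+)\s*\}\}/g, (_, path) => {
    const value = lookupPath(msg, path);
    if (value === undefined) return '';
    const text = String(value);
    if (!SAFE_VALUE.test(text)) {
      throw new Error(`refusing to substitute unsafe value for {{${path}}}: ${JSON.stringify(text)}`);
    }
    return text;
  });
}

// Constructed sample message standing in for the output of a previous node.
const sampleMsg = {
  payload: { status: 'new', minSeverity: 70, data: "it's" },
};

// Illustrative filter: status from the message, numeric threshold from the message.
renderFilter("status:'{{payload.status}}'+max_severity:>={{ payload.minSeverity }}", sampleMsg);
// → "status:'new'+max_severity:>=70"
```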
Searches the metadata of the descriptions for the specified string. Set Search String to Not Specified to disable searching the detection metadata for the search string.
The Search String uses variable substitution from the incoming message using a mustache format. A mustache is a set of double curly braces surrounding a variable, i.e. {{ variable }}. For example, {{payload.data}} would substitute in the value of payload.data found in the incoming message. Visit the Template Engine and Formatters page to learn more.
This field sets the maximum number of returned detections.
If specified, the Sort By configuration option specifies the column to sort the results by. Valid sort by values are first_behavior, last_behavior, max_severity, max_confidence, adversary_id, and devices.hostname. Invalid Sort By values are silently ignored.
If specified, sorts the results in ascending or descending order. If not specified, the sort order is assumed to be ascending.
The detection IDs being retrieved or updated. A value of Standard Detections Location is a useful shortcut to specify the detectionIds field within previously returned results. Detection IDs may be an array of detection ID strings or a single detection ID string.
If specified, the Assignee field defines the assignee using the user’s username, usually an email address.
If specified, the Status defines the new desired status. Valid Status values are new, in_progress, true_positive, false_positive, and ignored. If the evaluated Status is invalid, no update is performed and the request errors out.
If specified, the Comment field uses variable substitution from the incoming message using a mustache format. Visit the Template Engine and Formatters page to learn more.
If supplied, the Show in UI flag is set to true if the value evaluates to a JavaScript truthy value. Not Specified will not set or change the existing value. Most commonly, this would be set to false when the Status is set to false_positive.
The display name of the node within the flows.
System-wide unique ID of the plugin instance.
Use Repeat to define how often a query for detections is triggered. The left inject button on this node is used to immediately trigger the retrieval of detections. If the repeat interval is set to zero, querying will not occur unless manually triggered using the left inject button.
The Falcon Query Language (FQL) filter used to find matching detections. Clear out this field to avoid filtering. The fields available for filtering are detailed within the Find detections page section. Learn more about filtering using the Falcon Query Language (FQL) page.
In addition to FQL, the filter uses variable substitution from the incoming message using a mustache format. A mustache is a set of double curly braces surrounding a variable, i.e. {{ variable }}. For example, {{payload.data}} would substitute in the value of payload.data found in the incoming message. Visit the Template Engine and Formatters page to learn more. However, for this node, the incoming message consists of only a timestamp.
Searches the metadata of the descriptions for the specified string. Leave this field blank to disable searching the detection metadata for the search string.
This field sets the maximum number of returned detections.
If specified, the Sort By configuration option specifies the column to sort the results by.
Sorts the results in ascending or descending order.
This node supports five modes for aggregating incidents.
- None: Never aggregate any incidents (default).
- Field Match: For a given source field of a message (or jsonata query of the message), aggregate together all messages whose field value exactly matches a previously checked message.
- Exact Match: For a given source field of the message (or jsonata query of the message), aggregate together all messages whose field exactly matches a given value. One can specify multiple values. Each value specifies a separate grouping of incidents. Useful to aggregate messages with known content.
- Keyword Match: For a given source field of the message (or jsonata query of the message), aggregate together all messages with a given keyword appearing as a word within the field. One can specify multiple keywords. Each keyword specifies a separate grouping of incidents. An incident is grouped with the first keyword it matches. Useful to aggregate messages with somewhat known content.
- Fuzzy Match: For a given source field of the message (or jsonata query of the message), aggregate together all messages for which this field is sufficiently similar to the message which started the incident. With this method, one can specify a similarity threshold. Messages matched with the fuzzy matcher get a similarity attribute added to the message which can be inspected to assist when establishing a threshold.
The display name of the node within the flows.
System-wide unique ID of the plugin instance.
Configuration option determining the type of operation to perform:
- Get Hosts: Retrieves the filtered list of hosts in the environment based on the Hosts Filter configuration.
- Get Deleted (Hidden) Hosts: Retrieves the filtered list of deleted (hidden) hosts in the environment based on the Hosts Filter configuration.
- Get Host Details: Retrieves detailed information on the designated host agent IDs (AIDs) specified in Host(s).
- Hosts Action: Performs the selected Host Action on the designated host agent IDs (AIDs) specified in Host(s).
Successful results for an action are placed in msg.payload.csfalcon.[uniqueId].response.
The Falcon Query Language (FQL) filter used to find matching hosts. Clear the content of this field to disable filtering. Learn more about filtering using the Falcon Query Language (FQL) page.
In addition to FQL, the filter uses variable substitution from the incoming message using a mustache format. A mustache is a set of double curly braces surrounding a variable, i.e. {{ variable }}. For example, {{payload.data}} would substitute in the value of payload.data found in the incoming message. Visit the Template Engine and Formatters page to learn more.
The Host(s) field may contain a single host string or an array of host agent IDs (AIDs).
Performs the selected Host Action on the designated host agent IDs (AIDs) specified in Host(s). The following operations are supported.
- Contain: This action contains the hosts, stopping any network communications to locations other than the CrowdStrike cloud and IPs specified in your containment policy.
- Lift Contain: This action lifts containment on the hosts, which returns their network communications to normal.
- Delete (Hide) Host: This action will delete the hosts. After the hosts are deleted, no new detections for those hosts will be reported via UI or APIs.
- Restore (Un-Hide) Host: This action will restore the hosts. Detection reporting will resume after the hosts are restored.
The display name of the node within the flows.
System-wide unique ID of the plugin instance.
Configuration option determining the type of operation to perform:
- Find Incidents: Retrieves matching incident IDs based on the specified Incidents Filter and Search String.
- Get Incident Details: Retrieves the details of incidents in your environment based on the Incident IDs supplied.
- Find Incidents & Get Details: Performs both the Find Incidents and Get Incident Details actions in a single request.
- Update Incidents: Updates a subset of fields for the specified Incident IDs.
Successful results for an action are placed in msg.payload.csfalcon.[uniqueId].response.
The Falcon Query Language (FQL) filter used to find matching incidents. Set this field to Not Specified to disable filtering. The fields available for filtering are detailed within the Find incidents page section. Learn more about filtering using the Falcon Query Language (FQL) page.
In addition to FQL, the filter uses variable substitution from the incoming message using a mustache format. A mustache is a set of double curly braces surrounding a variable, i.e. {{ variable }}. For example, {{payload.data}} would substitute in the value of payload.data found in the incoming message. Visit the Template Engine and Formatters page to learn more.
This field sets the maximum number of returned incidents.
If specified, the Sort By configuration option specifies the column to sort the results by. Valid sort by values are assigned_to, assigned_to_name, end, modified_timestamp, name, sort_score, start, state, and status. Invalid Sort By values are silently ignored.
If specified, sorts the results in ascending or descending order. If not specified, the sort order is assumed to be ascending.
The incident IDs being retrieved or updated. A value of Standard Incidents Location is a useful shortcut to specify the incidentIds field within previously returned results. Incident IDs may be an array of incident ID strings or a single incident ID string.
The Name field uses variable substitution from the incoming message using a mustache format. Visit the Template Engine and Formatters page to learn more. The Name field is optional and applied to all the updated incidents.
The Description field uses variable substitution from the incoming message using a mustache format. Visit the Template Engine and Formatters page to learn more. The Description field is optional and applied to all the updated incidents.
The Status defines the new desired status. Valid Status values are 20, 25, 30, and 40, where 20 is New, 25 is Reopened, 30 is In Progress, and 40 is Closed. If the evaluated Status is not valid, no update is performed and the request errors out.
If Update Detection Statuses evaluates to a JavaScript truthy value and a Status change is performed, the statuses of the incidents' involved detections are updated as well. The following rules determine the behavior:
Update Detection Statuses | Overwrite Detection Statuses | Behavior |
---|---|---|
false | true or false | No changes to any involved detections. |
true | false | The involved detections' status parameters that have a value of new are updated to match the incident's status. |
true | true | All involved detections' status parameters are updated to match the incident's status. |
500 being returned by the CrowdStrike API. The cause is unknown, but it may be because there are no involved detections.
Because this option is tightly coupled to the value of Update Detection Statuses, see that node property for details.
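An added example, not the plugin's own code, that encodes the Status validation and the Update Detection Statuses / Overwrite Detection Statuses rules above. The status codes come from this page; the shape of the involved-detection records ({ id, status }) and the returned plan object are assumptions.

```javascript
// Added example (not the plugin's own code): plans an Update Incidents request.
const INCIDENT_STATUS = { 20: 'New', 25: 'Reopened', 30: 'In Progress', 40: 'Closed' };

// An unknown Status means no update is performed and the request errors out.
function validateIncidentStatus(status) {
  const code = Number(status);
  if (!Object.prototype.hasOwnProperty.call(INCIDENT_STATUS, code)) {
    throw new Error(`invalid incident Status ${JSON.stringify(status)}; no update performed`);
  }
  return code;
}

// Which involved detections get their status synced, per the rules table:
//   Update Detection Statuses falsy              -> none
//   truthy, Overwrite Detection Statuses falsy   -> only detections still "new"
//   truthy, Overwrite Detection Statuses truthy  -> all involved detections
function selectDetectionsToSync(updateDetectionStatuses, overwriteDetectionStatuses, involvedDetections) {
  if (!updateDetectionStatuses) return [];
  return involvedDetections
    .filter((d) => Boolean(overwriteDetectionStatuses) || d.status === 'new')
    .map((d) => d.id);
}

// Build the plan for one Update Incidents request. Callers should skip the
// detection-status call entirely when detectionIdsToSync is empty: the note
// above reports a 500 response that may be caused by incidents with no
// involved detections.
function planIncidentUpdate({ status, updateDetectionStatuses, overwriteDetectionStatuses, involvedDetections = [] }) {
  const code = validateIncidentStatus(status);
  return {
    status: code,
    statusName: INCIDENT_STATUS[code],
    detectionIdsToSync: selectDetectionsToSync(updateDetectionStatuses, overwriteDetectionStatuses, involvedDetections),
  };
}

// Constructed sample: two involved detections, one already being worked.
const sampleDetections = [
  { id: 'det-constructed-1', status: 'new' },
  { id: 'det-constructed-2', status: 'in_progress' },
];
```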
Add Tags may be an array of tag strings or a comma separated list of tags. Each tag is added to the incidents.
Delete Tags may be an array of tag strings or a comma separated list of tags. Each tag is deleted from the incidents.
The display name of the node within the flows.
System-wide unique ID of the plugin instance.
Use Repeat to define how often a query for incidents is triggered. The left inject button on this node is used to immediately trigger the retrieval of incidents. If the repeat interval is set to zero, querying will not occur unless manually triggered using the left inject button.
The Falcon Query Language (FQL) filter used to find matching incidents. Clear out this field to avoid filtering. The fields available for filtering are detailed within the Find incidents page section. Learn more about filtering using the Falcon Query Language (FQL) page.
In addition to FQL, the filter uses variable substitution from the incoming message using a mustache format. A mustache is a set of double curly braces surrounding a variable, i.e. {{ variable }}. For example, {{payload.data}} would substitute in the value of payload.data found in the incoming message. Visit the Template Engine and Formatters page to learn more. However, for this node, the incoming message consists of only a timestamp.
This field sets the maximum number of returned incidents.
If specified, the Sort By configuration option specifies the column to sort the results by.
Sorts the results in ascending or descending order.
This node supports five modes for aggregating incidents.
- None: Never aggregate any incidents (default).
- Field Match: For a given source field of a message (or jsonata query of the message), aggregate together all messages whose field value exactly matches a previously checked message.
- Exact Match: For a given source field of the message (or jsonata query of the message), aggregate together all messages whose field exactly matches a given value. One can specify multiple values. Each value specifies a separate grouping of incidents. Useful to aggregate messages with known content.
- Keyword Match: For a given source field of the message (or jsonata query of the message), aggregate together all messages with a given keyword appearing as a word within the field. One can specify multiple keywords. Each keyword specifies a separate grouping of incidents. An incident is grouped with the first keyword it matches. Useful to aggregate messages with somewhat known content.
- Fuzzy Match: For a given source field of the message (or jsonata query of the message), aggregate together all messages for which this field is sufficiently similar to the message which started the incident. With this method, one can specify a similarity threshold. Messages matched with the fuzzy matcher get a similarity attribute added to the message which can be inspected to assist when establishing a threshold.
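An added reference implementation, not the plugin's own code, of the five aggregation modes listed for this node and for the detections node above. Field access is a dotted path (the node also accepts a JSONata query); the similarity metric (Dice coefficient over character bigrams) is an assumption, since the page does not name the metric the node uses.

```javascript
// Added example (not the plugin's own code): the five aggregation modes.

// Resolve a dotted path such as "payload.title" inside a message object.
function getField(msg, path) {
  return path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), msg);
}

// Multiset of lower-cased character bigrams for the fuzzy matcher.
function bigrams(text) {
  const s = String(text).toLowerCase();
  const counts = new Map();
  for (let i = 0; i < s.length - 1; i++) {
    const g = s.slice(i, i + 2);
    counts.set(g, (counts.get(g) || 0) + 1);
  }
  return counts;
}

// Dice similarity in [0, 1]; identical strings score 1 (assumed metric).
function similarity(a, b) {
  const ga = bigrams(a), gb = bigrams(b);
  let shared = 0, total = 0;
  for (const [g, n] of ga) { total += n; if (gb.has(g)) shared += Math.min(n, gb.get(g)); }
  for (const n of gb.values()) total += n;
  return total === 0 ? 1 : (2 * shared) / total;
}

// Returns groups of the form { key, messages }. A message that matches no
// group in Exact/Keyword mode stays unaggregated (its own group, key null).
function aggregate(messages, { mode = 'None', field, values = [], keywords = [], threshold = 0.8 } = {}) {
  const groups = [];
  const place = (key, msg) => {
    const existing = key === null ? undefined : groups.find((g) => g.key === key);
    if (existing) existing.messages.push(msg); else groups.push({ key, messages: [msg] });
  };
  for (const msg of messages) {
    const value = getField(msg, field);
    switch (mode) {
      case 'Field Match':      // same value as an earlier message -> same group
        place(value === undefined ? null : String(value), msg);
        break;
      case 'Exact Match':      // one group per configured value
        place(values.includes(value) ? value : null, msg);
        break;
      case 'Keyword Match': {  // first configured keyword found as a whole word wins
        const words = new Set(String(value).toLowerCase().split(/\W+/));
        const hit = keywords.find((k) => words.has(k.toLowerCase()));
        place(hit === undefined ? null : hit, msg);
        break;
      }
      case 'Fuzzy Match': {    // compare with the message that started each group
        let match = null;
        for (const g of groups) {
          const score = similarity(getField(g.messages[0], field), value);
          if (score >= threshold) { match = { g, score }; break; }
        }
        // Matched messages carry a similarity attribute to help tune the threshold.
        if (match) match.g.messages.push({ ...msg, similarity: match.score });
        else groups.push({ key: String(value), messages: [msg] });
        break;
      }
      default:                 // 'None': every message is its own group
        groups.push({ key: null, messages: [msg] });
    }
  }
  return groups;
}

// Constructed sample messages as a poller might emit them.
const sampleMessages = [
  { payload: { title: 'Suspicious PowerShell on WKS-1' } },
  { payload: { title: 'Suspicious PowerShell on WKS-2' } },
  { payload: { title: 'Credential dumping detected' } },
  { payload: { title: 'Suspicious PowerShell on WKS-1' } },
];
```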
The display name of the node within the flows.
System-wide unique ID of the plugin instance.
The desired operation for this node:
- Find IoCs: Retrieves a filtered list of matching custom IoCs.
- Get IoC Details: Retrieves the details of custom IoCs identified by their IDs.
- Find IoCs & Get Details: Performs both the Find IoCs and Get IoC Details actions in one step.
- Create IoC(s): Creates a new set of custom IoCs.
- Update IoC(s): Updates an existing set of custom IoCs.
- Create or Update IoC(s): Creates or updates a set of custom IoCs.
- Delete IoC(s): Deletes a set of custom IoCs identified by their IDs.
Successful results for an action are placed in msg.payload.csfalcon.[uniqueId].response.
The Falcon Query Language (FQL) filter used to find matching custom IoCs. Clear the content of this field to disable filtering. Learn more about filtering using the Falcon Query Language (FQL) page.
In addition to FQL, the filter uses variable substitution from the incoming message using a mustache format. A mustache is a set of double curly braces surrounding a variable, i.e. {{ variable }}. For example, {{payload.data}} would substitute in the value of payload.data found in the incoming message. Visit the Template Engine and Formatters page to learn more.
Limits the number of returned results matching the IoCs Filter.
The Sort By configuration option specifies the column to sort the results by.
For the Update IoC(s) action, this defines the source for IoC information. If via IoC IDs is selected, the IoC IDs and IoC Actions configuration options are shown. If via IoC Locations is selected, the IoC Locations configuration option is shown.
The location for the IoC IDs array within the specified context. A value of Standard IoCs Location is a useful shortcut to specify the iocIds field within a previous response.
The incoming message is searched for matching Indicators of Compromise (IoCs) using the configured IoC Locations list. This list consists of three columns: the IoC type, the IoC value context, and the CrowdStrike action.
This is only available when the Update IoC(s) action is selected and the IoC ID Source is set to via IoC IDs. This list defines the CrowdStrike action based on IoC type.
The Comment field is required and applied to the operation updating or creating IoCs. This field uses variable substitution from the incoming message using a mustache format. Visit the Template Engine and Formatters page to learn more.
The Platforms defines the affected platforms. Valid Platforms values are any combination of mac, windows, and linux. If the evaluated Platforms is invalid, all platforms are selected.
The Severity defines the desired severity of the IoC. Valid Severity values are informational, low, medium, high, and critical. If the evaluated Severity is invalid, critical is assumed.
The Retroactive Detections triggers the specified action for the IoC on historical data if the value evaluates to a JavaScript truthy value.
The Apply Globally flag is set to true for the IoC if the value evaluates to a JavaScript truthy value.
Defines the source of the custom IoC. If Nevelex Labs Security Flow is selected, the source is set to a Nevelex Labs Security Flow string.
The Description field is optional and applies to an individual IoC. This field uses variable substitution from the incoming message using a mustache format. Visit the Template Engine and Formatters page to learn more.
The Tags defines tags to apply to the IoC. Not Specified will not set or change the existing tags. A blank value will clear the tags. A JavaScript array will set the supplied array of tags. A string will be separated into an array using commas as the delimiter.
The Host Groups ID(s) defines host groups the IoC applies to. Not Specified will not set or change the existing host group IDs. A blank value will clear the host group IDs. A JavaScript array will set the supplied array of host group IDs. A string will be separated into an array using commas as the delimiter.
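An added example, not the plugin's own code, that normalizes the Platforms, Severity, Tags and Host Groups ID(s) inputs of a Create/Update IoC(s) request using the rules stated above. The NOT_SPECIFIED sentinel, the acceptance of a comma separated Platforms string, and the output key names are assumptions.

```javascript
// Added example (not the plugin's own code): input normalization for custom IoC fields.
const NOT_SPECIFIED = Symbol('Not Specified'); // stands in for the node's "Not Specified" choice
const VALID_PLATFORMS = ['mac', 'windows', 'linux'];
const VALID_SEVERITIES = ['informational', 'low', 'medium', 'high', 'critical'];

// Accepts an array or (assumed) a comma separated string. Any invalid entry, or
// no entry at all, selects all platforms, as documented.
function normalizePlatforms(input) {
  const list = Array.isArray(input) ? input : (input == null ? '' : String(input)).split(',');
  const cleaned = list.map((p) => String(p).trim().toLowerCase()).filter(Boolean);
  const allValid = cleaned.length > 0 && cleaned.every((p) => VALID_PLATFORMS.includes(p));
  return allValid ? [...new Set(cleaned)] : [...VALID_PLATFORMS];
}

// An invalid Severity falls back to critical, as documented.
function normalizeSeverity(input) {
  const s = (input == null ? '' : String(input)).trim().toLowerCase();
  return VALID_SEVERITIES.includes(s) ? s : 'critical';
}

// Shared rule for Tags and Host Groups ID(s):
//   Not Specified -> undefined (leave the existing value untouched)
//   blank         -> [] (clear the value)
//   array         -> used as supplied
//   string        -> split on commas
function normalizeList(input) {
  if (input === NOT_SPECIFIED) return undefined;
  if (Array.isArray(input)) return input.map(String);
  const s = (input == null ? '' : String(input)).trim();
  return s === '' ? [] : s.split(',').map((t) => t.trim()).filter(Boolean);
}

// Assemble the fields for one IoC; keys left out are not sent, so the
// existing tags / host groups on the IoC are preserved.
function buildIocFields({ platforms, severity, tags = NOT_SPECIFIED, hostGroups = NOT_SPECIFIED }) {
  const fields = { platforms: normalizePlatforms(platforms), severity: normalizeSeverity(severity) };
  const t = normalizeList(tags);
  if (t !== undefined) fields.tags = t;
  const h = normalizeList(hostGroups);
  if (h !== undefined) fields.hostGroups = h;
  return fields;
}
```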
The Expires In value determines when the domains, IP addresses, or hashes will set their action to No Action (no_action). If set to IoC Resets to Unknown per Settings, the IoC's trust level is reset according to the Application Settings screen's Indicators of Compromise settings for IP addresses and domains. For hashes, the Hash Expiration Settings configuration setting defines the expiration value to use when IoC Resets to Unknown per Settings is selected. If Expires In is set to Never Reset to Unknown, no initial expiration is set. If Expires In is set to Do Not Set/Update Expiration, no initial expiration is set and IoC updates will not change the expiration. If the Expires In value evaluates to a number (days), that value is used to calculate the reset interval for all the IoC types. If the Expires In value does not evaluate to a number (days), the default Application Settings screen's Indicators of Compromise settings are used.
The Hash Expiration Settings configuration setting defines the expiration value to use when IoC Resets to Unknown per Settings is selected in the Expires In configuration setting.
The display name of the node within the flows.
System-wide unique ID of the plugin instance.
The desired operation for this node:
- Execute Command(s): Executes a Real Time Response (RTR) command or set of commands specified by Command(s).
- Execute Get Command: Similar to Execute Command(s), but specifically runs the get command to retrieve a file off of the designated Host(s).
- Create Script: Creates a new custom script executable by the runscript command.
- Delete Script: Deletes a custom script identified by its Script ID.
- Find Script: Finds custom scripts matching the Scripts Filter criteria.
- Get Script(s): Loads the custom script(s) identified by their Script IDs.
- Update Script: Updates a custom script identified by its Script ID.
Successful results for an action are placed in msg.payload.csfalcon.[uniqueId].response.
This field may contain a single host agent ID (AID) string or an array of host agent IDs (AIDs).
The command or set of commands to execute on the designated Host(s). The Command(s) field, if specified directly as a string, is a single command to be executed. However, if passed in via a message context as an array, an array of Parameters of equal length must also be passed in with the message. The Command(s) field has a drop down of the available command names to assist in selection. The list of available commands and required RTR roles can be found within the CrowdStrike Real Time Response and Platforms page.
The Parameters are the parameters to pass to the designated Command(s). If the Command(s) evaluates to an array, the Parameters must also evaluate to an array with an equal number of elements. If the command does not require any parameters, the parameter value must be supplied as a JavaScript falsy value, such as an empty string.
The fully specified path of the file to get from the Host(s). If the File Path contains spaces, it should be escaped or wrapped in double quotes to prevent parsing errors in the CrowdStrike API. The file at the File Path must be smaller than 4GB. If the file is larger than 4GB, the Get Command API call does not immediately error out. Instead, the request will error out after the RTR session times out, which will likely be after a few hours.
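An added example, not the plugin's own code, that validates Command(s) and Parameters the way the two fields above describe (string means one command; array means a Parameters array of equal length, with a falsy entry for commands that take none) and quotes a File Path that contains spaces for the get command. The output shape ({ command, parameters }) and the backslash escaping of embedded double quotes are assumptions.

```javascript
// Added example (not the plugin's own code): RTR command/parameter pairing and
// File Path quoting.

// Pair each command with its parameters, enforcing the equal-length rule.
function buildRtrBatch(commands, parameters) {
  if (typeof commands === 'string') {
    return [{ command: commands, parameters: parameters || '' }];
  }
  if (!Array.isArray(commands)) {
    throw new Error('Command(s) must be a string or an array of command strings');
  }
  if (!Array.isArray(parameters) || parameters.length !== commands.length) {
    throw new Error(`Parameters must be an array with ${commands.length} element(s), one per command`);
  }
  // A falsy parameter entry means "this command takes no parameters".
  return commands.map((command, i) => ({ command, parameters: parameters[i] || '' }));
}

// Wrap a File Path in double quotes when it contains whitespace, escaping any
// embedded double quotes (assumed escape style); other paths are returned as-is.
function quoteFilePath(filePath) {
  const path = String(filePath);
  if (!/\s/.test(path)) return path;
  return `"${path.replace(/"/g, '\\"')}"`;
}

// Constructed example: a parameterless command followed by a get of a file
// whose path contains a space.
buildRtrBatch(['ps', 'get'], ['', quoteFilePath('C:\\Users\\analyst\\Suspicious File.exe')]);
// → [{ command: 'ps', parameters: '' }, { command: 'get', parameters: '"C:\\Users\\analyst\\Suspicious File.exe"' }]
```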
If this value evaluates to true, the file is downloaded and associated with the message.
If true, the response contains an array of downloadedFiles file names. Files created and associated with the message can be sent via email using the NL-Add-Email-Attachments node and viewed in the Incident timeline. The name of the file is [fileName]_[hostId].7z, where the content is compressed using 7-Zip and is encrypted. The encryption key is supplied in the Real Time Response and Platforms page within the GET command reference.
The Timeout is passed as a parameter to all CrowdStrike RTR API methods and is used as the timeout for establishing a batch session to the Host(s).
The ID string for a custom script. Custom scripts are those executed by the runscript command. If the Script ID is set to Standard First Script ID Location, the ID is obtained from the standard response location at scriptIds[0]. The location is set by successful results from the Find Scripts action that return one or more matches.
A comma separated string or array of custom script ID strings. Custom scripts are those executed by the runscript command. If Script IDs is set to Standard Script IDs Location, the IDs are obtained from the standard response location at scriptIds. The location is set by successful results from the Find Scripts action.
The description assigned to a custom script when creating or updating a script. This field uses variable substitution from the incoming message using a mustache format when the input context is string. Visit the Template Engine and Formatters page to learn more.
The name assigned to a custom script when creating or updating a script. This field uses variable substitution from the incoming message using a mustache format when the input context is string. Visit the Template Engine and Formatters page to learn more.
If the Script Name is not specified on an update, the script's name is automatically changed by the CrowdStrike API to UnknownFileName_[ISO-timestamp].txt.
The audit log comment associated with the custom script. This field uses variable substitution from the incoming message using a mustache format when the input context is string. Visit the Template Engine and Formatters page to learn more.
The Permission Type defines who is allowed to run the script. The Permission Type must evaluate to one of private, group, or public. For more details on the permission types, see the API reference.
The Platforms defines the supported platforms. Valid Platforms values are any combination of mac, windows, and linux. If the evaluated Platforms is invalid or not supplied, windows is selected.
This field defines the content of the custom script.
The filter to use when finding custom scripts. Clear the content of the Scripts Filter field to disable filtering. Learn more about filtering using the Falcon Query Language (FQL) page. In addition to FQL, the filter uses variable substitution from the incoming message using a mustache format. A mustache is a set of double curly braces surrounding a variable, i.e. {{ variable }}. For example, {{payload.data}} would substitute in the value of payload.data found in the incoming message. Visit the Template Engine and Formatters page to learn more.
The maximum number of custom script IDs to return.
The optional Order By configuration option specifies the column to sort the results by.
If an Order By column is specified, the Sort Order configuration option is used to sort the results in ascending or descending order.
The display name of the node within the flows.
System-wide unique ID of the plugin instance.
Configuration option determining the type of operation to perform:
- Analyze File: Performs a file upload, which is marked as confidential, followed by a file analysis on the file selected by File Name.
- Analyze URL: Performs an analysis on the URL selected by URL.
- Get Analysis Artifacts: This action takes the successful analysis report output of this node and returns most of the artifact files.
Successful results for an action are placed in msg.payload.csfalcon.[uniqueId].response.
When performing a file analysis, this is the username of the user being marked as the owner of the file. This is typically an email address.
When performing a file analysis, the name of a file associated with the message.
When performing a URL analysis, the URL to be sent in for analysis.
When performing a file analysis, template area to enter in a description of the file. Leave blank to ignore. Visit the Template Engine and Formatters page to learn more about using the template engine.
An ID for the environment to run the analysis within. Options are:
- 100 – Windows 7, 32-bit
- 110 – Windows 7, 64-bit
- 160 – Windows 10, 64-bit
- 200 – Android (static analysis)
- 300 – Linux Ubuntu 16.04, 64-bit
If the Environment ID is configured to come from the message and isn't a valid Environment ID, Windows 10, 64-bit is used.
Defines the runtime script for sandbox analysis.
If checked, sandbox analysis routes network traffic via TOR.
The Command Line is the script passed to the submitted file at runtime. This field is a template area and is limited to 2048 characters after template evaluation. Visit the Template Engine and Formatters page to learn more about using the template engine.
For Adobe and Office files that are password protected, define the Document Password. Leave the Document Password field type set to string with an empty value if no password is needed. If the Document Password field type is set to msg and the value does not exist, the error is ignored and no password is used.
When retrieving sandbox analysis artifacts, this field defines the location of the report. The initial setting uses the default location for a report within msg.payload.csfalcon.[uniqueId].response.
When retrieving sandbox analysis artifacts, this multi-select field allows for the selection of artifact files to associate with the message traversing the flows.
The display name of the node within the flows.
System-wide unique ID of the plugin instance.
The desired operation for this node:
- Search Within: Dynamically search in the message and perform operations based on the IoC type found.
- Domain Report: Request a report for the specified Domain.
- File Hash Report: Request a report for the specified hash.
- IP Address Report: Request a report for the specified IP Address.
- URL Report: Request a report for the specified URL.
These fields define the location from the message, flow, global, or JSONata expression to use as the data source for the IoC Threat Intelligence report.
©Nevelex Labs, LLC. 2018-2024, All Rights Reserved.