CrowdStrike Falcon

Overview

The CrowdStrike Falcon Plugin provides the functionality to manage hosts, perform sandbox analysis, retrieve sandbox artifacts, and retrieve information on IoCs.

Functionality

The Security Flow CrowdStrike Falcon Plugin exposes the ability to

  • retrieve host IDs and host details
  • delete (hide) and restore (un-hide) hosts
  • contain and lift containment on hosts
  • perform sandboxing analysis on files and URLs
  • retrieve sandboxing analysis artifact files
  • retrieve information on Indicators of Compromise (IoCs)

Instance Configuration Parameters

Property
Description

Instance Name

Name for the CrowdStrike Falcon instance.


Unique ID

A system-wide unique identifier for this plugin instance used to locate the service.


API Host Name

Host name used to make Falcon API requests.


Client ID

Client ID used to request an OAuth2 access token.


Client Secret

Client Secret used to request an OAuth2 access token.

Flow Nodes

This node exposes CrowdStrike Falcon Host capabilities.
Property
Description

Name

The display name of the node within the flows.


Unique ID

System-wide unique ID of the plugin instance.


Action

Configuration option determining the type of operation to perform:

  • Get Hosts: Retrieves the filtered list of hosts in the environment based on the Hosts Filter configuration.
  • Get Deleted (Hidden) Hosts: Retrieves the filtered list of deleted (hidden) hosts in the environment based on the Hosts Filter configuration.
  • Get Host Details: Retrieves detailed information on the host agent IDs (AIDs) specified in Host(s).
  • Hosts Action: Performs the selected Hosts Action on the host agent IDs (AIDs) specified in Host(s).

Successful results for an action are placed in msg.payload.csfalcon.[uniqueId].response.


Hosts Filter

The Falcon Query Language (FQL) filter used to find matching hosts. Clear the content of this field to disable filtering. See the Falcon Query Language (FQL) page to learn more about filtering.

In addition to FQL, the filter uses variable substitution from the incoming message using a mustache format. A mustache is a set of double curly braces surrounding a variable, i.e. {{ variable }}. For example, {{payload.data}} would substitute in the value of payload.data found in the incoming message. Visit the Template Engine and Formatters page to learn more.


Host(s)

The Host(s) field may contain a single host agent ID (AID) string or an array of AIDs.


Hosts Action

Performs the selected Host Action on the designated host agent IDs (AIDs) specified in Host(s). The following operations are supported.

  • Contain: This action contains the hosts, stopping any network communications to locations other than the CrowdStrike cloud and the IPs specified in your containment policy.
  • Lift Contain: This action lifts containment on the hosts, returning their network communications to normal.
  • Delete (Hide) Host: This action hides the hosts. After the hosts are hidden, no new detections for those hosts are reported via the UI or APIs. The sensor itself is not uninstalled.
  • Restore (Un-Hide) Host: This action restores the hosts. Detection reporting resumes after the hosts are restored.
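The sequence the Hosts node performs, as an added example that is not the plugin's own code: an OAuth2 client-credentials token request using the instance's API Host Name, Client ID and Client Secret, mustache substitution into the Hosts Filter, a hosts query, and a Hosts Action request. The request builders are pure functions so the exchange can be checked offline; the endpoint paths are the public Falcon API paths and should be confirmed against the API reference for your cloud, and the AID format check (32 hex characters) and the refusal of quote characters in substituted filter values are assumptions added here. All sample values are constructed.

```javascript
// Added example (not plugin code): the Falcon API calls behind the Hosts node,
// written as pure request builders so they can be exercised offline.
// Endpoint paths are the public Falcon API paths; confirm them against the API
// reference for your cloud before use.

const HOST_ACTIONS = {
  'Contain': 'contain',
  'Lift Contain': 'lift_containment',
  'Delete (Hide) Host': 'hide_host',
  'Restore (Un-Hide) Host': 'unhide_host',
};

// Step 1: OAuth2 client-credentials grant. The Client ID / Client Secret travel
// only in this one request; every later call carries the short-lived bearer token.
function buildTokenRequest(cfg) {
  return {
    method: 'POST',
    url: `https://${cfg.apiHost}/oauth2/token`,
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams({ client_id: cfg.clientId, client_secret: cfg.clientSecret }).toString(),
  };
}

// Cache the token and treat it as expired 60 s early so a request never starts
// with a token that lapses mid-flight.
function parseTokenResponse(json, nowMs) {
  if (!json.access_token || !json.expires_in) throw new Error('token response lacks access_token/expires_in');
  return { value: json.access_token, expiresAt: nowMs + (json.expires_in - 60) * 1000 };
}
function tokenUsable(tok, nowMs) { return Boolean(tok) && nowMs < tok.expiresAt; }

// Mustache-style substitution for the Hosts Filter. A value is spliced in raw
// (the template author supplies the FQL quoting). Values carrying a quote,
// backslash or newline are refused (assumption added here): such a value could
// otherwise change the meaning of the filter the way injected SQL would.
function lookup(msg, path) {
  return path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), msg);
}
function renderFilter(template, msg) {
  return template.replace(/\{\{\s*([\w.]+)\s*\}\}/g, (_, path) => {
    const v = lookup(msg, path);
    if (v === undefined) throw new Error(`filter references missing field ${path}`);
    const s = String(v);
    if (/['"\\\r\n]/.test(s)) throw new Error(`refusing unsafe value for ${path}`);
    return s;
  });
}

// Step 2: Get Hosts / Get Deleted (Hidden) Hosts. These return AIDs, not details.
function buildHostsQueryRequest(cfg, token, filter, hidden = false) {
  const path = hidden ? '/devices/queries/devices-hidden/v1' : '/devices/queries/devices/v1';
  const qs = filter ? `?filter=${encodeURIComponent(filter)}` : '';
  return { method: 'GET', url: `https://${cfg.apiHost}${path}${qs}`, headers: { Authorization: `Bearer ${token.value}` } };
}

// Step 3: Hosts Action. Host(s) may be one AID string or an array. An AID is
// 32 hex characters (assumption), so anything else is rejected before it
// reaches the API rather than containing or hiding the wrong thing.
function buildHostActionRequest(cfg, token, actionLabel, hosts) {
  const action = HOST_ACTIONS[actionLabel];
  if (!action) throw new Error(`unknown Hosts Action: ${actionLabel}`);
  const ids = Array.isArray(hosts) ? hosts : [hosts];
  for (const id of ids) if (!/^[0-9a-f]{32}$/.test(id)) throw new Error(`not an AID: ${id}`);
  return {
    method: 'POST',
    url: `https://${cfg.apiHost}/devices/entities/devices-actions/v2?action_name=${action}`,
    headers: { Authorization: `Bearer ${token.value}`, 'Content-Type': 'application/json' },
    body: JSON.stringify({ ids }),
  };
}

// Constructed sample values: no real tenant, credentials or hosts.
const SAMPLE_CFG = { apiHost: 'api.crowdstrike.com', clientId: 'example-id', clientSecret: 'example-secret' };
const SAMPLE_MSG = { payload: { data: 'web01' } };
```

The builders return plain request descriptions so they can be fed to whatever HTTP client the flow runtime provides; the only state worth keeping between messages is the parsed token, and tokenUsable decides when to request a new one.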

This node exposes CrowdStrike Falcon Sandboxing capabilities.
Property
Description

Name

The display name of the node within the flows.


Unique ID

System-wide unique ID of the plugin instance.


Action

Configuration option determining the type of operation to perform:

  • Analyze File: Uploads the file selected by File Name, marked as confidential (visible only within your own account), and then submits it for analysis.
  • Analyze URL: Submits the URL specified in URL for analysis.
  • Get Analysis Artifacts: Takes the successful analysis report output of this node and returns the artifact files selected in Artifact Files.

Successful results for an action are placed in msg.payload.csfalcon.[uniqueId].response.


Username

When performing a file analysis, this is the username of the user being marked as the owner of the file. This is typically an email address.


File Name

When performing a file analysis, the name of a file associated with the message.


URL

When performing a URL analysis, the URL to be sent in for analysis.


Comment

When performing a file analysis, template area to enter in a description of the file. Leave blank to ignore. Visit the Template Engine and Formatters page to learn more about using the template engine.


Environment ID

An ID for the environment to run the analysis within. Options are:

  • 100 – Windows 7, 32-bit
  • 110 – Windows 7, 64-bit
  • 160 – Windows 10, 64-bit
  • 200 – Android (static analysis)
  • 300 – Linux Ubuntu 16.04, 64-bit

If the Environment ID is configured to come from the message and isn’t a valid Environment ID, Windows 10, 64-bit is used.


Action Script

Defines the runtime script for sandbox analysis.


Enable TOR

If checked, sandbox analysis routes the sample's network traffic via Tor. The traffic still leaves the sandbox: this hides your egress IP address from whatever the sample contacts, it does not prevent the contact.


Command Line

The Command Line is the script passed to the submitted file at runtime. This field is a template area and is limited to 2048 characters after template evaluation. Visit the Template Engine and Formatters page to learn more about using the template engine.


Document Password

For password-protected Adobe and Office files, define the Document Password. Leave the Document Password field type set to string with an empty value if no password is needed. If the Document Password field type is set to msg and the referenced value does not exist, the error is ignored and no password is used.


Report

When retrieving sandbox analysis artifacts, this field defines the location of the report. The initial setting uses the default location for a report within msg.payload.csfalcon.[uniqueId].response.


Artifact Files

When retrieving sandbox analysis artifacts, this multi-select field allows for the selection of artifact files to associate with the message traversing the flows.
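How a Sandbox node configuration plus an incoming message becomes one sandbox submission, as an added example that is not the plugin's own code. It applies the rules the fields above describe: an Environment ID taken from the message that is not in the table falls back to Windows 10, 64-bit; the Command Line is template-evaluated and then length-checked (this example rejects over-length input rather than truncating it, an added choice); a Document Password of type msg that points at a missing value is silently omitted. The submission field names (sandbox[].sha256, url, environment_id, action_script, command_line, document_password, enable_tor, submit_name) follow the Falcon Sandbox submission API and should be confirmed against the API reference for your cloud; the example assumes Analyze File has already uploaded the sample and starts from the sha256 that upload returned. All sample values are constructed.

```javascript
// Added example (not plugin code): build one Falcon Sandbox submission from a
// node configuration and an incoming msg, honouring the edge cases documented
// for Environment ID, Command Line and Document Password.

const ENVIRONMENTS = {
  100: 'Windows 7, 32-bit',
  110: 'Windows 7, 64-bit',
  160: 'Windows 10, 64-bit',
  200: 'Android (static analysis)',
  300: 'Linux Ubuntu 16.04, 64-bit',
};
const DEFAULT_ENVIRONMENT = 160;   // Windows 10, 64-bit
const COMMAND_LINE_MAX = 2048;

function lookup(msg, path) {
  return path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), msg);
}

// Anything that is not a listed Environment ID falls back to Windows 10, 64-bit.
function resolveEnvironmentId(raw) {
  const n = Number(raw);
  return Object.prototype.hasOwnProperty.call(ENVIRONMENTS, n) ? n : DEFAULT_ENVIRONMENT;
}

// Command Line is evaluated as a template first, then length-checked. A
// silently truncated command line can change what the sample does, so an
// over-length result is rejected (added choice) instead of cut.
function resolveCommandLine(template, msg) {
  const rendered = (template || '').replace(/\{\{\s*([\w.]+)\s*\}\}/g, (_, p) => {
    const v = lookup(msg, p);
    return v === undefined ? '' : String(v);
  });
  if (rendered.length > COMMAND_LINE_MAX) {
    throw new Error(`command line is ${rendered.length} characters; limit is ${COMMAND_LINE_MAX}`);
  }
  return rendered;
}

// Document Password: type "str" with an empty value means no password; type
// "msg" pointing at a missing property is ignored rather than treated as an error.
function resolveDocumentPassword(field, msg) {
  if (!field) return undefined;
  if (field.type === 'msg') {
    const v = lookup(msg, field.value);
    return v == null || v === '' ? undefined : String(v);
  }
  return field.value ? String(field.value) : undefined;
}

function buildSubmission(cfg, msg) {
  const envRaw = cfg.environmentFromMsg ? lookup(msg, cfg.environmentFromMsg) : cfg.environmentId;
  const entry = { environment_id: resolveEnvironmentId(envRaw), enable_tor: Boolean(cfg.enableTor) };
  if (cfg.actionScript) entry.action_script = cfg.actionScript;
  const cmd = resolveCommandLine(cfg.commandLine, msg);
  if (cmd) entry.command_line = cmd;
  const pw = resolveDocumentPassword(cfg.documentPassword, msg);
  if (pw !== undefined) entry.document_password = pw;

  if (cfg.action === 'Analyze URL') {
    const u = new URL(cfg.url);                       // throws on a malformed URL
    if (u.protocol !== 'http:' && u.protocol !== 'https:') throw new Error(`unsupported URL scheme: ${u.protocol}`);
    entry.url = cfg.url;
  } else if (cfg.action === 'Analyze File') {
    // The sha256 comes from the confidential upload that precedes analysis.
    if (!/^[0-9a-f]{64}$/i.test(cfg.sha256 || '')) throw new Error('Analyze File needs the sha256 returned by the sample upload');
    entry.sha256 = cfg.sha256.toLowerCase();
    if (cfg.submitName) entry.submit_name = cfg.submitName;
  } else {
    throw new Error(`unsupported Action: ${cfg.action}`);
  }
  return { sandbox: [entry] };
}

// Constructed sample configuration and message.
const SAMPLE_MSG = { payload: { env: '999', args: '/quiet', filename: 'invoice.docm' } };
const SAMPLE_FILE_CFG = {
  action: 'Analyze File',
  sha256: 'a'.repeat(64),
  submitName: 'invoice.docm',
  environmentFromMsg: 'payload.env',          // '999' is not a valid Environment ID
  actionScript: 'default',
  enableTor: true,
  commandLine: '{{payload.args}}',
  documentPassword: { type: 'msg', value: 'payload.docpw' },   // not present in the message
};
```

With SAMPLE_MSG the invalid '999' becomes 160, the command line renders to /quiet, and no document_password key is emitted because payload.docpw does not exist.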

This node exposes CrowdStrike Falcon Threat Intelligence capabilities to gather information about the supplied Indicators of Compromise (IoCs).
Property
Description

Name

The display name of the node within the flows.


Unique ID

System-wide unique ID of the plugin instance.


Action

The desired operation for this node:

  • Search Within: Dynamically searches the message for IoCs and requests the report matching each IoC type found.
  • Domain Report: Requests a report for the specified domain.
  • File Hash Report: Requests a report for the specified file hash.
  • IP Address Report: Requests a report for the specified IP address.
  • URL Report: Requests a report for the specified URL.

Search Within / URL / Domain / IP / Hash

These fields define the location from the message, flow, global, or JSONata expression to use as the data source for the IoC Threat Intelligence report.
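The kind of IoC discovery the Search Within action implies, as an added example that is not the plugin's own code. It walks an incoming message, refangs analyst-style notation (hxxp://, [.]), classifies each token as a file hash, IP address, URL or domain, and names the report type to request. Skipping private and loopback addresses and de-duplicating repeated indicators are choices added here, not documented plugin behaviour; the classification regexes are also an assumption and will, for example, treat a bare filename such as report.doc as a domain. The sample message is constructed.

```javascript
// Added example (not plugin code): find IoCs anywhere in a msg and map each to
// the Threat Intelligence report type that should be requested for it.

const REPORT_FOR = { hash: 'File Hash Report', ip: 'IP Address Report', url: 'URL Report', domain: 'Domain Report' };

const IPV4_OCTET = '(?:25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)';
const IPV4 = new RegExp(`^${IPV4_OCTET}(?:\\.${IPV4_OCTET}){3}$`);
const HASH = /^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$/i;   // MD5, SHA-1, SHA-256
const URL_RE = /^https?:\/\/\S+$/i;
const DOMAIN = /^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i;

// Undo common defanging so the value sent for a report is the real indicator.
function refang(s) {
  return s.replace(/hxxp/gi, 'http').replace(/[\[({]\.[\])}]/g, '.').replace(/\[:\]/g, ':');
}

// Added choice: internal addresses are not worth a threat-intel lookup and
// leak internal topology to an external service.
function isPrivateIp(ip) {
  const [a, b] = ip.split('.').map(Number);
  return a === 10 || a === 127 || a === 0 || (a === 172 && b >= 16 && b <= 31)
    || (a === 192 && b === 168) || (a === 169 && b === 254);
}

// Classify one whitespace-delimited token; trailing punctuation from prose is stripped.
function classifyIoc(token) {
  const t = refang(token).replace(/[.,;:)\]]+$/, '');
  if (HASH.test(t)) return { type: 'hash', value: t.toLowerCase() };
  if (IPV4.test(t)) return isPrivateIp(t) ? null : { type: 'ip', value: t };
  if (URL_RE.test(t)) return { type: 'url', value: t };
  if (DOMAIN.test(t)) return { type: 'domain', value: t.toLowerCase() };
  return null;
}

// Walk strings, arrays and objects; record where each indicator was found.
function searchWithin(node, path = 'msg', out = [], seen = new Set()) {
  if (typeof node === 'string') {
    for (const tok of node.split(/\s+/)) {
      const hit = classifyIoc(tok);
      if (!hit) continue;
      const key = `${hit.type}:${hit.value}`;
      if (seen.has(key)) continue;            // one report per distinct indicator
      seen.add(key);
      out.push({ type: hit.type, value: hit.value, path, report: REPORT_FOR[hit.type] });
    }
  } else if (Array.isArray(node)) {
    node.forEach((v, i) => searchWithin(v, `${path}[${i}]`, out, seen));
  } else if (node && typeof node === 'object') {
    for (const [k, v] of Object.entries(node)) searchWithin(v, `${path}.${k}`, out, seen);
  }
  return out;
}

// Constructed sample message: one private address, one public address, an
// upper-case SHA-256, and a free-text note with defanged URL and domain.
const SAMPLE_MSG = {
  payload: {
    src: '10.0.0.5',
    dst: '203.0.113.7',
    sample: 'E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855',
    note: 'beacon to hxxp://evil[.]example/gate.php and c2.evil[.]example',
  },
};
```

Running searchWithin(SAMPLE_MSG) yields four indicators (the private source address is skipped): an IP Address Report for 203.0.113.7, a File Hash Report for the lower-cased SHA-256, a URL Report for http://evil.example/gate.php and a Domain Report for c2.evil.example, each tagged with the message path it came from.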

©Nevelex Labs, LLC. 2018-2021, All Rights Reserved.