CrowdStrike Falcon

Overview

The CrowdStrike Falcon Plugin provides the ability to manage hosts, perform sandbox analysis, retrieve sandbox artifacts, retrieve information on IoCs, execute Real Time Response (RTR) commands, and manage custom IoCs.

Functionality

The Security Flow CrowdStrike Falcon Plugin provides the ability to

  • retrieve host IDs and host details
  • delete (hide) and restore (un-hide) hosts
  • contain and lift containment on hosts
  • perform sandboxing analysis on files and URLs
  • retrieve sandboxing analysis artifact files
  • retrieve information on Indicators of Compromise (IoCs)
  • execute Real Time Response (RTR) commands
  • retrieve RTR get command files
  • retrieve custom IoCs
  • create custom IoCs
  • update custom IoCs
  • delete custom IoCs

Instance Configuration Parameters

Property
Description

Instance Name

Name for the CrowdStrike Falcon instance.


Unique ID

A system-wide unique identifier for this plugin instance used to locate the service.


API Host Name

Host name used to make Falcon API requests.


Client ID

Client ID used to request an OAuth2 access token.


Client Secret

Client Secret used to request an OAuth2 access token.

Flow Nodes

This node exposes CrowdStrike Falcon Host capabilities.

Property
Description

Name

The display name of the node within the flows.


Unique ID

System-wide unique ID of the plugin instance.


Action

Configuration option determining the type of operation to perform:

  • Get Hosts: Retrieves the filtered list of hosts in the environment based on the Hosts Filter configuration.
  • Get Deleted (Hidden) Hosts: Retrieves the filtered list of deleted (hidden) hosts in the environment based on the Hosts Filter configuration.
  • Get Host Details: Retrieves detailed information on the designated host agent IDs (AIDs) specified in Host(s).
  • Hosts Action: Performs the selected Host Action on the designated host agent IDs (AIDs) specified in Host(s).

Successful results for an action are placed in msg.payload.csfalcon.[uniqueId].response.


Hosts Filter

The Falcon Query Language (FQL) filter used to find matching hosts. Clear the content of this field to disable filtering. See the Falcon Query Language (FQL) page to learn more about filtering.

In addition to FQL, the filter uses variable substitution from the incoming message using a mustache format. A mustache is a set of double curly braces surrounding a variable, i.e. {{ variable }}. For example, {{payload.data}} would substitute in the value of payload.data found in the incoming message. Visit the Template Engine and Formatters page to learn more.


Host(s)

The Host(s) field may contain a single host agent ID (AID) string or an array of host agent IDs (AIDs).


Hosts Action

Performs the selected Host Action on the designated host agent IDs (AIDs) specified in Host(s). The following operations are supported.

  • Contain: This action contains the hosts, stopping any network communications to locations other than the CrowdStrike cloud and IPs specified in your containment policy.
  • Lift Contain: This action lifts containment on the hosts, which returns their network communications to normal.
  • Delete (Hide) Host: This action deletes the hosts. After the hosts are deleted, no new detections for those hosts are reported via the UI or APIs.
  • Restore (Un-Hide) Host: This action restores the hosts. Detection reporting resumes after the hosts are restored.

This node exposes CrowdStrike Falcon custom IoC capabilities of the Detection and Prevention Policy APIs.

Property
Description

Name

The display name of the node within the flows.


Unique ID

System-wide unique ID of the plugin instance.


Action

The desired operation for this node:

  • Find IoCs: Retrieves a filtered list of matching custom IoCs.
  • Get IoC Details: Retrieves the details of custom IoCs identified by their IDs.
  • Find IoCs & Get Details: Performs both the Find IoCs and Get IoC Details actions in one step.
  • Create IoC(s): Creates a new set of custom IoCs.
  • Update IoC(s): Updates an existing set of custom IoCs.
  • Create or Update IoC(s): Creates or updates a set of custom IoCs.
  • Delete IoC(s): Deletes a set of custom IoCs identified by their IDs.

Successful results for an action are placed in msg.payload.csfalcon.[uniqueId].response.


IoCs Filter

The Falcon Query Language (FQL) filter used to find matching custom IoCs. Clear the content of this field to disable filtering. See the Falcon Query Language (FQL) page to learn more about filtering.

In addition to FQL, the filter uses variable substitution from the incoming message using a mustache format. A mustache is a set of double curly braces surrounding a variable, i.e. {{ variable }}. For example, {{payload.data}} would substitute in the value of payload.data found in the incoming message. Visit the Template Engine and Formatters page to learn more.
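The mustache substitution described for the Hosts Filter and the IoCs Filter above, as an added example that is not the Security Flow plugin's own code. It assumes paths are relative to the message object (so {{payload.data}} reads msg.payload.data) and that FQL string values are single-quoted, so quotes and backslashes inside a substituted value are escaped; the message and filter template below are constructed.

```javascript
// Added example (not the Security Flow plugin's own code): resolves
// {{ path }} mustaches against a message object and produces an FQL filter.
// Assumptions: paths are relative to msg (e.g. payload.data) and FQL string
// values are single-quoted, so quotes and backslashes in a value are escaped.

// Walk a dotted path such as "payload.host.name" through the message.
function lookupPath(obj, path) {
  return path.split('.').reduce(
    (cur, key) => (cur === null || cur === undefined ? undefined : cur[key]),
    obj
  );
}

// Escape a value destined for a single-quoted FQL string so it cannot
// terminate the string early and alter the filter (assumed escaping rules).
function fqlEscape(value) {
  return String(value).replace(/\\/g, '\\\\').replace(/'/g, "\\'");
}

// Replace every {{ path }} mustache. Paths that do not resolve are
// reported instead of silently rendering as an empty string.
function renderFilter(template, msg) {
  const missing = [];
  const text = template.replace(/\{\{\s*([\w.]+)\s*\}\}/g, (_, path) => {
    const value = lookupPath(msg, path);
    if (value === undefined) {
      missing.push(path);
      return '';
    }
    return fqlEscape(value);
  });
  return { text, missing };
}

// Build the Hosts Filter and refuse to run one with unresolved paths: a
// filter that renders empty disables filtering and would match every host.
function buildHostsFilter(template, msg) {
  const { text, missing } = renderFilter(template, msg);
  if (missing.length > 0) {
    throw new Error(`unresolved filter variables: ${missing.join(', ')}`);
  }
  return text;
}

// Constructed sample message and template
const sampleMsg = { payload: { data: 'WORKSTATION-42', platform: 'Windows' } };
const sampleTemplate = "hostname:'{{payload.data}}'+platform_name:'{{ payload.platform }}'";
console.log(buildHostsFilter(sampleTemplate, sampleMsg));
```

The unresolved-path check matters most for a Hosts Action node: a filter template such as {{payload.filter}} whose path is absent from the message renders as an empty filter, which this page says disables filtering, so a containment action driven by it would apply to every host.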


Size Limit

Limits the number of returned results matching the IoCs Filter.


Sort By

The Sort By configuration option specifies the column to sort the results by.


IoC ID Source

For the Update IoC(s) action, this defines the source of IoC information. If via IoC IDs is selected, the IoC IDs and IoC Actions configuration options are shown. If via IoC Locations is selected, the IoC Locations configuration option is shown.


IoC IDs

The location for the IoC IDs array within the specified context. A value of Standard IoCs Location is a useful shortcut to specify the iocIds field within a previous response.


IoC Locations

The incoming message is searched for matching Indicators of Compromise (IoCs) using the configured IoC Locations list. This list consists of three columns: the IoC type, the IoC value context, and the CrowdStrike action.


IoC Actions

This is only available when the Update IoC(s) action is selected and the IoC ID Source is set to via IoC IDs. This list defines the CrowdStrike action to apply based on IoC type.


Comment

The Comment field is required and applied to the operation updating or creating IoCs. This field uses variable substitution from the incoming message using a mustache format. Visit the Template Engine and Formatters page to learn more.


Platforms

Platforms defines the affected platforms. Valid Platforms values are any combination of mac, windows, and linux. If the evaluated Platforms value is invalid, all platforms are selected.


Severity

Severity defines the desired severity of the IoC. Valid Severity values are informational, low, medium, high, and critical. If the evaluated Severity value is invalid, critical is assumed.


Retroactive Detections

Retroactive Detections triggers the specified action for the IoC on historical data if the value evaluates to a JavaScript truthy value.


Apply Globally

The Apply Globally flag is set to true for the IoC if the value evaluates to a JavaScript truthy value.


Source

Defines the source of the custom IoC. If Nevelex Labs Security Flow is selected, the source is set to a Nevelex Labs Security Flow string.


Description

The Description field is optional and applies to an individual IoC. This field uses variable substitution from the incoming message using a mustache format. Visit the Template Engine and Formatters page to learn more.


Tag(s)

Tag(s) defines the tags to apply to the IoC. Not Specified does not set or change the existing tags. A blank value clears the tags. A JavaScript array sets the supplied array of tags. A string is split into an array using commas as the delimiter.


Host Group ID(s)

Host Group ID(s) defines the host groups the IoC applies to. Not Specified does not set or change the existing host group IDs. A blank value clears the host group IDs. A JavaScript array sets the supplied array of host group IDs. A string is split into an array using commas as the delimiter.


Expires In

The Expires In value determines when domain, IP address, or hash IoCs have their action set to No Action (no_action):

  • IoC Resets to Unknown per Settings: the IoC’s trust level is reset according to the Application Settings screen’s Indicators of Compromise settings for IP addresses and domains. For hashes, the Hash Expiration Settings configuration setting defines the expiration value to use.
  • Never Reset to Unknown: no initial expiration is set.
  • Do Not Set/Update Expiration: no initial expiration is set, and IoC updates do not change the expiration.
  • A value that evaluates to a number: the number is taken as days and used to calculate the reset interval for all IoC types.
  • A value that does not evaluate to a number: the default Application Settings screen’s Indicators of Compromise settings are used.


Hash Expiration Settings

The Hash Expiration Settings configuration setting defines the expiration value to use when IoC Resets to Unknown per Settings is selected in the Expires In configuration setting.
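The fallback rules for Platforms, Severity, Tag(s), Host Group ID(s), Retroactive Detections, Apply Globally and Expires In, worked through in one request builder. This is an added example, not the plugin's code; it assumes the request body uses the field names of CrowdStrike's IOC Management API (platforms, severity, applied_globally, host_groups, tags, expiration, retrodetects), that IoC types are domain, ipv4, ipv6, md5 and sha256, and that the Application Settings expiration values can be modelled as a constructed per-type table in days.

```javascript
// Added example (not the plugin's own code): builds a custom IoC request from
// the node settings described above, applying the documented fallbacks.
// Assumptions: field names follow CrowdStrike's IOC Management API (platforms,
// severity, applied_globally, host_groups, tags, expiration, retrodetects);
// IoC types are domain, ipv4, ipv6, md5 and sha256; the Application Settings
// expiration values are modelled as a constructed per-type table in days.

const PLATFORMS = ['mac', 'windows', 'linux'];
const SEVERITIES = ['informational', 'low', 'medium', 'high', 'critical'];
const NOT_SPECIFIED = Symbol('Not Specified'); // the "Not Specified" choice
const DAY_MS = 24 * 60 * 60 * 1000;

function isBlank(value) {
  return value === null || value === undefined || String(value).trim() === '';
}

function asList(value) {
  if (Array.isArray(value)) return value.map((v) => String(v).trim());
  return isBlank(value) ? [] : String(value).split(',').map((v) => v.trim());
}

// Any combination of mac/windows/linux; anything else selects all platforms.
function normalizePlatforms(value) {
  const list = asList(value).map((p) => p.toLowerCase()).filter(Boolean);
  const valid = list.length > 0 && list.every((p) => PLATFORMS.includes(p));
  return valid ? [...new Set(list)] : [...PLATFORMS];
}

// An invalid severity falls back to critical.
function normalizeSeverity(value) {
  const s = isBlank(value) ? '' : String(value).trim().toLowerCase();
  return SEVERITIES.includes(s) ? s : 'critical';
}

// Tag(s) and Host Group ID(s): Not Specified leaves the field untouched,
// blank clears it, an array is used as-is, a string is split on commas.
function normalizeList(value) {
  if (value === NOT_SPECIFIED) return undefined;
  if (Array.isArray(value)) return value.map(String);
  return isBlank(value) ? [] : asList(value).filter(Boolean);
}

// Expires In: a number is taken as days for every IoC type; Never Reset and
// Do Not Set/Update omit the field; anything else uses the per-type defaults.
function resolveExpiration(expiresIn, iocType, defaultsDays, now) {
  if (expiresIn === 'Never Reset to Unknown' ||
      expiresIn === 'Do Not Set/Update Expiration') return undefined;
  let days = Number(expiresIn);
  if (isBlank(expiresIn) || !Number.isFinite(days)) {
    if (iocType === 'domain') days = defaultsDays.domain;
    else if (iocType === 'ipv4' || iocType === 'ipv6') days = defaultsDays.ip;
    else days = defaultsDays.hash; // Hash Expiration Settings
  }
  return new Date(now.getTime() + days * DAY_MS).toISOString();
}

function buildIocRequest(settings, defaultsDays, now) {
  if (isBlank(settings.comment)) throw new Error('Comment is required');
  const indicator = {
    type: settings.type,
    value: settings.value,
    action: settings.action,
    platforms: normalizePlatforms(settings.platforms),
    severity: normalizeSeverity(settings.severity),
    applied_globally: Boolean(settings.applyGlobally),
    source: settings.source,
  };
  if (!isBlank(settings.description)) indicator.description = settings.description;
  const tags = normalizeList(settings.tags);
  if (tags !== undefined) indicator.tags = tags;
  const hostGroups = normalizeList(settings.hostGroups);
  if (hostGroups !== undefined) indicator.host_groups = hostGroups;
  const expiration = resolveExpiration(settings.expiresIn, settings.type, defaultsDays, now);
  if (expiration !== undefined) indicator.expiration = expiration;
  return {
    comment: settings.comment,
    indicators: [indicator],
    retrodetects: Boolean(settings.retroactive),
  };
}
```

Note that Not Specified and blank are distinct inputs with different effects on an update: the first is modelled here as a sentinel so the key is omitted from the body, while the second sends an empty array that clears the existing tags or host groups.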

This node exposes CrowdStrike Falcon Real Time Response (RTR) capabilities.

Property
Description

Name

The display name of the node within the flows.


Unique ID

System-wide unique ID of the plugin instance.


Action

The desired operation for this node:

  • Execute Command(s): Executes a Real Time Response (RTR) command or set of commands specified by Command(s).
  • Execute Get Command: Similar to Execute Command(s), but specifically runs the get command to retrieve a file off of the designated Host(s).

Successful results for an action are placed in msg.payload.csfalcon.[uniqueId].response.


Host(s)

This field may contain a single host agent ID (AID) string or an array of host agent IDs (AIDs).


Command(s)

The command or set of commands to execute on the designated Host(s). If the Command(s) field is specified directly as a string, it is a single command to be executed. If it is passed in via a message context as an array, an array of Parameters of equal length must also be passed in with the message. The Command(s) field has a drop-down of the available command names to assist in selection. The list of available commands and the required RTR roles can be found within the CrowdStrike Real Time Response and Platforms page.


Parameters

The Parameters are the parameters to pass to the designated Command(s). If the Command(s) evaluates to an array, the Parameters must also evaluate to an array with an equal number of elements. If the command does not require any parameters, the parameter value must be supplied as a JavaScript falsy value, such as an empty string.
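The Command(s)/Parameters pairing rules above, with the equal-length check and the falsy-means-no-parameters rule, as an added example that is not the plugin's code. The allowed-command set is constructed here to stand in for the drop-down and the RTR role permissions the page refers to, and the Execute Get Command helper assumes the RTR get command takes the File Path as its single parameter.

```javascript
// Added example (not the plugin's own code): validates Command(s) and
// Parameters before any RTR batch session is opened. Assumptions: the
// allowed-command set stands in for the drop-down / RTR role permissions and
// is constructed here; the RTR "get" command takes the file path as its
// single parameter.

const ALLOWED_COMMANDS = new Set(['ls', 'ps', 'netstat', 'get']); // constructed

// Reject a command name that a message could smuggle in but the node's
// drop-down would never offer.
function checkCommand(name) {
  const command = String(name).trim();
  if (!ALLOWED_COMMANDS.has(command)) {
    throw new Error(`command not permitted for this node: ${command}`);
  }
  return command;
}

// A string Command(s) is one command; an array must be paired with a
// Parameters array of equal length. Falsy parameters mean "no parameters".
function planRtrCommands(commands, parameters) {
  if (typeof commands === 'string') {
    if (Array.isArray(parameters)) {
      throw new Error('Parameters must be a single value when Command(s) is a string');
    }
    return [{ command: checkCommand(commands), parameters: parameters ? String(parameters) : '' }];
  }
  if (!Array.isArray(commands)) {
    throw new Error('Command(s) must be a string or an array of strings');
  }
  if (!Array.isArray(parameters) || parameters.length !== commands.length) {
    throw new Error(`Parameters must be an array with ${commands.length} element(s)`);
  }
  return commands.map((c, i) => ({
    command: checkCommand(c),
    parameters: parameters[i] ? String(parameters[i]) : '',
  }));
}

// Execute Get Command: the File Path must be fully specified (absolute).
function planGetCommand(filePath) {
  const p = String(filePath === null || filePath === undefined ? '' : filePath).trim();
  const absolute = /^([A-Za-z]:\\|\\\\|\/)/.test(p);
  if (!absolute) throw new Error(`File Path must be a fully specified path: "${p}"`);
  return [{ command: 'get', parameters: p }];
}

console.log(planRtrCommands(['ls', 'netstat'], ['C:\\Users', '']));
```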


File Path

The fully specified path of the file to get from the Host(s).


Download

If this value evaluates to true, the file is downloaded and associated with the message.

If true, the response contains a downloadedFiles array of file names. Files created and associated with the message can be sent via email using the NL-Add-Email-Attachments node and viewed in the Incident timeline. The file is named [fileName]_[hostId].7z; its content is compressed with 7-Zip and encrypted. The encryption key is given in the Real Time Response and Platforms page within the GET command reference.


Timeout

The Timeout is passed as a parameter to all CrowdStrike RTR API methods and is used as the timeout for establishing a batch session to the Host(s).

This node exposes CrowdStrike Falcon Sandboxing capabilities.

Property
Description

Name

The display name of the node within the flows.


Unique ID

System-wide unique ID of the plugin instance.


Action

Configuration option determining the type of operation to perform:

  • Analyze File: Performs a file upload, which is marked as confidential, followed by a file analysis on the file selected by File Name.
  • Analyze URL: Performs an analysis on the URL selected by URL.
  • Get Analysis Artifacts: Takes the successful analysis report output of this node and returns most of the artifact files.

Successful results for an action are placed in msg.payload.csfalcon.[uniqueId].response.


Username

When performing a file analysis, this is the username of the user being marked as the owner of the file. This is typically an email address.


File Name

When performing a file analysis, the name of a file associated with the message.


URL

When performing a URL analysis, the URL to be sent in for analysis.


Comment

When performing a file analysis, a template area for entering a description of the file. Leave blank to ignore. Visit the Template Engine and Formatters page to learn more about using the template engine.


Environment ID

An ID for the environment to run the analysis within. Options are:

  • 100 – Windows 7, 32-bit
  • 110 – Windows 7, 64-bit
  • 160 – Windows 10, 64-bit
  • 200 – Android (static analysis)
  • 300 – Linux Ubuntu 16.04, 64-bit

If the Environment ID is configured to come from the message and isn’t a valid Environment ID, Windows 10, 64-bit is used.


Action Script

Defines the runtime script for sandbox analysis.


Enable TOR

If checked, sandbox analysis routes network traffic via TOR.


Command Line

The Command Line is the script passed to the submitted file at runtime. This field is a template area and is limited to 2048 characters after template evaluation. Visit the Template Engine and Formatters page to learn more about using the template engine.


Document Password

For Adobe and Office files that are password protected, define the Document Password. Leave the Document Password field type set to string with an empty value if no password is needed. If the Document Password field type is set to msg and the value does not exist, the error is ignored and no password is used.
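The Environment ID fallback, the Command Line length limit and the Document Password rules from the fields above, applied in one submission builder. This is an added example, not the plugin's code: it produces a normalized submission object rather than the API request itself, models the Document Password field type as 'str' or 'msg' (the latter holding a message path), and uses a constructed message.

```javascript
// Added example (not the plugin's own code): assembles a normalized sandbox
// file submission from the node fields described above, applying the
// documented fallbacks. Assumptions: the environment ID table is the one on
// the page; the Document Password field type is 'str' (literal) or 'msg'
// (message path); the 2048-character limit applies after templating.

const ENVIRONMENT_IDS = {
  100: 'Windows 7, 32-bit',
  110: 'Windows 7, 64-bit',
  160: 'Windows 10, 64-bit',
  200: 'Android (static analysis)',
  300: 'Linux Ubuntu 16.04, 64-bit',
};
const DEFAULT_ENVIRONMENT_ID = 160; // Windows 10, 64-bit
const COMMAND_LINE_MAX = 2048;

function lookupPath(obj, path) {
  return String(path).split('.').reduce(
    (cur, key) => (cur === null || cur === undefined ? undefined : cur[key]),
    obj
  );
}

// A message-supplied ID that is not in the table falls back to 160.
function resolveEnvironmentId(value) {
  const id = Number(value);
  return Object.prototype.hasOwnProperty.call(ENVIRONMENT_IDS, id) ? id : DEFAULT_ENVIRONMENT_ID;
}

// 'str' uses the literal value (empty means no password); 'msg' reads a
// message path, and a missing path is ignored rather than treated as an error.
function resolveDocumentPassword(fieldType, fieldValue, msg) {
  if (fieldType === 'msg') {
    const v = lookupPath(msg, fieldValue);
    return v === undefined || v === null || v === '' ? undefined : String(v);
  }
  return fieldValue ? String(fieldValue) : undefined;
}

function buildSandboxSubmission(fields, msg) {
  const commandLine = fields.commandLine ? String(fields.commandLine) : '';
  if (commandLine.length > COMMAND_LINE_MAX) {
    throw new Error(`Command Line is ${commandLine.length} characters; limit is ${COMMAND_LINE_MAX}`);
  }
  const submission = {
    fileName: fields.fileName,
    username: fields.username,
    environmentId: resolveEnvironmentId(fields.environmentId),
    actionScript: fields.actionScript,
    enableTor: Boolean(fields.enableTor),
    commandLine,
  };
  const password = resolveDocumentPassword(fields.passwordType, fields.passwordValue, msg);
  if (password !== undefined) submission.documentPassword = password;
  const comment = fields.comment ? String(fields.comment).trim() : '';
  if (comment !== '') submission.comment = comment; // blank comment is ignored
  return submission;
}

// Constructed sample: the password path is absent, so no password is set.
console.log(buildSandboxSubmission({
  fileName: 'invoice.docx', username: 'analyst@example.com', environmentId: 'from-msg-bad',
  actionScript: 'default', enableTor: 0, commandLine: '', passwordType: 'msg',
  passwordValue: 'payload.docPassword', comment: '   ',
}, { payload: {} }));
```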


Report

When retrieving sandbox analysis artifacts, this field defines the location of the report. The initial setting uses the default location for a report within msg.payload.csfalcon.[uniqueId].response.


Artifact Files

When retrieving sandbox analysis artifacts, this multi-select field allows for the selection of artifact files to associate with the message traversing the flows.

This node exposes CrowdStrike Falcon Threat Intelligence capabilities to gather information about the supplied Indicators of Compromise (IoCs).

Property
Description

Name

The display name of the node within the flows.


Unique ID

System-wide unique ID of the plugin instance.


Action

The desired operation for this node:

  • Search Within: Dynamically search in the message and perform operations based on the IoC type found.
  • Domain Report: Request a report for the specified Domain.
  • File Hash Report: Request a report for the specified hash.
  • IP Address Report: Request a report for the specified IP Address.
  • URL Report: Request a report for the specified URL.

Search Within / URL / Domain / IP / Hash

These fields define the location from the message, flow, global, or JSONata expression to use as the data source for the IoC Threat Intelligence report.
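The Search Within behaviour, which the page describes as a dynamic search of the message with operations chosen by the IoC type found, as an added example that is not the plugin's code. It classifies strings into the four report types the node offers (URL, IP address, file hash, domain) and walks a constructed message; it assumes only IPv4 addresses and MD5/SHA-1/SHA-256 hex digests are recognised and that free text is split on whitespace with surrounding punctuation trimmed.

```javascript
// Added example (not the plugin's own code): classifies strings found in a
// message into the IoC types the node can report on (URL, IP address, file
// hash, domain) and walks the message the way a "Search Within" pass would.
// Assumptions: only IPv4 addresses and MD5/SHA-1/SHA-256 hex digests are
// recognised; tokens are split on whitespace with surrounding punctuation
// trimmed; the sample message below is constructed.

const IPV4_RE = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
const URL_RE = /^[a-z][a-z0-9+.-]*:\/\/\S+$/i;
const HASH_RE = /^[0-9a-f]{32}$|^[0-9a-f]{40}$|^[0-9a-f]{64}$/i;
const DOMAIN_RE = /^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i;

// Order matters: a URL contains a domain and a dotted quad is not a domain,
// so the more specific checks run first. Out-of-range octets are rejected.
function classifyIoc(value) {
  if (URL_RE.test(value)) return 'url';
  const m = IPV4_RE.exec(value);
  if (m) return m.slice(1).every((octet) => Number(octet) <= 255) ? 'ip' : null;
  if (HASH_RE.test(value)) return 'hash';
  if (DOMAIN_RE.test(value)) return 'domain';
  return null;
}

// Strip brackets, quotes and trailing punctuation often wrapped around
// indicators in free text, e.g. "(203.0.113.5)." or "<http://...>".
function cleanToken(token) {
  return token.replace(/^[("'<\[{]+/, '').replace(/[)"'>\]},.;:!?]+$/, '');
}

// Recursively scan every string in the message, returning unique findings
// together with the path each was found at.
function searchWithin(node, path = 'msg', found = [], seen = new Set()) {
  if (typeof node === 'string') {
    for (const raw of node.split(/\s+/)) {
      const value = cleanToken(raw);
      const type = classifyIoc(value);
      const key = `${type}:${value.toLowerCase()}`;
      if (type && !seen.has(key)) {
        seen.add(key);
        found.push({ path, type, value });
      }
    }
  } else if (Array.isArray(node)) {
    node.forEach((item, i) => searchWithin(item, `${path}[${i}]`, found, seen));
  } else if (node !== null && typeof node === 'object') {
    for (const [k, v] of Object.entries(node)) searchWithin(v, `${path}.${k}`, found, seen);
  }
  return found;
}

// Constructed sample message
const sampleMsg = {
  payload: {
    text: 'Beacon from 203.0.113.5 to files.example.net (see <http://files.example.net/dl>).',
    hash: 'd41d8cd98f00b204e9800998ecf8427e',
  },
};
console.log(searchWithin(sampleMsg));
```

Each finding's type maps directly onto one of the node's report actions (URL Report, IP Address Report, File Hash Report, Domain Report), and the path records where in the message the indicator came from, which is useful when the report is later attached to an incident.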

©Nevelex Labs, LLC. 2018-2021, All Rights Reserved.