CrowdStrike Falcon
Integrates with CrowdStrike Falcon EDR
Configuration
Name | Type | Description |
---|---|---|
client_id |
string |
Client Identifier |
client_secret |
string |
Client Secret |
base_url |
string |
Base URL of the API |
Actions
Add new comment to alert
Appends a new comment to any existing comments for the specified alerts.
Arguments
Name | Type | Description |
---|---|---|
ids |
array |
List of alert IDs to apply action to. |
comment |
string |
New comment to add to the alert. |
Update alert status
Update the status for the specified alerts..
Arguments
Name | Type | Description |
---|---|---|
ids |
array |
List of alert IDs to apply action to. |
new_status |
string |
The new status to apply to the alerts. |
Block IOC
Block the provided IOC
Arguments
Name | Type | Description |
---|---|---|
value |
string |
The value of the IOC to block |
type |
string |
Type of the IOC to block: md5, sha256 |
Deisolate hosts
Lifts containment on the host and returns its network communications to normal.
Arguments
Name | Type | Description |
---|---|---|
ids |
array |
List of host agent IDs to apply action to. |
Isolate hosts
Contains the host and stops any network communications to locations other than the CrowdStrike cloud and IPs specified in your containment policy.
Arguments
Name | Type | Description |
---|---|---|
ids |
array |
List of host agent IDs to apply action to. |
Monitor IOC
Enable detection for the provided IOC
Arguments
Name | Type | Description |
---|---|---|
value |
string |
The value of the IOC to monitor |
type |
string |
Type of the IOC to monitor: md5, sha256, domain, ipv4, ipv6 |
Push IOCs for prevention
Block the provided IOCs: md5 / sha256 file hashes
Arguments
Name | Type | Description |
---|---|---|
stix_objects_path |
string |
Filepath of the STIX objects fetched from the collection |
sekoia_base_url |
string |
[Optional] Sekoia base url, used to generate direct links to IOCs |
Push IOCs for detection
Enable detections on the provided IOCs: md5 / sha256 file hashes, IPv4/v6 address, domains
Arguments
Name | Type | Description |
---|---|---|
stix_objects_path |
string |
Filepath of the STIX objects fetched from the collection |
sekoia_base_url |
string |
[Optional] Sekoia base url, used to generate direct links to IOCs |
valid_for |
integer |
If set, the playbook will remove IOCs that are older than valid_for days based on the Last modified date in CrowdStrike |
Extra
Module CrowdStrike Falcon
v1.22.0