Crowdstrike Falcon Detect

Updated 3 days ago by Elvis Hovor

This document explains how to set up and use Crowdstrike Falcon Detect with TruSTAR Station.

Leveraging artificial intelligence (AI), the CrowdStrike Falcon® platform offers instant visibility and protection across the enterprise and prevents attacks on endpoints on or off the network. CrowdStrike Falcon delivers real-time protection and actionable intelligence from Day One.

  • Source Type: Premium Intel
  • Update Type: Feed-based
  • Update Frequency: 15 minutes
  • Time to Install: 10 minutes

Data Types

This integration pulls the following observables from Crowdstrike:

  • IP
  • URL
  • Domain

Requirements

  • Licensed user of Crowdstrike
  • Access to Crowdstrike Falcon Detection.
  • Crowdstrike API ID and API key for the Reports API

TruSTAR Admin rights are required to activate this Premium Intel feed.

Getting Started

  1. Log into TruSTAR Station.
  2. Click the Marketplace icon on the left side icon list.
  3. Click Premium Intel.
  4. Click Subscribe on the Crowdstrike Falcon Detection box.
  5. Enter your API key and click Save Credentials & Request Subscription.

TruSTAR will validate the integration within 48 hours and send an email when the integration has been enabled.

TruSTAR Report Mapping

Field           | Explanation                      | Example
Report Title    | <.......>-<detection_id>         | DetectionSummaryEvent-IdtssssXXXX-117890XXXX
External ID     | <detection_id>                   | IdtXXXX020-1162XXXX
Report Body     | Entire JSON response             |
Report Tags     | max_severity_displayname         | severity:Critical
                | status                           | Stats:contained
Report DeepLink | FalconHostLink with detection id | https://falcon.crowdstrike.com/activity/detections/detail/..../...
TimeBegan       | "first_seen"                     | 2019-08-16T22:41:12Z

Technical Details

TruSTAR queries the Detection Search API, which returns a list of detection IDs matching one or more parameters (for example, Critical and High priority items). Those IDs are then passed to the Detection Details API to retrieve the full details of each detection. The results of the Detection Details call are submitted as a report to TruSTAR.

Detection Search Request Sample

This sample filters by max_severity_displayname (High and Critical only):

$ curl -X GET -u "youruser:yourkey" -H "Content-Type: application/json" "https://falconapi.crowdstrike.com/detects/queries/detects/v1?filter=max_severity_displayname:'Critical'%2Bfirst_behavior:>'2017-01-01'&sort=first_behavior.desc"

Sample Response - Detection Search

{
"errors": [],
"meta": {
"pagination": {
"limit": 4,
"offset": 0,
"total": 1130
},
"powered_by": "msa-api",
"query_time": 0.020452436,
"trace_id": "77710051-9d0b-46ba-af55-cbeb3983da4e"
},
"resources": [
"ldt:3752a1cc489964:817585689360212029",
"ldt:e137098aa9eaaf02d7:817585689360212022",
"ldt:9e27007645d94e4a:148396684788734",
"ldt:ba634d05764c05f87dc:148395676791867"
]
}

Detection Details Request Sample

Use the detection IDs (the "ldt" values in the response above) to query the detection details:

$ curl -X POST -u "youruser:yourkey" -H "Content-Type: application/json" "https://falconapi.crowdstrike.com/detects/entities/summaries/GET/v1" -d '{"ids": ["ldt:ddaab9931f4a4b90450585d1e748b324:148124137618026"]}'

Sample Detection Details Response

{
"meta": {
"query_time": 0.002420999,
"powered_by": "msa-api",
"trace_id": "XXXXXXXX-bbghoweh-XXX-71d97d5XXXXX"
},
"resources": [
{
"cid": "9XXX9999XXX999X99X9X999X99999XXX",
"detection_id": "ldt:aaabbbcccdddd:aaabbbcccdddd",
"device": {
"device_id": "aaabbbcccdddd",
"cid": "aaabbbcccdddd",
"agent_load_flags": "0",
"agent_local_time": "2019-09-07T13:19:20.642Z",
"agent_version": "3.5.5606.0",
"bios_manufacturer": "ACME Technologies LTD",
"bios_version": "6.00",
"config_id_base": "65994753",
"config_id_build": "5606",
"config_id_platform": "3",
"external_ip": "XX.XXX.XX.XXX",
"hostname": "TEST",
"first_seen": "2019-08-16T22:41:12Z",
"last_seen": "2019-09-07T18:55:12Z",
"local_ip": "XXX.XXX.XXX.XXX",
"mac_address": "XX-XX-XX-XX-XX-XX",
"major_version": "6",
"minor_version": "1",
"os_version": "Windows 7",
"platform_id": "0",
"platform_name": "Windows",
"product_type": "1",
"product_type_desc": "Workstation",
"status": "contained",
"system_manufacturer": "VMware, Inc.",
"system_product_name": "VMware Virtual Platform",
"modified_timestamp": "2019-09-07T18:55:25Z"
},
"behaviors": [
{
"device_id": "XXXXXXXXXX",
"timestamp": "2019-09-07T20:01:00Z",
"behavior_id": "10106",
"filename": "powershell.exe",
"alleged_filetype": "exe",
"cmdline": "powershell -ExecutionPolicy Bypass -encodedCommand XXXXXXXXXXXXXX==",
"scenario": "credential_theft",
"severity": 90,
"confidence": 80,
"ioc_type": "",
"ioc_value": "",
"ioc_source": "",
"ioc_description": "",
"user_name": "TEST",
"user_id": "S-1-5-18",
"control_graph_id": "ctg:XXXXXXXXXXXX",
"triggering_process_graph_id": "pid:XXXXXXXXXXXXX",
"sha256": "XXXXXXXXXXXXXXXX",
"md5": "85XXXXXXXXXXX",
"parent_details": {
"parent_sha256": "XXXXXXXXXXXXXX",
"parent_md5": "XXXXXXX",
"parent_cmdline": "\"C:\\Windows\\system32\\cmd.exe\" ",
"parent_process_graph_id": "pid:XXXXXXX"
},
"pattern_disposition": 282
}
],
"email_sent": false,
"first_behavior": "2019-09-07T18:55:49Z",
"last_behavior": "2019-09-07T20:06:36Z",
"max_confidence": 90,
"max_severity": 90,
"max_severity_displayname": "Critical",
"show_in_ui": true,
"status": "new",
"adversary_ids": null,
"hostinfo": {
"active_directory_dn_display": null,
"domain": ""
},
"seconds_to_triaged": 0,
"seconds_to_resolved": 0
}
],
"errors": []
}
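The following is an added example, not TruSTAR's or CrowdStrike's own code, that walks through the three stages described under Technical Details and the TruSTAR Report Mapping table: building the Detection Search query, extracting and validating the returned detection IDs, batching them into Detection Details request bodies, and mapping one details resource onto the report fields (title, external ID, body, tags, TimeBegan). It runs offline against constructed sample responses trimmed from the samples above. Assumptions, also marked in the code: the FQL list form `field:['a','b']` for matching several severities, a 1000-ID batch ceiling for the details call, the fixed title prefix `DetectionSummaryEvent`, the detection-level `status` as the source of the status tag, and `FalconHostLink` as an optional field for the deep link (the sample details response above carries none).

```python
"""Added example: Detection Search -> Detection Details -> TruSTAR report.
Not TruSTAR's or CrowdStrike's code; sample responses are constructed."""
import json
import re
from urllib.parse import urlencode

FALCON_API = "https://falconapi.crowdstrike.com"
# Assumption: Falcon detection IDs look like ldt:<hex device id>:<number>,
# as in the Detection Search sample. Anything else is dropped before the
# value is placed in a request body.
DETECTION_ID_RE = re.compile(r"^ldt:[0-9a-f]+:\d+$")


def build_search_url(severities, first_behavior_after, limit=100):
    """Detection Search URL. Assumption: FQL's list form ['a','b'] ORs
    several severities; the page's own sample uses one quoted value."""
    sev = ",".join(f"'{s}'" for s in severities)
    fql = f"max_severity_displayname:[{sev}]+first_behavior:>'{first_behavior_after}'"
    query = urlencode({"filter": fql, "sort": "first_behavior.desc", "limit": limit})
    return f"{FALCON_API}/detects/queries/detects/v1?{query}"


def extract_detection_ids(search_response):
    """Pull ldt:* IDs out of a Detection Search response. API errors abort
    the run; malformed resources are filtered out rather than forwarded."""
    if search_response.get("errors"):
        raise RuntimeError(f"detection search failed: {search_response['errors']}")
    return [i for i in search_response.get("resources", []) if DETECTION_ID_RE.match(i)]


def details_request_bodies(ids, batch_size=1000):
    """Bodies for POST /detects/entities/summaries/GET/v1, one per batch.
    Assumption: 1000 IDs per call; set this to the documented limit."""
    return [{"ids": ids[i:i + batch_size]} for i in range(0, len(ids), batch_size)]


def to_trustar_report(detection):
    """Map one Detection Details resource onto the TruSTAR Report Mapping.
    Assumptions: fixed title prefix, status tag from the detection-level
    'status', deep link from an optional FalconHostLink field."""
    det_id = detection["detection_id"]
    report = {
        "title": f"DetectionSummaryEvent-{det_id}",
        "external_id": det_id,
        "body": json.dumps(detection, indent=2, sort_keys=True),  # entire JSON
        "tags": [
            f"severity:{detection['max_severity_displayname']}",
            f"status:{detection['status']}",
        ],
        "time_began": detection["device"]["first_seen"],
    }
    link = detection.get("FalconHostLink")
    if link:
        report["deep_link"] = link
    return report


# Constructed sample data, trimmed from the responses shown on this page.
SAMPLE_SEARCH = {
    "errors": [],
    "meta": {"pagination": {"limit": 4, "offset": 0, "total": 1130}},
    "resources": [
        "ldt:3752a1cc489964:817585689360212029",
        "ldt:e137098aa9eaaf02d7:817585689360212022",
        "not-a-detection-id",  # constructed: exercises the ID validation
    ],
}

SAMPLE_DETAILS = {
    "meta": {"query_time": 0.002420999, "powered_by": "msa-api"},
    "resources": [{
        "cid": "9XXX9999XXX999X99X9X999X99999XXX",
        "detection_id": "ldt:aaabbbcccdddd:aaabbbcccdddd",
        "device": {"device_id": "aaabbbcccdddd", "hostname": "TEST",
                   "first_seen": "2019-08-16T22:41:12Z", "status": "contained"},
        "behaviors": [{"filename": "powershell.exe", "scenario": "credential_theft",
                       "severity": 90, "confidence": 80}],
        "max_severity_displayname": "Critical",
        "status": "new",
    }],
    "errors": [],
}


def run_pipeline(search_response, details_response):
    """The stages the feed runs every 15 minutes, stitched together."""
    ids = extract_detection_ids(search_response)
    bodies = details_request_bodies(ids)  # these would be POSTed to the details API
    reports = [to_trustar_report(r) for r in details_response["resources"]]
    return ids, bodies, reports


if __name__ == "__main__":
    print(build_search_url(["Critical", "High"], "2017-01-01"))
    ids, bodies, reports = run_pipeline(SAMPLE_SEARCH, SAMPLE_DETAILS)
    print(ids)
    print(json.dumps(bodies))
    print(reports[0]["title"], reports[0]["tags"], reports[0]["time_began"])
```

Validating IDs before they go into the details request body matters because `resources` is data returned by a remote service; rejecting anything that does not match the expected shape keeps a malformed or unexpected value from being echoed back in a second API call or landing in a report body unchecked.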

FAQ

Q: How do I find my Crowdstrike Falcon Detect API keys?
  1. Navigate to API Clients and Keys in the Crowdstrike portal
  2. If your keys have not already been created for the Indicators API scope then "Add new API client"
  3. From here select a Client Name and select the following API scope under the Read column
    1. Detections
  4. Copy the keys and subscribe to the Crowdstrike Falcon Detect Marketplace source
