Crowdstrike Detect

Updated 1 week ago by Elvis Hovor

This document describes how paying customers of CrowdStrike can correlate reports in their TruSTAR enclaves with their CrowdStrike Falcon detections in the TruSTAR platform.

Prerequisites

This integration requires TruSTAR users to be paying customers of CrowdStrike and users of CrowdStrike Detection. Users will also need access to their CrowdStrike Detect API ID and API key for the reports API.

Configure Integration

After you have retrieved your CrowdStrike Detect API ID and API Secret Key, follow these steps:

Note: Only TruSTAR admins can activate closed source integrations.

  1. Log into TruSTAR Station and go to Explore -> Marketplace (https://station.trustar.co/browse/marketplace).
  2. Click on Closed Sources.
  3. Click the Subscribe button on the CrowdStrike Falcon Detection logo and fill in your API key.
  4. Click Submit.

TruSTAR will validate and enable the CrowdStrike Detect integration within 48 hours. You will receive an email from us informing you as soon as it is enabled.

After the integration is enabled, you should see reports from CrowdStrike being submitted into an enclave you control on TruSTAR.

How it works

After a user has activated the CrowdStrike Detection integration, TruSTAR queries the Detection Search API, which returns a list of detection IDs matching one or more filter parameters. Those IDs are then passed to the Detection Details API to retrieve the full details of each detection:

  1. Every 15 minutes, use the Detection Search API to find the detection IDs with priority High or Critical.
  2. Query the Detection Details API with the detection IDs of those High and Critical events.
  3. Submit the detection details as a report to TruSTAR.

FAQ

What data do you currently pull from Crowdstrike? 

Our integration queries newly created reports from CrowdStrike and submits them to the user's enclave in TruSTAR, where indicators from the report are correlated against other intelligence sources and the user's data in their enclaves.

How often is the data pulled?

Our integration retrieves data from CrowdStrike every 15 minutes.

Technical Details

Detection Search Request Sample:

$ curl -X GET -u "youruser:yourkey" -H "Content-Type: application/json" "https://falconapi.crowdstrike.com/detects/queries/detects/v1?filter=max_severity_displayname:'Critical'%2Bfirst_behavior:>'2017-01-01'&sort=first_behavior.desc"

Filter by max_severity_displayname: High and Critical only

Sample Response - Detection Search:

{
  "errors": [],
  "meta": {
    "pagination": {
      "limit": 4,
      "offset": 0,
      "total": 1130
    },
    "powered_by": "msa-api",
    "query_time": 0.020452436,
    "trace_id": "77710051-9d0b-46ba-af55-cbeb3983da4e"
  },
  "resources": [
    "ldt:3752a1cc489964:817585689360212029",
    "ldt:e137098aa9eaaf02d7:817585689360212022",
    "ldt:9e27007645d94e4a:148396684788734",
    "ldt:ba634d05764c05f87dc:148395676791867"
  ]
}

Detection Details Request Sample:

Use the detection IDs (the ldt: values returned by the search) to query the detection details:

$ curl -X POST -u "youruser:yourkey" -H "Content-Type: application/json" "https://falconapi.crowdstrike.com/detects/entities/summaries/GET/v1" -d '{"ids": ["ldt:ddaab9931f4a4b90450585d1e748b324:148124137618026"]}'

Sample Detection Details Response (using IDs from the detection search):

{
  "meta": {
    "query_time": 0.002420999,
    "powered_by": "msa-api",
    "trace_id": "2b97520e-bbghoweh-ty2-71d97d5e5b21"
  },
  "resources": [
    {
      "cid": "5ddb0407bef249c19c7a975f17979a1f",
      "detection_id": "ldt:aaabbbcccdddd:aaabbbcccdddd",
      "device": {
        "device_id": "aaabbbcccdddd",
        "cid": "aaabbbcccdddd",
        "agent_load_flags": "0",
        "agent_local_time": "2017-09-07T13:19:20.642Z",
        "agent_version": "3.5.5606.0",
        "bios_manufacturer": "ACME Technologies LTD",
        "bios_version": "6.00",
        "config_id_base": "65994753",
        "config_id_build": "5606",
        "config_id_platform": "3",
        "external_ip": "73.151.93.253",
        "hostname": "TEST",
        "first_seen": "2017-08-16T22:41:12Z",
        "last_seen": "2017-09-07T18:55:12Z",
        "local_ip": "192.168.186.139",
        "mac_address": "00-0c-29-3e-95-ac",
        "major_version": "6",
        "minor_version": "1",
        "os_version": "Windows 7",
        "platform_id": "0",
        "platform_name": "Windows",
        "product_type": "1",
        "product_type_desc": "Workstation",
        "status": "contained",
        "system_manufacturer": "VMware, Inc.",
        "system_product_name": "VMware Virtual Platform",
        "modified_timestamp": "2017-09-07T18:55:25Z"
      },
      "behaviors": [
        {
          "device_id": "aaabbbcccdddd",
          "timestamp": "2017-09-07T20:01:00Z",
          "behavior_id": "10106",
          "filename": "powershell.exe",
          "alleged_filetype": "exe",
          "cmdline": "powershell -ExecutionPolicy Bypass -encodedCommand SQBFAFgAIAAoAE4AFGKIAFADFGHJSIABOAGUA==",
          "scenario": "credential_theft",
          "severity": 90,
          "confidence": 80,
          "ioc_type": "",
          "ioc_value": "",
          "ioc_source": "",
          "ioc_description": "",
          "user_name": "TEST",
          "user_id": "S-1-5-18",
          "control_graph_id": "ctg:d0836e182ecc49c07c2d40dffXXXXXXXXXXXX",
          "triggering_process_graph_id": "pid:d0836e182ecXXXXXXXXXXXXX",
          "sha256": "XXXXXXXXXXXXXXXXe7018a371600b866867dab8",
          "md5": "85XXXXXXXXXXXcbe23f",
          "parent_details": {
            "parent_sha256": "XXXXXXXXXXXXXX",
            "parent_md5": "5746bXXXXXXX",
            "parent_cmdline": "\"C:\\Windows\\system32\\cmd.exe\" ",
            "parent_process_graph_id": "pid:d0836e182ecc49c4ce:17354654389"
          },
          "pattern_disposition": 282
        }
      ],
      "email_sent": false,
      "first_behavior": "2017-09-07T18:55:49Z",
      "last_behavior": "2017-09-07T20:06:36Z",
      "max_confidence": 90,
      "max_severity": 90,
      "max_severity_displayname": "Critical",
      "show_in_ui": true,
      "status": "new",
      "adversary_ids": null,
      "hostinfo": {
        "active_directory_dn_display": null,
        "domain": ""
      },
      "seconds_to_triaged": 0,
      "seconds_to_resolved": 0
    }
  ],
  "errors": []
}

TruSTAR Report Mapping

Report Title - <.......>-<detection_id> (e.g. DetectionSummaryEvent-Idtssss9330-1178908435)

Report Body - Entire JSON response

External ID - <detection_id> (e.g. Idt2789020-11628435)

Report Tag - "max_severity_displayname" (e.g. severity:Critical), "status" (e.g. Status:contained)

Report Deep Link - FalconHostLink with detection ID (e.g. https://falcon.crowdstrike.com/activity/detections/detail/05c0273d48f2432271b2f1d1b49264b5/42976929)

TimeBegan - "first_seen" (e.g. "2017-08-16T22:41:12Z")
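The search step from "How it works" and the report mapping above, as an added Python example that is not TruSTAR's or CrowdStrike's own code. It builds the search query in the form the curl sample shows and maps a Detection Details resource onto the TruSTAR report fields; assembling the deep link from the device and detection-number segments of the ldt ID is an assumption, since the page only shows the link's shape, and the sample detection is constructed from the page's response.

```python
import json
from urllib.parse import urlencode

SEARCH_URL = "https://falconapi.crowdstrike.com/detects/queries/detects/v1"
# Deep-link shape taken from the page's example; filling it from the ldt ID's
# device and detection-number segments is an assumption of this example.
DEEP_LINK = "https://falcon.crowdstrike.com/activity/detections/detail/{aid}/{num}"

def search_url(severity, since):
    """Detection Search URL in the form the curl sample shows: a severity
    filter joined with '+' to a first_behavior lower bound ('+' becomes %2B)."""
    fql = f"max_severity_displayname:'{severity}'+first_behavior:>'{since}'"
    return f"{SEARCH_URL}?{urlencode({'filter': fql, 'sort': 'first_behavior.desc'})}"

def to_trustar_report(detection):
    """Map one Detection Details resource onto the TruSTAR report fields."""
    det_id = detection["detection_id"]           # ldt:<device id>:<number>
    _, aid, num = det_id.split(":")
    return {
        "title": f"DetectionSummaryEvent-{det_id}",
        "body": json.dumps(detection, indent=2),  # entire JSON resource
        "external_id": det_id,
        "tags": [f"severity:{detection['max_severity_displayname']}",
                 f"Status:{detection['status']}"],
        "deep_link": DEEP_LINK.format(aid=aid, num=num),
        "time_began": detection["device"]["first_seen"],
    }

def reports_for(details_response):
    """Keep only High/Critical detections and map each to a report."""
    return [to_trustar_report(d) for d in details_response["resources"]
            if d["max_severity_displayname"] in ("High", "Critical")]

# Constructed sample, trimmed from the page's Detection Details response,
# plus a Low-severity detection that the integration would not forward.
SAMPLE = {"resources": [
    {"detection_id": "ldt:aaabbbcccdddd:148124137618026",
     "max_severity_displayname": "Critical", "status": "new",
     "device": {"device_id": "aaabbbcccdddd", "first_seen": "2017-08-16T22:41:12Z"},
     "behaviors": [{"filename": "powershell.exe", "scenario": "credential_theft"}]},
    {"detection_id": "ldt:eeefff000111:1", "max_severity_displayname": "Low",
     "status": "new", "device": {"first_seen": "2017-08-16T22:41:12Z"}},
], "errors": []}

if __name__ == "__main__":
    for report in reports_for(SAMPLE):
        print(report["title"], report["tags"], report["deep_link"])
```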
