Crowdstrike Falcon Stream

Updated 1 week ago by Elvis Hovor

Introduction

TruSTAR is a threat intelligence platform designed to accelerate the incident analysis process and the exchange of intelligence among internal and external teams. This document describes how paying Crowdstrike customers can correlate reports in their TruSTAR enclaves with their Crowdstrike Falcon intelligence stream in the TruSTAR platform.

Prerequisites

This integration requires TruSTAR users to be paying customers of Crowdstrike and users of Crowdstrike's Falcon Intelligence Reports. Users will also need access to their Crowdstrike API ID and API key for the reports API.

Configure Integration

After you have retrieved your Crowdstrike API ID and API Secret Key, follow these steps:

Note: Only TruSTAR admins can activate closed source integrations.

  1. Log into TruSTAR Station and go to Explore -> Marketplace (https://station.trustar.co/browse/marketplace).
  2. Click on Closed Sources.
  3. Click the Subscribe button on the Crowdstrike Falcon Stream logo and fill in your API key.
  4. Click Submit.

TruSTAR will validate and enable the Crowdstrike integration within 48 hours. You will receive an email from us informing you as soon as it is enabled.


After the integration is enabled, you should see reports from Crowdstrike being submitted into an enclave you control on TruSTAR.

How it works

After a user has activated the Crowdstrike integration, any new report submitted into the user's enclave in TruSTAR will have all of its indicators extracted and queried against the Crowdstrike Falcon intel database. The associated responses are shown as reports correlated to the user's original report through the shared indicators.

    FAQ

    What data do you currently pull from Crowdstrike? 

    Our integration queries newly created reports from Crowdstrike and submits them to the user's enclave in TruSTAR, where indicators from each report are correlated against other intelligence sources and the user's own data in their enclaves.

    How often is the data pulled?

    Our integration retrieves data from Crowdstrike every 15 minutes.

    Technical Details

    Crowdstrike Stream API

    Credentials:
      API ID
      API Key

    Returns: full JSON response

    Stream Query Details

      The stream query establishes a long-lived HTTP connection to receive event data. Once the connection is established, you begin receiving a stream of data.

      Each invocation subscribes to the streaming API for 5 minutes and ingests all filtered events (Critical and High) into TruSTAR, subject to the maximum-reports-to-submit limit (default: 100 events per stream).

      Only events with priority High or Critical are considered.



      Request Example: 
      https://firehose.crowdstrike.com/sensors/entities/datafeed/v1/partition?appId=myAppId&offset=myOffset

      Sample Response:

      Each record is a single JSON object on its own line; backslashes in Windows paths are escaped as \\ inside the JSON strings.

      {"metadata": {"offset": 19001}, "event": {"UserName":"peter.jacobs","FileName":"malware.exe","FilePath":"C:\\Windows\\System32\\fd32578865"}}
      {"metadata": {"offset": 19002}, "event": {"UserName":"rodney.smith","FileName":"clean_file.pdf","FilePath":"C:\\Users\\rodney\\.userdata\\outlook_temp\\"}}
      {"metadata": {"offset": 19003}, "event": {"UserName":"brad.westmore","FileName":"pandora.exe","FilePath":"C:\\Program Files\\pandora"}}
      ....blank line (\r\n)....
      ....blank line (\r\n)....
      ....blank line (\r\n)....
      {"metadata": {"offset": 19004}, "event": {"UserName":"george.bender","FileName":"avira.exe","FilePath":"C:\\Program Files\\avira"}}
      ....blank line (\r\n)....

      Sample DetectionSummaryEvent Response:

      {
        "metadata": {
          "customerIDString": "5ddb0407bef249c19c7a975f17979a1f",
          "offset": 11628435,
          "eventType": "DetectionSummaryEvent",
          "eventCreationTime": 1483480564
        },
        "event": {
          "ProcessStartTime": 1483480376,
          "ProcessEndTime": 0,
          "ProcessId": 4355677721,
          "ParentProcessId": 4301410375,
          "ComputerName": "CS-SE-SS-GI",
          "UserName": "Cisolaptop",
          "DetectName": "Intel Detection",
          "DetectDescription": "A domain lookup matched a CrowdStrike Intelligence indicator that has previously been used in targeted attacks.",
          "Severity": 4,
          "SeverityName": "High",
          "FileName": "v4v5g45hg.exe",
          "FilePath": "\\Device\\HarddiskVolume1\\Users\\Cisolaptop\\Desktop\\Packages",
          "CommandLine": "\"C:\\Users\\Cisolaptop\\Desktop\\Packages\\v4v5g45hg.exe\" ",
          "SHA256String": "c001fccbb274a2e8fda7f394ed5834c7841760ccd886e07046b1de545b2c36a0",
          "MD5String": "b1a158112b510d4a600ea3ccceae0dc5",
          "SHA1String": "5095698ad284ae0054e58c8e8dabc6c4e121a48d",
          "ScanResults": [
            {
              "Engine": "Comodo",
              "ResultName": "TrojWare.Win32.Kryptik.WQ",
              "Version": "26357",
              "Detected": true
            },
            {
              "Engine": "TrendMicro",
              "ResultName": "Ransom_HPLOCKY.SM1",
              "Version": "9.740.0.1012",
              "Detected": true
            },
            {
              "Engine": "Microsoft",
              "ResultName": "TrojanDownloader:JS/Locky!rfn",
              "Version": "1.1.13303.0",
              "Detected": true
            },
            {
              "Engine": "Tencent",
              "ResultName": "Win32.Trojan.Locky.Pepd",
              "Version": "1.0.0.1",
              "Detected": true
            }
          ],
          "MachineDomain": "CS-SE-SS-GI",
          "NetworkAccesses": [
            {
              "AccessType": 0,
              "AccessTimestamp": 1483480416,
              "Protocol": "TCP",
              "LocalAddress": "172.16.130.131",
              "LocalPort": 49196,
              "RemoteAddress": "51.254.181.122",
              "RemotePort": 80,
              "ConnectionDirection": 0,
              "IsIPV6": false
            },
            {
              "AccessType": 0,
              "AccessTimestamp": 1483480416,
              "Protocol": "TCP",
              "LocalAddress": "172.16.130.131",
              "LocalPort": 49196,
              "RemoteAddress": "51.254.181.122",
              "RemotePort": 80,
              "ConnectionDirection": 0,
              "IsIPV6": false
            }
          ],
          "DocumentsAccessed": [
            {
              "Timestamp": 1478829021,
              "FileName": "e-cpgbnf.0.cs",
              "FilePath": "\\Device\\HarddiskVolume1\\Windows\\Temp"
            }
          ],
          "ExecutablesWritten": [
            {
              "Timestamp": 1478829021,
              "FileName": "e-cpgbnf.dll",
              "FilePath": "\\Device\\HarddiskVolume1\\Windows\\Temp"
            },
            {
              "Timestamp": 1478829021,
              "FileName": "e-cpgbnf.dll",
              "FilePath": "\\Device\\HarddiskVolume1\\Windows\\Temp"
            }
          ],
          "FalconHostLink": "https://falcon.crowdstrike.com/activity/detections/detail/05c0273d48f2432271b2f1d1b49264b5/4297692922",
          "SensorId": "05c0273d48f2432271b2f1d1b49264b5",
          "DnsRequests": [
            {
              "DomainName": "lhienvvomlm.pw",
              "RequestType": "A",
              "LoadTime": 1483480502,
              "InterfaceIndex": 0,
              "CausedDetect": false
            },
            {
              "DomainName": "qtgxaqdx.it",
              "RequestType": "A",
              "LoadTime": 1483480534,
              "InterfaceIndex": 0,
              "CausedDetect": false
            }
          ],
          "IOCType": "domain",
          "IOCValue": "cjnatubvumaao.pm",
          "DetectId": "ldt:05c0273d48f2432271b2f1d1b49264b5:4297692922"
        }
      }

      TruSTAR Report Mapping
      1. Report Title - <eventType>-<offset> (e.g. DetectionSummaryEvent-11628435)
      2. Report Body - entire JSON response
      3. External ID - <eventType>-<offset> (e.g. DetectionSummaryEvent-11628435)
      4. Report Tag - NA
      5. Report Deep Link - FalconHostLink (e.g. https://falcon.crowdstrike.com/activity/detections/detail/05c0273d48f2432271b2f1d1b49264b5/42976929)
      6. TimeBegan - <reportCreationTime> (e.g. 1483480564)
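The following is an added worked example, not TruSTAR's or Crowdstrike's own integration code, tying together the Stream Query Details above (newline-delimited records with blank lines between them, the High/Critical filter, the default cap of 100 events per stream, offset tracking) and the report mapping just listed. It works on an already-received chunk of stream text rather than opening the long-lived HTTP connection itself; the sample stream, the function names, the non-detection event type and the unlabelled event fields are constructed for illustration, and the page's DetectionSummaryEvent sample only supplies the field names it uses. Which offset the feed resumes from when you pass the checkpointed value back in the offset query parameter is an assumption to confirm against the Crowdstrike API documentation.

```python
import json
from typing import Iterable, Iterator, List, Optional, Tuple

# Only High and Critical events are ingested, and at most this many reports are
# submitted per stream invocation (the page's default of 100).
INGEST_SEVERITIES = {"High", "Critical"}
MAX_REPORTS_PER_STREAM = 100


def iter_stream_records(raw: str) -> Iterator[dict]:
    """Yield one parsed record per non-blank line of the newline-delimited stream.

    The sample response shows bare blank lines (\r\n) between records; they carry
    no event, so they are skipped instead of being handed to json.loads.
    """
    for line in raw.split("\n"):
        line = line.strip()
        if line:
            yield json.loads(line)


def select_events(records: Iterable[dict],
                  max_reports: int = MAX_REPORTS_PER_STREAM) -> Tuple[List[dict], Optional[int]]:
    """Keep High/Critical events up to max_reports.

    Returns the kept records and the offset of the last record consumed, which is
    the value to checkpoint for the next invocation (assumed resume semantics).
    """
    selected: List[dict] = []
    last_offset: Optional[int] = None
    for rec in records:
        if len(selected) >= max_reports:
            break  # cap reached: stop consuming so later records are not lost
        last_offset = rec["metadata"]["offset"]
        # Records without a SeverityName (non-detection event types) are dropped.
        if rec["event"].get("SeverityName") in INGEST_SEVERITIES:
            selected.append(rec)
    return selected, last_offset


def to_trustar_report(rec: dict) -> dict:
    """Apply the page's mapping: title and external ID are <eventType>-<offset>,
    body is the full JSON, deep link is FalconHostLink, TimeBegan is the
    creation time from the record metadata. Field names are hypothetical."""
    meta, event = rec["metadata"], rec["event"]
    ext_id = f"{meta['eventType']}-{meta['offset']}"
    return {
        "title": ext_id,
        "body": json.dumps(rec, sort_keys=True),
        "external_id": ext_id,
        "tags": [],  # Report Tag - NA
        "deep_link": event.get("FalconHostLink"),
        "time_began": meta["eventCreationTime"],
    }


def build_reports(raw: str, max_reports: int = MAX_REPORTS_PER_STREAM):
    """Parse a stream chunk, filter it, and return (reports, checkpoint_offset)."""
    selected, last_offset = select_events(iter_stream_records(raw), max_reports)
    return [to_trustar_report(r) for r in selected], last_offset


# --- constructed sample stream; not real Crowdstrike output -------------------
_LINK = ("https://falcon.crowdstrike.com/activity/detections/detail/"
         "05c0273d48f2432271b2f1d1b49264b5/4297692922")


def _record(offset: int, event_type: str, event: dict) -> str:
    meta = {"offset": offset, "eventType": event_type,
            "eventCreationTime": 1483480564 + (offset - 11628435)}
    return json.dumps({"metadata": meta, "event": event})


SAMPLE_STREAM = "\r\n".join([
    _record(11628435, "DetectionSummaryEvent",
            {"Severity": 4, "SeverityName": "High", "FalconHostLink": _LINK,
             "IOCType": "domain", "IOCValue": "cjnatubvumaao.pm"}),
    "",  # blank line between records
    _record(11628436, "DetectionSummaryEvent",
            {"SeverityName": "Low", "FalconHostLink": _LINK}),
    "", "",
    _record(11628437, "DetectionSummaryEvent",
            {"SeverityName": "Critical", "FalconHostLink": _LINK}),
    # constructed non-detection event type: no SeverityName at all
    _record(11628438, "SampleNonDetectionEvent", {"OperationName": "login"}),
    _record(11628439, "DetectionSummaryEvent",
            {"SeverityName": "High", "FalconHostLink": _LINK}),
    "",
]) + "\r\n"


if __name__ == "__main__":
    reports, offset = build_reports(SAMPLE_STREAM)
    for r in reports:
        print(r["external_id"], r["deep_link"], r["time_began"])
    print("checkpoint offset:", offset)
```

Running the block on the constructed stream yields three reports (offsets 11628435, 11628437 and 11628439) and a checkpoint offset of 11628439; lowering max_reports to 2 stops after the Critical event at 11628437, so that offset, not the end of the chunk, is what gets checkpointed.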

