The CrowdStrike Falcon® platform is pioneering cloud-delivered endpoint protection. It both delivers and unifies IT Hygiene, next-generation antivirus, endpoint detection and response (EDR), managed threat hunting, and threat intelligence — all delivered via a single lightweight agent.
This document provides information about the CrowdStrike Falcon connector, which facilitates automated interactions with CrowdStrike Falcon using FortiSOAR™ playbooks. Add the CrowdStrike Falcon connector as a step in FortiSOAR™ playbooks to perform automated investigative operations on endpoints and to manage IOCs on CrowdStrike Falcon. Supported operations include creating an IOC on Falcon and hunting for a file on Falcon using a specified file hash.
Connector Version: 1.0.0
Authored By: Fortinet
Certified: No
All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:
yum install cyops-connector-crowd-strike-falcon
For the detailed procedure to install a connector, click here.
For the procedure to configure a connector, click here.
The following automated operations can be included in playbooks. From FortiSOAR™ release 4.10.0 onwards, you can also use the annotations to access these operations:
Function | Description | Annotation and Category
---|---|---
Create IOC | Creates an indicator on CrowdStrike Falcon. | create_ioc Investigation
Hunt File | Hunts for a file on CrowdStrike Falcon using a file hash that you have specified. | hunt_file Investigation
Hunt Domain | Retrieves a list of device IDs from CrowdStrike Falcon on which the specified domain was observed. | hunt_domain Investigation
Get Processes Related to IOC | Retrieves a list of processes from CrowdStrike Falcon that are associated with the specified IOC on the given device. | get_processes Investigation
Get Process Details | Retrieves the details of a specified process from CrowdStrike Falcon, based on the process ID you have specified. | search_process Investigation
Get Device Details | Retrieves the details of a specified device from CrowdStrike Falcon, based on the device ID you have specified. | search_endpoint Investigation
Get IOCs | Retrieves a list of IOCs from CrowdStrike Falcon that match the search criteria you have specified. | get_iocs Investigation
Get IOC Details | Retrieves the details of a specified IOC from CrowdStrike Falcon, based on the IOC value you have specified. | get_ioc Investigation
Get Endpoint List | Retrieves a list of all the endpoints configured on the device. | get_endpoints Investigation
Set Detection State | Sets the state of a detection on CrowdStrike Falcon. | set_state Investigation
Update IOC | Updates an indicator on CrowdStrike Falcon, based on the input parameters you have specified. | update_ioc Investigation
Delete IOC | Deletes an indicator on CrowdStrike Falcon, based on the IOC value you have specified. | delete_ioc Remediation
The Sample - CrowdStrike Falcon - 1.0.0 playbook collection comes bundled with the CrowdStrike Falcon connector. This collection contains playbooks with steps that let you perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the CrowdStrike Falcon connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.