
CrowdStrike Falcon

CrowdStrike Falcon v1.0.0


About the connector

The CrowdStrike Falcon® platform is pioneering cloud-delivered endpoint protection. It both delivers and unifies IT Hygiene, next-generation antivirus, endpoint detection and response (EDR), managed threat hunting, and threat intelligence — all delivered via a single lightweight agent.

This document describes the CrowdStrike Falcon connector, which facilitates automated interactions with CrowdStrike Falcon using FortiSOAR™ playbooks. Add the CrowdStrike Falcon connector as a step in FortiSOAR™ playbooks to perform automated investigative operations on endpoints and to manage IOCs in CrowdStrike Falcon. Supported operations include creating an IOC on Falcon and hunting a file on Falcon using a specified file hash.

Version information

Connector Version: 1.0.0

Authored By: Fortinet

Certified: No

Installing the connector

All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:

yum install cyops-connector-crowd-strike-falcon

For the detailed procedure to install a connector, click here.

Configuring the connector

For the procedure to configure a connector, click here.

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:

Function | Description | Annotation | Category
Create IOC | Creates an indicator on CrowdStrike Falcon. | create_ioc | Investigation
Hunt File | Hunts a file on CrowdStrike Falcon using a file hash that you have specified. | hunt_file | Investigation
Hunt Domain | Retrieves a list of device IDs from CrowdStrike Falcon on which the domain was observed. | hunt_domain | Investigation
Get Processes Related to IOC | Retrieves a list of processes from CrowdStrike Falcon that are associated with the specified IOC on a given device. | get_processes | Investigation
Get Process Details | Retrieves details of a specified process from CrowdStrike Falcon, based on the process ID you have specified. | search_process | Investigation
Get Device Details | Retrieves details of a specified device from CrowdStrike Falcon, based on the device ID you have specified. | search_endpoint | Investigation
Get IOCs | Retrieves a list of IOCs from CrowdStrike Falcon that match the search criterion you have specified. | get_iocs | Investigation
Get IOC Details | Retrieves details of a specified IOC from CrowdStrike Falcon, based on the IOC value you have specified. | get_ioc | Investigation
Get Endpoint List | Retrieves a list of all the endpoints configured on the device. | get_endpoints | Investigation
Set Detection State | Sets the state of a detection on CrowdStrike Falcon. | set_state | Investigation
Update IOC | Updates an indicator on CrowdStrike Falcon, based on the input parameters you have specified. | update_ioc | Investigation
Delete IOC | Deletes an indicator on CrowdStrike Falcon, based on the IOC value you have specified. | delete_ioc | Remediation
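As an added illustration (not the connector's own code), a small pre-step a playbook could run before invoking Hunt File or Hunt Domain: it validates the indicator an analyst or alert supplied and picks the matching annotation from the table above, so malformed input is routed to review instead of being sent to Falcon. The annotation names come from this page; the function names and the shape of the returned step parameters are assumptions.

```python
import re
from typing import Optional

# Annotations taken from the connector's action table on this page.
HUNT_ANNOTATION_BY_IOC_TYPE = {
    "md5": "hunt_file",
    "sha1": "hunt_file",
    "sha256": "hunt_file",
    "domain": "hunt_domain",
}

_HASH_PATTERNS = {
    "md5": re.compile(r"^[0-9a-f]{32}$"),
    "sha1": re.compile(r"^[0-9a-f]{40}$"),
    "sha256": re.compile(r"^[0-9a-f]{64}$"),
}
# Conservative hostname check: dotted labels of letters/digits/hyphens,
# ending in an alphabetic TLD, so bare IPv4 addresses are not accepted.
_DOMAIN_PATTERN = re.compile(
    r"^(?=.{1,253}$)(?!-)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$"
)


def classify_ioc(value: str) -> Optional[str]:
    """Return 'md5', 'sha1', 'sha256', 'domain', or None if the value is unusable."""
    v = value.strip().lower()
    for kind, pattern in _HASH_PATTERNS.items():
        if pattern.match(v):
            return kind
    if _DOMAIN_PATTERN.match(v):
        return "domain"
    return None


def select_hunt_action(value: str) -> Optional[dict]:
    """Build the parameters a playbook step would pass to the connector (assumed shape).

    Returns None for malformed input so the playbook can branch to an
    analyst-review path instead of calling the connector with junk.
    """
    kind = classify_ioc(value)
    if kind is None:
        return None
    return {
        "annotation": HUNT_ANNOTATION_BY_IOC_TYPE[kind],
        "ioc_type": kind,
        "value": value.strip().lower(),
    }
```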

Included playbooks

The Sample - CrowdStrike Falcon - 1.0.0 playbook collection comes bundled with the CrowdStrike Falcon connector. This collection contains playbooks whose steps exercise all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the CrowdStrike Falcon connector.

Note: If you are planning to use any of the sample playbooks in your environment, clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.
