CrowdStrike Falcon
CrowdStrike Falcon is a comprehensive cybersecurity platform that provides advanced threat protection, endpoint security, and threat intelligence to defend against cyberattacks and secure organizations' digital assets. It utilizes cloud-native technology and artificial intelligence to deliver real-time threat detection and response capabilities.
Supported Actions and Example Prompts
The following table lists the supported actions and an example prompt for each:
Action Name | Description | Prompt Example |
---|---|---|
Contain a Host | This action contains a potentially compromised host, identified by its ID, so that it can no longer communicate. For more information, see Action: Contain a Host. | Contain the host with the ID cdc40c8ad8314cf296016a507460c563. |
Delete Indicator ID | The action deletes indicators in CrowdStrike Falcon. For more information, see Action: Delete Indicator ID. | Delete the indicator with the ID 16f52bc55e498ca5a0377207431af5e9ff60d79582a8145eeb02ce476417247d. |
Fetch Detection Details | The action retrieves a particular detection's details. For more information, see Action: Fetch Detection Details. | Fetch the details of the detection with the ID ldt:3752xxxxxxxx9964:8175xxxx2029. |
Fetch Detection IDs | The action searches for detections in order to learn more about activity in your environment. For more information, see Action: Fetch Detection IDs. | Get the list of detection IDs using Crowdstrike Falcon. |
Fetch Incident Detail | The action retrieves a particular incident's details. For more information, see Action: Fetch Incident Detail. | Fetch the details of the incident with ID inc:a8ecce2f41df4112ae07d4e0c86d0795:3afxxx. |
Get Incident IDs | The action searches for incidents. For more information, see Action: Get Incident IDs. | Get the list of incident IDs using Crowdstrike Falcon. |
Get Host Details for Observed Indicator | The action searches the host for an observed indicator. For more information, see Action: Get Host Details for Observed Indicator. | Search the host for the IP 192.168.1.1 of the type IPv4. |
Install and Configure the App
Install and configure the required apps to enable Quarterback AI to perform various security-related tasks and provide relevant responses. After installing an app, you must create an instance that will be used to communicate with the app endpoints. An app can have multiple instances, and you can set a default instance from the configured instance list.
Before you Start
Ensure that you have the API credentials (client ID and client secret key) needed to authenticate with the CrowdStrike Falcon app.
Steps
To install and configure the app, follow these steps:
1. In the application, in the left pane, select Quarterback AI.
2. In Apps, select CrowdStrike Falcon and click Install.
3. After the app is installed, click Configure and enter the following details to create an instance:
   - Instance Name: Enter a name for the instance.
   - Instance Description: Enter a description for the instance.
   - Expiry: Select an expiry date for the instance.
   - Set as default instance: Select this option to make this instance the default. The default instance is the one used to perform actions from this app.
   - Base URL: Enter the base URL for the CrowdStrike Falcon API. For example, https://api.crowdstrike.com.
   - Client ID: Enter the client ID.
   - Client Secret Key: Enter the client secret key used to authenticate with CrowdStrike Falcon.
   - Verify: Select this option to verify the SSL certificate when making requests. Selecting it is recommended, because it ensures a secure connection. By default, this option is not selected.
   - Timeout: Enter the timeout value in seconds. This is how long a request waits to establish a connection with CrowdStrike Falcon. Allowed values are 15 to 120 seconds; the default is 15 seconds.
4. Click Done.
The instance is created, and you can view it in Instances. To create another instance, click Add Instance.
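The instance fields above map directly onto the connection a client has to make. The following Python is an added example (not the product's own code) of how an operator could validate those settings and build the credential exchange; it assumes, as CrowdStrike's documented OAuth2 client-credentials flow, that the Client ID and Client Secret Key are posted to `{Base URL}/oauth2/token`. The example defaults `verify` to True, whereas the UI leaves Verify unselected by default, because an unverified connection accepts any certificate presented for the Base URL.

```python
import json
import ssl
import urllib.parse
import urllib.request

# Timeout bounds and default as stated in the instance settings on this page.
TIMEOUT_MIN, TIMEOUT_MAX, TIMEOUT_DEFAULT = 15, 120, 15


def validate_instance(base_url, client_id, client_secret, verify=True, timeout=TIMEOUT_DEFAULT):
    """Check the instance settings before they are saved; raise ValueError on a bad one.

    verify defaults to True here (the page's UI leaves it unselected by default);
    leaving it off means the connector accepts any certificate for the Base URL.
    """
    parts = urllib.parse.urlsplit(base_url)
    if parts.scheme != "https" or not parts.netloc or parts.path not in ("", "/"):
        raise ValueError("Base URL must be an https origin, e.g. https://api.crowdstrike.com")
    if not client_id or not client_secret:
        raise ValueError("Client ID and Client Secret Key are both required")
    if not isinstance(timeout, int) or not TIMEOUT_MIN <= timeout <= TIMEOUT_MAX:
        raise ValueError(f"Timeout must be an integer between {TIMEOUT_MIN} and {TIMEOUT_MAX} seconds")
    return {
        "base_url": base_url.rstrip("/"),
        "client_id": client_id,
        "client_secret": client_secret,
        "verify": bool(verify),
        "timeout": timeout,
    }


def build_token_request(instance):
    """Build, without sending, the request that exchanges the client credentials for a bearer token.

    Assumption: the instance uses CrowdStrike's OAuth2 client-credentials flow,
    POST {Base URL}/oauth2/token with form-encoded client_id and client_secret.
    """
    body = urllib.parse.urlencode(
        {"client_id": instance["client_id"], "client_secret": instance["client_secret"]}
    ).encode()
    return urllib.request.Request(
        instance["base_url"] + "/oauth2/token",
        data=body,
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"},
    )


def fetch_token(instance):
    """Send the token request, honouring the instance's Verify and Timeout settings (network call)."""
    ctx = ssl.create_default_context()
    if not instance["verify"]:
        # Equivalent of the unchecked "Verify" box: certificate and hostname checks are skipped.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = build_token_request(instance)
    with urllib.request.urlopen(req, timeout=instance["timeout"], context=ctx) as resp:
        return json.load(resp)["access_token"]


if __name__ == "__main__":
    # Placeholder credentials; only the request is built here, nothing is sent.
    inst = validate_instance("https://api.crowdstrike.com", "EXAMPLE_CLIENT_ID", "EXAMPLE_SECRET", timeout=30)
    print(build_token_request(inst).full_url)
```

Only `fetch_token` touches the network; the validation and request construction run offline, which is also where the checks that matter (https scheme, timeout within 15 to 120 seconds, non-empty credentials) live.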
Action: Contain a Host
This action contains a potentially compromised host, identified by its ID, so that it can no longer communicate.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Host ID | Enter the ID (agent ID) of the host you want to contain. Example: ["cdc40c8ad8314cf296016a507460c563"] | List | Required | You can get the agent ID from a detection, the Falcon console, or the streaming API in CrowdStrike Falcon. |
Example Request
[ { "host_id": [ "cdc40c8ad8314cf296016a507460c563" ] } ]
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Metadata about the response |
| Float | Time taken to execute the query |
| String | Name of the service powering the response |
| String | Trace ID for the request |
| Array | Errors in the response, if any |
| Array | List of hosts contained |
| String | Unique identifier for the host |
| String | Endpoint to access the host |
Action: Delete Indicator ID
This action deletes indicators in CrowdStrike Falcon.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Indicator ID | Enter the list of indicator IDs. Example: $list[5130b3232266ec3d0712faaa503b0702dbfd5cced6aa725efd2bb19de1898655,16f52bc55e498ca5a0377207431af5e9ff60d79582a8145eeb02ce476417247d]. For a single indicator: 16f52bc55e498ca5a0377207431af5e9ff60d79582a8145eeb02ce476417247d | List | Optional | You can retrieve this using the action Find Indicator IDs. |
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Meta information about the API response |
| Number | Time taken for the query in seconds |
| String | Unique trace ID for the API request |
| Array | List of errors (empty if no errors) |
| Array | List of indicator IDs deleted |
Action: Fetch Detection Details
The action retrieves detection details.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Detection IDs | Enter the detection ID list. Example: ["ldt:3752xxxxxxxx9964:8175xxxx2029"] | List | Required | |
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
{app_instance} | JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
app_instance.response | JSON Object | Includes the response received from the app action. |
app_instance.response.meta | Object | Metadata about the response |
app_instance.response.meta.query_time | Number | Time taken to process the query |
app_instance.response.meta.powered_by | String | Indicates the service powering the API |
app_instance.response.meta.trace_id | String | Trace ID for the query |
app_instance.response.resources | Array | List of detection resources |
app_instance.response.resources.cid | String | Customer ID associated with the detection |
app_instance.response.resources.detection_id | String | Unique identifier for the detection |
app_instance.response.resources.device | Object | Details of the device associated with the detection |
app_instance.response.resources.device.device_id | String | Unique identifier for the device |
app_instance.response.resources.device.cid | String | Customer ID of the device |
app_instance.response.resources.device.agent_load_flag | String | Flags set when the agent was loaded |
app_instance.response.resources.device.agent_local_time | String | Local time on the agent |
app_instance.response.resources.device.agent_version | String | Version of the agent |
app_instance.response.resources.device.bios_manufacturer | String | BIOS manufacturer |
app_instance.response.resources.device.bios_version | String | BIOS version |
app_instance.response.resources.device.config_id_base | String | Base configuration ID |
app_instance.response.resources.device.config_id_build | String | Build configuration ID |
app_instance.response.resources.device.config_id_platform | String | Platform configuration ID |
app_instance.response.resources.device.external_ip | String | External IP address of the device |
app_instance.response.resources.device.hostname | String | Hostname of the device |
app_instance.response.resources.device.first_seen | String | Timestamp of when the device was first seen |
app_instance.response.resources.device.last_seen | String | Timestamp of when the device was last seen |
app_instance.response.resources.device.local_ip | String | Local IP address of the device |
app_instance.response.resources.device.mac_address | String | MAC address of the device |
app_instance.response.resources.device.major_version | String | Major version of the device OS |
app_instance.response.resources.device.minor_version | String | Minor version of the device OS |
app_instance.response.resources.device.os_version | String | Operating system version |
app_instance.response.resources.device.platform_id | String | Platform ID of the device |
app_instance.response.resources.device.platform_name | String | Platform name of the device |
app_instance.response.resources.device.product_type | String | Product type of the device |
app_instance.response.resources.device.product_type_desc | String | Description of the product type |
app_instance.response.resources.device.status | String | Status of the device |
app_instance.response.resources.device.system_manufacturer | String | System manufacturer of the device |
app_instance.response.resources.device.system_product_name | String | System product name of the device |
app_instance.response.resources.device.modified_timestamp | String | Timestamp of when the device was last modified |
app_instance.response.resources.behaviors | Array | List of behaviors associated with the detection |
app_instance.response.resources.behaviors.device_id | String | Unique identifier for the device associated with the behavior |
app_instance.response.resources.behaviors.timestamp | String | Timestamp of the behavior |
app_instance.response.resources.behaviors.behavior_id | String | Unique identifier for the behavior |
app_instance.response.resources.behaviors.filename | String | Name of the file associated with the behavior |
app_instance.response.resources.behaviors.alleged_filetype | String | Alleged filetype associated with the behavior |
app_instance.response.resources.behaviors.cmdline | String | Command line executed for the behavior |
app_instance.response.resources.behaviors.scenario | String | Scenario under which the behavior was identified |
app_instance.response.resources.behaviors.severity | Integer | Severity of the behavior |
app_instance.response.resources.behaviors.confidence | Integer | Confidence level of the behavior |
app_instance.response.resources.behaviors.ioc_type | String | Type of indicator of compromise |
app_instance.response.resources.behaviors.ioc_value | String | Value of the indicator of compromise |
app_instance.response.resources.behaviors.ioc_source | String | Source of the indicator of compromise |
app_instance.response.resources.behaviors.ioc_description | String | Description of the indicator of compromise |
app_instance.response.resources.behaviors.user_name | String | Username associated with the behavior |
app_instance.response.resources.behaviors.user_id | String | User ID associated with the behavior |
app_instance.response.resources.behaviors.control_graph_id | String | Control graph ID associated with the behavior |
app_instance.response.resources.behaviors.triggering_process_graph_id | String | Triggering process graph ID |
app_instance.response.resources.behaviors.sha256 | String | SHA-256 hash of the file |
app_instance.response.resources.behaviors.md5 | String | MD5 hash of the file |
app_instance.response.resources.behaviors.parent_details | Object | Details of the parent process |
app_instance.response.resources.behaviors.parent_details.parent_sha256 | String | SHA-256 hash of the parent file |
app_instance.response.resources.behaviors.parent_details.parent_md5 | String | MD5 hash of the parent file |
app_instance.response.resources.behaviors.parent_details.parent_cmdline | String | Command line executed by the parent process |
app_instance.response.resources.behaviors.parent_details.parent_process_graph_id | String | Graph ID of the parent process |
app_instance.response.resources.behaviors.pattern_disposition | Integer | Pattern disposition of the behavior |
app_instance.response.resources.email_sent | Boolean | Indicates if an email was sent |
app_instance.response.resources.first_behavior | String | Timestamp of the first behavior |
app_instance.response.resources.last_behavior | String | Timestamp of the last behavior |
app_instance.response.resources.max_confidence | Integer | Maximum confidence level of the detection |
app_instance.response.resources.max_severity | Integer | Maximum severity level of the detection |
app_instance.response.resources.max_severity_displayname | String | Display name of the maximum severity |
app_instance.response.resources.show_in_ui | Boolean | Indicates if the detection should be shown in the UI |
app_instance.response.resources.status | String | Status of the detection |
app_instance.response.resources.adversary_ids | Null | List of adversary IDs associated with the detection |
app_instance.response.resources.hostinfo | Object | Host information |
app_instance.response.resources.hostinfo.active_directory_dn_display | Null | Active Directory distinguished name display |
app_instance.response.resources.hostinfo.domain | String | Domain of the host |
app_instance.response.resources.seconds_to_triaged | Integer | Seconds taken to triage the detection |
app_instance.response.resources.seconds_to_resolved | Integer | Seconds taken to resolve the detection |
app_instance.response.errors | Array | List of errors, if any |
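The response table above is deep, and what an analyst usually needs from it is a flat per-detection view: which host, how severe, which users, hashes and command lines are involved, and whether the call itself failed. The following Python is an added example (not the product's or CrowdStrike's own code) that reduces a Fetch Detection Details response to that view. The `SAMPLE_RESPONSE` is a constructed object shaped like the table, with placeholder IDs, hashes and hostnames.

```python
# Constructed sample response shaped like the Fetch Detection Details table above
# (every value is a placeholder, not a real detection).
SAMPLE_RESPONSE = {
    "meta": {"query_time": 0.031, "powered_by": "example-service", "trace_id": "trace-0001"},
    "resources": [
        {
            "cid": "0" * 32,
            "detection_id": "ldt:" + "a" * 32 + ":100",
            "device": {"device_id": "a" * 32, "hostname": "WS-EXAMPLE-01",
                       "platform_name": "Windows", "local_ip": "192.0.2.15",
                       "external_ip": "203.0.113.10"},
            "behaviors": [
                {"behavior_id": "1", "timestamp": "2024-01-01T10:00:00Z", "filename": "updater.exe",
                 "cmdline": "updater.exe /silent", "severity": 70, "confidence": 80,
                 "sha256": "b" * 64, "user_name": "alice",
                 "parent_details": {"parent_cmdline": "explorer.exe"}, "pattern_disposition": 0},
                {"behavior_id": "2", "timestamp": "2024-01-01T10:00:05Z", "filename": "updater.exe",
                 "cmdline": "updater.exe /silent", "severity": 50, "confidence": 60,
                 "sha256": "b" * 64, "user_name": "alice",
                 "parent_details": {"parent_cmdline": "explorer.exe"}, "pattern_disposition": 0},
            ],
            "max_severity": 70, "max_severity_displayname": "High", "status": "new",
            "first_behavior": "2024-01-01T10:00:00Z", "last_behavior": "2024-01-01T10:00:05Z",
        },
        {
            "cid": "0" * 32,
            "detection_id": "ldt:" + "c" * 32 + ":7",
            "device": {"device_id": "c" * 32, "hostname": "SRV-EXAMPLE-02", "platform_name": "Linux"},
            "behaviors": [
                {"behavior_id": "9", "timestamp": "2024-01-02T08:00:00Z", "filename": "cron",
                 "cmdline": "cron -f", "severity": 20, "confidence": 30, "sha256": "d" * 64,
                 "user_name": "root", "parent_details": {}, "pattern_disposition": 0},
            ],
            "max_severity": 20, "max_severity_displayname": "Low", "status": "new",
        },
    ],
    "errors": [],
}


def summarize_detection(resource):
    """Flatten one resources[] entry into the fields an analyst looks at first."""
    device = resource.get("device") or {}
    behaviors = resource.get("behaviors") or []
    parents = [(b.get("parent_details") or {}).get("parent_cmdline") for b in behaviors]
    return {
        "detection_id": resource.get("detection_id"),
        "hostname": device.get("hostname"),
        "device_id": device.get("device_id"),
        "platform": device.get("platform_name"),
        "status": resource.get("status"),
        "max_severity": resource.get("max_severity", 0),
        "severity_name": resource.get("max_severity_displayname"),
        "behavior_count": len(behaviors),
        "users": sorted({b.get("user_name") for b in behaviors if b.get("user_name")}),
        "sha256": sorted({b.get("sha256") for b in behaviors if b.get("sha256")}),
        "cmdlines": sorted({b.get("cmdline") for b in behaviors if b.get("cmdline")}),
        "parent_cmdlines": sorted({p for p in parents if p}),
        "window": (resource.get("first_behavior"), resource.get("last_behavior")),
    }


def triage(response, min_severity=50):
    """Return summaries at or above min_severity, highest first; fail loudly on API errors."""
    errors = response.get("errors") or []
    if errors:
        # An empty resources[] next to a non-empty errors[] is a failed call, not a quiet environment.
        raise RuntimeError(f"Fetch Detection Details returned errors: {errors}")
    summaries = [summarize_detection(r) for r in response.get("resources") or []]
    kept = [s for s in summaries if s["max_severity"] >= min_severity]
    return sorted(kept, key=lambda s: s["max_severity"], reverse=True)


def hashes_to_check(response):
    """Distinct SHA-256 values across all returned detections, e.g. for a follow-up indicator lookup."""
    return sorted({h for r in response.get("resources") or [] for h in summarize_detection(r)["sha256"]})


if __name__ == "__main__":
    for row in triage(SAMPLE_RESPONSE, min_severity=0):
        print(row["severity_name"], row["hostname"], row["detection_id"], row["sha256"])
```

Every field access goes through `.get`, because the table marks some fields (adversary_ids, active_directory_dn_display) as Null and the `device` object is not guaranteed to carry every key on every platform; the `errors` array is checked before any resource is trusted.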
Action: Fetch Detection IDs
The action searches for detections to learn more about activity in your environment.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Extra Parameters | Enter any additional parameters to narrow the result. | Key Value | Optional | You can fetch detection IDs using FQL filters. For more information, see Falcon Query Language reference. |
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Metadata about the response |
| Number | Time taken to process the query |
| String | Indicates the service powering the API |
| String | Trace ID for the query |
| Array | List of detection IDs |
Action: Fetch Incident Detail
The action retrieves a particular incident's details.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Incident IDs | Enter the incident ID list. Example: ["inc:a8ecce2f41df4112ae07d4e0c86d0795:3afxxx"] | List | Required | |
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Metadata about the response |
| Number | Time taken to process the query |
| String | Indicates the service powering the API |
| String | Trace ID for the query |
| Array of JSON Objects | List of incidents with details |
Action: Get Host Details for Observed Indicator
This action retrieves the details of the hosts on which an observed indicator was seen.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
IOC Type | Enter the IOC type. | Text | Required | Allowed values: sha1, sha512, sha224, sha384, sha256, md5, domain, ipv4, ipv6, url |
IOC Value | Enter the IOC value. Example: 8bbdead7357af7bf0efe397f9fd7e0ec578755eb8bdbaa65ae4f28ef00087ad5 | Text | Required | |
Extra Parameters | Enter the extra parameters to pass to the API. | Key Value | Optional | |
Example Request
[ { "ioc_type": "ipv4", "ioc_value": "1.1.2.2", "extra_params": {} } ]
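Contain a Host is a disruptive action and the other actions take IDs that are easy to mistype or paste with extra characters, so it is worth checking inputs before a prompt or playbook hands them to the app. The following Python is an added example (not the product's own code) that validates the inputs of Contain a Host, Delete Indicator ID, Fetch Detection Details, Fetch Incident Detail and Get Host Details for Observed Indicator, and builds the two request bodies in the shape of the Example Request blocks on this page. The ID shapes (32-hex agent ID, 64-hex indicator ID, `ldt:<agent id>:<number>`, `inc:<customer id>:<hex>`) are inferred from the page's example values and are assumptions, not a CrowdStrike specification; the allowed IOC types are the ones listed in the table above.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# ID shapes inferred from the example values on this page (assumptions, not a CrowdStrike spec).
AGENT_ID = re.compile(r"^[0-9a-f]{32}$")               # host / agent ID
INDICATOR_ID = re.compile(r"^[0-9a-f]{64}$")           # indicator ID
DETECTION_ID = re.compile(r"^ldt:[0-9a-f]{32}:\d+$")   # ldt:<agent id>:<number>
INCIDENT_ID = re.compile(r"^inc:[0-9a-f]{32}:[0-9a-f]+$")  # inc:<customer id>:<hex>

# Allowed IOC types from the "Get Host Details for Observed Indicator" table.
HASH_LENGTHS = {"md5": 32, "sha1": 40, "sha224": 56, "sha256": 64, "sha384": 96, "sha512": 128}
IOC_TYPES = set(HASH_LENGTHS) | {"domain", "ipv4", "ipv6", "url"}
DOMAIN = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def _validate_ids(values, pattern, label):
    """Lower-case, strip, de-duplicate and shape-check a list of IDs; reject anything off-pattern."""
    if isinstance(values, str):
        values = [values]
    cleaned = []
    for v in values:
        v = str(v).strip().lower()
        if not pattern.match(v):
            raise ValueError(f"{label} has an unexpected shape: {v!r}")
        if v not in cleaned:
            cleaned.append(v)
    if not cleaned:
        raise ValueError(f"at least one {label} is required")
    return cleaned


def contain_host_request(host_ids):
    """Body for Contain a Host, in the [ { ... } ] shape of the page's Example Request."""
    return [{"host_id": _validate_ids(host_ids, AGENT_ID, "host ID")}]


def validate_indicator_ids(ids):
    return _validate_ids(ids, INDICATOR_ID, "indicator ID")


def validate_detection_ids(ids):
    return _validate_ids(ids, DETECTION_ID, "detection ID")


def validate_incident_ids(ids):
    return _validate_ids(ids, INCIDENT_ID, "incident ID")


def validate_ioc(ioc_type, ioc_value):
    """Check that the IOC value matches its declared type; return the normalized (type, value) pair."""
    t = str(ioc_type).strip().lower()
    v = str(ioc_value).strip()
    if t not in IOC_TYPES:
        raise ValueError(f"ioc_type must be one of {sorted(IOC_TYPES)}")
    if t in HASH_LENGTHS:
        v = v.lower()
        if not re.fullmatch(r"[0-9a-f]{%d}" % HASH_LENGTHS[t], v):
            raise ValueError(f"{t} value must be {HASH_LENGTHS[t]} hex characters")
    elif t == "ipv4":
        v = str(ipaddress.IPv4Address(v))   # AddressValueError (a ValueError) on a bad address
    elif t == "ipv6":
        v = str(ipaddress.IPv6Address(v))
    elif t == "domain":
        v = v.lower().rstrip(".")
        if not DOMAIN.match(v):
            raise ValueError("domain value is not a valid hostname")
    else:  # url
        parts = urlsplit(v)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            raise ValueError("url value must be an absolute http(s) URL")
    return t, v


def observed_indicator_request(ioc_type, ioc_value, extra_params=None):
    """Body for Get Host Details for Observed Indicator, matching the page's Example Request."""
    t, v = validate_ioc(ioc_type, ioc_value)
    return [{"ioc_type": t, "ioc_value": v, "extra_params": dict(extra_params or {})}]


if __name__ == "__main__":
    print(contain_host_request(["cdc40c8ad8314cf296016a507460c563"]))
    print(observed_indicator_request("ipv4", "1.1.2.2"))
```

A rejected value raises before any request is built, which is the behaviour you want in front of a containment action: a playbook that silently passes a malformed or duplicated host ID either does nothing or contains the wrong machine.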
Action: Get Incident IDs
This action gets incident IDs.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Filters | Enter any FQL filter or sort parameters while fetching incident IDs. Example: host_ids: '9a07d39f8c9f430eb3e474d1a0c16ce9' | Key Value | Optional | For filtering options, see CrowdStrike API Documentation. |
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Metadata about the response |
| Number | Time taken to process the query |
| String | Indicates the service powering the API |
| String | Trace ID for the query |
| Array of JSON Objects | List of incidents with details |