FalconHost

Use the CrowdStrike Falcon Host integration to detect and block malicious activity.

Configure CrowdStrike Falcon Host Integration on Demisto

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for FalconHost.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • Server URL (for example, https://192.168.0.1)
    • API ID
    • API Key
    • Use system proxy settings
    • Allow self-signed SSL certificates: disables certificate verification for the connection to the Falcon Host API. Leave it off unless the server URL really terminates at a self-signed endpoint, since an unverified connection carries your API credentials.
  4. Click Test to validate the URL, API credentials, and connection.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook.
After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. Upload indicators for CS to monitor: cs-upload-ioc
  2. Get definitions of monitored indicators: cs-get-ioc
  3. Update indicators: cs-update-ioc
  4. Delete an indicator: cs-delete-ioc
  5. Get a list of uploaded IOCs: cs-search-iocs
  6. Search for devices: cs-device-search
  7. Get device details: cs-device-details
  8. Get the number of devices an IOC ran on: cs-device-count-ioc
  9. Get a list of device IDs that an indicator ran on: cs-device-ran-on
  10. Get the process ID of an indicator for a device: cs-processes-ran-on
  11. Get process details: cs-process-details
  12. Set resolution status: cs-resolve-detection
  13. Search all detection fields: cs-detection-search
  14. Get detection details: cs-detection-details

1. Upload indicators for CS to monitor


Uploads one or more indicators for CrowdStrike to monitor.

Base Command

cs-upload-ioc

Input
Argument Name Description Required
type The type of the indicator Required
value The string representation of the indicator Required
policy The policy to enact when the value is detected on a host. A value of none is equivalent to turning the indicator off. Optional
share_level The level at which the indicator will be shared. Only red share level (not shared) is supported, which indicates that the IOC is not shared with other Falcon Host customers. Optional
expiration_days The number of days the indicator remains valid. This only applies to domain, IPv4, and IPv6 types. Default is 30. Optional
source The source where this indicator originated. This can be used for tracking where this indicator was defined. Limit 200 characters. Optional
description A meaningful description of the indicator. Limit 200 characters. Optional
Context Output

There is no context output for this command.

Command Example

!cs-upload-ioc type=ipv4 value=8.8.8.8

Human Readable Output

[screenshot of the War Room output, 2018-08-22]
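The upload and update commands take the same arguments, and the API rejects bad input only after the round trip. The following added example (not code from the FalconHost integration or from CrowdStrike) checks an IOC against the constraints the argument table states, namely the six supported types, the red-only share level, the 200-character limit on source and description, and expiration_days applying only to domain, IPv4 and IPv6, and then renders the War Room command line. The policy name detect and the Demisto quoting of values containing spaces are assumptions; the value-format checks (hash length, IP version, domain shape) are this example's own.

```python
"""Client-side validation of cs-upload-ioc / cs-update-ioc arguments.

Added example, not part of the FalconHost integration. Rejects an IOC before
the API call when it violates the constraints listed in the command tables.
"""
import ipaddress
import re

SUPPORTED_TYPES = {"sha256", "sha1", "md5", "domain", "ipv4", "ipv6"}
HASH_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}
EXPIRING_TYPES = {"domain", "ipv4", "ipv6"}        # expiration_days applies only here
ASSUMED_POLICIES = {"detect", "none"}              # assumption: only "none" is named on the page
MAX_TEXT = 200                                     # limit for source and description
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?!-)([a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$")


def validate_ioc(args: dict) -> list:
    """Return a list of problems; an empty list means the IOC is acceptable."""
    problems = []
    ioc_type = str(args.get("type", "")).lower()
    value = str(args.get("value", "")).strip()
    if ioc_type not in SUPPORTED_TYPES:
        problems.append(f"unsupported type {ioc_type!r}")
        return problems

    # The value must match the declared type; a wrong type silently never matches.
    if ioc_type in HASH_LENGTHS:
        if not re.fullmatch(r"[0-9a-fA-F]{%d}" % HASH_LENGTHS[ioc_type], value):
            problems.append(f"{ioc_type} value must be {HASH_LENGTHS[ioc_type]} hex characters")
    elif ioc_type in ("ipv4", "ipv6"):
        try:
            addr = ipaddress.ip_address(value)
            if addr.version != int(ioc_type[-1]):
                problems.append(f"value is IPv{addr.version}, type says {ioc_type}")
        except ValueError:
            problems.append(f"{value!r} is not a valid {ioc_type} address")
    elif not DOMAIN_RE.match(value.lower()):
        problems.append(f"{value!r} is not a valid domain")

    policy = args.get("policy")
    if policy is not None and policy not in ASSUMED_POLICIES:
        problems.append(f"unknown policy {policy!r}")
    share_level = args.get("share_level")
    if share_level is not None and share_level != "red":
        problems.append("only share_level=red is supported")
    if "expiration_days" in args:
        if ioc_type not in EXPIRING_TYPES:
            problems.append("expiration_days only applies to domain, ipv4 and ipv6")
        else:
            try:
                if int(args["expiration_days"]) <= 0:
                    problems.append("expiration_days must be positive")
            except (TypeError, ValueError):
                problems.append("expiration_days must be an integer")
    for field in ("source", "description"):
        if field in args and len(str(args[field])) > MAX_TEXT:
            problems.append(f"{field} exceeds {MAX_TEXT} characters")
    return problems


def build_upload_command(args: dict) -> str:
    """Render validated args as a War Room command line.
    Assumption: Demisto accepts double-quoted values for arguments with spaces."""
    problems = validate_ioc(args)
    if problems:
        raise ValueError("; ".join(problems))
    parts = ["!cs-upload-ioc"]
    for key in ("type", "value", "policy", "share_level", "expiration_days", "source", "description"):
        if key in args:
            val = str(args[key])
            if any(ch.isspace() for ch in val) or '"' in val:
                val = '"' + val.replace('"', '\\"') + '"'
            parts.append(f"{key}={val}")
    return " ".join(parts)


if __name__ == "__main__":
    print(build_upload_command({"type": "ipv4", "value": "8.8.8.8",
                                "source": "playbook", "description": "test indicator"}))
```

Run validate_ioc inside the automation that collects indicators from an incident and drop anything that returns problems; a hash with the wrong length or an IPv4 address uploaded as ipv6 is accepted nowhere useful and never fires.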

2. Get definitions of monitored indicators


Gets the full definition of one or more indicators that you are watching.

Base Command

cs-get-ioc

Input
Argument Name Description Required
type The IOC type to retrieve Required
value The IOC value to retrieve Required
Context Output

There is no context output for this command.

Command Example

!cs-get-ioc type=ipv4 value=8.8.8.8

Human Readable Output

[screenshot of the War Room output, 2018-08-22]

3. Update indicators


Updates one or more of the uploaded indicators.

Base Command

cs-update-ioc

Input
Argument Name Description Required
type The IOC type to update Required
value The IOC value to update Required
policy The policy to enact when the value is detected on a host. A value of none is equivalent to turning the indicator off. Optional
share_level The level at which the indicator will be shared. Only red share level (not shared) is supported, which indicates that the IOC is not shared with other Falcon Host customers. Optional
expiration_days The number of days the indicator remains valid. This only applies to domain, IPv4, and IPv6 types. Default is 30. Optional
source The source where this indicator originated. This can be used to track where this indicator was defined. Limit 200 characters. Optional
description A meaningful description of the indicator. Limit 200 characters. Optional
Context Output

There is no context output for this command.

Command Example

!cs-update-ioc type=ipv4 value=8.8.8.8 policy=none

Human Readable Output

[screenshot of the War Room output, 2018-08-22]

4. Delete an indicator


Deletes an indicator that you are monitoring.

Base Command

cs-delete-ioc

Input
Argument Name Description Required
type The IOC type to delete Required
value The IOC value to delete Required
Context Output

There is no context output for this command.

Command Example

!cs-delete-ioc type=ipv4 value=8.8.8.8

Human Readable Output

[screenshot of the War Room output, 2018-08-22]

5. Get a list of uploaded IOCs


Returns a list of your uploaded IOCs that match the search criteria.

Base Command

cs-search-iocs

Input
Argument Name Description Required
types A list of indicator types. Separate multiple types by comma. Valid types are sha256, sha1, md5, domain, ipv4, ipv6. Optional
values Comma-separated list of indicator values Optional
policies Comma-separated list of indicator policies Optional
share_levels A list of share levels. Only red is supported. Optional
sources Comma-separated list of IOC sources Optional
from_expiration_date Start of date range to search (YYYY-MM-DD format) Optional
to_expiration_date End of date range to search (YYYY-MM-DD format) Optional
sort The order of the results. Format is field.asc or field.desc . Optional
limit The maximum number of records to return. The minimum is 1 and the maximum is 500. Default is 100. Optional
offset The offset to begin the list from. For example, start from the 10th record and return the list. Default is 0. Optional
Context Output

There is no context output for this command.

Command Example

!cs-search-iocs types=domain
!cs-search-iocs types=ipv4

Human Readable Output

[screenshot of the War Room output, 2018-08-22]

6. Search for devices


Search for devices in your environment by platform, host name, IP, or various other parameters.

Base Command

cs-device-search

Input
Argument Name Description Required
query Search for a value across all fields Optional
filter Filter devices using the query syntax field:value+field:value, where string values are enclosed in single quotes ('x') or given as arrays of single-quoted strings (['x', 'y']). Numeric and date fields also support comparison operators, for example field:>value. For the list of filterable fields, see the CrowdStrike documentation. Optional
limit Number of results to return Optional
offset The result to start from Optional
Context Output
Path Description
FalconHostDevices Device IDs found by device search
Command Example

!cs-device-search limit=2
!cs-device-search

Human Readable Output

[screenshot of the War Room output, 2018-08-22]
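The filter argument is a small query language, and in a playbook its values often come from incident data (a hostname, a platform name, a last-seen date). The following added example (not code from the FalconHost integration) builds the field:value+field:value string described in the input table, rendering strings in single quotes, lists as ['x', 'y'], and comparison operators for numeric and date fields. Because the page documents no escape sequence for quotes, a value containing a single quote is rejected instead of interpolated, so a crafted hostname cannot append clauses to the query. The field names in the usage example (platform_name, hostname, last_seen) and the operator set beyond > are assumptions; the real field list is in the CrowdStrike documentation.

```python
"""Build the filter argument for cs-device-search.

Added example; not code from the FalconHost integration. Renders the
field:value+field:value filter syntax from the command's input table.
"""
import re
from datetime import datetime, timezone

FIELD_RE = re.compile(r"^[a-z][a-z0-9_.]*$")
OPERATORS = ("!", ">=", "<=", ">", "<")   # assumption: the page shows only '>'


def _render(value) -> str:
    """Render one scalar in filter syntax; strings are single-quoted."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, (int, float)):
        return str(value)
    if isinstance(value, datetime):
        value = value.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    text = str(value)
    if "'" in text:
        # No escape syntax is documented, so refuse rather than let the
        # value close the quote and add clauses of its own.
        raise ValueError(f"single quote not allowed in filter value: {text!r}")
    return f"'{text}'"


def build_filter(conditions: dict) -> str:
    """conditions maps a field to a scalar, a list of scalars, or an
    (operator, scalar) tuple; all clauses are ANDed with '+'."""
    clauses = []
    for field, spec in conditions.items():
        if not FIELD_RE.match(field):
            raise ValueError(f"bad field name {field!r}")
        if isinstance(spec, tuple):
            op, value = spec
            if op not in OPERATORS:
                raise ValueError(f"unsupported operator {op!r}")
            clauses.append(f"{field}:{op}{_render(value)}")
        elif isinstance(spec, list):
            clauses.append(f"{field}:[{', '.join(_render(v) for v in spec)}]")
        else:
            clauses.append(f"{field}:{_render(spec)}")
    return "+".join(clauses)


def device_search_command(conditions: dict, limit=None, offset=None) -> str:
    """Return the War Room command line. The filter is double-quoted so its
    single quotes and '+' survive argument parsing (assumed Demisto quoting)."""
    parts = ["!cs-device-search", f'filter="{build_filter(conditions)}"']
    if limit is not None:
        parts.append(f"limit={int(limit)}")
    if offset is not None:
        parts.append(f"offset={int(offset)}")
    return " ".join(parts)


if __name__ == "__main__":
    print(device_search_command(
        {"platform_name": "Windows",
         "hostname": ["WS-01", "WS-02"],
         "last_seen": (">", datetime(2018, 8, 1, tzinfo=timezone.utc))},
        limit=2))
```

The device IDs the command writes to FalconHostDevices can then be passed straight to cs-device-details, as the example in the next section does.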

7. Get device details


Get details for one or more devices, according to device ID.

Base Command

cs-device-details

Input
Argument Name Description Required
ids The ID of the device. Allows multiple values separated by comma. Required
Context Output
Path Type Description
FalconHostDetails string Device details returned for the requested device IDs
Endpoint.ID string Unique ID of the endpoint in FalconHost
Endpoint.IPAddress string IPAddress of the endpoint
Endpoint.Domain string Domain of the endpoint
Endpoint.MACAddress string MAC address of the endpoint
Endpoint.OS string OS of the endpoint
Endpoint.OSVersion string OS version of the endpoint
Endpoint.BIOSVersion string BIOS version of the endpoint
Endpoint.HostName string Hostname of the endpoint
Command Example

!cs-device-details ids=1e371d976b4549186ed5f09e49e49c12
!cs-device-details ids=${FalconHostDevices}

Context Example

[screenshot of the context data, 2018-08-22]

Human Readable Output

[screenshot of the War Room output, 2018-08-22]

8. Get the number of devices an IOC ran on


Returns the number of devices on which an IOC ran, identified by the IOC's type and value.

Base Command

cs-device-count-ioc

Input
Argument Name Description Required
type The type of indicator Required
value The actual string representation of the indicator Required
Context Output

There is no context output for this command.

Command Example

!cs-device-count-ioc type=sha1 value=f28c592833f234c619917b5c7d8974840a810247
!cs-device-count-ioc type=domain value=7.tw

9. Get a list of device IDs that an indicator ran on


Returns a list of device IDs on which an indicator ran.

Base Command

cs-device-ran-on

Input
Argument Name Description Required
type The type of indicator from the list of supported indicator types. Required
value The actual string representation of the indicator Required
Context Output
Path Description
FalconHostDevices Device IDs found by device IOC search
Command Example

!cs-device-ran-on type=sha1 value=f28c592833f234c619917b5c7d8974840a810247
!cs-device-ran-on type=domain value=7.tw

10. Get the process ID of an indicator for a device


Returns the IDs of the processes under which the indicator recently ran on the given device.

Base Command

cs-processes-ran-on

Input
Argument Name Description Required
type The type of indicator from the list of supported indicator types. Required
value The actual string representation of the indicator Required
device_id The device ID you want to check against Required
Context Output
Path Description
FalconHostProcesses List of processes of the searched indicators

11. Get process details


Retrieves the details of a process, according to process ID, that is running or that previously ran.

Base Command

cs-process-details

Input
Argument Name Description Required
ids The ID of the process. Allows multiple values separated by comma. Required
Context Output

There is no context output for this command.

12. Set resolution status


Sets the state of a detection in Falcon Host. You can obtain detection IDs from the Falcon Host UI or from the Falcon Streaming API.

Base Command

cs-resolve-detection

Input
Argument Name Description Required
ids The IDs of the detections you want to resolve. Falcon Host API v2 detection IDs have the format ldt:[first field]:[second field], for example ldt:cf54bb61f92e4d3e75bf4f7c11fc8f74:4295536142. Required
status The status to which you want to transition a detection Required
Context Output
Path Type Description
CrowdStrikeHost.Detections.cid string cid of the detection
CrowdStrikeHost.Detections.detection_id string ID of the detection
CrowdStrikeHost.Detections.first_behavior string First behavior of the detection
CrowdStrikeHost.Detections.last_behavior string Last behavior of the detection
CrowdStrikeHost.Detections.max_confidence number Max confidence of the detection
CrowdStrikeHost.Detections.max_severity number Max severity of the detection
CrowdStrikeHost.Detections.max_severity_display_name string Displayname of the max severity
CrowdStrikeHost.Detections.behaviors.alleged_file_type string Alleged filetype of the behavior
CrowdStrikeHost.Detections.behaviors.behavior_id string ID of the behavior
CrowdStrikeHost.Detections.behaviors.device_id string ID of the device of the behavior
CrowdStrikeHost.Detections.behaviors.user_id string ID of the user of the behavior
CrowdStrikeHost.Detections.behaviors.control_graph_id string ID of the control graph of the behavior
CrowdStrikeHost.Detections.behaviors.cmdline string Commandline of the behavior
CrowdStrikeHost.Detections.behaviors.confidence number Confidence of the behavior
CrowdStrikeHost.Detections.behaviors.severity number Severity of the behavior
CrowdStrikeHost.Detections.behaviors.filename string Filename of the behavior
CrowdStrikeHost.Detections.behaviors.ioc_description string IOC description of the behavior
CrowdStrikeHost.Detections.behaviors.ioc_source string IOC source of the behavior
CrowdStrikeHost.Detections.behaviors.ioc_type string IOC type of the behavior
CrowdStrikeHost.Detections.behaviors.ioc_value string IOC value of the behavior
CrowdStrikeHost.Detections.behaviors.md5 string MD5 of the behavior
CrowdStrikeHost.Detections.behaviors.sha256 string SHA256 of the behavior
CrowdStrikeHost.Detections.behaviors.timestamp string Timestamp of the behavior
CrowdStrikeHost.Detections.behaviors.parent_details.parent_cmdline string Commandline of the parent of the behavior
CrowdStrikeHost.Detections.behaviors.parent_details.parent_md5 string MD5 of the parent of the behavior
CrowdStrikeHost.Detections.behaviors.parent_details.parent_sha256 string SHA256 of the parent of the behavior
CrowdStrikeHost.Detections.behaviors.parent_details.parent_control_graph_id string Control graph ID of the parent of the behavior
CrowdStrikeHost.Detections.device.agent_version string Agent version of the device
CrowdStrikeHost.Detections.device.bios_version string Bios version of the device
CrowdStrikeHost.Detections.device.os_version string OS version of the device
CrowdStrikeHost.Detections.device.mac_address string MACAddress of the device
CrowdStrikeHost.Detections.device.local_ip string Local IP of the device
CrowdStrikeHost.Detections.device.external_ip string External IP of the device
CrowdStrikeHost.Detections.device.hostname string Hostname of the device
CrowdStrikeHost.Detections.behaviors.technique string Technique of the behavior
Command Example

!cs-resolve-detection ids=ldt:cf54bb61f92e4d3e75bf4f7c11fc8f74:4295536142 status=in_progress

13. Search all detection fields


Performs a string search through all CrowdStrike Detection fields. For example, provide a sensor ID to search for all detections that contain that sensor ID.

Base Command
cs-detection-search
Input
Argument Name Description Required
query Free text search filter Optional
first_behavior Timestamp of the detection's first behavior, for example 2017-01-31T22:36:11Z Optional
Context Output
Path Type Description
CrowdStrikeHost.Detections.detection_id string IDs of the related detections

Command Example
!cs-detection-search query=".exe"
Human Readable Output

[screenshot of the War Room output, 2018-10-08]

14. Get detection details


Fetches details of a CrowdStrike Detection using the detection ID.

Base Command
cs-detection-details
Input
Argument Name Description Required
detection_id ID of the detection to fetch Required
Context Output
Path Type Description
CrowdStrikeHost.Detections.cid string cid of the detection
CrowdStrikeHost.Detections.detection_id string ID of the detection
CrowdStrikeHost.Detections.first_behavior string First behavior of the detection
CrowdStrikeHost.Detections.last_behavior string Last behavior of the detection
CrowdStrikeHost.Detections.max_confidence number Max confidence of the detection
CrowdStrikeHost.Detections.max_severity number Max severity of the detection
CrowdStrikeHost.Detections.max_severity_display_name string Displayname of the max severity
CrowdStrikeHost.Detections.behaviors.alleged_file_type string Alleged filetype of the behavior
CrowdStrikeHost.Detections.behaviors.behavior_id string ID of the behavior
CrowdStrikeHost.Detections.behaviors.device_id string ID of the device of the behavior
CrowdStrikeHost.Detections.behaviors.user_id string ID of the user of the behavior
CrowdStrikeHost.Detections.behaviors.control_graph_id string ID of the control graph of the behavior
CrowdStrikeHost.Detections.behaviors.cmdline string Commandline of the behavior
CrowdStrikeHost.Detections.behaviors.confidence number Confidence of the behavior
CrowdStrikeHost.Detections.behaviors.severity number Severity of the behavior
CrowdStrikeHost.Detections.behaviors.filename string Filename of the behavior
CrowdStrikeHost.Detections.behaviors.ioc_description string IOC description of the behavior
CrowdStrikeHost.Detections.behaviors.ioc_source string IOC source of the behavior
CrowdStrikeHost.Detections.behaviors.ioc_type string IOC type of the behavior
CrowdStrikeHost.Detections.behaviors.ioc_value string IOC value of the behavior
CrowdStrikeHost.Detections.behaviors.md5 string MD5 of the behavior
CrowdStrikeHost.Detections.behaviors.sha256 string SHA256 of the behavior
CrowdStrikeHost.Detections.behaviors.timestamp string Timestamp of the behavior
CrowdStrikeHost.Detections.behaviors.parent_details.parent_cmdline string Commandline of the parent of the behavior
CrowdStrikeHost.Detections.behaviors.parent_details.parent_md5 string MD5 of the parent of the behavior
CrowdStrikeHost.Detections.behaviors.parent_details.parent_sha256 string SHA256 of the parent of the behavior
CrowdStrikeHost.Detections.behaviors.parent_details.parent_control_graph_id string Control graph ID of the parent of the behavior
CrowdStrikeHost.Detections.device.agent_version string Agent version of the device
CrowdStrikeHost.Detections.device.bios_version string Bios version of the device
CrowdStrikeHost.Detections.device.os_version string OS version of the device
CrowdStrikeHost.Detections.device.mac_address string MACAddress of the device
CrowdStrikeHost.Detections.device.local_ip string Local IP of the device
CrowdStrikeHost.Detections.device.external_ip string External IP of the device
CrowdStrikeHost.Detections.device.hostname string Hostname of the device
CrowdStrikeHost.Detections.behaviors.technique string Technique of the behavior
Command Example
!cs-detection-details detection_id=${CrowdStrikeHost.Detections.detection_id}
Human Readable Output

[screenshot of the War Room output, 2018-10-08]
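Sections 12 to 14 describe the detection data the integration writes to CrowdStrikeHost.Detections, and the natural next step in a playbook is to act on it. The following added example (not code from the FalconHost integration) works on records shaped like that context: it normalises detection IDs to the ldt:[first field]:[second field] form that cs-resolve-detection documents, keeps only detections at or above a severity threshold, and derives the arguments for the follow-up commands, namely which IDs to move to in_progress, which device IDs to pass to cs-device-details, and which behavior SHA-256 hashes are not already indicators and could be fed to cs-upload-ioc. The sample detections, the threshold of 50 on max_severity, the comma-separated multi-ID form for cs-resolve-detection, and the "hash not yet an IOC" heuristic are all this example's own assumptions; the detection and device IDs reuse values shown on this page and the hashes are fake.

```python
"""Turn CrowdStrikeHost.Detections context into follow-up commands.

Added example; not code from the FalconHost integration.
"""
import re

# ldt:<32 hex chars>:<number>, with the ldt: prefix optional on input
DETECTION_ID_RE = re.compile(r"^(?:ldt:)?([0-9a-f]{32}):(\d+)$")


def normalize_detection_id(raw: str) -> str:
    """Return the ID in the documented ldt: form, adding the prefix if absent."""
    match = DETECTION_ID_RE.match(raw.strip().lower())
    if not match:
        raise ValueError(f"malformed detection id {raw!r}")
    return f"ldt:{match.group(1)}:{match.group(2)}"


def is_valid_detection_id(raw: str) -> bool:
    return DETECTION_ID_RE.match(raw.strip().lower()) is not None


def triage(detections, min_severity=50):
    """Select detections with max_severity >= min_severity (assumed 0-100 scale)
    and collect what the follow-up commands need, preserving order and de-duplicating."""
    plan = {"resolve_ids": [], "device_ids": [], "sha256_candidates": []}
    for det in detections:
        if int(det.get("max_severity", 0)) < min_severity:
            continue
        plan["resolve_ids"].append(normalize_detection_id(det["detection_id"]))
        for beh in det.get("behaviors", []):
            dev = beh.get("device_id")
            if dev and dev not in plan["device_ids"]:
                plan["device_ids"].append(dev)
            sha = (beh.get("sha256") or "").lower()
            # Heuristic (this example's own): a behavior whose ioc_type/ioc_value already
            # name this hash was triggered by an existing indicator, so skip it.
            already_ioc = beh.get("ioc_type") == "sha256" and (beh.get("ioc_value") or "").lower() == sha
            if sha and not already_ioc and sha not in plan["sha256_candidates"]:
                plan["sha256_candidates"].append(sha)
    return plan


def render_commands(plan, status="in_progress"):
    """Render the plan as War Room command lines; empty list when nothing qualifies."""
    cmds = []
    if plan["resolve_ids"]:
        cmds.append(f"!cs-resolve-detection ids={','.join(plan['resolve_ids'])} status={status}")
    if plan["device_ids"]:
        cmds.append(f"!cs-device-details ids={','.join(plan['device_ids'])}")
    for sha in plan["sha256_candidates"]:
        cmds.append(f'!cs-upload-ioc type=sha256 value={sha} source=triage description="from detection triage"')
    return cmds


# Constructed sample context: IDs reuse this page's example values, hashes are fake.
FAKE_SHA = "0123456789abcdef" * 4
SAMPLE_DETECTIONS = [
    {"detection_id": "ldt:cf54bb61f92e4d3e75bf4f7c11fc8f74:4295536142",
     "max_severity": 70, "max_severity_display_name": "High",
     "behaviors": [{"device_id": "cf54bb61f92e4d3e75bf4f7c11fc8f74",
                    "filename": "updater.exe", "sha256": FAKE_SHA,
                    "ioc_type": "", "ioc_value": ""}],
     "device": {"hostname": "WS-01"}},
    {"detection_id": "cf54bb61f92e4d3e75bf4f7c11fc8f74:4295536143",  # no ldt: prefix
     "max_severity": 10, "behaviors": []},                             # below threshold
    {"detection_id": "ldt:1e371d976b4549186ed5f09e49e49c12:1",
     "max_severity": 90,
     "behaviors": [{"device_id": "1e371d976b4549186ed5f09e49e49c12",
                    "sha256": "ff" * 32, "ioc_type": "sha256", "ioc_value": "ff" * 32}]},
]

if __name__ == "__main__":
    for line in render_commands(triage(SAMPLE_DETECTIONS)):
        print(line)
```

Run the rendered lines in the order shown: resolve first so the detections do not stay open while the playbook waits on device lookups, then enrich, then upload the hashes only after an analyst has confirmed them, since a bad sha256 indicator with a blocking policy will fire on every host that runs that file.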