CrowdStrike Falcon Integration
Written by Ali Murtaza

About CrowdStrike

Falcon is CrowdStrike's cloud-delivered endpoint protection platform, built to stop breaches with a unified set of prevention, detection and response capabilities. It is designed to prevent sophisticated attacks, including malware and ransomware, and gives analysts a view of the full attack chain of a threat, with the context needed for faster investigation.

SIRP integrates with CrowdStrike Falcon to enrich collected data, provide visibility into threat patterns, and extend automation for containing or removing threats.

Combining the detection capabilities of CrowdStrike Falcon with SIRP's risk-based SOAR platform gives SOC teams a stronger defense posture: access to active threats, faster visibility and detection, and complete artifact information for context and threat validation.

Supported Actions

SIRP’s CrowdStrike integration app allows you to execute the following actions:

1. Block Domain: Block a domain name on CrowdStrike Falcon
2. Block Hash: Block a file hash on CrowdStrike Falcon
3. Block IP: Block an IP address on CrowdStrike Falcon
4. Contain Host: Isolate a host (network containment) through CrowdStrike Falcon
5. Delete IP: Remove an IP address from CrowdStrike Falcon's indicators list
6. Delete Domain: Remove a domain from CrowdStrike Falcon's indicators list
7. Delete Hash: Remove a hash from CrowdStrike Falcon's indicators list
8. Get Behaviors: Get the behavior details of a particular detection from CrowdStrike Falcon
9. Get Detections: Get detections (against predefined indicators) from CrowdStrike Falcon
10. Get Endpoint Details: Get the details of a host from CrowdStrike Falcon
11. Get Incidents: Get new incidents from CrowdStrike Falcon
12. Get Process Details: Get the details of a particular process from CrowdStrike Falcon
13. Uncontain Host: Lift containment from a previously contained host
14. Unblock IP: Unblock a previously blocked IP address on CrowdStrike Falcon
15. Unblock Domain: Unblock a previously blocked domain on CrowdStrike Falcon
16. Unblock Hash: Unblock a previously blocked hash on CrowdStrike Falcon
17. Mark As False Positive: Mark a detection as "False Positive" on CrowdStrike Falcon
18. Close Incident: Close a particular incident on CrowdStrike Falcon

Enable and Configure the CrowdStrike App

Create CrowdStrike API Credentials

Follow these steps to generate the CrowdStrike API credentials (they are used later in SIRP to enable the CrowdStrike Falcon app):

  • Log in to your Falcon console.

  • Open Settings from the dashboard.

  • Open the Support dropdown and select API Clients and Keys.

  • In the API Clients and Keys section, click Add new API Client.

  • Select the API scopes the client needs. Grant only the scopes required by the actions listed above (for example read/write on IOC Management for the block/unblock actions, Hosts for contain/uncontain and endpoint details, Detections and Incidents for the detection and incident actions) rather than every available scope, so a compromised SIRP credential cannot do more than the playbooks require.

  • Click Add.

Once the API client is created, the Client ID, Client Secret, and Base URL are shown in a dialog. Copy all three now: the secret is displayed only at creation time and cannot be retrieved afterwards, and the Base URL is specific to your Falcon cloud region. Store the secret in a secrets manager rather than in a ticket or chat message.

Configure The SIRP App

  • Log in to SIRP and go to Apps in the left navigation bar.

  • Locate the CrowdStrike app.

  • Click the toggle button to enable the app.

  • As soon as the app is enabled, you are prompted for the configuration details.

  • Enter the following details and click Save:

    • Host: the CrowdStrike Falcon Base URL from the previous step, including the https:// scheme and without a trailing path

    • Client-ID: the Client ID created in the previous step

    • Client-Secret: the Client Secret created in the previous step

CrowdStrike In Action

Once the integration between SIRP and CrowdStrike is complete, you can execute all the supported actions. For example, click on a hash and select CrowdStrike Falcon > Block Hash.

Once the action completes successfully, the hash is blocked in CrowdStrike Falcon and appears in Falcon's indicators list; check there if you need to confirm the result. Use Unblock Hash or Delete Hash to reverse the action.
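The credential step and the Block Hash action above reduce to two API calls: an OAuth2 client-credentials exchange against the Base URL, then a POST to the IOC Management endpoint with a bearer token. The following is an added example, not SIRP's or CrowdStrike's code: it uses CrowdStrike's public endpoint paths (/oauth2/token and /iocs/entities/indicators/v1) and indicator fields, refuses a non-HTTPS base URL, validates the hash before anything is sent, and injects the HTTP layer so the whole flow can be exercised offline. The fake_falcon transport, its canned responses, the client names and the sample hash are constructed for this example.

```python
import json
import re
import urllib.parse
import urllib.request

# Regional base URLs are what the API client dialog shows as "Base URL":
# api.crowdstrike.com (US-1), api.us-2.crowdstrike.com, api.eu-1.crowdstrike.com,
# api.laggar.gcw.crowdstrike.com (GovCloud). Using the wrong one yields 4xx errors.

# Hash types the IOC Management API accepts, keyed by hex length, so a mistyped
# value is rejected here instead of landing in Falcon as a never-matching IOC.
HASH_TYPES = {64: "sha256", 32: "md5"}
HEX = re.compile(r"^[0-9a-fA-F]+$")


def http_transport(method, url, headers, body):
    """Real HTTP layer; the example swaps it for a fake so it runs offline."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.status, resp.read()


class FalconClient:
    def __init__(self, base_url, client_id, client_secret, transport=http_transport):
        # The client secret travels in the request body, so refuse plain http.
        if not base_url.lower().startswith("https://"):
            raise ValueError("Falcon base URL must start with https://")
        self.base_url = base_url.rstrip("/")
        self.client_id = client_id
        self.client_secret = client_secret
        self.transport = transport
        self.token = None

    def get_token(self):
        """OAuth2 client-credentials exchange: POST /oauth2/token."""
        body = urllib.parse.urlencode(
            {"client_id": self.client_id, "client_secret": self.client_secret}).encode()
        headers = {"Content-Type": "application/x-www-form-urlencoded",
                   "Accept": "application/json"}
        status, raw = self.transport("POST", self.base_url + "/oauth2/token", headers, body)
        if status not in (200, 201):  # Falcon answers 201 on success
            raise PermissionError(f"token request rejected: HTTP {status}")
        self.token = json.loads(raw)["access_token"]
        return self.token

    def _auth_headers(self):
        if self.token is None:
            self.get_token()
        return {"Authorization": "Bearer " + self.token,
                "Content-Type": "application/json", "Accept": "application/json"}

    @staticmethod
    def hash_indicator(value, action="prevent", severity="high",
                       platforms=("windows", "mac", "linux"), description=""):
        """Validate a hash and shape it as one IOC Management indicator."""
        value = value.strip()
        if len(value) not in HASH_TYPES or not HEX.match(value):
            raise ValueError("expected a 64-hex SHA-256 or a 32-hex MD5")
        return {"type": HASH_TYPES[len(value)], "value": value.lower(),
                "action": action, "severity": severity, "platforms": list(platforms),
                "applied_globally": True, "description": description}

    def block_hash(self, value, description="blocked from SIRP playbook"):
        """What 'Block Hash' reduces to: POST /iocs/entities/indicators/v1."""
        payload = {"indicators": [self.hash_indicator(value, description=description)]}
        status, raw = self.transport(
            "POST", self.base_url + "/iocs/entities/indicators/v1",
            self._auth_headers(), json.dumps(payload).encode())
        data = json.loads(raw) if raw else {}
        if status != 201 or data.get("errors"):
            raise RuntimeError(f"IOC create failed: HTTP {status} {data.get('errors')}")
        return data["resources"][0]["id"]


def fake_falcon(method, url, headers, body):
    """Constructed stand-in for the Falcon API (canned responses, nothing sent)."""
    fake_falcon.calls.append((method, url, headers, body))
    if url.endswith("/oauth2/token") and b"client_secret=" in body:
        return 201, json.dumps({"access_token": "t0k3n", "expires_in": 1799}).encode()
    if url.endswith("/iocs/entities/indicators/v1") and headers.get("Authorization"):
        return 201, json.dumps({"resources": [{"id": "ioc-0001"}], "errors": []}).encode()
    return 403, b'{"errors":[{"code":403,"message":"access denied"}]}'


fake_falcon.calls = []


def last_sent_payload():
    """Decoded JSON body of the most recent fake request (for inspection)."""
    return json.loads(fake_falcon.calls[-1][3])


def demo():
    client = FalconClient("https://api.crowdstrike.com", "client-id", "client-secret",
                          transport=fake_falcon)
    sample = "0123456789abcdef" * 4  # constructed SHA-256-shaped value, not a real sample
    return client.block_hash(sample)


if __name__ == "__main__":
    print("created IOC", demo())
```

To check a freshly created API client against the real cloud before saving it in SIRP, construct FalconClient with the default transport and call get_token(): an HTTP 403 there means the Client ID, secret or Base URL is wrong for that region, and fixing it at this point is cheaper than debugging a failed playbook later.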
