About CrowdStrike
Falcon is the CrowdStrike platform purpose-built to stop breaches via a unified set of cloud-delivered technologies. It prevents all types of sophisticated attacks including malware and ransomware. Falcon gives a comprehensive view of the attack cycle of a threat for faster investigations with deep context.
SIRP integrates with CrowdStrike Falcon for the enrichment of the collected data, visibility into threat patterns, and extended automation for removing or containing threats.
The comprehensive detection capabilities of CrowdStrike Falcon, combined with SIRP’s risk-based SOAR platform, give SOC teams an unparalleled defense posture. SOC teams gain access to active threats, accelerated visibility and detection, and complete information on artifacts for context and threat validation.
Supported Actions
SIRP’s CrowdStrike integration app allows you to execute the following actions:
| S.no | Action | Description |
|---|---|---|
| 1 | Block Domain | Block a domain name on CrowdStrike Falcon |
| 2 | Block Hash | Block a hash on CrowdStrike Falcon |
| 3 | Block IP | Block an IP address on CrowdStrike Falcon |
| 4 | Contain Host | Isolate a host through CrowdStrike Falcon |
| 5 | Delete IP | Remove an IP address from the CrowdStrike Falcon indicators list |
| 6 | Delete Domain | Remove a domain from the CrowdStrike Falcon indicators list |
| 7 | Delete Hash | Remove a hash from the CrowdStrike Falcon indicators list |
| 8 | Get Behaviors | Get behavior details for a particular detection from CrowdStrike Falcon |
| 9 | Get Detections | Get detections (against predefined indicators) from CrowdStrike Falcon |
| 10 | Get Endpoint Details | Get details of a host from CrowdStrike Falcon |
| 11 | Get Incidents | Get new incidents from CrowdStrike Falcon |
| 12 | Get Process Details | Get details of a particular process from CrowdStrike Falcon |
| 13 | Uncontain Host | Lift containment from a previously contained host |
| 14 | Unblock IP | Unblock a previously blocked IP address on CrowdStrike Falcon |
| 15 | Unblock Domain | Unblock a previously blocked domain on CrowdStrike Falcon |
| 16 | Unblock Hash | Unblock a previously blocked hash on CrowdStrike Falcon |
| 17 | Mark As False Positive | Mark a detection as “False Positive” on CrowdStrike Falcon |
| 18 | Close Incident | Close a particular incident on CrowdStrike Falcon |
Enable and Configure the CrowdStrike App
Create CrowdStrike API Credentials
Follow these steps to generate the CrowdStrike API credentials (they are used later in SIRP to enable the CrowdStrike Falcon app):
1. Log in to your Falcon Insight instance.
2. Open Settings from the dashboard.
3. Click the Support drop-down and select API Clients and Keys.
4. In the API Clients and Keys section, click Add new API Client.
5. Select the API scopes the client should be able to read and write.
6. Click Add.
Once the API client is created, the Client ID, Secret and Base URL are generated and shown in a pop-up dialog box. Copy this information for the next step.
Configure The SIRP App
1. Log in to SIRP, then go to Apps from the left navigation bar.
2. Locate the CrowdStrike app.
3. Click the toggle button to enable the app.
4. As soon as you enable the app, you are given the option to add the configuration details. Add the following details and click Save:
   - Host: the CrowdStrike Falcon Base URL
   - Client-ID: the Client ID created in the previous step
   - Client-Secret: the Secret created in the previous step
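Before saving the app configuration, it is worth confirming that the three values actually authenticate. The script below is an added example, not SIRP's or CrowdStrike's own code: it exchanges the configured Host, Client-ID and Client-Secret for a Falcon bearer token via the platform's OAuth2 token endpoint (`/oauth2/token` under the Base URL) and reports the token lifetime, keeping the secret out of the URL and out of log output. The configuration values shown are constructed placeholders; the `opener` parameter is a hypothetical hook so the exchange can be exercised without a network.

```python
import json
import urllib.parse
import urllib.request

# Constructed placeholders for the three fields the SIRP app asks for (not real credentials).
SAMPLE_CONFIG = {
    "host": "https://api.crowdstrike.com/",  # Base URL as shown in the Falcon pop-up
    "client_id": "EXAMPLE_CLIENT_ID",
    "client_secret": "EXAMPLE_CLIENT_SECRET",
}


def build_token_request(host, client_id, client_secret):
    """Return (url, form_body) for Falcon's OAuth2 client-credentials token request.
    The Base URL copied from the pop-up may end in a slash, so it is normalised before the
    endpoint path is appended. The secret travels only in the POST body, never in the URL,
    so it does not land in proxy or web-server access logs.
    """
    if not host.startswith("https://"):
        raise ValueError("Falcon Base URL must use https")
    url = host.rstrip("/") + "/oauth2/token"
    body = urllib.parse.urlencode({"client_id": client_id, "client_secret": client_secret})
    return url, body


def parse_token_response(payload):
    """Return (access_token, expires_in_seconds) from a Falcon token response body."""
    data = json.loads(payload)
    if data.get("token_type", "").lower() != "bearer" or "access_token" not in data:
        raise ValueError("unexpected token response fields: %s" % sorted(data))
    return data["access_token"], int(data["expires_in"])


def redact(secret):
    """Mask a credential for log output, keeping only its last four characters."""
    return "*" * max(len(secret) - 4, 0) + secret[-4:]


def verify_credentials(config, opener=urllib.request.urlopen):
    """Exchange the configured client ID/secret for a token; return the token lifetime in seconds."""
    url, body = build_token_request(config["host"], config["client_id"], config["client_secret"])
    req = urllib.request.Request(
        url, data=body.encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"},
    )
    with opener(req) as resp:  # opener is injectable so the exchange can be exercised offline
        _token, expires_in = parse_token_response(resp.read())
    print("client %s authenticated; token valid for %d s" % (redact(config["client_id"]), expires_in))
    return expires_in
```

Run `verify_credentials` with the real values before pasting them into SIRP; an HTTP 403 from the token endpoint means the Client ID or Secret is wrong or the client was created without the scopes the supported actions need.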
CrowdStrike In Action
Once the integration between SIRP and CrowdStrike is complete, you can execute any of the supported actions. For example, click a hash, then select CrowdStrike Falcon > Block Hash.
Once the action executes successfully, the hash is blocked within CrowdStrike EDR.