Endpoint enrichment - Crowdstrike
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
When a new Microsoft Sentinel incident is created, this playbook gets triggered and performs below actions:
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | CrowdStrike Falcon Endpoint Protection |
| Source | View on GitHub |
Logic App Connectors
This playbook uses 3 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azuresentinel |
Managed | 1 | 2 |
http |
Built-in | 0 | 4 |
workflow |
Built-in | 0 | 1 |
Action parameters (URLs, paths, function IDs)
azuresentinel (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Add_comment_to_incident_(V3) | post | /Incidents/Comment |
— |
| Entities_-_Get_Hosts | post | /entities/host |
— |
http (Built-in)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| HTTP-Get_detection_information | POST | @{body('CrowdStrike_Base')?['FalconHost']}/detects/entities/summaries/GET/v1 |
— |
| HTTP_-Search_for_detections | GET | @{body('CrowdStrike_Base')?['FalconHost']}/detects/queries/detects/v1?filter=first_behavior:>'@{variables('Timestamp')}'&device_id:'@{body('Parse_JSON_Get_device_id_response')?['resources']?[0]}'&sort=first_behavior.desc |
— |
| HTTP_-Get_device_information | GET | @{body('CrowdStrike_Base')?['FalconHost']}/devices/entities/devices/v1?ids=@{body('Parse_JSON_Get_device_id_response')?['resources']?[0]} |
— |
| HTTP_-_Get_device_id | GET | @{body('CrowdStrike_Base')?['FalconHost']}/devices/queries/devices/v1?filter=hostname:'@{body('Entities_-_Get_Hosts')?['Hosts']?[0]?['HostName']}' |
— |
workflow (Built-in)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| CrowdStrike_Base | — | — | workflowId=[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name ,'/providers/Microsoft.Logic/workflows/', parameters('CrowdStrike_Base_Playbook_Name'))]triggerName= manual |
Additional Documentation
📄 Source: CrowdStrike_Enrichment_GetDeviceInformation/readme.md
Crowdstrike_Enrichment_GetDeviceInformation
Summary
When a new Microsoft Sentinel incident is created, this playbook gets triggered and performs below actions:
- Fetches the device information from Crowdstrike
- Enrich the incident with device information from Crowdstrike
Prerequisites
- Azure Key vault is required for storing the Crowdstrike ClientID and Secrets, create key vault if not exists learn how
- Add Crowdstrike Client ID and Client Secret in Key vault secrets and capture the keys which are required during the template deployment
- CrowdStrike_Base playbook needs to be deployed prior to the deployment of this playbook under the same subscription and under the same resource group.
- CrowdStrike_Base playbook needs to be added in the access policy of the Key Vault learn how
Deployment instructions
- Deploy the playbook by clicking on "Deploy to Azure" button. This will take you to deploying an ARM Template wizard.
- Fill in the required parameters:
- Playbook_Name: Enter the playbook name here (Ex:Crowdstrike_ContainHost)
- CrowdStrike_Base_Playbook_Name : Enter the base playbook name here (Ex:CrowdStrike_Base)
Post-Deployment instructions
a. Authorize connections
Once deployment is complete, you will need to authorize connections.
- Click the Microsoft Sentinel connection resource
- Click edit API connection
- Click Authorize
- Sign in
- Click Save
b. Configurations in Sentinel
- In Microsoft sentinel analytical rules should be configured to trigger an incident with risky device
- Configure the automation rules to trigger this playbook
Playbook steps explained
When Microsoft Sentinel incident creation rule is triggered
Microsoft Sentinel incident is created. The playbook receives the incident as the input.
Entities - Get Hosts
Get the list of risky devices as entities from the Incident
Initialize_variable_comment
Initialize a string variable to store comments to update in the incident
Initialize variable timestamp
Initialize timestamp variable to hold the timestamp for the past 3 days
CrowdStrike Base
Call the base logic App to get access token and Falcon Host URL
HTTP-Get device id
This gets the device id from crowdstrike by filtering on hostname
Parse JSON Get device id response
This prepares Json message for the device id response
Condition to check if device is present in crowdstrike
- If device is present, get the device information from crowdstrike API and prepares HTML table with required information
- Set the timestamp for past 3 days and search for detections on the host and get the detection information
- check if detection information is present create HTML table for detection information
Compose image to add in the incident
This action will compose the Crowdstrike image to add to the incident comments
Add a comment to the incident with the information
This action will enrich the incident with the constructed HTML table with device information
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
↑ Back to Playbooks · Back to CrowdStrike Falcon Endpoint Protection