Hey everyone, the integrations team is building out additional plugin actions for the Crowdstrike Falcon plugin for InsightConnect. We currently have capabilities to get detections, get detection information, update detections, search for detection IDs, get device information, search for devices, and contain or lift a containment of a device. We are currently adding capabilities to blacklist a hash, get agent details, and run an antivirus scan.
If you use Crowdstrike Falcon in your environment, we would love to hear from you in a comment or slack message with automation use cases, or any new actions / features / fixes you would like to see in the plugin!
I would like to be able to run Crowdstrike Falcon RTR commands as part of triage workflows or even ad hoc commands via chat-ops.
As part of an automated triage workflow for Falcon detection events:
after notifications, setting up case in ticketing/case mgmt systems, etc…
run/capture “pslist”, “ipconfig” and “netstat” at beginning of triage to avoid losing ephemeral evidence.
contain the host (after collecting network/process data).
Automatically, optionally or by analyst request
run/capture “ls” for folders where suspect processes wrote data to disk.
run/capture “filehash” on files written by suspect processes.
collect hash reputation data from VT or other like services
collect IP reputation for external targets - might need to set limits to exclude browsers/processes with huge lists of IPs
“get” the written/suspect files/evidence.
memory dump collection, after confirming sufficient disk space to do so.
As the results might be too large for a chat response, some could maybe be included as attachments, others might be directed to the ticketing/case mgmt. system.
Other use cases:
ad hoc run any of the built in commands and gather output
run cloud staged scripts, or an ad hoc PS script/or command
“put” an IR tool or script on the remote device, run that tool and “get” the results.
“get” malware artifacts
“rm” files/malware artifacts
export log files
ad hoc actions, including triage workflows on batch lists of devices
The announcement of Falcon Forensics may make some or all of this moot depending on how that unfolds. Nonetheless, the ability to quickly enrich case details, respond to detections, and automate certain recovery actions should speed triage, incident response, and time to resolution.
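An added example, written for this thread and not code from the plugin or from the poster above: a Python helper for the "netstat" capture and the IP-reputation limit in the workflow above. It assumes Windows-style "netstat -ano" text (a constructed sample is embedded), a fixed list of internal address ranges, and leaves the actual reputation lookup to whatever service the workflow uses.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of Windows "netstat -ano" output; not captured from a real host.
SAMPLE_NETSTAT = """\
  Proto  Local Address      Foreign Address      State        PID
  TCP    10.0.0.5:49710     203.0.113.7:443      ESTABLISHED  4120
  TCP    10.0.0.5:49711     198.51.100.23:8443   ESTABLISHED  4120
  TCP    10.0.0.5:49712     192.168.1.10:445     ESTABLISHED  4
  TCP    10.0.0.5:49720     203.0.113.50:443     ESTABLISHED  7788
  TCP    10.0.0.5:49721     203.0.113.51:443     ESTABLISHED  7788
  TCP    10.0.0.5:49722     203.0.113.52:443     ESTABLISHED  7788
  TCP    10.0.0.5:49723     203.0.113.53:443     TIME_WAIT    7788
  TCP    127.0.0.1:5000     127.0.0.1:49730      ESTABLISHED  1532
  UDP    0.0.0.0:5353       *:*                               2200
"""
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")

# Assumed internal ranges to skip; the documentation ranges in the sample count as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "224.0.0.0/4", "0.0.0.0/8", "::1/128", "fe80::/10", "fc00::/7")]


def external_ips_by_pid(netstat_text):
    """Map each PID to the set of external foreign IPs it had a socket to."""
    by_pid = defaultdict(set)
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank or unparseable line
        foreign, pid = m.group(3), m.group(5)
        host = foreign.rpartition(":")[0].strip("[]")  # also handles [v6]:port
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue  # "*" or an unresolved name
        if any(ip in net for net in INTERNAL_NETS):
            continue
        by_pid[pid].add(str(ip))
    return dict(by_pid)


def reputation_candidates(by_pid, per_process_cap=3):
    """Return (ips_to_look_up, skipped_pids). Processes holding more than
    per_process_cap external IPs (browsers, CDN-heavy apps) are excluded so
    the lookup budget is not spent on noise."""
    skipped = sorted(pid for pid, ips in by_pid.items() if len(ips) > per_process_cap)
    ips = set().union(*(ips for pid, ips in by_pid.items() if pid not in skipped))
    return sorted(ips), skipped
```

The skipped PIDs are worth recording in the case notes so an analyst can still request their addresses on demand.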
Hey @jim_lawhon, thank you for the detailed response - this is exactly the kind of feedback we are looking out for. We’ve heard from a few customers the request to automate out Crowdstrike Falcon RTR commands. My team is investigating a few of these use cases further and will keep you updated as we push features out.
We released an update today to the Crowdstrike Falcon plugin where we added the action “Run Real Time Response Commands.” The action is built open-ended - you enter any RTR command into the string input box, and if the command is valid it will run the command remotely. Here’s the updated Crowdstrike Falcon listing on the extension library: Rapid7 Extensions
We hope this will help build out some of the triage workflows you outlined above. Let us know if you have more feedback.
The plugin has received updates. The last update was March 23 of this year. If you navigate to the plugin page Rapid7 Extensions, you will see on the right-hand side a change log. You can see all updates the plugin has received via the change log.
If you are interested only in knowing what actions and triggers the plugin supports, you can navigate to the documentation tab for the plugin and view the tabs on the left-hand navigation page for a list of the plugin’s capabilities.
We currently do not have any new actions planned for the plugin, but always welcome feedback. Is there something specific you are trying to do with the Crowdstrike Plugin?