Crowdstrike Falcon plugin for InsightConnect

Hey everyone, the integrations team is building out additional plugin actions for the Crowdstrike Falcon plugin for InsightConnect. We currently have capabilities to get detections, get detection information, update detections, search for detection IDs, get device information, search for devices, and contain or lift a containment of a device. We are currently adding capabilities to blacklist a hash, get agent details, and run an antivirus scan.

If you use Crowdstrike Falcon in your environment, we would love to hear from you in a comment or slack message with automation use cases, or any new actions / features / fixes you would like to see in the plugin!

I would like to be able to run Crowdstrike Falcon RTR commands as part of triage workflows or even ad hoc commands via chat-ops.

As part of an automated triage workflow for Falcon detection events:

  • after notifications, setting up case in ticketing/case mgmt systems, etc…
  • run/capture “pslist”, “ipconfig” and “netstat” at beginning of triage to avoid losing ephemeral evidence.
  • contain the host (after collecting network/process data).

Automatically, optionally, or by analyst request:

  • run/capture “ls” for folders where suspect processes wrote data to disk.
  • run/capture “filehash” on files written by suspect processes.
  • collect hash reputation data from VT or other like services
  • collect IP reputation for external targets - might need to set limits to exclude browsers/processes with huge lists of IPs
  • “get” the written/suspect files/evidence.
  • memory dump collection, after confirming sufficient diskspace to do so.

As the results might be too large for a chat response, some could maybe be included as attachments, others might be directed to the ticketing/case mgmt. system.

Other use cases:

  • ad hoc run any of the built in commands and gather output
  • run cloud staged scripts, or an ad hoc PS script/or command
  • “put” an IR tool or script on the remote device, run that tool and “get” the results.
  • “get” malware artifacts
  • “rm” files/malware artifacts
  • export log files
  • ad hoc actions, including triage workflows on batch lists of devices

The announcement of Falcon Forensics may make some or all of this moot depending on how that unfolds. Nonetheless, the ability to quickly enrich case details, respond to detections, and automate certain recovery actions should speed triage, incident response, and time to resolution.

Hey @jim_lawhon, thank you for the detailed response - this is exactly the kind of feedback we are looking for. We’ve heard from a few customers the request to automate Crowdstrike Falcon RTR commands. My team is investigating a few of these use cases further and will keep you updated as we push features out 👍