ciscosecurity/tr-05-crowdstrike

By ciscosecurity

Updated 10 months ago

CrowdStrike Relay (Cisco Hosted)

Version 2.0.0

  • Replaced full metadata search with Falcon Query Language for more persistent data.
  • Updated the Sighting creation flow: a Sighting is now created for every behavior rather than for every detection.
  • Updated Sighting relations to have no floating nodes.

Version 1.0.7

  • Fixed vulnerabilities.
  • CrowdStrike sightings mapping adjustment.

Version 1.0.6

  • Fixed vulnerabilities.
  • Outdated "Cisco SecureX Threat Response" identifier.

Version 1.0.5

  • Improved data accuracy in relations.
  • Added target related "relations".
  • Minor formatting fixes.

Version 1.0.4

  • Added user-agent in falconpy.
  • Fixed supported types and added filtration.
  • Added 'relations' fields to Sighting.

Version 1.0.1

  • Updated field to filter by.
  • Updated query param name.
  • Added time range to /observe/observables endpoint.
  • Fixed CrowdStrike Pivot menu error for filename search.

Version 1.0.0

Implemented Relay Endpoints

  • POST /health

    • Authenticates to the underlying external service to check that the provided credentials are valid and the service is currently available.
  • POST /observe/observables

    • Accepts a list of observables and filters out unsupported ones.
    • Makes a series of requests to the underlying external service to query for cyber threat intelligence data (the detections, in our case) on each supported observable.
    • Maps the fetched data into appropriate CTIM entities.
    • Returns a list per each of the following CTIM entities (if any extracted):
      • Sighting
      • Indicator
      • Relationship
  • POST /refer/observables

    • Accepts a list of observables and filters out unsupported ones.
    • Maps the fetched data into appropriate CTIM entities.
    • Creates a refer object and returns it in the relay output.
  • POST /respond/observables

    • Accepts a list of observables and filters out unsupported ones.
    • Makes a series of requests to the underlying external service to query for the actions available for the given observables.
    • Returns a list of those actions.
  • POST /respond/trigger

    • Accepts an observable and an action.
    • Triggers the action at the underlying external service.
    • Returns the action result.
Supported Types of Observables (/observe/observables)

  • file_name
  • file_path
  • hostname
  • md5
  • sha256
  • process_name
  • process_args
  • crowdstrike_id

Supported Types of Observables (/respond/observables)

  • domain
  • ip
  • ipv6
  • md5
  • sha256

CTIM Mapping Specifics

Each response from the CrowdStrike API for the supported observables generates the following CTIM entities:

  • Sighting
  • Indicator
  • Relationship
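The following Python example is added here to illustrate the /observe/observables flow described above (filter unsupported observables, then map a detection into Sighting, Indicator and Relationship entities, with one Sighting per behavior as introduced in 2.0.0). It is not the module's own code. The detection shape, the per-type value patterns, the CTIM field subset and the relation labels are assumptions made for the illustration; the sample detection is constructed. The two check functions at the end verify the "no floating nodes" property: every relation endpoint appears in the Sighting's observables and every Relationship points at an entity in the bundle.

```python
import re
import uuid

# Types accepted by /observe/observables, as listed on the page. The pattern per type is an
# added input check (assumption, not the project's code): observable values arrive from the
# caller and are later embedded in queries, so malformed values are rejected up front.
OBSERVE_TYPES = {
    "md5": r"^[0-9a-fA-F]{32}$",
    "sha256": r"^[0-9a-fA-F]{64}$",
    "hostname": r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$",
    "file_name": r"^[^'\x00-\x1f]{1,255}$",
    "file_path": r"^[^'\x00-\x1f]{1,1024}$",
    "process_name": r"^[^'\x00-\x1f]{1,255}$",
    "process_args": r"^[^'\x00-\x1f]{1,4096}$",
    "crowdstrike_id": r"^[A-Za-z0-9:._-]{1,128}$",
}

# Relation labels used inside Sighting.relations (assumed labels for this illustration).
RELATION_FILE_NAME_OF = "File_Name_Of"
RELATION_EXECUTED_ON = "Executed_On"


def filter_observables(observables):
    """Split observables into (accepted, rejected): unsupported types and malformed values are rejected."""
    accepted, rejected = [], []
    for obs in observables:
        pattern = OBSERVE_TYPES.get(obs.get("type"))
        if pattern and re.match(pattern, str(obs.get("value", ""))):
            accepted.append(obs)
        else:
            rejected.append(obs)
    return accepted, rejected


def transient_id(kind):
    """CTIM transient id; the receiving side replaces it with a persistent one."""
    return f"transient:{kind}-{uuid.uuid4()}"


def _unique(observables):
    seen, out = set(), []
    for o in observables:
        if (o["type"], o["value"]) not in seen:
            seen.add((o["type"], o["value"]))
            out.append(o)
    return out


def map_detection(detection, observable):
    """One Sighting per behavior, one Indicator per distinct (tactic, technique),
    and a 'sighting-of' Relationship linking each Sighting to its Indicator."""
    host_obs = {"type": "hostname", "value": detection["device"]["hostname"]}
    indicators, sightings, relationships = {}, [], []
    for behavior in detection["behaviors"]:
        key = (behavior["tactic"], behavior["technique"])
        if key not in indicators:
            indicators[key] = {
                "type": "indicator", "schema_version": "1.1", "id": transient_id("indicator"),
                "producer": "CrowdStrike", "title": f"{key[0]}: {key[1]}",
                "valid_time": {"start_time": behavior["timestamp"]},
            }
        file_obs = {"type": "sha256", "value": behavior["sha256"]}
        name_obs = {"type": "file_name", "value": behavior["filename"]}
        observed = {"start_time": behavior["timestamp"]}
        sighting = {
            "type": "sighting", "schema_version": "1.1", "id": transient_id("sighting"),
            "confidence": "High", "count": 1, "observed_time": observed,
            # Every observable referenced by a relation is also listed here (no floating nodes).
            "observables": _unique([observable, file_obs, name_obs, host_obs]),
            "relations": [
                {"origin": "CrowdStrike", "relation": RELATION_FILE_NAME_OF, "source": name_obs, "related": file_obs},
                {"origin": "CrowdStrike", "relation": RELATION_EXECUTED_ON, "source": file_obs, "related": host_obs},
            ],
            "targets": [{"type": "endpoint", "observables": [host_obs], "observed_time": observed}],
        }
        sightings.append(sighting)
        relationships.append({
            "type": "relationship", "schema_version": "1.1", "id": transient_id("relationship"),
            "relationship_type": "sighting-of",
            "source_ref": sighting["id"], "target_ref": indicators[key]["id"],
        })
    return {"sightings": sightings, "indicators": list(indicators.values()), "relationships": relationships}


def floating_relation_observables(sighting):
    """Relation endpoints missing from the Sighting's observables; an empty list means no floating nodes."""
    known = {(o["type"], o["value"]) for o in sighting["observables"]}
    return [o for rel in sighting["relations"] for o in (rel["source"], rel["related"])
            if (o["type"], o["value"]) not in known]


def dangling_refs(bundle):
    """Relationships whose source_ref or target_ref is not an entity in the bundle."""
    ids = {e["id"] for k in ("sightings", "indicators") for e in bundle[k]}
    return [r for r in bundle["relationships"] if r["source_ref"] not in ids or r["target_ref"] not in ids]


# Constructed sample detection, loosely shaped after a detections API response (not real data).
SAMPLE_DETECTION = {
    "detection_id": "ldt:EXAMPLE-DEVICE:1",
    "device": {"hostname": "WS-0042"},
    "behaviors": [
        {"behavior_id": "b1", "timestamp": "2024-01-15T10:22:31Z", "sha256": "a" * 64,
         "filename": "dropper.exe", "tactic": "Execution", "technique": "Command and Scripting Interpreter"},
        {"behavior_id": "b2", "timestamp": "2024-01-15T10:22:35Z", "sha256": "b" * 64,
         "filename": "stage2.dll", "tactic": "Persistence", "technique": "Registry Run Keys"},
    ],
}


def demo():
    """Run the flow on constructed input: one supported observable, one unsupported type, one malformed value."""
    accepted, rejected = filter_observables([
        {"type": "sha256", "value": "a" * 64},
        {"type": "ip", "value": "10.0.0.1"},          # not supported by /observe/observables
        {"type": "md5", "value": "not-a-hash'"},      # malformed value, rejected by the pattern
    ])
    return accepted, rejected, map_detection(SAMPLE_DETECTION, accepted[0])
```

Rejecting malformed values before any query is built matters because the relay turns caller-supplied observables into search filters against the external service; the check functions are the kind of assertion worth keeping in the module's tests so that a mapping change cannot silently reintroduce floating nodes or dangling references.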

Docker Pull Command

docker pull ciscosecurity/tr-05-crowdstrike