The CrowdStrike’s Falcon platform provides protection on critical areas of enterprise risk including endpoints and cloud workloads, identity, and data. Its Endpoint Detection and Response capabilities not only provide alerts on discovered threats but also provide a holistic view of threats and intelligence across all the hosts. Therefore, it is very useful for the security team to leverage CrowdStrike API to automate security tasks such as investigation, response, and report. In this blog, we will cover
- Top 3 use cases leveraging CrowdStrike API
- Typical CrowdStrike API Functionalities
- Set up a connection with CrowdStrike in 5 minutes
- How to orchestrate CrowdStrike with other products to achieve automation
- End to end automation example
Top 3 Security Automation Use Cases with CrowdStrike API:
Security analysts have implemented quite a few automation use cases related to CrowdStrike, for example:
- Enrich other security detections with threats discovered from CrowdStrike
- Automate and aggregate CrowdStrike reporting on Popular Data Analytics Tools such as PowerBI
- Synchronize other security products with CrowdStrike on Incident Status
CrowdStrike API Functionalities:
CrowdStrike has a set of APIs supporting functionalities like
- threat intelligence on indicators, reports, and rules
- detections
- Detection and prevention policy
- Host information
- Real-time response
- File Analysis
- IoCs and their details
- Firewall management
- etc.
Connect To CrowdStrike:
CrowdStrike is using OAuth2 for API Integration authentication. OAuth2 is an industry-standard Specification. It provides a time-sensitive token once the client sends the server the client Id and the client secrete.
To connect to the CrowdStrike API server, You will need to specify API URL, Client Id, and Client Secret.
You can find Client ID, Client Secret on Falcon Console.
Once you fill in this information on the UI, you will be able to connect to CrowdStrike API server and trigger actions.
Orchestrate CrowdStrike with Other Products for Security Automation
Security analysts are leveraging CrowdStrike API to achieve automation such as use cases listed on 1. In order to orchestrate CrowdStrike actions with another platform, you will need to take a few steps to make them start talking.
Let’s take a look at “get host Info” action on CrowdStrike.
Besides specifying Server for connection, you will need to specify Input and Output.
In this particular use case, input is the hostId and output is detailed host info. You can either specify hostId directly on the panel or retrieve it from the previous node (or products in the upstream workflow). You do not need to write any code here. Once executed, you will see the results on the right panel.
End to End Use Case Example:
Here is an example of end-to-end automation for creating reporting for CrowdStrike detections and threat intelligence on PowerBI. It pulls detections from CrowdStrike and updates your PowerBI workspace automatically. So, you will always get refreshed data sets in PowerBI for reporting.
Check out more details here.
When you are ready, here are two ways we can help
- Schedule a free consultation to discover the solution for you and your team (schedule here)
- Sign up DTonomy’s Automation platform here to start building automation for crowdstrike.
Additional Information:
Try out DTonomy Automation Community Edition and Start automation tasks related to CrowdStrike today!
Continuous Security Reporting using popular BI tools – AI-Based Analysis and Response