CrowdStrike’s Falcon platform provides protection across critical areas of enterprise risk, including endpoints and cloud workloads, identity, and data. Its Endpoint Detection and Response capabilities not only alert on discovered threats but also give a holistic view of threats and intelligence across all hosts. It is therefore very useful for a security team to leverage the CrowdStrike API to automate security tasks such as investigation, response, and reporting. In this blog, we will cover
Security analysts have implemented quite a few automation use cases related to CrowdStrike, for example:
CrowdStrike has a set of APIs supporting functionalities like
CrowdStrike uses OAuth2 to authenticate API integrations. OAuth2 is an industry-standard specification: once the client sends the server its Client ID and Client Secret, the server issues a time-limited access token.
To connect to the CrowdStrike API server, you will need to specify the API URL, Client ID, and Client Secret.
You can find the Client ID and Client Secret on the Falcon Console.
Once you fill in this information on the UI, you will be able to connect to the CrowdStrike API server and trigger actions.
Security analysts are leveraging the CrowdStrike API to achieve automation such as the use cases listed above. To orchestrate CrowdStrike actions with another platform, you will need to take a few steps to get the two talking to each other.
Let’s take a look at the “get host info” action on CrowdStrike.
Besides specifying the Server for the connection, you will need to specify the Input and Output.
In this particular use case, the input is the hostId and the output is the detailed host info. You can either specify the hostId directly on the panel or retrieve it from the previous node (or from products upstream in the workflow). You do not need to write any code here. Once executed, you will see the results on the right panel.
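Below is an added Python example, not DTonomy's or CrowdStrike's own code, that ties the two steps above together: the OAuth2 client-credentials exchange that turns the Client ID and Client Secret into a time-limited token, and a “get host info” call that spends it. The base URL and endpoint paths are assumptions taken from CrowdStrike's public API documentation, FalconClient and FakeFalcon are names chosen here, and FakeFalcon is a constructed stand-in so the code runs offline; against the real API you would pass a requests.Session() in its place and read the credentials from a secret store rather than the source.

```python
import time
from types import SimpleNamespace

# Added example, not DTonomy's or CrowdStrike's own code. Endpoint paths follow
# CrowdStrike's public API docs as I know them; verify them for your Falcon cloud.
BASE_URL = "https://api.crowdstrike.com"
TOKEN_PATH = "/oauth2/token"
HOST_PATH = "/devices/entities/devices/v2"
REFRESH_MARGIN = 60  # seconds before expiry at which a fresh token is fetched


class FalconClient:
    """OAuth2 client-credentials wrapper that caches the time-limited token."""
    def __init__(self, client_id, client_secret, session, clock=time.time):
        # `session` is anything with requests.Session-style post()/get().
        self.client_id, self.client_secret = client_id, client_secret
        self.session, self.clock = session, clock
        self._token, self._expires_at = None, 0.0

    def token(self):
        """Return a valid bearer token, re-authenticating only when near expiry."""
        if self._token is None or self.clock() >= self._expires_at - REFRESH_MARGIN:
            resp = self.session.post(BASE_URL + TOKEN_PATH, data={
                "client_id": self.client_id, "client_secret": self.client_secret})
            resp.raise_for_status()
            body = resp.json()
            self._token = body["access_token"]
            self._expires_at = self.clock() + int(body["expires_in"])
        return self._token

    def get_host_info(self, host_id):
        """The "get host info" action: fetch one device record by host ID."""
        resp = self.session.get(BASE_URL + HOST_PATH, params={"ids": host_id},
                                headers={"Authorization": "Bearer " + self.token()})
        resp.raise_for_status()
        resources = resp.json().get("resources", [])
        return resources[0] if resources else None


class FakeFalcon:  # constructed stand-in for the API server so this runs offline
    token_calls = 0

    def post(self, url, data):  # token endpoint: issue a token valid ~30 minutes
        self.token_calls += 1
        return _response({"access_token": f"tok{self.token_calls}", "expires_in": 1799})

    def get(self, url, params, headers):  # device lookup echoing the requested ID
        assert headers["Authorization"].startswith("Bearer tok")
        return _response({"resources": [{"device_id": params["ids"], "hostname": "ws-01"}]})


def _response(body):
    return SimpleNamespace(raise_for_status=lambda: None, json=lambda: body)
```

The clock parameter exists so the refresh-before-expiry logic can be exercised without waiting thirty minutes; in production leave it at the default.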
Here is an example of end-to-end automation for creating reports on CrowdStrike detections and threat intelligence in Power BI. It pulls detections from CrowdStrike and updates your Power BI workspace automatically, so you always get refreshed data sets in Power BI for reporting.
Check out more details here.
Try out DTonomy Automation Community Edition and start automating tasks related to CrowdStrike today!