Crowdstrike

Host containment

Intro

This document describes using Stamus Networks’ chained webhook mechanism in order to provide integrated detection and response with CrowdStrike EDR resulting in containing (quarantining) the offending host upon Declaration of Compromise® Declaration of Compromise®.

Setup CrowdStrike authentication

Please generate access RestAPI keys and tokens via the official CrowdStrike site Generated and obtain: Auth url , Client id , Client secret.

Clear NDR® Configuration

In the Administration menu , from the upper left corer drop down, select Integrations. From the left hand side menu , select Configure providers. Fill in the Auth url , Client id , Client secret. Click Submit.

CrowdStrike contain  response integration example

Create a workflow for the integration - In the Administration menu , from the upper left corer drop down, select Integrations. From the left hand side menu , select Add workflow.

CrowdStrike containment needs 2 calls. The first one to get the resource id of the host. The second one to contain it - meaning a RestAPI call to block/quarantine the network on the host via the CrowdStrike falcon agent.

Select the CrowdStrike provider , select DoC type of response:

CrowdStrike contain response integration example

Set up one webhook to fetch the recourse id and the second one to do the action/contain.

Get the resource id

webhook_1: `https://api.us-2.crowdstrike.com/devices/queries/devices/v1?filter=local_ip:'{{asset.value}}'`

HTTP method: GET

Headers: Content-Type: application/json

CrowdStrike contain response integration example

Contain the host

webhook_2: https://api.us-2.crowdstrike.com/devices/entities/devices-actions/v2?action_name=contain
CrowdStrike contain response integration example

HTTP method: POST

Headers: Content-Type: application/json

Stop condition (if applicable) - meaning exclude or do not engage the response/quarantine in certain conditions.

Here multiple or conditions can be added to set exclusions, for example: or asset.value == "10.136.0.222" or asset.value == "10.136.0.223".

The first condition if not webhook_1.json.resources is set so the call is executed only if the resource id from the previous webhook_1 is available:

{% if not webhook_1.json.resources or asset.value == "10.136.0.222" %}
true
{% endif %}

Template content:

{
  "action_parameters": [
    {
      "name": "DoC {{asset.value}}",
      "value": "{{threat.name}}"
    }
  ],
  "ids": {{ webhook_1.json.resources | tojson }}
}

Verify and test

In this step a verification of the full sequence is triggered. In the example below the communication and process works. There is simply a stop condition that takes effect and no host is contained.

CrowdStrike contain response integration example

Click Submit

Additional CrowdStrike information:

Videos:

Rest API: