Package Exports
@gillesvilleneuve/crowdstrike-falcon does not declare an exports field, so JSPM detects and optimizes the package's exports automatically. If a package subpath is missing, report it to the original package so that it can add an "exports" field; if that is not possible, create a JSPM override to customize the exports field for this package.
Readme
CrowdStrike Falcon Integration for Active Pieces
This custom piece for Active Pieces integrates with the CrowdStrike Falcon API so that security automation workflows can manage incidents, network-contain (isolate) hosts, and run Real Time Response (RTR) commands on endpoints.
Features
- Incident Management: Search, retrieve, and update incidents
- Host Isolation: Isolate hosts, lift isolation, and check isolation status
- Real-Time Response: Initialize sessions, execute commands, and retrieve files
- MSSP Support: Flexible authentication for managing multiple customer environments
Installation
Prerequisites
- Active Pieces environment (version 0.5.0 or higher)
- CrowdStrike Falcon API credentials (Client ID and Client Secret) for an API client that has the API scopes the actions need
- Node.js and npm
Setup Instructions
- Clone this repository or download the source code
- Navigate to the project directory
- Install dependencies:
npm install
- Build the piece:
npm run build
- Deploy the built piece to your Active Pieces environment
Authentication
This integration authenticates to the CrowdStrike Falcon API with the OAuth2 client-credentials flow: the Client ID and Client Secret are exchanged for a short-lived bearer token that is sent with every API call. You'll need to provide:
- API Base URL: The CrowdStrike API endpoint for the cloud region that hosts your CID, e.g. https://api.crowdstrike.com (US-1), https://api.us-2.crowdstrike.com (US-2), https://api.eu-1.crowdstrike.com (EU-1) or https://api.laggar.gcw.crowdstrike.com (US-GOV-1)
- Client ID: Your CrowdStrike API client ID
- Client Secret: Your CrowdStrike API client secret. It is shown only once, when the API client is created, so store it in the Active Pieces secret store rather than in flow definitions or logs
Each MSSP customer environment can have its own authentication configuration, i.e. a separate API client (and Base URL) per customer CID.
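The token exchange described above, as an added example in TypeScript (the piece's language). This is not code from the @gillesvilleneuve/crowdstrike-falcon package; it assumes the Falcon token endpoint is POST {baseUrl}/oauth2/token with a form-encoded body returning access_token and expires_in, and it treats the optional member_cid parameter for MSSP child CIDs as an assumption to verify against the API reference. The HTTP transport is injected so the caching logic can be exercised offline; in a real piece you would pass the global fetch.

```typescript
// Added example, not the package's own code: OAuth2 client-credentials token
// provider for the CrowdStrike Falcon API with in-memory caching and early refresh.

// Minimal fetch-like signature so the code does not depend on a particular runtime.
type FetchLike = (
  url: string,
  init: { method: string; headers: Record<string, string>; body?: string },
) => Promise<{ status: number; json(): Promise<any> }>;

export interface FalconAuthConfig {
  baseUrl: string;      // region-specific, e.g. https://api.crowdstrike.com
  clientId: string;
  clientSecret: string; // keep in the platform secret store, never in flow JSON or logs
  memberCid?: string;   // assumption: MSSP child CID passed as the member_cid form field
}

export interface TokenProvider {
  getToken(now?: number): Promise<string>;
  requests: number; // how many times the token endpoint was actually called
}

export function createTokenProvider(
  cfg: FalconAuthConfig,
  fetchImpl: FetchLike,
  refreshSkewMs = 60_000, // refresh this long before expiry so in-flight calls never race the deadline
): TokenProvider {
  let cached: { token: string; expiresAt: number } | null = null;
  const provider: TokenProvider = {
    requests: 0,
    async getToken(now = Date.now()) {
      if (cached && now < cached.expiresAt - refreshSkewMs) return cached.token;

      const form = new URLSearchParams({ client_id: cfg.clientId, client_secret: cfg.clientSecret });
      if (cfg.memberCid) form.set('member_cid', cfg.memberCid);

      const res = await fetchImpl(`${cfg.baseUrl.replace(/\/+$/, '')}/oauth2/token`, {
        method: 'POST',
        headers: { 'Content-Type': 'application/x-www-form-urlencoded', Accept: 'application/json' },
        body: form.toString(),
      });
      provider.requests++;

      // Falcon answers 201 on success; do not echo the request body into the error,
      // because it contains the client secret.
      if (res.status !== 200 && res.status !== 201) {
        throw new Error(`Falcon token request failed with HTTP ${res.status}`);
      }
      const data = await res.json();
      if (typeof data.access_token !== 'string') {
        throw new Error('Falcon token response did not contain access_token');
      }
      // Tokens are short-lived (expires_in is reported in seconds; ~30 minutes today).
      const ttlMs = (typeof data.expires_in === 'number' ? data.expires_in : 1799) * 1000;
      cached = { token: data.access_token, expiresAt: now + ttlMs };
      return cached.token;
    },
  };
  return provider;
}
```

Wrap every API call with `await provider.getToken()` and put the result in an `Authorization: Bearer` header; the provider only goes back to the token endpoint when the cached token is within one minute of expiring, which keeps a busy flow from hammering /oauth2/token and leaking the secret into request logs more often than necessary.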
Available Actions
Incident Management
- Search Incidents: Search for incidents using FQL (Falcon Query Language) filters with sorting and paging; the search returns incident IDs, which the next action turns into full records
- Get Incident Details: Retrieve detailed information about specific incidents by their IDs
- Update Incidents: Perform actions on incidents such as status updates, assignment, or tagging
Host Isolation
- Isolate Host: Network-contain a host (CrowdStrike's term for isolation); a contained host can only talk to the Falcon cloud and any addresses allowlisted in the containment policy
- Lift Host Isolation: Remove containment from a previously contained host
- Check Host Isolation Status: Read the host's current containment status (normal, containment_pending, contained or lift_containment_pending)
Real-Time Response
- Initialize RTR Session: Create a new RTR session with a host
- Execute RTR Command: Execute a read-only command (ls, cat, ps, netstat, ...) or an active responder command (cp, mv, rm, kill, get, ...) on a host; the two classes use different API endpoints and require different API scopes
- Check RTR Command Status: Check the status of a previously executed command
- Get RTR File Contents: Retrieve file contents extracted during an RTR session
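The Real-Time Response actions above (and the RTR steps of the Threat Hunting workflow below) chain together as session, command, status poll, and session teardown. The following is an added example in TypeScript and not the package's own code; it assumes the Falcon endpoints POST /real-time-response/entities/sessions/v1, POST /real-time-response/entities/command/v1 (read-only commands), POST /real-time-response/entities/active-responder-command/v1 (active responder commands), the matching GET status endpoints keyed by cloud_request_id, and DELETE /real-time-response/entities/sessions/v1 for cleanup. The HTTP transport is an injected function so the flow can be exercised offline; the command allowlist is a constructed, deliberately small set.

```typescript
// Added example, not the package's own code: run one RTR command on a host,
// poll until it completes, and always close the session afterwards.

export type ApiCall = (method: 'GET' | 'POST' | 'DELETE', path: string, body?: unknown) => Promise<any>;

// Allowlist of base commands the automation may issue. Read-only commands need the
// "Real time response: Read" scope; active responder commands need "Real time response:
// Write". Anything else (e.g. put, run, which need the admin scope) is refused here, so a
// compromised flow input cannot turn an inventory step into code execution.
const READ_ONLY = new Set(['ls', 'cat', 'ps', 'netstat', 'filehash', 'env', 'ipconfig', 'getsid', 'history']);
const ACTIVE_RESPONDER = new Set(['cp', 'mv', 'rm', 'zip', 'mkdir', 'kill', 'get']);

export function classifyCommand(commandString: string): { baseCommand: string; endpoint: string } {
  const baseCommand = commandString.trim().split(/\s+/)[0] ?? '';
  if (READ_ONLY.has(baseCommand)) {
    return { baseCommand, endpoint: '/real-time-response/entities/command/v1' };
  }
  if (ACTIVE_RESPONDER.has(baseCommand)) {
    return { baseCommand, endpoint: '/real-time-response/entities/active-responder-command/v1' };
  }
  throw new Error(`RTR command "${baseCommand}" is not on the automation allowlist`);
}

export interface RtrResult {
  sessionId: string;
  cloudRequestId: string;
  stdout: string;
  stderr: string;
  polls: number;
}

export async function runRtrCommand(
  api: ApiCall,
  deviceId: string,          // 32-hex-character agent ID (AID)
  commandString: string,     // full command line, starting with the base command, e.g. "ls C:\\Windows\\Temp"
  opts = { maxPolls: 30, sleepMs: 2000 },
): Promise<RtrResult> {
  const { baseCommand, endpoint } = classifyCommand(commandString);

  // 1. Initialize the session. queue_offline=false means an offline host fails fast
  //    instead of queueing the command to run whenever the host next checks in.
  const session = await api('POST', '/real-time-response/entities/sessions/v1', {
    device_id: deviceId,
    queue_offline: false,
  });
  const sessionId: string | undefined = session?.resources?.[0]?.session_id;
  if (!sessionId) throw new Error(`no RTR session returned for device ${deviceId}`);

  try {
    // 2. Issue the command on the endpoint that matches its class.
    const issued = await api('POST', endpoint, {
      session_id: sessionId,
      base_command: baseCommand,
      command_string: commandString,
    });
    const cloudRequestId: string | undefined = issued?.resources?.[0]?.cloud_request_id;
    if (!cloudRequestId) throw new Error('RTR command was not accepted');

    // 3. Poll the status endpoint until complete is true. sequence_id=0 fetches the
    //    first output chunk; very large outputs are paged by incrementing sequence_id.
    for (let polls = 1; polls <= opts.maxPolls; polls++) {
      const status = await api(
        'GET',
        `${endpoint}?cloud_request_id=${encodeURIComponent(cloudRequestId)}&sequence_id=0`,
      );
      const r = status?.resources?.[0];
      if (r?.complete) {
        return { sessionId, cloudRequestId, stdout: r.stdout ?? '', stderr: r.stderr ?? '', polls };
      }
      await new Promise<void>((resolve) => setTimeout(() => resolve(), opts.sleepMs));
    }
    throw new Error(`RTR command ${cloudRequestId} did not complete after ${opts.maxPolls} polls`);
  } finally {
    // 4. Always tear the session down, even on failure, so it does not linger on the host.
    await api('DELETE', `/real-time-response/entities/sessions/v1?session_id=${encodeURIComponent(sessionId)}`);
  }
}
```

The allowlist is the part worth keeping even if you change everything else: the command string typically comes from flow input, and routing every base command through a fixed table (rather than letting the caller pick the endpoint) is what stops an unexpected input from reaching the admin-level commands.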
Usage Examples
Incident Response Workflow
- Use the "Search Incidents" action with an FQL filter to find new high-severity incidents (the action returns incident IDs)
- For each incident, use "Get Incident Details" to retrieve the full record, including the hosts involved
- If the incident involves a compromised host, use "Isolate Host" to contain the threat (check the host's containment status first so you do not re-contain a host that is already contained or pending)
- Use "Initialize RTR Session" and "Execute RTR Command" to gather forensic information
- Update the incident status (for example to In Progress) using "Update Incidents"
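The workflow above, orchestrated end to end, as an added example in TypeScript. It is not the package's own code; it assumes the Falcon endpoints GET /incidents/queries/incidents/v1 (returns IDs), POST /incidents/entities/incidents/GET/v1 (returns incident records with a hosts array of device_id values), GET /devices/entities/devices/v2 (host records with a status field), POST /devices/entities/devices-actions/v2?action_name=contain and POST /incidents/entities/incident-actions/v1 with update_status / add_tag action parameters. The numeric status codes (20 New, 25 Reopened, 30 In Progress, 40 Closed) are the Falcon incident status values. The HTTP transport is injected so the orchestration can be exercised offline, and the sample FQL filter is a constructed example.

```typescript
// Added example, not the package's own code: triage high-score incidents by containing
// the attached hosts that are not yet contained, then mark the incidents In Progress.

export type ApiCall = (method: 'GET' | 'POST', path: string, body?: unknown) => Promise<any>;

export const INCIDENT_STATUS = { NEW: '20', REOPENED: '25', IN_PROGRESS: '30', CLOSED: '40' } as const;

export interface TriageReport {
  incidentIds: string[];
  contained: string[];               // device IDs contained in this run
  skipped: Record<string, string>;   // device ID -> status that made us skip it
  updated: string[];                 // incident IDs moved to In Progress
}

export async function triageIncidents(
  api: ApiCall,
  filter: string,                    // FQL, e.g. "state:'open'+fine_score:>=70"
  opts = { limit: 20, maxContain: 5 }, // maxContain caps the blast radius of a bad filter
): Promise<TriageReport> {
  // 1. Search: returns incident IDs only, sorted by score so the worst come first.
  const query = `filter=${encodeURIComponent(filter)}&sort=${encodeURIComponent('fine_score.desc')}&limit=${opts.limit}`;
  const search = await api('GET', `/incidents/queries/incidents/v1?${query}`);
  const incidentIds: string[] = search?.resources ?? [];
  const report: TriageReport = { incidentIds, contained: [], skipped: {}, updated: [] };
  if (incidentIds.length === 0) return report;

  // 2. Details: expand the IDs into records and collect the distinct hosts involved.
  const details = await api('POST', '/incidents/entities/incidents/GET/v1', { ids: incidentIds });
  const deviceIds = new Set<string>();
  for (const incident of details?.resources ?? []) {
    for (const host of incident.hosts ?? []) {
      if (typeof host.device_id === 'string') deviceIds.add(host.device_id);
    }
  }

  // 3. Contain: read the current containment status first and only act on "normal" hosts,
  //    so re-running the flow is idempotent and pending transitions are left alone.
  if (deviceIds.size > 0) {
    const idParams = Array.from(deviceIds).map((id) => `ids=${encodeURIComponent(id)}`).join('&');
    const hosts = await api('GET', `/devices/entities/devices/v2?${idParams}`);
    const toContain: string[] = [];
    for (const host of hosts?.resources ?? []) {
      if (host.status === 'normal') toContain.push(host.device_id);
      else report.skipped[host.device_id] = host.status;
    }
    if (toContain.length > opts.maxContain) {
      throw new Error(`refusing to contain ${toContain.length} hosts (cap ${opts.maxContain}); review the filter`);
    }
    if (toContain.length > 0) {
      await api('POST', '/devices/entities/devices-actions/v2?action_name=contain', { ids: toContain });
      report.contained = toContain;
    }
  }

  // 4. Update: move the incidents to In Progress and tag the ones where we acted.
  //    Any containment failure above throws before this point, so an incident is never
  //    marked In Progress while its host is still uncontained.
  const actionParameters: Array<{ name: string; value: string }> = [
    { name: 'update_status', value: INCIDENT_STATUS.IN_PROGRESS },
  ];
  if (report.contained.length > 0) actionParameters.push({ name: 'add_tag', value: 'auto-contained' });
  await api('POST', '/incidents/entities/incident-actions/v1', { ids: incidentIds, action_parameters: actionParameters });
  report.updated = incidentIds;
  return report;
}
```

The cap on the number of hosts contained per run is the check to keep when adapting this: an over-broad FQL filter (or a typo in it) on an automated flow otherwise turns into mass containment of a customer's fleet, and with an MSSP configuration it does so one CID at a time.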
Threat Hunting
- Initialize RTR sessions with multiple hosts
- Execute commands to search for indicators of compromise
- Retrieve and analyze file contents for suspicious activity
- Isolate hosts if threats are detected
MSSP Implementation
For MSSP scenarios, this integration supports:
- Environment-specific authentication for each customer
- Parameterization of all actions
- Proper error handling and retry mechanisms
- Detailed logging for troubleshooting
- Batch operations where applicable
Troubleshooting
- Ensure your CrowdStrike API client has the scopes the actions need: Incidents (Read, Write) for incident search and updates, Hosts (Read, Write) for containment and status checks, and Real time response (Read, Write) for RTR sessions and read-only or active responder commands
- Check that the API Base URL matches the cloud region of your CID; a wrong region fails at the token request
- Verify that the device IDs (32-hex-character agent IDs) used in host isolation and RTR actions are valid
- For RTR actions, ensure that the session is initialized before executing commands; sessions expire after a period of inactivity, so initialize a new one if a command fails with a session error
Support
For issues or feature requests, please contact your Active Pieces administrator or submit an issue in the repository.