Interpres Application - Crowdstrike Falcon
- Type: Endpoint
- Vendor: Crowdstrike
The CrowdStrike app processes CrowdStrike Detections and turns them into the Interpres Alert and Detection DataModel. This covers both the Behavioral and the Custom IOA based detections.
Vendor setup
In the Falcon console, go to Support and Resources, then API clients and keys
- Click Create API client
- For Client name enter “Interpres”
- Add the Scopes below, each with only the "Read" permission (the integration never needs write access)
Alerts
Custom IOA rules
Detections
Device control policies
Hosts
Falcon Discover
Host groups
Incidents
Machine Learning Exclusions
Prevention policies
Response policies
IOA Exclusions
Sensor update policies
Sensor Visibility Exclusions
Zero Trust Assessment
- Click Create
- Copy the Client ID, Client Secret, and Base URL into Interpres. The Client Secret is displayed only once, when the client is created, so copy it before closing the dialog. If setting up more than one CrowdStrike integration (e.g. CrowdStrike Falcon EDR and CrowdStrike Spotlight), do not click Done until you have entered these credentials for both integrations.
App Configuration
App Parameters:
- Base URL: The base URL for the API. This should be just scheme + host, e.g. https://api.us-2.crowdstrike.com, with no path or trailing slash
- Client ID: The API Client ID created above
- Client Secret: The API Client Secret created above (not the Client ID)
- Asset FQDN: Only grab assets with this fully qualified domain name
App Validation
Check there is connectivity (green light) in the integration created.
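The Base URL check and the connectivity (green light) check above are shown here as an added example; this is not Interpres code and not CrowdStrike's own client. It assumes the Falcon API's documented OAuth2 client-credentials exchange (a form-encoded POST to /oauth2/token relative to the Base URL); the function names are this example's own.

```python
from urllib.parse import urlencode, urlparse


def normalize_base_url(raw: str) -> str:
    """Return the Base URL as scheme + host only, which is what the App Parameter expects.

    Rejects plain http, embedded credentials, paths, query strings and fragments, so a
    pasted URL such as '.../oauth2/token' fails loudly instead of producing a doubled path.
    """
    parts = urlparse(raw.strip())
    if parts.scheme != "https":
        raise ValueError(f"Base URL must use https: {raw!r}")
    if not parts.netloc:
        raise ValueError(f"Base URL is missing a host: {raw!r}")
    if parts.username or parts.password:
        raise ValueError("Base URL must not embed credentials")
    if parts.path not in ("", "/") or parts.params or parts.query or parts.fragment:
        raise ValueError(f"Base URL must be scheme + host only, no path: {raw!r}")
    return f"https://{parts.netloc.lower()}"


def is_valid_base_url(raw: str) -> bool:
    """Boolean form of normalize_base_url for form validation."""
    try:
        normalize_base_url(raw)
        return True
    except ValueError:
        return False


def build_token_request(base_url: str, client_id: str, client_secret: str) -> dict:
    """Describe the OAuth2 client-credentials request the Falcon API expects.

    Returned as a plain dict so it can be inspected (and tested) without a network call.
    """
    return {
        "method": "POST",
        "url": normalize_base_url(base_url) + "/oauth2/token",
        "headers": {
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        },
        "body": urlencode({"client_id": client_id, "client_secret": client_secret}),
    }


def check_connectivity(base_url: str, client_id: str, client_secret: str, timeout: float = 10) -> bool:
    """Perform the token exchange once and report whether Base URL and credentials work.

    This is the 'green light' check: the token itself is discarded. A 401/403 usually
    means a wrong Client ID/Secret; any other failure is reported as no connectivity.
    """
    import json
    import urllib.error
    import urllib.request

    req = build_token_request(base_url, client_id, client_secret)
    request = urllib.request.Request(
        req["url"], data=req["body"].encode(), headers=req["headers"], method=req["method"]
    )
    try:
        with urllib.request.urlopen(request, timeout=timeout) as resp:
            payload = json.load(resp)
            return resp.status in (200, 201) and "access_token" in payload
    except (urllib.error.URLError, ValueError, OSError):
        return False


if __name__ == "__main__":
    # Constructed, non-working credentials purely to show the request shape.
    print(build_token_request("https://api.us-2.crowdstrike.com/", "example-id", "example-secret"))
```

Run `check_connectivity(...)` with the real Base URL, Client ID and Client Secret from the API client you created; a False result with a URL that passes normalize_base_url points at the credentials or at the wrong CrowdStrike cloud for that client.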
Implemented Actions
- Get Alerts: Get Alerts processes every CrowdStrike detection object into alerts; each alert is uniquely linked to its detection via behavior_id.
- Get Available Telemetry: This action simply returns the predefined set of telemetry that CrowdStrike provides when the sensor is in use:
- file access telemetry
- file creation telemetry
- file modification telemetry
- file deletion telemetry
- network connection creation telemetry
- active dns telemetry
- command execution telemetry
- process access telemetry
- process creation telemetry
- process metadata telemetry
- scheduled job creation telemetry
- scheduled job deletion telemetry
- scheduled job metadata telemetry
- scheduled job modification telemetry
- user account authentication telemetry
- user account creation telemetry
- windows registry key access telemetry
- windows registry key creation telemetry
- windows registry key deletion telemetry
- windows registry key modification telemetry
- wmi creation telemetry
- Get Detections: This action processes the CrowdStrike Detection objects, which are triggered detections (not to be confused with the detection logic). Each CrowdStrike detection contains device metadata along with one or more behavioral detections that fired. These are turned into Interpres Detections, which are also kept in state along with a last seen timestamp, so the detection list contains every detection seen over the lifetime of the plugin, not only those returned by the most recent poll. All non-IOA alerts are identified by behavior_id, which uniquely identifies a detection-to-alert mapping.
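The Get Alerts and Get Detections processing described above, as an added example that is not the Interpres implementation: it folds one poll of detection objects into a persistent state keyed by detection_id with a last seen timestamp, and emits one alert per behavior keyed by behavior_id. The sample objects are constructed for this example; their field names (detection_id, device, behaviors, behavior_id, timestamp, display_name, tactic, max_severity_displayname) follow the shape of the Falcon Detects API summaries but the values are invented. Custom IOA behaviors are not treated specially here.

```python
from __future__ import annotations

import copy
from datetime import datetime, timezone

# Constructed sample poll #1: two detections, three behaviors in total.
SAMPLE_DETECTIONS_RUN1 = [
    {
        "detection_id": "ldt:aaaa1111:1001",
        "max_severity_displayname": "High",
        "device": {"device_id": "aaaa1111", "hostname": "WKS-01"},
        "behaviors": [
            {"behavior_id": "10001", "timestamp": "2024-05-01T10:00:00Z",
             "display_name": "Suspicious PowerShell", "tactic": "Execution"},
            {"behavior_id": "10002", "timestamp": "2024-05-01T10:05:00Z",
             "display_name": "LSASS handle opened", "tactic": "Credential Access"},
        ],
    },
    {
        "detection_id": "ldt:bbbb2222:2001",
        "max_severity_displayname": "Medium",
        "device": {"device_id": "bbbb2222", "hostname": "SRV-02"},
        "behaviors": [
            {"behavior_id": "20001", "timestamp": "2024-05-01T11:00:00Z",
             "display_name": "Scheduled task created", "tactic": "Persistence"},
        ],
    },
]

# Constructed sample poll #2: the first detection gained a new behavior and was
# re-rated; the second detection is no longer returned by the API at all.
SAMPLE_DETECTIONS_RUN2 = [
    {
        "detection_id": "ldt:aaaa1111:1001",
        "max_severity_displayname": "Critical",
        "device": {"device_id": "aaaa1111", "hostname": "WKS-01"},
        "behaviors": SAMPLE_DETECTIONS_RUN1[0]["behaviors"] + [
            {"behavior_id": "10003", "timestamp": "2024-05-01T12:30:00Z",
             "display_name": "Credential dumping tool", "tactic": "Credential Access"},
        ],
    },
]


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the sample objects."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def process_detections(detections: list[dict], state: dict | None = None) -> tuple[dict, dict]:
    """Fold one poll into the detection state and emit alerts keyed by behavior_id.

    state maps detection_id -> {"last_seen", "device", "severity", "behavior_ids"}.
    Entries are never dropped and last_seen never moves backwards, so a detection
    that vanishes from a later poll keeps the last_seen it had. The caller's state
    is not mutated; the updated copy is returned.
    """
    state = copy.deepcopy(state) if state else {}
    alerts: dict[str, dict] = {}
    for det in detections:
        behaviors = det.get("behaviors") or []
        if not behaviors:
            continue  # nothing fired, so there is no behavior_id to link an alert to
        det_id = det["detection_id"]
        device = det.get("device", {})
        poll_last_seen = max(parse_ts(b["timestamp"]) for b in behaviors)
        entry = state.setdefault(det_id, {"last_seen": poll_last_seen, "behavior_ids": set()})
        entry["last_seen"] = max(entry["last_seen"], poll_last_seen)
        entry["device"] = device
        entry["severity"] = det.get("max_severity_displayname")
        for b in behaviors:
            bid = b["behavior_id"]
            entry["behavior_ids"].add(bid)
            if bid in alerts:
                # One behavior_id maps to exactly one detection: a repeat within a
                # poll is a duplicate object, not a second alert.
                continue
            alerts[bid] = {
                "behavior_id": bid,
                "detection_id": det_id,
                "hostname": device.get("hostname"),
                "name": b.get("display_name"),
                "tactic": b.get("tactic"),
                "timestamp": parse_ts(b["timestamp"]),
            }
    return state, alerts


if __name__ == "__main__":
    state, alerts = process_detections(SAMPLE_DETECTIONS_RUN1)
    state, alerts = process_detections(SAMPLE_DETECTIONS_RUN2, state)
    for det_id, entry in sorted(state.items()):
        print(det_id, entry["severity"], entry["last_seen"].isoformat(), sorted(entry["behavior_ids"]))
```

After the second poll the state still holds ldt:bbbb2222:2001 with its original last seen time, while ldt:aaaa1111:1001 has advanced to the newest behavior; that is the "seen over the course of this plugin being installed" behaviour the action describes.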