Interpres Application - Crowdstrike Falcon

Type: Endpoint
Vendor: Crowdstrike
The Crowdstrike app will process Crowdstrike Detections and turn them into the Alert and Detection DataModel for Interpres. This includes both the Behavioral and Custom IOA based detections
Vendor setup
Go to Support and Resources then API clients and keys
﻿
Click Create API client
For Client name enter “Interpres”
Add the below Scopes as with the “Read” permission
Text
Alerts
Custom IOA rules
Detections
Device control policies
Hosts
Falcon Discover
Host groups
Incidents
Machine Learning Exclusions
Prevention policies
Response policies
IOA Exclusions
Sensor update policies
Sensor Visibility Exclusions
Zero Trust Assessment
Alerts
Custom IOA rules
Detections
Device control policies
Hosts
Falcon Discover
Host groups
Incidents
Machine Learning Exclusions
Prevention policies
Response policies
IOA Exclusions
Sensor update policies
Sensor Visibility Exclusions
Zero Trust Assessment
﻿
Click Create
﻿
Copy the Client ID, Secret, and Base URL to Interpres. If setting up more than one CrowdStrike integration (e.g. CrowdStrike Falcon EDR and CrowdStrike Spotlight) then do not click Done until you have used these credentials for both integrations.
﻿
App Configuration
App Parameters:
Base URL: The base url for the api this should just be scheme + host e.g. https://api.us-2.crowdstrike.com
Client ID: The API Client ID created
Client Secret: The API Client ID created
Asset FQDN: Only grab assets with this fully qualified domain name
App Validation
Check there is connectivity (green light) in the integration created.
Implemented Actions
Get Alerts: Get Alerts will process all the crowdstrike detection objects into alerts, these are uniquely linked to detections via behavior_id.
Get Available Telemetry: This action just returns a predefined set of telemetry that Crowdstrike provides if it is in use.
file access telemetry
file creation telemetry
file modification telemetry
file deletion telemetry
network connection creation telemetry
active dns telemetry
command execution telemetry
process access telemetry
process creation telemetry
process metadata telemetry
scheduled job creation telemetry
scheduled job deletion telemetry
scheduled job metadata telemetry
scheduled job modification telemetry
user account authentication telemetry
user account creation telemetry
windows registry key access telemetry
windows registry key creation telemetry
windows registry key deletion telemetry
windows registry key modification telemetry
wmi creation telemetry
Get Detections: This action processes the Crowdstrike Detection Objects which are really are triggered detections (not to be confused with the detection logic). Each Crowdstrike detection contains device metadata along with one or more behavioral detections which fired. These are turned into the Interpres Detection which is also maintained in state along with a last seen timestamp such that the detection list should contain any detection that was seen over the course of this plugin being installed. For all of the non-IOA alerts they are identified by behavoir id which uniquely identifies a detection to alert mapping.
﻿
Did this page help you?
Interpres Application - Cisco Secure Endpoint
Interpres Application - Crowdstrike Falcon Spotlight