FalconHost (Deprecated)
This Integration is part of the FalconHost (Deprecated) Pack.#
Deprecated
Use the CrowdStrike Falcon integration instead.
Use the CrowdStrike Falcon Host integration to detect and block malicious activity.
Configure CrowdStrike Falcon Host Integration on Cortex XSOAR
- Navigate to Settings > Integrations > Servers & Services .
- Search for FalconHost.
-
Click
Add instance
to create and configure a new integration instance.
- Name : a textual name for the integration instance.
- Server URL (e.g. https://192.168.0.1 )
- API ID
- API Key
- Use system proxy settings
- Allow self-signed SSL certificates
- Click Test to validate the URLs, token, and connection.
Commands
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook.
After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Upload indicators for CS to monitor: cs-upload-ioc
- Get definitions of monitored indicators: cs-get-ioc
- Update indicators: cs-update-ioc
- Delete an indicator: cs-delete-ioc
- Get a list of uploaded IOCs: cs-search-iocs
- Search for devices: cs-device-search
- Get device details: cs-device-details
- Get the number of devices an IOC ran on: cs-device-count-ioc
- Get a list of device IDs that an indicator ran on: cs-device-ran-on
- Get the process ID of an indicator for a device: cs-processes-ran-on
- Get process details: cs-process-details
- Set resolution status: cs-resolve-detection (Deprecated)
- Search all detection fields: cs-detection-search (Deprecated)
- Get detection details: cs-detection-details (Deprecated)
1. Upload indicators for CS to monitor
Uploads one or more indicators for CrowdStrike to monitor.
Base Command
cs-upload-ioc
Input
| Argument Name | Description | Required |
|---|---|---|
| type | The type of the indicator | Required |
| value | The string representation of the indicator | Required |
| policy | The policy to enact when the value is detected on a host. A value of none is equivalent to turning the indicator off. | Optional |
| share_level | The level at which the indicator will be shared. Only red share level (not shared) is supported, which indicates that the IOC is not shared with other Falcon Host customers. | Optional |
| expiration_days | The days the indicator is be valid for. This only applies to domain, IPv4, and IPv6 types. Default is 30. | Optional |
| source | The source where this indicator originated. This can be used for tracking where this indicator was defined. Limit 200 characters. | Optional |
| description | A meaningful description of the indicator. Limit 200 characters. | Optional |
Context Output
There is no context output for this command.
Command Example
!cs-upload-ioc type=ipv4 value=8.8.8.8
Human Readable Output
2. Get definitions of monitored indicators
Get the full definition of one or more indicators that you are watching
Base Command
cs-get-ioc
Input
| Argument Name | Description | Required |
|---|---|---|
| type | The IOC type to retrieve | Required |
| value | The IOC value to retrieve | Required |
Context Output
There is no context output for this command.
Command Example
!cs-get-ioc type=ipv4 value=8.8.8.8
Human Readable Output
3. Update indicators
Updates one or more of the uploaded indicators.
Base Command
cs-update-ioc
Input
| Argument Name | Description | Required |
|---|---|---|
| type | The IOC type to update | Required |
| value | The IOC value to update | Required |
| policy | The policy to enact when the value is detected on a host. A value of none is equivalent to turning the indicator off. | Optional |
| share_level | The level at which the indicator will be shared. Only red share level (not shared) is supported, which indicates that the IOC is not shared with other Falcon Host customers. | Optional |
| expiration_days | The days the indicator is be valid for. This only applies to domain, IPv4, and IPv6 types. Default is 30. | Optional |
| source | The source where this indicator originated. This can be used to track where this indicator was defined. Limit 200 characters. | Optional |
| description | A meaningful description of the indicator. Limit 200 characters. | Optional |
Context Output
There is no context output for this command.
Command Example
!cs-update-ioc type=ipv4 value=8.8.8.8 policy=none
Human Readable Output
4. Delete an indicator
Deletes an indicator that you are monitoring.
Base Command
cs-delete-ioc
Input
| Argument Name | Description | Required |
|---|---|---|
| type | The IOC type to delete | Required |
| value | The IOC value to delete | Optional |
Context Output
There is no context output for this command.
Command Example
!cs-delete-ioc type=ipv4 value=8.8.8.8
Human Readable Output
5. Get a list of uploaded IOCs
Returns a list of your uploaded IOCs that match the search criteria.
Base Command
cs-search-iocs
Input
| Argument Name | Description | Required |
|---|---|---|
| types | A list of indicator types. Separate multiple types by comma. Valid types are sha256, sha1, md5, domain, ipv4, ipv6. | Optional |
| values | Comma-separated list of indicator values | Optional |
| policies | Comma-separated list of indicator policies | Optional |
| share_levels | A list of share levels. Only red is supported. | Optional |
| sources | Comma-separated list of IOC sources | Optional |
| from_expiration_date | Start of date range to search (YYYY-MM-DD format) | Optional |
| to_expiration_date | End of date range to search (YYYY-MM-DD format) | Optional |
| sort | The order of the results. Format is field.asc or field.desc . | Optional |
| limit | The maximum number of records to return. The minimum is 1 and the maximum is 500. Default is 100. | Optional |
| offset | The offset to begin the list from. For example, start from the 10th record and return the list. Default is 0. | Optional |
Context Output
There is no context output for this command.
Command Example
!cs-search-iocs types=domain
!cs-search-iocs types=ipv4
Human Readable Output
6. Search for devices
Search for devices in your environment by platform, host name, IP, or various other parameters.
Base Command
cs-device-search
Input
| Argument Name | Description | Required |
|---|---|---|
| query | Search for a value across all fields | Optional |
| filter | Filter devices using query syntax of "field:value+field:value" where string values are enclosed in single quotes or as arrays in single quotes (['x', 'y']). Numerical fields and dates also support operators like field:>value. For a list of relevant fields, see the CrowdStrike documentation. | Optional |
| limit | Number of results to return | Optional |
| offset | The result to start from | Optional |
Context Output
| Path | Description |
|---|---|
| FalconHostDevices | Device IDs found by device search |
Command Example
!cs-device-search limit=2
!cs-device-search
Human Readable Output
7. Get device details
Get details for one or more devices, according to device ID.
Base Command
cs-device-details
Input
| Argument Name | Description | Required |
|---|---|---|
| ids | The ID of the process. Allows multiple values separated by comma. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| FalconHostDetails | string | The ID to retrieve details for. Supports comma-separated list of IDs. |
| Endpoint.ID | string | Unique ID of the endpoint in FalconHost |
| Endpoint.IPAddress | string | IPAddress of the endpoint |
| Endpoint.Domain | string | Domain of the endpoint |
| Endpoint.MACAddress | string | MAC address of the endpoint |
| Endpoint.OS | string | OS of the endpoint |
| Endpoint.OSVersion | string | OS version of the endpoint |
| Endpoint.BIOSVersion | string | BIOS version of the endpoint |
| Endpoint.HostName | string | The host of the endpoint |
Command Example
!cs-device-details ids=1e371d976b4549186ed5f09e49e49c12
!cs-device-details ids=${FalconHostDevices}
Context Example
Human Readable Output
8. Get the number of devices an IOC ran on
Returns the number of devices on which an IOC ran, according to type and value of an IOC
Base Command
cs-device-count-ioc
Input
| Argument Name | Description | Required |
|---|---|---|
| type | The type of indicator | Required |
| value | The actual string representation of the indicator | Required |
Context Output
There is no context output for this command.
Command Example
!cs-device-count-ioc type=sha1 value=f28c592833f234c619917b5c7d8974840a810247
!cs-device-count-ioc type=domain value=7.tw
9. Get a list of device IDs that an indicator ran on
Returns a list of device IDs on which an indicator ran
Base Command
cs-device-ran-on
Input
| Argument Name | Description | Required |
|---|---|---|
| type | The type of indicator from the list of supported indicator types. | Required |
| value | The actual string representation of the indicator | Required |
Context Output
| Path | Description |
|---|---|
| FalconHostDevices | Device IDs found by device IOC search |
Command Example
!cs-device-ran-on type=sha1 value=f28c592833f234c619917b5c7d8974840a810247
!cs-device-ran-on type=domain value=7.tw
10. Get the process ID of an indicator for a device
Returns the process ID of the indicator if it ran on given device recently
Base Command
cs-processes-ran-on
Input
| Argument Name | Description | Required |
|---|---|---|
| type | The type of indicator from the list of supported indicator types. | Required |
| value | The actual string representation of the indicator | Required |
| device_id | The device ID you want to check against | Required |
Context Output
| Path | Description |
|---|---|
| FalconHostProcesses | List of processes of the searched indicators |
11. Get process details
Retrieves the details of a process, according to process ID, that is running or that previously ran.
Base Command
cs-process-details
Input
| Argument Name | Description | Required |
|---|---|---|
| ids | The ID of the process. Allows multiple values separated by comma. | Required |
Context Output
There is no context output for this command.
12. Set resolution status (Deprecated)
Use the cs-falcon-resolve-detection command from the CrowdStrike Falcon integration instead.
Sets the state of a detection in Falcon Host. You can obtain detection IDs from the Falcon Host UI or from the Falcon Streaming API.
Base Command
cs-resolve-detection
Input
| Argument Name | Description | Required |
|---|---|---|
| ids | The IDs of the detections you want to resolve. Falcon Host API v2: detection ids are in the following format: ldt:[first field]:[second field], for example, ldt:cf54bb61f92e4d3e75bf4f7c11fc8f74:4295536142. | Required |
| status | The status to which you want to transition a detection | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| CrowdStrikeHost.Detections.cid | string | cid of the detection |
| CrowdStrikeHost.Detections.detection_id | string | ID of the detection |
| CrowdStrikeHost.Detections.first_behavior | string | First behavior of the detection |
| CrowdStrikeHost.Detections.last_behavior | string | Last behavior of the detection |
| CrowdStrikeHost.Detections.max_confidence | number | Max confidence of the detection |
| CrowdStrikeHost.Detections.max_severity | number | Max severity of the detection |
| CrowdStrikeHost.Detections.max_severity_display_name | string | Displayname of the max severity |
| CrowdStrikeHost.Detections.behaviors.alleged_file_type | string | Alleged filetype of the behavior |
| CrowdStrikeHost.Detections.behaviors.behavior_id | string | ID of the behavior |
| CrowdStrikeHost.Detections.behaviors.device_id | string | ID of the device of the behavior |
| CrowdStrikeHost.Detections.behaviors.user_id | string | ID of the user of the behavior |
| CrowdStrikeHost.Detections.behaviors.control_graph_id | string | ID of the control graph of the behavior |
| CrowdStrikeHost.Detections.behaviors.cmdline | string | Commandline of the behavior |
| CrowdStrikeHost.Detections.behaviors.confidence | number | Confidence of the behavior |
| CrowdStrikeHost.Detections.behaviors.severity | number | Severity of the behavior |
| CrowdStrikeHost.Detections.behaviors.filename | string | Filename of the behavior |
| CrowdStrikeHost.Detections.behaviors.ioc_description | string | IOC description of the behavior |
| CrowdStrikeHost.Detections.behaviors.ioc_source | string | IOC source of the behavior |
| CrowdStrikeHost.Detections.behaviors.ioc_type | string | IOC type of the behavior |
| CrowdStrikeHost.Detections.behaviors.ioc_value | string | IOC value of the behavior |
| CrowdStrikeHost.Detections.behaviors.md5 | string | MD5 of the behavior |
| CrowdStrikeHost.Detections.behaviors.sha256 | string | SHA256 of the behavior |
| CrowdStrikeHost.Detections.behaviors.timestamp | string | Timestamp of the behavior |
| CrowdStrikeHost.Detections.behaviors.parent_details.parent_cmdline | string | Commandline of the parent of the behavior |
| CrowdStrikeHost.Detections.behaviors.parent_details.parent_md5 | string | MD5 of the parent of the behavior |
| CrowdStrikeHost.Detections.behaviors.parent_details.parent_sha256 | string | SHA256 of the parent of the behavior |
| CrowdStrikeHost.Detections.behaviors.parent_details.parent_control_graph_id | string | Control graph ID of the parent of the behavior |
| CrowdStrikeHost.Detections.device.agent_version | string | Agent version of the device |
| CrowdStrikeHost.Detections.device.bios_version | string | Bios version of the device |
| CrowdStrikeHost.Detections.device.os_version | string | OS version of the device |
| CrowdStrikeHost.Detections.device.mac_address | string | MACAddress of the device |
| CrowdStrikeHost.Detections.device.local_ip | string | Local IP of the device |
| CrowdStrikeHost.Detections.device.external_ip | string | External IP of the device |
| CrowdStrikeHost.Detections.device.hostname | string | Hostname of the device |
| CrowdStrikeHost.Detections.behaviors.technique | string | Technique of the behavior |
Command Example
!cs-resolve-detection ids=cf54bb61f92e4d3e75bf4f7c11fc8f74:4295536142 status=in_progress
13. Search all detection fields (Deprecated)
Deprecated. Use the cs-falcon-search-detection command from the CrowdStrike Falcon integration instead.
Performs a string search through all CrowdStrike Detection fields. For example, provide a sensor ID to search for all detections that contain that sensor ID.
Base Command
cs-detection-searchInput
| Argument Name | Description | Required |
|---|---|---|
| query | Free text search filter | Optional |
| first_behavior | First Behavior of the detection, e.g., 2017-01-31T22:36:11Z | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| CrowdStrikeHost.Detections.detection_id | string | IDs of the related detections |
Command Example
!cs-detection-search query=".exe"
Human Readable Output
14. Get detection details (Deprecated)
Deprecated. Use the cs-falcon-search-detection command from the CrowdStrike Falcon integration instead.
Fetches details of a CrowdStrike Detection using the detection ID.
Base Command
cs-detection-detailsInput
| Argument Name | Description | Required |
|---|---|---|
| detection_id | ID of the detections | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| CrowdStrikeHost.Detections.cid | string | cid of the detection |
| CrowdStrikeHost.Detections.detection_id | string | ID of the detection |
| CrowdStrikeHost.Detections.first_behavior | string | First behavior of the detection |
| CrowdStrikeHost.Detections.last_behavior | string | Last behavior of the detection |
| CrowdStrikeHost.Detections.max_confidence | number | Max confidence of the detection |
| CrowdStrikeHost.Detections.max_severity | number | Max severity of the detection |
| CrowdStrikeHost.Detections.max_severity_display_name | string | Displayname of the max severity |
| CrowdStrikeHost.Detections.behaviors.alleged_file_type | string | Alleged filetype of the behavior |
| CrowdStrikeHost.Detections.behaviors.behavior_id | string | ID of the behavior |
| CrowdStrikeHost.Detections.behaviors.device_id | string | ID of the device of the behavior |
| CrowdStrikeHost.Detections.behaviors.user_id | string | ID of the user of the behavior |
| CrowdStrikeHost.Detections.behaviors.control_graph_id | string | ID of the control graph of the behavior |
| CrowdStrikeHost.Detections.behaviors.cmdline | string | Commandline of the behavior |
| CrowdStrikeHost.Detections.behaviors.confidence | number | Confidence of the behavior |
| CrowdStrikeHost.Detections.behaviors.severity | number | Severity of the behavior |
| CrowdStrikeHost.Detections.behaviors.filename | string | Filename of the behavior |
| CrowdStrikeHost.Detections.behaviors.ioc_description | string | IOC description of the behavior |
| CrowdStrikeHost.Detections.behaviors.ioc_source | string | IOC source of the behavior |
| CrowdStrikeHost.Detections.behaviors.ioc_type | string | IOC type of the behavior |
| CrowdStrikeHost.Detections.behaviors.ioc_value | string | IOC value of the behavior |
| CrowdStrikeHost.Detections.behaviors.md5 | string | MD5 of the behavior |
| CrowdStrikeHost.Detections.behaviors.sha256 | string | SHA256 of the behavior |
| CrowdStrikeHost.Detections.behaviors.timestamp | string | Timestamp of the behavior |
| CrowdStrikeHost.Detections.behaviors.parent_details.parent_cmdline | string | Commandline of the parent of the behavior |
| CrowdStrikeHost.Detections.behaviors.parent_details.parent_md5 | string | MD5 of the parent of the behavior |
| CrowdStrikeHost.Detections.behaviors.parent_details.parent_sha256 | string | SHA256 of the parent of the behavior |
| CrowdStrikeHost.Detections.behaviors.parent_details.parent_control_graph_id | string | Control graph ID of the parent of the behavior |
| CrowdStrikeHost.Detections.device.agent_version | string | Agent version of the device |
| CrowdStrikeHost.Detections.device.bios_version | string | Bios version of the device |
| CrowdStrikeHost.Detections.device.os_version | string | OS version of the device |
| CrowdStrikeHost.Detections.device.mac_address | string | MACAddress of the device |
| CrowdStrikeHost.Detections.device.local_ip | string | Local IP of the device |
| CrowdStrikeHost.Detections.device.external_ip | string | External IP of the device |
| CrowdStrikeHost.Detections.device.hostname | string | Hostname of the device |
| CrowdStrikeHost.Detections.behaviors.technique | string | Technique of the behavior |
Command Example
!cs-detection-details detectionID=${CrowdStrikeHost.Detections.detectionID}
Human Readable Output
