CrowdStrike Discover
Overview
CrowdStrike Falcon® Discover allows you to quickly identify and eliminate malicious or noncompliant activity by providing unmatched real-time visibility into the devices, users and applications in your network. Discover shows you the accounts that are logged in, the applications they're using, and the hardware and virtual hardware assets they're accessing.
D3 SOAR is providing REST operations to function with CrowdStrike Discover.
CrowdStrike Discover is available for use in:
Known Limitations
The Falcon Discover API endpoint only returns data if the response set includes 10,000 or fewer items. This limit applies to the total size of the API response, regardless of the pagination sizes with the limit and offset parameters. If the response set contains more than 10,000 items, the Falcon Discover API will return an HTML 400 response. To prevent his issue, use the filter parameter to reduce the total number of items in the API response.
The default rate limit for requests that contain a valid bearer token is 6,000 requests per minute per customer account. Every request in the customer account decreases one request from that pool, regardless of the API endpoint or API client used for the request. The rate limit is calculated on a sliding window.
Requests with missing, malformed, or expired bearer tokens are rate limited at 15 requests per minute per source IP address (not per customer account).
If you exceed your rate limit, any further request will receive an "HTTP 429: Too Many Requests" error along with the current rate limit status in the HTTP headers.
For more information, see Falcon Discover APIs.
Connection
To connect to CrowdStrike Discover from D3 SOAR, please follow this part to collect the required information below:
Parameter | Description | Example |
Server URL | The server URL of the CrowdStrike API. | https://api.crowdstrike.com |
Client ID | The client ID to authenticate the API connection. | acb9eb714b************75b76e66a9 |
Client Secret | The client secret to authenticate the API connection. | m132NkPjVva************I6sJ7UFC8LwGQdSetf |
API Version | The API version to use for the connection. | v1 |
Permission Requirements
All commands in this integration require the Falcon Discover:Read permission.
Reader Note
Please refer to Users and Roles for details on configuring user profiles. You can also use the shortcut Ctrl + K (Windows) or Cmd + K (macOS) to bring up the search bar to find and access the Roles and permissions page.
Configuring CrowdStrike Discover to Work with D3 SOAR
Log in to the CrowdStrike portal (https://falcon.crowdstrike.com/login/).
Use the shortcut Ctrl + K (Windows) or Cmd + K (macOS) to bring up the search bar. Use it to find and select API clients and keys.
On the API clients and keys page, click Add new API Client.
The Add new API client will appear. Input a Client Name and a description (optional). Select the Falcon Discover Read permission. Click Add.
Reader Note
See Permissions Requirements for more information on API scopes.
The API client created window will appear with a Client ID and Secret.
Reader Note
This is the only time you can view the Secret Key. Store it in a secure location for future reference.
(Optional) You can edit the permission scopes for the created API client by clicking the Edit icon under the Action column of the API client. An Edit API client window will appear for you to edit the permission scopes. Click Save to complete editing.
(Optional) You can reset the Secret Key by clicking the Reset Secret icon under the Action column of the API client. A Reset the secret window will appear asking you to confirm. Click Reset.
Configuring D3 SOAR to Work with CrowdStrike Discover
Log in to D3 SOAR.
Find the CrowdStrike Discover integration.
Navigate to Configuration on the top header menu.
Click on the Integration icon on the left sidebar.
Type CrowdStrike Discover in the search box to find the integration, then click it to select it.
Click + Connection, on the right side of the Connections section. A new connection window will appear.
Configure the following fields to create a connection to CrowdStrike Discover.
Connection Name: The desired name for the connection.
Site: Specifies the site to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all sites defined as internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.
Recipient site for events from connections Shared to Internal Sites: This field appears if you selected Share to Internal Sites for Site to let you select the internal site to deploy the integration connection.
Agent Name (Optional): Specifies the proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.
Description (Optional): Add your desired description for the connection.
Configure User Permissions: Defines which users have access to the connection.
Active: Check the tick box to ensure the connection is available for use.
System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection.
1. Copy and input the Base URL from the CrowdStrike platform. The default value is https://api.crowdstrike.com (refer to step 5 of Configuring CrowdStrike to Work with D3 SOAR).
2. Copy and input the Client ID from the CrowdStrike platform (refer to step 5 of Configuring CrowdStrike to Work with D3 SOAR)
3. Copy and input the Client Secret from the CrowdStrike platform (refer to step 5 of Configuring CrowdStrike to Work with D3 SOAR)
4. The default value of the API Version is v1. You can use the default value when creating connections.Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Please refer to the password vault connection guide if needed.
Connection Health Check: Updates the connection status you have created. A connection health check is done by scheduling the Test Connection command of this integration. This can only be done when the connection is active.
To set up a connection health check, check the Connection Health Check tickbox. You can customize the interval (minutes) for scheduling the health check. An email notification can be set up after a specified number of failed connection attempts.
Test the connection.
Click Test Connection to verify the account credentials and network connection. If the Test Connection Passed alert window appears, the test connection is successful. You will see Passed with a green checkmark appear beside the Test Connection button. If the test connection fails, please check your connection parameters and try again.
Click OK to close the alert window.
Click + Add to create and add the configured connection.
Commands
CrowdStrike Discover includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command, you can execute these commands independently for playbook troubleshooting.
Integration API Note
For more information about the CrowdStrike Discover API, please refer to the CrowdStrike Discover API reference.
Reader Note
Certain permissions are required for each command. Please refer to the Permission Requirements and Configuring CrowdStrike Discover to Work with D3 SOAR for details.
List Accounts
Retrieves details on the accounts matching the input Falcon Query Language (FQL) query statement.
Reader Note
Filter allows you to define the search query. Refer to Falcon Query Language (FQL) from Crowdstrike’s documentation for more information about the syntax. You can run this command with no filter expressions defined to see the queryable property names in the returned raw data.
The basic syntax is: property_name:<operator>‘<value>’. The <operator> is optional to input. For example, to search the username d3user-C, the filter expression would be username: "d3user-C".
The following are commonly used operators and their associated meanings:
+ = and
, = or
! = not equal to
For the list of filterable property names, see Account and Login Filters.
Input
Input Parameter | Required/Optional | Description | Example |
Filter | Optional | The query to filter results. For more information about the query syntax, see Crowdstrike Falcon Query Language. | admin_privileges:'Yes'+ last_successful_login_timestamp:>'now-7d' |
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Accounts and Logins failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the CrowdStrike Discover portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: ****** filter is invalid, cannot be parsed. |
Error Sample Data List Accounts and Logins failed. Status Code: 400. Message: ****** filter is invalid, cannot be parsed. |
List Assets
Retrieves details on the assets matching the input Falcon Query Language (FQL) query statement.
Reader Note
Filter allows you to define the search query. Refer to Falcon Query Language (FQL) from Crowdstrike’s documentation for more information about the syntax. You can run this command with no filter expressions defined to see the queryable property names in the returned raw data.
The basic syntax is: property_name:<operator>‘<value>’. The <operator> is optional to input. For example, to search the username d3user-C, the filter expression would be username: "d3user-C".
The following are commonly used operators and their associated meanings:
+ = and
, = or
! = not equal to
For the list of filterable property names, see Asset Filters.
Input
Input Parameter | Required/Optional | Description | Example |
Filter | Optional | The query to filter results. For more information about the query syntax, see Crowdstrike Falcon Query Language. | entity_type:'managed'+product_type_desc:'Workstation'+hostname:'DESKTOP-***' |
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Assets failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the CrowdStrike Discover portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: ****** filter is invalid, cannot be parsed. |
Error Sample Data List Assets failed. Status Code: 400. Message: ****** filter is invalid, cannot be parsed. |
List Logins
Retrieves details on the logins matching the input Falcon Query Language (FQL) query statement. Note: A single login ID in Falcon may consist of one or multiple login attempts, whether they are all successful or failed. These attempts are made by a single account on a particular asset within a designated time frame. For information about how logins are defined in CrowdStrike, see Understanding Logins.
Reader Note
Filter allows you to define the search query. Refer to Falcon Query Language (FQL) from Crowdstrike’s documentation for more information about the syntax. You can run this command with no filter expressions defined to see the queryable property names in the returned raw data.
The basic syntax is: property_name:<operator>‘<value>’. The <operator> is optional to input. For example, to search the username d3user-C, the filter expression would be username: "d3user-C".
The following are commonly used operators and their associated meanings:
+ = and
, = or
! = not equal to
For the list of filterable property names, see Account and Login Filters.
Input
Input Parameter | Required/Optional | Description | Example |
Filter | Optional | The query to filter results. For more information about the query syntax, see Crowdstrike Falcon Query Language. | login_status:'Failed'+login_timestamp:>'now-5d' |
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Error Sample Data List Logins failed. Status Code: 400. Message: ****** filter is invalid, cannot be parsed. |
Test Connection
Allows you to perform a health check on an integration connection. You can schedule a periodic health check by selecting Connection Health Check when editing an integration connection.
Input
N/A
Output
Error Handling
If the Return Data is failed, an Error tab will appear in the Test Result window.
The error tab contains the responses from the third-party API calls including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Test Connection failed:Get accesstoken failed |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the CrowdStrike Discover portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Test Connection failed:Get accesstoken failed |
Error Sample Data Test Connection failed:Get accesstoken failed Status Code: 400. Message: Test Connection failed:Get accesstoken failed |