CrowdStrike Falcon

CrowdStrike Falcon is a cloud-native endpoint protection platform that provides real-time threat detection, prevention, and response capabilities

Category: EDR
Homepage: https://www.crowdstrike.com
Tags: endpoint-protection, threat-detection, incident-response, cloud-native, edr

Subscription Information

• Registration Required: Yes
• Subscription Required: Yes
• Free Subscription Available: No

Analyzers (11)

CrowdstrikeFalcon_Sandbox_Win7 v1.0

Send a file to CrowdstrikeFalcon Sandbox

• Author: Fabien Bloume, StrangeBee
• License: AGPL-V3
• Data Types: file
• Configuration: .upstream/cortex/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox_Win7.json (raw)

CrowdstrikeFalcon_Sandbox_Win7_64 v1.0

Send a file to CrowdstrikeFalcon Sandbox

• Author: Fabien Bloume, StrangeBee
• License: AGPL-V3
• Data Types: file
• Configuration: .upstream/cortex/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox_Win7_64.json (raw)

CrowdstrikeFalcon_getDeviceAlerts v1.0

Get Device alerts from Crowdstrike Falcon

• Author: Fabien Bloume, StrangeBee
• License: AGPL-V3
• Data Types: hostname
• Configuration: .upstream/cortex/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_getDeviceAlerts.json (raw)

CrowdstrikeFalcon_Sandbox_Android v1.0

Send a file to CrowdstrikeFalcon Sandbox

• Author: Fabien Bloume, StrangeBee
• License: AGPL-V3
• Data Types: file
• Configuration: .upstream/cortex/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox_Android.json (raw)

CrowdstrikeFalcon_Sandbox_MacOS v1.0

Send a file to CrowdstrikeFalcon Sandbox

• Author: Fabien Bloume, StrangeBee
• License: AGPL-V3
• Data Types: file
• Configuration: .upstream/cortex/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox_MacOS.json (raw)

CrowdstrikeFalcon_Sandbox_Win11 v1.0

Send a file to CrowdstrikeFalcon Sandbox

• Author: Fabien Bloume, StrangeBee
• License: AGPL-V3
• Data Types: file
• Configuration: .upstream/cortex/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox_Win11.json (raw)

CrowdstrikeFalcon_GetDeviceVulnerabilities v1.0

Get device vulnerabilities from hostname

• Author: Fabien Bloume, StrangeBee
• License: AGPL-V3
• Data Types: hostname
• Configuration: .upstream/cortex/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_GetDeviceVulnerabilities.json (raw)

CrowdstrikeFalcon_ThreatIntel v1.0

Query threat intelligence indicators from Crowdstrike Falcon Intelligence

• Author: Fabien Bloume, StrangeBee
• License: AGPL-V3
• Data Types: hash, domain, ip, url
• Configuration: .upstream/cortex/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_ThreatIntel.json (raw)

CrowdstrikeFalcon_Sandbox_Win10 v1.0

Send a file to CrowdstrikeFalcon Sandbox

• Author: Fabien Bloume, StrangeBee
• License: AGPL-V3
• Data Types: file
• Configuration: .upstream/cortex/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox_Win10.json (raw)

CrowdstrikeFalcon_getDeviceDetails v1.0

Get device information from Crowdstrike Falcon

• Author: Fabien Bloume, StrangeBee
• License: AGPL-V3
• Data Types: hostname
• Configuration: .upstream/cortex/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_getDeviceDetails.json (raw)

CrowdstrikeFalcon_Sandbox_Linux v1.0

Send a file to CrowdstrikeFalcon Sandbox

• Author: Fabien Bloume, StrangeBee
• License: AGPL-V3
• Data Types: file
• Configuration: .upstream/cortex/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox_Linux.json (raw)

---

Responders (9)

CrowdStrikeFalcon_unhideHost v1.0

This action will restore a host. Detection reporting will resume after the host is restored

• Author: Fabien Bloume, StrangeBee
• License: AGPL-V3
• Data Types: thehive:case_artifact
• Configuration: .upstream/cortex/responders/CrowdstrikeFalcon/CrowdstrikeFalcon_unhideHost.json (raw)

CrowdStrikeFalcon_suppressDetections v1.0

Supress detections for the host.

• Author: Fabien Bloume, StrangeBee
• License: AGPL-V3
• Data Types: thehive:case_artifact
• Configuration: .upstream/cortex/responders/CrowdstrikeFalcon/CrowdstrikeFalcon_suppressDetections.json (raw)

CrowdStrikeFalcon_HostContainment v1.0

This action contains the host, which stops any network communications to locations other than the CrowdStrike cloud and IPs specified in your containment policy

• Author: Fabien Bloume, StrangeBee
• License: AGPL-V3
• Data Types: thehive:case_artifact
• Configuration: .upstream/cortex/responders/CrowdstrikeFalcon/CrowdstrikeFalcon_containHost.json (raw)

CrowdStrikeFalcon_hideHost v1.0

This action will delete a host. After the host is deleted, no new detections for that host will be reported via UI or APIs

• Author: Fabien Bloume, StrangeBee
• License: AGPL-V3
• Data Types: thehive:case_artifact
• Configuration: .upstream/cortex/responders/CrowdstrikeFalcon/CrowdstrikeFalcon_hideHost.json (raw)

CrowdStrikeFalcon_LiftContainmentHost v1.0

This action lifts containment on the host, which returns its network communications to normal

• Author: Fabien Bloume, StrangeBee
• License: AGPL-V3
• Data Types: thehive:case_artifact
• Configuration: .upstream/cortex/responders/CrowdstrikeFalcon/CrowdstrikeFalcon_liftContainmentHost.json (raw)

CrowdStrikeFalcon_Sync v1.0

Sync TheHive status back to CS Alerts or Incidents

• Author: Fabien Bloume, StrangeBee
• License: AGPL-V3
• Data Types: thehive:case, thehive:alert
• Configuration: .upstream/cortex/responders/CrowdstrikeFalcon/CrowdStrikeFalcon_Sync.json (raw)

CrowdStrikeFalcon_AddIOC v1.0

Add IOC to IoC Management on Crowdstrike - supports domain, url, IPs & different kind of hashes

• Author: Fabien Bloume, StrangeBee
• License: AGPL-V3
• Data Types: thehive:case_artifact
• Configuration: .upstream/cortex/responders/CrowdstrikeFalcon/CrowdStrikeFalcon_AddIOC.json (raw)

CrowdStrikeFalcon_unsuppressDetections v1.0

Allow detections for the host.

• Author: Fabien Bloume, StrangeBee
• License: AGPL-V3
• Data Types: thehive:case_artifact
• Configuration: .upstream/cortex/responders/CrowdstrikeFalcon/CrowdstrikeFalcon_unsuppressDetection.json (raw)

CrowdStrikeFalcon_RemoveIOC v1.0

remove IOC from IoC Management on Crowdstrike

• Author: Fabien Bloume, StrangeBee
• License: AGPL-V3
• Data Types: thehive:case_artifact
• Configuration: .upstream/cortex/responders/CrowdstrikeFalcon/CrowdStrikeFalcon_removeIOC.json (raw)

---

Functions (1)

CRWDAlertIngestion v1.0.0

Ingests CrowdstrikeFalcon Alerts, also processes observables & TTPs.

• Kind: function
• Mode: Enabled
• File: integrations/vendors/CrowdstrikeFalcon/thehive/functions/crwd-alert-ingestion.js (raw)

---

Use Cases (2)

Synchronise status between TheHive alerts/cases and CrowdStrike detections/incidents

Keep case/alert status in sync between TheHive and CrowdStrike Falcon using notifications and the CrowdStrikeFalcon_Sync responder.

Tags: status, sync, crowdstrike, thehive, automation 📄 Documentation (raw)

---

Ingest CrowdStrike Falcon Detections and Incidents into TheHive Using an External Script

TO DO LATER

Tags: alert-ingestion, crowdstrike, thehive, automation 📄 Documentation (raw)

---

External Integrations (1)

External integrations that connect CrowdStrike Falcon with TheHive:

falcon2thehive

Real-time connector that streams CrowdStrike Falcon detection events into TheHive, turning Falcon alerts into actionable TheHive Alerts. Supports DetectionSummaryEvent, IdentityProtectionEvent, and MobileDetectionSummaryEvent with automatic observable extraction and TTP mapping.

Type: connector Documentation: https://github.com/StrangeBeeCorp/falcon2thehive

---

Statistics

• Total Analyzers: 11
• Total Responders: 9
• Total Functions: 1
• Total External Integrations: 1
• Total Integrations: 22

---

This file is auto-generated from the integration manifest. Do not edit manually.