Synapse-CrowdStrike Admin Guide
Configuration
Synapse-CrowdStrike requires a CrowdStrike OAuth2 API client_id and client_secret.
Falcon Administrators can manage or create API clients from the API Clients and Keys
page of the CrowdStrike console.
Setting an API client for global use
To set up a global OAuth2 configuration:
> crowdstrike.config.add default myclientid mysecret --no-check
Synapse-CrowdStrike config "default" added
Creating a configuration for role-based use
Add an unscoped configuration and grant permissions to another user or role:
> crowdstrike.config.add myunscoped myclientid mysecret --scope unscoped --no-check
Synapse-CrowdStrike config "myunscoped" added
Grant another user admin permissions to the new configuration:
> crowdstrike.config.update myunscoped --perm user visi admin
Updated Synapse-CrowdStrike config "myunscoped"
Grant a role read permissions to the new configuration:
> crowdstrike.config.update myunscoped --perm role ninjas read
Updated Synapse-CrowdStrike config "myunscoped"
Configuring a non-default API base URL
For tenants hosted outside the default US-1 region, specify the base URL when adding the configuration:
> crowdstrike.config.add default myclientid mysecret --baseurl https://api.us-2.crowdstrike.com --no-check
Synapse-CrowdStrike config "default" added
Overriding the proxy configuration
To override the default proxy configuration of the Cortex, the user must hold either the
power-ups.crowdstrike.admin or the storm.lib.inet.http.proxy permission.
When the proxy configuration is set to (false) or to a URL, that permission is checked both
when the configuration is created or updated and whenever the configuration is used to make an HTTP request.
Dependencies
Synapse-CrowdStrike does not have any dependencies.
Permissions
Package (synapse-crowdstrike) defines the following permissions:
power-ups.crowdstrike.user : Controls user access to Synapse-CrowdStrike. ( default: false )
power-ups.crowdstrike.admin : Controls access to Synapse-CrowdStrike admin options. ( default: false )
You may add rules to users/roles directly from Storm:
> auth.user.addrule visi power-ups.crowdstrike.user
Added rule power-ups.crowdstrike.user to user visi.
or:
> auth.role.addrule ninjas power-ups.crowdstrike.user
Added rule power-ups.crowdstrike.user to role ninjas.
Exported APIs
Synapse-CrowdStrike does not currently export any APIs.
Workflows
Synapse-CrowdStrike provides the following workflows in Optic:
Title: Configuration
Node Actions
Synapse-CrowdStrike provides the following node actions in Optic:
Name : indicators.enrich
Desc : Enrich nodes with indicators data from CrowdStrike
Forms: file:base, file:bytes, file:path, hash:md5, hash:sha1, hash:sha256, inet:email, inet:fqdn, inet:ipv4, inet:passwd, inet:url, inet:user, it:dev:mutex, ps:name, tel:phone
Name : vulns.enrich
Desc : Enrich nodes with vulnerability data from CrowdStrike
Forms: it:sec:cve, risk:vuln