Admin Guide

Synapse-CrowdStrike Admin Guide

Configuration

Synapse-CrowdStrike requires a CrowdStrike OAuth2 API client (a client ID and client secret). Falcon Administrators can create new API clients, or manage existing ones, from the API Clients and Keys page of the CrowdStrike console. When creating the client, grant it only the read scopes the power-up needs for enrichment; the client secret is sensitive and should be handled like any other credential.

Setting the API base URL

By default, Synapse-CrowdStrike uses https://api.crowdstrike.com as the base URL when making requests. If your Falcon tenant is hosted on a different CrowdStrike cloud (for example US-2 or EU-1), that cloud has its own API base URL; use the crowdstrike.setup.url command to set the base URL for your cloud. Check the value carefully before saving it, since the API client secret will be sent to whatever host is configured here.

> crowdstrike.setup.url https://api.us-2.crowdstrike.com
Setting CrowdStrike URL to https://api.us-2.crowdstrike.com for all users.

Setting an API client for global use

To set up a global API client, shared by all users of the Cortex:

> crowdstrike.setup.client myclientid mysecret
Setting CrowdStrike API client configuration for all users.

Using per-user API clients

A user may set up their own API client, which applies only to that user:

> crowdstrike.setup.client --self myclientid mysecret
Setting CrowdStrike API client configuration for the current user.
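Before storing an API client with crowdstrike.setup.client (globally or with --self), it is worth confirming that the client ID and secret actually work against the base URL you intend to configure: a mistyped host or a revoked client is easier to diagnose here than as a failed enrichment inside the power-up. The following Python script is an added example and is not part of Synapse-CrowdStrike. It performs the standard CrowdStrike OAuth2 client-credentials exchange (a form-encoded POST to /oauth2/token) and refuses to send the secret to anything other than an https host under crowdstrike.com. The FALCON_CLIENT_SECRET environment variable name, the fake_opener helper and the sample token response are assumptions made for this example.

```python
"""Pre-flight check of a CrowdStrike OAuth2 API client and cloud base URL.

Added example, not part of Synapse-CrowdStrike. Run it before handing the
client ID and secret to crowdstrike.setup.client.
"""
import io
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

TOKEN_PATH = "/oauth2/token"  # CrowdStrike OAuth2 client-credentials endpoint

# Constructed sample of a successful token response (not captured from a live tenant).
SAMPLE_TOKEN_RESPONSE = (
    b'{"access_token": "eyJhbGciOiJSUzI1NiJ9.example.signature",'
    b' "expires_in": 1799, "token_type": "bearer"}'
)


def validate_base_url(url: str) -> str:
    """Return a normalised base URL, or raise ValueError.

    Only https URLs whose host is under crowdstrike.com, with no path, query,
    fragment or embedded credentials, are accepted. This catches a mistyped or
    look-alike host before the client secret is ever sent to it.
    """
    parts = urllib.parse.urlsplit(url.strip())
    if parts.scheme != "https":
        raise ValueError(f"base URL must use https: {url!r}")
    host = (parts.hostname or "").lower()
    if host != "crowdstrike.com" and not host.endswith(".crowdstrike.com"):
        raise ValueError(f"host is not under crowdstrike.com: {host!r}")
    if parts.username or parts.password:
        raise ValueError("base URL must not embed credentials")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError(f"base URL must be scheme and host only: {url!r}")
    port = f":{parts.port}" if parts.port else ""
    return f"https://{host}{port}"


def build_token_request(base_url: str, client_id: str, client_secret: str) -> urllib.request.Request:
    """Build the client-credentials POST that exchanges the API client for a bearer token."""
    body = urllib.parse.urlencode({"client_id": client_id, "client_secret": client_secret}).encode()
    return urllib.request.Request(
        validate_base_url(base_url) + TOKEN_PATH,
        data=body,
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"},
    )


def parse_token_response(body: bytes) -> dict:
    """Summarise a token response for the operator; the token itself is never returned."""
    doc = json.loads(body)
    if "access_token" not in doc:
        errors = doc.get("errors") or [{"message": "no access_token in response"}]
        raise RuntimeError("; ".join(str(e.get("message", e)) for e in errors))
    return {
        "token_type": doc.get("token_type", ""),
        "expires_in": int(doc.get("expires_in", 0)),
        "token_length": len(doc["access_token"]),
    }


def check_client(base_url: str, client_id: str, client_secret: str, opener=urllib.request.urlopen) -> dict:
    """Request a token and return a summary dict. `opener` is injectable for offline use."""
    req = build_token_request(base_url, client_id, client_secret)
    try:
        with opener(req, timeout=15) as resp:
            return parse_token_response(resp.read())
    except urllib.error.HTTPError as exc:
        # A bad client ID/secret comes back as a 4xx with a JSON "errors" list;
        # report it without echoing the secret anywhere.
        raise RuntimeError(f"HTTP {exc.code}: {exc.read().decode(errors='replace')[:200]}") from exc


def fake_opener(req, timeout=None):
    """Offline stand-in for urlopen that answers with the constructed sample response."""
    return io.BytesIO(SAMPLE_TOKEN_RESPONSE)


if __name__ == "__main__":
    # Usage: FALCON_CLIENT_SECRET=<secret> python check_client.py <base-url> <client-id>
    # The secret is read from the environment (assumed variable name) so that it
    # does not end up in shell history or process listings.
    if len(sys.argv) != 3 or "FALCON_CLIENT_SECRET" not in os.environ:
        sys.exit("usage: FALCON_CLIENT_SECRET=<secret> check_client.py <base-url> <client-id>")
    summary = check_client(sys.argv[1], sys.argv[2], os.environ["FALCON_CLIENT_SECRET"])
    print(f"OK: {summary['token_type']} token, expires in {summary['expires_in']}s")
```

Run it with the same base URL you plan to pass to crowdstrike.setup.url; if the token request succeeds, the same client ID and secret can be given to crowdstrike.setup.client. The host check deliberately rejects look-alike domains such as api.crowstrike.com, so a typo in the URL fails here rather than leaking the secret to a third party.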

Dependencies

Synapse-CrowdStrike does not have any dependencies.

Permissions

The package (synapse-crowdstrike) defines the following permission:
power-ups.crowdstrike.user       : Controls user access to Synapse-CrowdStrike. ( default: false )

Because the default is false, a user cannot use the power-up's commands or node actions until this rule has been added to their user or to one of their roles.

You may add rules to users/roles directly from Storm:

> auth.user.addrule visi power-ups.crowdstrike.user
Added rule power-ups.crowdstrike.user to user visi.

or:

> auth.role.addrule ninjas power-ups.crowdstrike.user
Added rule power-ups.crowdstrike.user to role ninjas.

Exported APIs

Synapse-CrowdStrike does not currently export any APIs.

Workflows

Synapse-CrowdStrike provides the following workflows in Optic:

Title: Configuration

Node Actions

Synapse-CrowdStrike provides the following node actions in Optic:

Name : indicators.enrich
Desc : Enrich nodes with indicators data from CrowdStrike
Forms: file:base, file:bytes, file:path, hash:md5, hash:sha1, hash:sha256, inet:email, inet:fqdn, inet:ipv4, inet:passwd, inet:url, inet:user, it:dev:mutex, ps:name, tel:phone

Name : vulns.enrich
Desc : Enrich nodes with vulnerability data from CrowdStrike
Forms: it:sec:cve, risk:vuln

Onload Events

Synapse-CrowdStrike does not use any onload events.