Package Documentation
Storm Package: synapse-crowdstrike
The following Commands are available from this package. This documentation is generated for version 1.0.0 of the package.
Storm Commands
This package implements the following Storm Commands.
crowdstrike.actors.search
Search for actors using specific search parameters.
This command will create an it:exec:query node to represent the
query syntax and link resulting nodes to it via -(found)> edges.
The --since-last option can be used to retrieve new results since the last
run of the command with a specified query string. When using --since-last,
the last_modified_date value of the most recent result will be stored in the
:offset property of the associated it:exec:query node. This means that the
offset will be tracked per-view and may be overwritten if the same query is
run in multiple forks and subsequently merged.
Examples:
// Search for actors with a specific country of origin and yield the results
crowdstrike.actors.search --origins china --size 2 --yield
// Search for actors last modified in a specific time range
crowdstrike.actors.search --size 5 --last-modified (2024-01-01, 2024-01-07) --yield
// Search for actors last modified in a relative time range
crowdstrike.actors.search --size 5 --last-modified (now, -7days) --yield
// Create a cron job to ingest new results for a search every day
cron.add --name "Utilities Actors Feed" --hour 3
{ crowdstrike.actors.search --target-industries Utilities --since-last }
Usage: crowdstrike.actors.search [options]
Options:
--help : Display the command usage.
--query <query> : Perform a generic phrase match search across all fields.
--id <id> : Retrieve actors by ID.
--name <name> : Search for actors by name.
--motivations <motivations> : Filter by actors with specific motivations. Ex "criminal".
--origins <origins> : Filter by actors with specific countries of origin. Ex "china".
--target-countries <target_countries>: Filter by actors which target specific countries. Ex "china".
--target-industries <target_industries>: Filter by actors which target specific industries. Ex "aerospace".
--created <created> : Filter by actors created within a time range.
--last-modified <last_modified>: Filter by actors last modified within a time range.
--first-activity <first_activity>: Filter by actors with a first activity date within a specific time range.
--last-activity <last_activity>: Filter by actors with a last activity date within a specific time range.
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size.
--yield : Yield the newly created nodes.
--since-last : Retrieve results since the last run of the command with --since-last specified.
--config <config> : The Synapse-CrowdStrike configuration to use. (default: None)
The command is accessible to users with one or more of the following permissions:
power-ups.crowdstrike.admin
power-ups.crowdstrike.user
crowdstrike.config.add
Add a Synapse-CrowdStrike configuration.
The proxy argument can be set to one of the following values:
true: Use the Cortex configured proxy if set.
false: Do not use the Cortex configured proxy if set.
<str>: A proxy URL to use.
Examples:
// Add a global OAuth2 configuration
crowdstrike.config.add default abcd1234 secret1234
// Add a per-user OAuth2 configuration
crowdstrike.config.add myconfig abcd1234 secret1234 --scope self
// Add a configuration without validating credentials
crowdstrike.config.add default abcd1234 secret1234 --no-check
Usage: crowdstrike.config.add [options] <name> <clientid> <secret>
Options:
--help : Display the command usage.
--baseurl <baseurl> : The CrowdStrike API base URL. (default: https://api.crowdstrike.com)
--ssl-noverify : Do not perform SSL/TLS verification.
--proxy <proxy> : Configure the proxy usage. (default: True)
--tag-prefix <tag_prefix> : The tag prefix to use when recording data from CrowdStrike. (default: rep.crowdstrike)
--scope <scope> : Set the scope on the configuration. (default: global, choices: global, self, unscoped)
--no-check : Skip credential validation.
Arguments:
<name> : A unique name for the configuration.
<clientid> : The CrowdStrike OAuth2 API client ID.
<secret> : The CrowdStrike OAuth2 API client secret.
The command is accessible to users with one or more of the following permissions:
power-ups.crowdstrike.admin
power-ups.crowdstrike.user
crowdstrike.config.del
Delete a Synapse-CrowdStrike configuration.
Examples:
// Delete the "myconfig" configuration
crowdstrike.config.del myconfig
Usage: crowdstrike.config.del [options] <name>
Options:
--help : Display the command usage.
Arguments:
<name> : The name of the configuration.
The command is accessible to users with one or more of the following permissions:
power-ups.crowdstrike.admin
power-ups.crowdstrike.user
crowdstrike.config.list
Display the list of Synapse-CrowdStrike configurations you have access to.
Usage: crowdstrike.config.list [options]
Options:
--help : Display the command usage.
The command is accessible to users with one or more of the following permissions:
power-ups.crowdstrike.admin
power-ups.crowdstrike.user
crowdstrike.config.migrate
Migrate options for all Synapse-CrowdStrike configurations.
The proxy argument can be set to one of the following values:
true: Use the Cortex configured proxy if set.
false: Do not use the Cortex configured proxy if set.
<str>: A proxy URL to use.
Examples:
// Migrate the tag prefix for all configurations
crowdstrike.config.migrate --tag-prefix my.tagpref
// Migrate the base URL for all configurations
crowdstrike.config.migrate --baseurl https://api.us-2.crowdstrike.com
Usage: crowdstrike.config.migrate [options]
Options:
--help : Display the command usage.
--ssl-verify <ssl_verify> : Set whether to verify the SSL certificate of the server. (default: None)
--proxy <proxy> : Configure the proxy usage. (default: None)
--tag-prefix <tag_prefix> : The tag prefix to use when recording data from CrowdStrike. (default: None)
--baseurl <baseurl> : The CrowdStrike API base URL. (default: None)
The command is accessible to users with one or more of the following permissions:
power-ups.crowdstrike.admin
crowdstrike.config.show
Show the details of a configuration.
Examples:
// Show the in-use configuration for the current user
crowdstrike.config.show
// Show a configuration by name
crowdstrike.config.show myconfig
Usage: crowdstrike.config.show [options] <name>
Options:
--help : Display the command usage.
Arguments:
[name] : The name of the configuration.
The command is accessible to users with one or more of the following permissions:
power-ups.crowdstrike.admin
power-ups.crowdstrike.user
crowdstrike.config.update
Update the configuration of a defined Synapse-CrowdStrike configuration.
The proxy argument can be set to one of the following values:
true: Use the Cortex configured proxy if set.
false: Do not use the Cortex configured proxy if set.
<str>: A proxy URL to use.
Examples:
// Set the permission level for user "myuser" to "admin" on the "myconfig" configuration
crowdstrike.config.update myconfig --perm user myuser admin
// Change the name of the "myconfig" configuration to "otherconfig"
crowdstrike.config.update myconfig --name otherconfig
Usage: crowdstrike.config.update [options] <config>
Options:
--help : Display the command usage.
--clientid <clientid> : The CrowdStrike OAuth2 API client ID. (default: None)
--secret <secret> : The CrowdStrike OAuth2 API client secret. (default: None)
--baseurl <baseurl> : The CrowdStrike API base URL. (default: None)
--ssl-verify <ssl_verify> : Set whether to verify the SSL certificate of the server. (default: None)
--proxy <proxy> : Configure the proxy usage. (default: None)
--tag-prefix <tag_prefix> : The tag prefix to use when recording data from CrowdStrike. (default: None)
--name <name> : Rename the configuration. (default: None)
--perm <perm> : Set the permission level for a user or role on this configuration.
Arguments to this option are "scope", "name", "level":
<scope>: The scope for the permission, either "user" or "role".
<name>: The user/role name depending on scope.
<level>: The $lib.auth.easyperm.level, or None to remove the permission.
(default: None)
--no-check : Skip credential validation.
Arguments:
<config> : The name of the configuration to modify.
The command is accessible to users with one or more of the following permissions:
power-ups.crowdstrike.admin
power-ups.crowdstrike.user
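The following Storm walkthrough ties the config commands above together into one lifecycle: add a per-user configuration that uses an explicit proxy URL, grant a role access, rotate the secret, review the result, and then pick that configuration explicitly when searching. It is an added example, not part of the generated package documentation; the client ID, the secrets, the proxy host and the "analysts" role are placeholders assumed for illustration.

```storm
// Add a configuration scoped to the current user that routes CrowdStrike API
// calls through an explicit proxy URL (client ID, secret and proxy host are
// placeholders, not real values). Credentials are validated unless --no-check is given.
crowdstrike.config.add myconfig CLIENTID_PLACEHOLDER SECRET_PLACEHOLDER
    --proxy http://proxy.example.internal:3128
    --tag-prefix rep.crowdstrike
    --scope self

// Give the "analysts" role (assumed to exist in this Cortex) read-level
// access to the configuration; "read" is one of the $lib.auth.easyperm.level values
| crowdstrike.config.update myconfig --perm role analysts read

// Rotate the client secret; the new credential is validated against the API
| crowdstrike.config.update myconfig --secret NEWSECRET_PLACEHOLDER

// Review what was stored and which configurations are visible to you
| crowdstrike.config.show myconfig
| crowdstrike.config.list

// Select the configuration explicitly instead of relying on the in-use default
| crowdstrike.actors.search --origins china --size 2 --config myconfig --yield
```

The pipes are required when the commands are run as a single Storm query, because a Storm command consumes everything up to the next "|" as its arguments; run each line as its own query and the pipes can be dropped.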
crowdstrike.indicators.enrich
Enrich a node with indicator data from CrowdStrike.
Examples:
// Enrich a hash:md5 node
hash:md5 | limit 1 | crowdstrike.indicators.enrich
// Enrich an inet:ipv4 node and add "related indicators"
inet:ipv4 | limit 1 | crowdstrike.indicators.enrich --add-related
Usage: crowdstrike.indicators.enrich [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size.
--yield : Yield the newly created nodes.
--no-labels : Skip adding tags for indicator labels.
--add-related : Ingest "related indicators" data and link them using "_crowdstrike:related" edges.
--config <config> : The Synapse-CrowdStrike configuration to use. (default: None)
Inputs:
file:base : file:base nodes
file:bytes : file:bytes nodes
file:path : file:path nodes
hash:md5 : hash:md5 nodes
hash:sha1 : hash:sha1 nodes
hash:sha256 : hash:sha256 nodes
inet:email : inet:email nodes
inet:fqdn : inet:fqdn nodes
inet:ipv4 : inet:ipv4 nodes
inet:passwd : inet:passwd nodes
inet:url : inet:url nodes
inet:user : inet:user nodes
it:dev:mutex : it:dev:mutex nodes
ps:name : ps:name nodes
tel:phone : tel:phone nodes
The command is accessible to users with one or more of the following permissions:
power-ups.crowdstrike.admin
power-ups.crowdstrike.user
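The example below shows the pieces of crowdstrike.indicators.enrich that the one-line examples above leave implicit: creating the input node in the same query so it runs on its own, the difference between the default pass-through behaviour and --yield, walking the "_crowdstrike:related" edges created by --add-related, and filtering on the default tag prefix. It is an added example, not code from the package documentation; the sample address comes from the TEST-NET-1 documentation range and is constructed, the edge direction (enriched node to related indicator) and the placement of label tags beneath rep.crowdstrike are assumptions.

```storm
// Constructed sample indicator from the TEST-NET-1 documentation range, not a
// real observable; creating it here lets the pipeline run stand-alone
[ inet:ipv4=192.0.2.10 ]

// Enrich the node and also ingest CrowdStrike's "related indicators". Without
// --yield the input inet:ipv4 node is what continues down the pipeline.
| crowdstrike.indicators.enrich --add-related

// Walk the _crowdstrike:related light edges to the related indicators
// (assumed to point from the enriched node to its related indicators)
| -(_crowdstrike:related)> *

// Keep only nodes that received label tags under the default --tag-prefix
// (assumes labels are recorded beneath rep.crowdstrike)
| +#rep.crowdstrike

// Variant: emit the newly created nodes instead of the input node, capped at 10
| inet:ipv4=192.0.2.10
| crowdstrike.indicators.enrich --yield --size 10
```

The second variant is useful when the goal is to tag or review what the enrichment added rather than to continue pivoting from the original indicator.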
crowdstrike.indicators.search
Search for indicators using specific search parameters.
This command will create an it:exec:query node to represent the
query syntax and link resulting nodes to it via -(found)> edges.
The --since-last option can be used to retrieve new results since the last
run of the command with a specified query string. When using --since-last,
the last_updated value of the most recent result will be stored in the
:offset property of the associated it:exec:query node. This means that the
offset will be tracked per-view and may be overwritten if the same query is
run in multiple forks and subsequently merged.
Examples:
// Search for indicators in a specific malware family and yield the results
crowdstrike.indicators.search --malware-family Mofksys --yield
// Search for indicators using a generic phrase and add related indicators
crowdstrike.indicators.search --size 5 --query ransomware --yield
// Search for indicators of specific types
crowdstrike.indicators.search --size 5 --type "url,domain,ip_address" --yield
// Search for indicators published in a specific time range
crowdstrike.indicators.search --size 5 --published (2024-01-01, 2024-01-07) --yield
// Search for indicators published in a relative time range
crowdstrike.indicators.search --size 5 --published (now, -7days) --yield
// Create a cron job to ingest new results for a search every day
cron.add --name "Ransomware Feed" --hour 3
{ crowdstrike.indicators.search --query ransomware --since-last }
Usage: crowdstrike.indicators.search [options]
Options:
--help : Display the command usage.
--query <query> : Perform a generic phrase match search across all fields.
--actor <actor> : Filter indicators by threat actor.
--reports <reports> : Filter indicators by the reports they are associated with.
--malware-family <malware_family>: Filter indicators by malware family. Ex "Mofksys".
--threat-type <threat_type> : Filter indicators by threat type. Ex "ddos".
--type <type> : Filter indicators by type such as "ip_address", "domain", "url", etc.
--targets <targets> : Filter by indicators with specific target industries. Ex "aerospace".
--vulnerabilities <vulnerabilities>: Filter by indicators associated with specific vulnerabilities. Ex "CVE-2018-0798"
--last-updated <last_updated>: Filter by indicators last updated within a time range.
--published <published> : Filter by indicators published within a time range.
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size.
--yield : Yield the newly created nodes.
--since-last : Retrieve results since the last run of the command with --since-last specified.
--no-labels : Skip adding tags for indicator labels.
--add-related : Ingest "related indicators" data and link them using "_crowdstrike:related" edges.
--config <config> : The Synapse-CrowdStrike configuration to use. (default: None)
The command is accessible to users with one or more of the following permissions:
power-ups.crowdstrike.admin
power-ups.crowdstrike.user
crowdstrike.reports.search
Search for reports using specific search parameters.
This command will create an it:exec:query node to represent the
query syntax and link resulting nodes to it via -(found)> edges.
The --since-last option can be used to retrieve new results since the last
run of the command with a specified query string. When using --since-last,
the last_modified_date value of the most recent result will be stored in the
:offset property of the associated it:exec:query node. This means that the
offset will be tracked per-view and may be overwritten if the same query is
run in multiple forks and subsequently merged.
Examples:
// Search for reports about specific target countries and yield the results
crowdstrike.reports.search --target-countries china --size 2 --yield
// Search for reports using a generic phrase match and download the associated pdf
crowdstrike.reports.search --size 2 --query ransomware --download-pdf --yield
// Search for reports last modified in a specific time range
crowdstrike.reports.search --size 5 --last-modified (2024-01-01, 2024-01-07) --yield
// Search for reports last modified in a relative time range
crowdstrike.reports.search --size 5 --last-modified (now, -7days) --yield
// Create a cron job to ingest new results for a search every day
cron.add --name "Ransomware Feed" --hour 3
{ crowdstrike.reports.search --query ransomware --download-pdf --since-last }
Usage: crowdstrike.reports.search [options]
Options:
--help : Display the command usage.
--query <query> : Perform a generic phrase match search across all fields.
--id <id> : Retrieve reports by ID.
--actors <actors> : Filter by reports related to a threat actor.
--motivations <motivations> : Filter reports by motivation. Ex "criminal".
--target-countries <target_countries>: Filter reports by targeted countries. Ex "china".
--target-industries <target_industries>: Filter reports by targeted industries. Ex "aerospace".
--type <type> : Filter by reports of a specific type. Ex "notice".
--tags <tags> : Filter by reports with specific tags. Ex "intel_feed".
--created <created> : Filter by reports created within a time range.
--last-modified <last_modified>: Filter by reports last modified within a time range.
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size.
--yield : Yield the newly created nodes.
--since-last : Retrieve results since the last run of the command with --since-last specified.
--download-pdf : Download PDF versions of reports to the Axon.
--no-parse : If --download-pdf is specified, skip parsing reports with Fileparser.
--config <config> : The Synapse-CrowdStrike configuration to use. (default: None)
The command is accessible to users with one or more of the following permissions:
power-ups.crowdstrike.admin
power-ups.crowdstrike.user
crowdstrike.vulns.enrich
Enrich a node with vulnerability data from CrowdStrike.
Due to limitations with the reports API, related reports are ingested
by querying the report name using the serial ID returned in the vulnerability
response (e.g. "name:~'CSA-18380'").
Examples:
// Enrich a risk vuln node
risk:vuln:cve=cve-2012-0158 | crowdstrike.vulns.enrich
// Skip ingesting related reports
risk:vuln:cve=cve-2012-0158 | crowdstrike.vulns.enrich --skip-reports
Usage: crowdstrike.vulns.enrich [options]
Options:
--help : Display the command usage.
--skip-reports : Skip ingesting associated reports.
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size.
--yield : Yield the newly created nodes.
--config <config> : The Synapse-CrowdStrike configuration to use. (default: None)
Inputs:
it:sec:cve : it:sec:cve nodes
risk:vuln : risk:vuln nodes
The command is accessible to users with one or more of the following permissions:
power-ups.crowdstrike.admin
power-ups.crowdstrike.user
crowdstrike.vulns.search
Search for vulnerabilities using specific search parameters.
Due to limitations with the vulnerabilities API only the first 50,000
results will be retrieved.
Due to limitations with the reports API, related reports are ingested
by querying the report name using the serial ID returned in the vulnerability
response (e.g. "name:~'CSA-18380'").
This command will create an it:exec:query node to represent the
query syntax and link resulting nodes to it via -(found)> edges.
The --since-last option can be used to retrieve new results since the last
run of the command with a specified query string. When using --since-last,
the updated_timestamp value of the most recent result will be stored in the
:offset property of the associated it:exec:query node. This means that the
offset will be tracked per-view and may be overwritten if the same query is
run in multiple forks and subsequently merged.
Examples:
// Search for vulns using a generic phrase match
crowdstrike.vulns.search --query lockbit --yield
// Skip ingesting related reports
crowdstrike.vulns.search --skip-reports --yield --size 5
// Create a cron job to ingest updated vulnerabilities every day
cron.add --name "CrowdStrike Vuln Feed" --hour 3
{ crowdstrike.vulns.search --since-last }
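All four search commands on this page (crowdstrike.actors.search, crowdstrike.indicators.search, crowdstrike.reports.search and crowdstrike.vulns.search) record their query as an it:exec:query node, link results with -(found)> edges and, under --since-last, keep a watermark in :offset. The queries below show how to find that node, read the offset and walk to the results, using the indicators search as the instance. This is an added example, not part of the package documentation; it assumes the package stores the command text in the :text property of it:exec:query, and each stanza is meant to be run as a separate Storm query.

```storm
// Stanza 1: run a search once. Without --yield nothing is emitted downstream;
// the result nodes are created and linked to the it:exec:query node.
crowdstrike.indicators.search --query ransomware --size 5

// Stanza 2: locate the query node for that search and read the watermark.
// Assumption: the command text is stored in :text, so a prefix lift finds it.
it:exec:query:text^="crowdstrike.indicators.search"
    | $lib.print("query={t} offset={o}", t=:text, o=:offset)

// Stanza 3: walk from the query node to every result linked by a -(found)> edge
it:exec:query:text^="crowdstrike.indicators.search" -(found)> *

// Stanza 4: re-run with --since-last. Only results whose last_updated value is
// newer than :offset are ingested and the offset advances. Because :offset lives
// on the node in the current view, keep a recurring feed in a single view (as in
// the cron examples above) instead of running it in several forks that are merged.
crowdstrike.indicators.search --query ransomware --since-last
```

Stanza 2 is the check to run when a --since-last feed appears to return nothing new: a stale or unexpectedly advanced :offset on the query node is the first thing to rule out.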
Usage: crowdstrike.vulns.search [options]
Options:
--help : Display the command usage.
--query <query> : Perform a generic phrase match search across all fields.
--cve <cve> : Retrieve vulns by CVE ID.
--exploit-status <exploit_status>: Filter vulns by exploit status. (choices: unproven, available, easilyaccessible, activelyused)
--related-threats <related_threats>: Filter vulns by threat name associated with the vuln.
--related-actors <related_actors>: Filter vulns by a named actor associated with the vuln.
--skip-reports : Skip ingesting associated reports.
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size.
--yield : Yield the newly created nodes.
--since-last : Retrieve results since the last run of the command with --since-last specified.
--config <config> : The Synapse-CrowdStrike configuration to use. (default: None)
The command is accessible to users with one or more of the following permissions:
power-ups.crowdstrike.admin
power-ups.crowdstrike.user
Storm Modules
This package does not export any Storm APIs.