Package Documentation
Storm Package: synapse-crowdstrike
The following Commands are available from this package. This documentation is generated for version 0.4.0 of the package.
Storm Commands
This package implements the following Storm Commands.
crowdstrike.actors.search
Search for actors using specific search parameters.
This command will create an it:exec:query node to represent the
query syntax and link resulting nodes to it via -(found)> edges.
The --since-last option can be used to retrieve new results since the last
run of the command with a specified query string. When using --since-last,
the last_modified_date value of the most recent result will be stored in the
:offset property of the associated it:exec:query node. This means that the
offset will be tracked per-view and may be overwritten if the same query is
run in multiple forks and subsequently merged.
Examples:
// Search for actors with a specific country of origin and yield the results
crowdstrike.actors.search --origins china --size 2 --yield
// Search for actors last modified in a specific time range
crowdstrike.actors.search --size 5 --last-modified (2024-01-01, 2024-01-07) --yield
// Search for actors last modified in a relative time range
crowdstrike.actors.search --size 5 --last-modified (now, -7days) --yield
// Create a cron job to ingest new results for a search every day
cron.add --name "Utilities Actors Feed" --hour 3
{ crowdstrike.actors.search --target-industries Utilities --since-last }
Usage: crowdstrike.actors.search [options]
Options:
--help : Display the command usage.
--query <query> : Perform a generic phrase match search across all fields.
--id <id> : Retrieve actors by ID.
--name <name> : Search for actors by name.
--motivations <motivations> : Filter by actors with specific motivations. Ex "criminal".
--origins <origins> : Filter by actors with specific countries of origin. Ex "china".
--target-countries <target_countries>: Filter by actors which target specific countries. Ex "china".
--target-industries <target_industries>: Filter by actors which target specific industries. Ex "aerospace".
--created <created> : Filter by actors created within a time range.
--last-modified <last_modified>: Filter by actors last modified within a time range.
--first-activity <first_activity>: Filter by actors with a first activity date within a specific time range.
--last-activity <last_activity>: Filter by actors with a last activity date within a specific time range.
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size.
--yield : Yield the newly created nodes.
--since-last : Retrieve results since the last run of the command with --since-last specified.
crowdstrike.indicators.enrich
Enrich a node with indicator data from CrowdStrike.
Examples:
// Enrich a hash:md5 node
hash:md5 | limit 1 | crowdstrike.indicators.enrich
// Enrich an inet:ipv4 node and add "related indicators"
inet:ipv4 | limit 1 | crowdstrike.indicators.enrich --add-related
Usage: crowdstrike.indicators.enrich [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size.
--yield : Yield the newly created nodes.
--no-labels : Skip adding tags for indicator labels.
--add-related : Ingest "related indicators" data and link them using "_crowdstrike:related" edges.
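An added example, not part of the generated package documentation: after enriching a single address with --add-related, walk the "_crowdstrike:related" light edges out of that node to review what was linked, and confirm the label tags landed under the default prefix. It assumes the default "rep.crowdstrike" tag prefix and the edge name documented above; the 192.0.2.1 address is a constructed documentation-range value, not a real indicator.

```storm
// Added example, not from the package docs. Assumes the default
// "rep.crowdstrike" tag prefix and the "_crowdstrike:related" edge name.
// 192.0.2.1 is a constructed (TEST-NET) address used only for illustration.

// Enrich one IPv4 address and pull in its related indicators.
inet:ipv4=192.0.2.1 | crowdstrike.indicators.enrich --add-related

// Walk the related-indicator edges out of that node to see what was linked.
inet:ipv4=192.0.2.1 -(_crowdstrike:related)> *

// Keep only the node if the enrichment applied any rep.crowdstrike.* label tag.
inet:ipv4=192.0.2.1 +#rep.crowdstrike
```

Walking the edge with `*` as the target form returns every related indicator regardless of type; narrow it to a single form (for example `-(_crowdstrike:related)> inet:fqdn`) when reviewing one indicator type at a time.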
crowdstrike.indicators.search
Search for indicators using specific search parameters.
This command will create an it:exec:query node to represent the
query syntax and link resulting nodes to it via -(found)> edges.
The --since-last option can be used to retrieve new results since the last
run of the command with a specified query string. When using --since-last,
the last_updated value of the most recent result will be stored in the
:offset property of the associated it:exec:query node. This means that the
offset will be tracked per-view and may be overwritten if the same query is
run in multiple forks and subsequently merged.
Examples:
// Search for indicators in a specific malware family and yield the results
crowdstrike.indicators.search --malware-family Mofksys --yield
// Search for indicators using a generic phrase match and yield the results
crowdstrike.indicators.search --size 5 --query ransomware --yield
// Search for indicators of specific types
crowdstrike.indicators.search --size 5 --type "url,domain,ip_address" --yield
// Search for indicators published in a specific time range
crowdstrike.indicators.search --size 5 --published (2024-01-01, 2024-01-07) --yield
// Search for indicators published in a relative time range
crowdstrike.indicators.search --size 5 --published (now, -7days) --yield
// Create a cron job to ingest new results for a search every day
cron.add --name "Ransomware Feed" --hour 3
{ crowdstrike.indicators.search --query ransomware --since-last }
Usage: crowdstrike.indicators.search [options]
Options:
--help : Display the command usage.
--query <query> : Perform a generic phrase match search across all fields.
--actor <actor> : Filter indicators by threat actor.
--reports <reports> : Filter indicators by the reports they are associated with.
--malware-family <malware_family>: Filter indicators by malware family. Ex "Mofksys".
--threat-type <threat_type> : Filter indicators by threat type. Ex "ddos".
--type <type> : Filter indicators by type such as "ip_address", "domain", "url", etc.
--targets <targets> : Filter by indicators with specific target industries. Ex "aerospace".
--vulnerabilities <vulnerabilities>: Filter by indicators associated with specific vulnerabilities. Ex "CVE-2018-0798"
--last-updated <last_updated>: Filter by indicators last updated within a time range.
--published <published> : Filter by indicators published within a time range.
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size.
--yield : Yield the newly created nodes.
--since-last : Retrieve results since the last run of the command with --since-last specified.
--no-labels : Skip adding tags for indicator labels.
--add-related : Ingest "related indicators" data and link them using "_crowdstrike:related" edges.
crowdstrike.reports.search
Search for reports using specific search parameters.
This command will create an it:exec:query node to represent the
query syntax and link resulting nodes to it via -(found)> edges.
The --since-last option can be used to retrieve new results since the last
run of the command with a specified query string. When using --since-last,
the last_modified_date value of the most recent result will be stored in the
:offset property of the associated it:exec:query node. This means that the
offset will be tracked per-view and may be overwritten if the same query is
run in multiple forks and subsequently merged.
Examples:
// Search for reports about specific target countries and yield the results
crowdstrike.reports.search --target-countries china --size 2 --yield
// Search for reports using a generic phrase match and download the associated pdf
crowdstrike.reports.search --size 2 --query ransomware --download-pdf --yield
// Search for reports last modified in a specific time range
crowdstrike.reports.search --size 5 --last-modified (2024-01-01, 2024-01-07) --yield
// Search for reports last modified in a relative time range
crowdstrike.reports.search --size 5 --last-modified (now, -7days) --yield
// Create a cron job to ingest new results for a search every day
cron.add --name "Ransomware Feed" --hour 3
{ crowdstrike.reports.search --query ransomware --download-pdf --since-last }
Usage: crowdstrike.reports.search [options]
Options:
--help : Display the command usage.
--query <query> : Perform a generic phrase match search across all fields.
--id <id> : Retrieve reports by ID.
--actors <actors> : Filter by reports related to a threat actor.
--motivations <motivations> : Filter reports by motivation. Ex "criminal".
--target-countries <target_countries>: Filter reports by targeted countries. Ex "china".
--target-industries <target_industries>: Filter reports by targeted industries. Ex "aerospace".
--type <type> : Filter by reports of a specific type. Ex "notice".
--tags <tags> : Filter by reports with specific tags. Ex "intel_feed".
--created <created> : Filter by reports created within a time range.
--last-modified <last_modified>: Filter by reports last modified within a time range.
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size.
--yield : Yield the newly created nodes.
--since-last : Retrieve results since the last run of the command with --since-last specified.
--download-pdf : Download PDF versions of reports to the Axon.
--no-parse : If --download-pdf is specified, skip parsing reports with Fileparser.
crowdstrike.setup.client
Manage the CrowdStrike API client configuration.
Examples:
// Set global CrowdStrike API client configuration.
crowdstrike.setup.client abcd1234 secret1234
// Set CrowdStrike API client configuration for the current user.
crowdstrike.setup.client --self abcd1234 secret1234
// Display the scope of the current client configuration.
crowdstrike.setup.client --show-scope
// Display the current API client configuration.
crowdstrike.setup.client --show-client
// Remove the current global API client configuration.
crowdstrike.setup.client --remove
// Remove the per-user API client configuration for the current user.
crowdstrike.setup.client --self --remove
Usage: crowdstrike.setup.client [options] <clientid> <secret>
Options:
--help : Display the command usage.
--self : Set or remove the configuration for the current user. If not used, it is set globally.
--show-scope : Display the API configuration scope in use (global vs self).
--show-client : Display the API configuration (requires admin perms or a "self" scope configuration).
--remove : Remove the configured API client. May be used with --self.
Arguments:
[clientid] : The client ID.
[secret] : The client secret.
crowdstrike.setup.tagprefix
Set the tag prefix used when recording CrowdStrike tags.
The default tag prefix is "rep.crowdstrike" if not specified.
Any labels provided by the CrowdStrike API will be added within the given namespace.
For example, the tag "Sinkholed" would result in "#rep.crowdstrike.sinkholed". Any
characters incompatible with tag names are replaced with "_".
Usage: crowdstrike.setup.tagprefix [options] <tagname>
Options:
--help : Display the command usage.
Arguments:
<tagname> : The tag prefix to use.
crowdstrike.setup.url
Manage the CrowdStrike API URL.
By default, the base API URL used will be https://api.crowdstrike.com
Examples:
// Set the CrowdStrike API URL
crowdstrike.setup.url https://api.us-2.crowdstrike.com
// Display the current API URL
crowdstrike.setup.url --show-url
// Remove the current API URL
crowdstrike.setup.url --remove
Usage: crowdstrike.setup.url [options] <url>
Options:
--help : Display the command usage.
--show-url : Display the CrowdStrike API URL value.
--remove : Remove the configured CrowdStrike API URL.
Arguments:
[url] : The base CrowdStrike API URL.
crowdstrike.vulns.enrich
Enrich a node with vulnerability data from CrowdStrike.
Due to limitations with the reports API, related reports are ingested
by querying the report name using the serial ID returned in the vulnerability
response (e.g. "name:~'CSA-18380'").
Examples:
// Enrich a risk vuln node
risk:vuln:cve=cve-2012-0158 | crowdstrike.vulns.enrich
// Skip ingesting related reports
risk:vuln:cve=cve-2012-0158 | crowdstrike.vulns.enrich --skip-reports
Usage: crowdstrike.vulns.enrich [options]
Options:
--help : Display the command usage.
--skip-reports : Skip ingesting associated reports.
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size.
--yield : Yield the newly created nodes.
crowdstrike.vulns.search
Search for vulnerabilities using specific search parameters.
Due to limitations with the reports API, related reports are ingested
by querying the report name using the serial ID returned in the vulnerability
response (e.g. "name:~'CSA-18380'").
This command will create an it:exec:query node to represent the
query syntax and link resulting nodes to it via -(found)> edges.
The --since-last option can be used to retrieve new results since the last
run of the command with a specified query string. When using --since-last,
the updated_timestamp value of the most recent result will be stored in the
:offset property of the associated it:exec:query node. This means that the
offset will be tracked per-view and may be overwritten if the same query is
run in multiple forks and subsequently merged.
Examples:
// Search for vulns using a generic phrase match
crowdstrike.vulns.search --query lockbit --yield
// Skip ingesting related reports
crowdstrike.vulns.search --skip-reports --yield --size 5
// Create a cron job to ingest updated vulnerabilities every day
cron.add --name "CrowdStrike Vuln Feed" --hour 3
{ crowdstrike.vulns.search --since-last }
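An added example, not part of the generated package documentation, covering the --since-last behaviour described for crowdstrike.actors.search, crowdstrike.indicators.search, crowdstrike.reports.search and crowdstrike.vulns.search: it lists the it:exec:query nodes that carry a recorded :offset and walks their -(found)> edges to the nodes each query ingested. Because the offset is stored on the query node in the view where the command ran, inspecting it before merging a fork shows whether the merge will overwrite a newer offset. It assumes only the :offset property and the -(found)> edge named above.

```storm
// Added example, not from the package docs. Assumes the it:exec:query
// :offset property and the -(found)> edges described above.

// Show each query node that has a recorded --since-last offset.
it:exec:query +:offset
$lib.print("query: {text} offset: {offset}", text=:text, offset=:offset)

// Walk from those query nodes to every node they found and count the results.
it:exec:query +:offset -(found)> * | count
```

Run the first pipeline in the fork and again in the parent view before merging: if both views hold the same query text with different offsets, the merge will carry the fork's value over the parent's, and the next --since-last run in the parent will start from that offset.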
Usage: crowdstrike.vulns.search [options]
Options:
--help : Display the command usage.
--query <query> : Perform a generic phrase match search across all fields.
--cve <cve> : Retrieve vulns by CVE ID.
--exploit-status <exploit_status>: Filter vulns by exploit status. (choices: unproven, available, easilyaccessible, activelyused)
--related-threats <related_threats>: Filter vulns by threat name associated with the vuln.
--related-actors <related_actors>: Filter vulns by a named actor associated with the vuln.
--skip-reports : Skip ingesting associated reports.
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size.
--yield : Yield the newly created nodes.
--since-last : Retrieve results since the last run of the command with --since-last specified.
Storm Modules
This package does not export any Storm APIs.