Package Documentation

Storm Package: synapse-crowdstrike

The following Commands are available from this package. This documentation is generated for version 1.0.0 of the package.

Storm Commands

This package implements the following Storm Commands.

crowdstrike.config.add

Add a Synapse-CrowdStrike configuration.

The proxy argument can be set to one of the following values:
  true: Use the Cortex configured proxy if set.
  false: Do not use the Cortex configured proxy if set.
  <str>: A proxy URL to use.

Examples:

  // Add a global OAuth2 configuration
  crowdstrike.config.add default abcd1234 secret1234

  // Add a per-user OAuth2 configuration
  crowdstrike.config.add myconfig abcd1234 secret1234 --scope self

  // Add a configuration without validating credentials
  crowdstrike.config.add default abcd1234 secret1234 --no-check


Usage: crowdstrike.config.add [options] <name> <clientid> <secret>

Options:

  --help                      : Display the command usage.
  --baseurl <baseurl>         : The CrowdStrike API base URL. (default: https://api.crowdstrike.com)
  --ssl-noverify              : Do not perform SSL/TLS verification.
  --proxy <proxy>             : Configure the proxy usage. (default: True)
  --tag-prefix <tag_prefix>   : The tag prefix to use when recording data from CrowdStrike. (default: rep.crowdstrike)
  --scope <scope>             : Set the scope on the configuration. (default: global, choices: global, self, unscoped)
  --no-check                  : Skip credential validation.

Arguments:

  <name>                      : A unique name for the configuration.
  <clientid>                  : The CrowdStrike OAuth2 API client ID.
  <secret>                    : The CrowdStrike OAuth2 API client secret.

The command is accessible to users with one or more of the following permissions:

  • power-ups.crowdstrike.admin

  • power-ups.crowdstrike.user

crowdstrike.config.del

Delete a Synapse-CrowdStrike configuration.

Examples:

  // Delete the "myconfig" configuration
  crowdstrike.config.del myconfig


Usage: crowdstrike.config.del [options] <name>

Options:

  --help                      : Display the command usage.

Arguments:

  <name>                      : The name of the configuration.

The command is accessible to users with one or more of the following permissions:

  • power-ups.crowdstrike.admin

  • power-ups.crowdstrike.user

crowdstrike.config.list

Display the list of Synapse-CrowdStrike configurations you have access to.


Usage: crowdstrike.config.list [options]

Options:

  --help                      : Display the command usage.

The command is accessible to users with one or more of the following permissions:

  • power-ups.crowdstrike.admin

  • power-ups.crowdstrike.user

crowdstrike.config.migrate

Migrate options for all Synapse-CrowdStrike configurations.

The proxy argument can be set to one of the following values:
  true: Use the Cortex configured proxy if set.
  false: Do not use the Cortex configured proxy if set.
  <str>: A proxy URL to use.

Examples:

  // Migrate the tag prefix for all configurations
  crowdstrike.config.migrate --tag-prefix my.tagpref

  // Migrate the base URL for all configurations
  crowdstrike.config.migrate --baseurl https://api.us-2.crowdstrike.com


Usage: crowdstrike.config.migrate [options]

Options:

  --help                      : Display the command usage.
  --ssl-verify <ssl_verify>   : Set whether to verify the SSL certificate of the server. (default: None)
  --proxy <proxy>             : Configure the proxy usage. (default: None)
  --tag-prefix <tag_prefix>   : The tag prefix to use when recording data from CrowdStrike. (default: None)
  --baseurl <baseurl>         : The CrowdStrike API base URL. (default: None)

The command is accessible to users with one or more of the following permissions:

  • power-ups.crowdstrike.admin

crowdstrike.config.show

Show the details of a configuration.

Examples:

  // Show the in-use configuration for the current user
  crowdstrike.config.show

  // Show a configuration by name
  crowdstrike.config.show myconfig


Usage: crowdstrike.config.show [options] [name]

Options:

  --help                      : Display the command usage.

Arguments:

  [name]                      : The name of the configuration.

The command is accessible to users with one or more of the following permissions:

  • power-ups.crowdstrike.admin

  • power-ups.crowdstrike.user

crowdstrike.config.update

Update the configuration of a defined Synapse-CrowdStrike configuration.

The proxy argument can be set to one of the following values:
  true: Use the Cortex configured proxy if set.
  false: Do not use the Cortex configured proxy if set.
  <str>: A proxy URL to use.

Examples:

  // Set the permission level for user "myuser" to "admin" on the "myconfig" configuration
  crowdstrike.config.update myconfig --perm user myuser admin

  // Change the name of the "myconfig" configuration to "otherconfig"
  crowdstrike.config.update myconfig --name otherconfig


Usage: crowdstrike.config.update [options] <config>

Options:

  --help                      : Display the command usage.
  --clientid <clientid>       : The CrowdStrike OAuth2 API client ID. (default: None)
  --secret <secret>           : The CrowdStrike OAuth2 API client secret. (default: None)
  --baseurl <baseurl>         : The CrowdStrike API base URL. (default: None)
  --ssl-verify <ssl_verify>   : Set whether to verify the SSL certificate of the server. (default: None)
  --proxy <proxy>             : Configure the proxy usage. (default: None)
  --tag-prefix <tag_prefix>   : The tag prefix to use when recording data from CrowdStrike. (default: None)
  --name <name>               : Rename the configuration. (default: None)
  --perm <perm>               : Set the permission level for a user or role on this configuration.
                                Arguments to this option are ``scope``, ``name``, ``level``:
                                  <scope>: The scope for the permission, either "user" or "role".
                                  <name>: The user/role name depending on scope.
                                  <level>: The $lib.auth.easyperm.level, or None to remove the permission.
                                 (default: None)
  --no-check                  : Skip credential validation.

Arguments:

  <config>                    : The name of the configuration to modify.

The command is accessible to users with one or more of the following permissions:

  • power-ups.crowdstrike.admin

  • power-ups.crowdstrike.user
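The configuration commands above are normally run as one sequence: create a configuration, delegate access to it, rotate its secret and verify the result. The Storm below is an added example written for this page, not from the package's own documentation; the configuration name "soc-us2", the quoted credential placeholders, the proxy host, the tag prefix "rep.crowdstrike.us2" and the role "analysts" are all made up. The permission level "read" is one of the $lib.auth.easyperm.level values that --perm accepts.

```storm
// Added example, not from the package docs. All names and credentials are placeholders.

// 1. Add a configuration that talks to the US-2 API region through an explicit
//    egress proxy. --proxy takes true, false or a proxy URL; a URL is given here.
//    The default scope is global, so every user with the power-up permissions can use it.
crowdstrike.config.add soc-us2 "CLIENT-ID-PLACEHOLDER" "SECRET-PLACEHOLDER" --baseurl https://api.us-2.crowdstrike.com --proxy "http://proxy.corp.example:3128" --tag-prefix rep.crowdstrike.us2

// 2. Give the "analysts" role read-level access to the configuration.
//    --perm takes three values: scope (user or role), the name, and the level.
crowdstrike.config.update soc-us2 --perm role analysts read

// 3. Rotate the client secret after CrowdStrike issues a new one. The new
//    credentials are validated against the API unless --no-check is passed.
crowdstrike.config.update soc-us2 --secret "NEW-SECRET-PLACEHOLDER"

// 4. Remove the role's access again by setting the level to None.
crowdstrike.config.update soc-us2 --perm role analysts None

// 5. Confirm what is stored and what the current user can see.
crowdstrike.config.show soc-us2
crowdstrike.config.list
```

Step 1 stores the client secret in the Cortex under the global scope; a configuration that only one analyst should use is better created with --scope self, and access for others is then granted explicitly with --perm as in step 2.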

crowdstrike.indicators.enrich

Enrich a node with indicator data from CrowdStrike.

Examples:

  // Enrich a hash:md5 node
  hash:md5 | limit 1 | crowdstrike.indicators.enrich

  // Enrich an inet:ipv4 node and add "related indicators"
  inet:ipv4 | limit 1 | crowdstrike.indicators.enrich --add-related


Usage: crowdstrike.indicators.enrich [options]

Options:

  --help                      : Display the command usage.
  --debug                     : Show verbose debug output.
  --size <size>               : Limit the number of results ingested to the given size.
  --yield                     : Yield the newly created nodes.
  --no-labels                 : Skip adding tags for indicator labels.
  --add-related               : Ingest "related indicators" data and link them using "_crowdstrike:related" edges.
  --config <config>           : The Synapse-CrowdStrike configuration to use. (default: None)

Inputs:

  file:base                   : file:base nodes
  file:bytes                  : file:bytes nodes
  file:path                   : file:path nodes
  hash:md5                    : hash:md5 nodes
  hash:sha1                   : hash:sha1 nodes
  hash:sha256                 : hash:sha256 nodes
  inet:email                  : inet:email nodes
  inet:fqdn                   : inet:fqdn nodes
  inet:ipv4                   : inet:ipv4 nodes
  inet:passwd                 : inet:passwd nodes
  inet:url                    : inet:url nodes
  inet:user                   : inet:user nodes
  it:dev:mutex                : it:dev:mutex nodes
  ps:name                     : ps:name nodes
  tel:phone                   : tel:phone nodes

The command is accessible to users with one or more of the following permissions:

  • power-ups.crowdstrike.admin

  • power-ups.crowdstrike.user
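Beyond the single-node examples above, a typical workflow enriches a batch of nodes and then inspects what the power-up recorded: the tags under the configured prefix and the "_crowdstrike:related" light edges. The Storm below is an added example written for this page, not from the package's own documentation. It assumes a configuration named "soc-us2" whose tag prefix is "rep.crowdstrike.us2" and a triage tag "review.pending"; all three are made up. The edge verb "_crowdstrike:related" and the --size, --yield and --add-related options come from the command documentation above.

```storm
// Added example, not from the package docs. Configuration and tag names are assumed.

// Enrich up to ten SHA-256 hashes awaiting review with the "soc-us2" configuration,
// also ingesting related indicators. --size caps the results ingested per node.
hash:sha256#review.pending | limit 10 | crowdstrike.indicators.enrich --config soc-us2 --add-related --size 50

// Lift every node on which CrowdStrike data was recorded, by the configured tag prefix.
// Label tags are applied under this prefix, so the prefix tag itself is present on them.
#rep.crowdstrike.us2

// Walk the related-indicator edges out from one enriched hash to see what was linked.
hash:sha256#rep.crowdstrike.us2 | limit 1 | -(_crowdstrike:related)> *

// Yield the newly created nodes instead of the inbound nodes, which is what a
// follow-on pivot or tagging step usually wants. --no-labels skips the label tags.
inet:fqdn#review.pending | limit 10 | crowdstrike.indicators.enrich --config soc-us2 --yield --no-labels
```

Without --yield the command passes the inbound nodes through, so the last query would otherwise return the inet:fqdn nodes rather than what CrowdStrike returned about them.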

crowdstrike.vulns.enrich

Enrich a node with vulnerability data from CrowdStrike.

Due to limitations with the reports API, related reports are ingested
by querying the report name using the serial ID returned in the vulnerability
response (e.g. "name:~'CSA-18380'").

Examples:

  // Enrich a risk vuln node
  risk:vuln:cve=cve-2012-0158 | crowdstrike.vulns.enrich

  // Skip ingesting related reports
  risk:vuln:cve=cve-2012-0158 | crowdstrike.vulns.enrich --skip-reports


Usage: crowdstrike.vulns.enrich [options]

Options:

  --help                      : Display the command usage.
  --skip-reports              : Skip ingesting associated reports.
  --debug                     : Show verbose debug output.
  --size <size>               : Limit the number of results ingested to the given size.
  --yield                     : Yield the newly created nodes.
  --config <config>           : The Synapse-CrowdStrike configuration to use. (default: None)

Inputs:

  it:sec:cve                  : it:sec:cve nodes
  risk:vuln                   : risk:vuln nodes

The command is accessible to users with one or more of the following permissions:

  • power-ups.crowdstrike.admin

  • power-ups.crowdstrike.user

Storm Modules

This package does not export any Storm APIs.