Guides

Crowdstrike Falcon API

Integrate Query with Crowdstrike Falcon APIs to retrieve details about users, hosts, detections, and more.

Suggest Edits

📘

TL;DR

To integrate Crowdstrike Falcon with Query:

  • Create an API Client with the appropriate scopes.
  • Configure a Crowdstrike Falcon Connector with your Client ID, Client Secret, and (optionally) API endpoint base URL.
  • Use Query Federated Search to support Incident Response, Investigations, Threat Hunting, Audit, and other security & observability tasks across normalized data from Hosts, Detects, Alerts, Incidents, and more.

Overview

The Crowdstrike Falcon platform is a multi-domain Endpoint Protection Platform (EPP) inclusive of Endpoint Detection & Response (EDR), Identity Threat Detection and Response (ITDR), Cyber Threat Intelligence (CTI), Threat & Vulnerability Management (TVM), and other capabilities. Customers use Crowdstrike to protect their hosts and overall asset footprint from a variety of virus, malware, and other threats to Windows, Linux, and MacOS environments in addition to external threats from cloud misconfigurations and software vulnerabilities.

Query Federated Search integrates with several APIs within the Crowdstrike Falcon EDR ecosystem which are leveraged to take query and investigate users with platform access, devices onboarding to Crowdstrike Falcon, Alerts, Detects, and/or Incidents created automatically or via customer rules. Query Federated Search utilizes the FalconPy official SDK for Crowdstrike to securely access data, submit searches, and subsequently normalize the results from. Federated search allows customers to support Incident Response, Investigations, Threat Hunting, Audit, and other security & observability tasks that require Falcon EDR data. This is all done without duplicating or retaining data in another system.

☝️

On Crowdstrike APIs

As of 15 NOV 2024, Query Federated Search only supports APIs centered around the Endpoint Detection & Response capabilities of Crowdstrike Falcon.

In the future, support Spotlight (for Vulnerability Management), Identity Protection (for ITDR), and the IOC (for CTI) APIs are being considered. To request additional support, please reach out to [email protected]

All federated searches have their searches and results expressed in the terms of the Query Data Model (QDM), which is based on the Open Cybersecurity Schema Framework (OCSF). Each API source is normalized into a specific QDM/OCSF Event Class to standardize and normalize the data for increased situational awareness, ease of aggregation of filtering, and easy pivoting. Each Event Class also supports searching by Entities, which are based on OCSF Observables for quick broad searches for common indicators and notables within your data.

API NameQDM/OCSF Event ClassSupported Entities
AlertsDetection FindingUsername
Resource ID
IP Address
MAC Address
Hostname
File Hash
File Name
Command Line
Process ID
DetectsDetection FindingUsername
Resource ID
IP Address
MAC Address
Hostname
File Hash
File Name
Command Line
Process ID
HostsDevice Inventory InfoIP Address
Resource UID
MAC Address
Hostname
IncidentsIncident FindingResource ID
Username
User ManagementUser Inventory InfoResource ID
Username
Email Address

👍

On Crowdstrike Falcon Data Replicator

Query has an open source project name Query Open Pipeline for Crowdstrike FDR (QFDR) that will centrally extract, transform, and load (ETL) ~200 FDR events into OCSF and upload them into the Amazon Security Lake if you require the ability to query specific FDR events.

Executing federated searches with Query allows you to pull all relevant data for your search criteria back in a parallelized, normalized, and standardized format without ever moving or duplicating the data into another data repository. For instance, searching for a User ID, Username, or Email Address Entity in Query will allow you to pull all relevant User records. Likewise, you can perform IP-based searches to retrieve Hosts as well as as Detects, Incidents, and Alerts that implicate a specific IP address. You can also perform specific searches such as retrieving Detects that contain a specific command line argument, a specific hostname, or retrieve Incidents with a specific owner.

Prerequisites

To create an API Client to integrate Query Federated Search with your Crowdstrike Falcon tenant, see the following steps.

  1. Login to your Crowdstrike Falcon console, you will require an account with permission to create API keys.
  2. In the dropdown navigation menu in the upper-left of your Console, select Support and Resources --> API clients and keys as shown below (FIG. 1).
FIG. 1 - API Clients and Keys menu in the Crowdstrike Falcon console

FIG. 1 - API Clients and Keys menu in the Crowdstrike Falcon console

  1. Next, select Create API client in the upper right corner as shown below (FIG. 2).

    FIG. 2 - Create a new Crowdstrike API Client

    FIG. 2 - Create a new Crowdstrike API Client

  2. Enter a Client name, an optional Description and add the following Scopes as shown below (FIG. 3).

    1. Alerts
    2. Detections (Detects)
    3. Incidents
    4. Hosts
    5. Host Groups
    6. Users (User Management)
FIG. 3 - API Client configuration wizard

FIG. 3 - API Client configuration wizard

  1. When complete, select Save and copy the Client ID and Secret to configure your Query Federated Search Connector in the next section, as shown below (FIG. 4).

    FIG. 4 - Copying the Client ID, Secret, and Base URL from the Crowdstrike API Client

    FIG. 4 - Copying the Client ID, Secret, and Base URL from the Crowdstrike API Client

Optionally, but not required, you can provide a specific API base URL if you have a us.gov or eu tenant for instance. This is not required, as all connectivity with FalconPy defaults to a generic base URL and is discovered from your client credentials.

👍

On NHI security

NHI - or, Non-Human Identities - such as your Crowdstrike API Client credentials are extremely sensitive, even with limited read Scopes. Query securely stores the Client Secret in a dedicated AWS Secrets Manager Secret per Connector per Tenant.

Every Secret is stored as securely as each other with minimum necessary permissions that only allows the specific piece of serverless infrastructure to retrieve the secret, it is never cached or persisted outside of the Secret.

Configure the Crowdstrike Falcon Connector

Use the following steps to create a new Query Federated Search Connector for Crowdstrike Falcon.

  1. Navigate to the Connectors page, select Add Connector, and selectCrowdstrike Falcon from the Endpoint category as shown below (FIG. 5). Alternatively you can use the search bar to find the Connector.

    FIG. 3 - Adding the Crowdstrike Falcon Connector

    FIG. 5 - Adding the Crowdstrike Falcon Connector

  2. In the Configure Connector section, add the following detail as shown below (FIG. 6):

    1. Connector Alias Name: The human-readable name you want to give to this connector, you can provide it a tenant name or other descriptive name, especially if you setup multiple connectors to support a MDR/MSSP offering or have multiple subsidiaries or tenants.

    2. Default Login: Leave the default value: Default Login.

    3. Falcon API Client ID: The ID for your Falcon API Client, copied in Step 5 of the Prerequisites section.

    4. Falcon Secret Access Key: The Client Secret of your Falcon API Client. copied in Step 5 of the Prerequisites section.

    5. Falcon API Base URL: (OPTIONAL STEP) the region-specific base URL of your Falcon API.

      FIG. 4 - Configuration details for the Crowdstrike Falcon Connector

      FIG. 6 - Configuration details for the Crowdstrike Falcon Connector

  3. Select Save to save and activate the Connector.

  4. Select Test Connection from the bottom-right of the connection pane to ensure that your API Client credentials are valid, that your base URL is valid, and that Query can successfully dispatch a search against the various APIs.

You will now see Crowdstrike Falcon added as an available Connector within the Query Search and Query Summary Insights UI.

Querying Crowdstrike Falcon Connectors

Within the Query Search UI, all Connectors are enabled by default. To check that your specified Connector(s) for Crowdstrike Falcon are enabled, navigate to the Endpoint section of the Selected Connectors dropdown and ensure that your specified Crowdstrike Falcon Connector(s) are are selected (denoted by a checkbox) before running your searches as shown below (FIG. 7).

FIG. 5 - Enabling/Disabling the Crowdstrike Falcon Connector(s)

FIG. 7 - Enabling/Disabling the Crowdstrike Falcon Connector(s)

To learn more about searching with the Crowdstrike Falcon Connector, refer to the subsections below.

Entity-based Search

To conduct an Entity-based search, toggle the Select an Entity dropdown menu in the Federated Search console and ensure the Entity radio button is selected (this is the default option) as shown below (FIG. 8). The typeahead menu searches from the beginning of the Entity, so typing "U", will bring Username, User Agent, and User ID to the top of the list for instance.

FIG. 6 - Entity-based searching with Query Federated Search

FIG. 8 - Entity-based searching with Query Federated Search

Crowdstrike Falcon is a static schema Connector which means that all normalization and search translation is completely defined by the Query team. Refer back to the Introduction section and refer to the table to learn which Entities map against which Falcon APIs. For instance, you can search for Resource ID which maps against several different key-value pairs in the raw Falcon API event from various APIs.

  • Incidents: host_ids
  • Detects & Alerts: device.cid, device.device_id, device.serial_number, cid, detection_id, agent_id
  • Hosts: device_id, serial_number
  • User Management: cid

Since Entity searches are broadly applicable searches, you can get multiple different types of Results across the various Crowdstrike Falcon APIs normalized within the Connector as well as outside sources, such as Crowdstrike FDR data stored in a SIEM or data lakehouse. For instance, the "computer ID" (cid) attribute is present across several APIs and FDR data for retrieval. This allows you to view all network, EDR, identity, and inventory info for any given host(s) all at once.

After selecting an Entity, most allow you to specify an Operator. This allows you to perform simple equality searches or to perform more generalized searches using Contains, Starts With, or Ends With Operators. These operators are implemented using the Falcon Query Language (FQL) filters downstream on your behalf to get at the exact data, in cases where FQL filters do not exist, Query implements the filtering post-hoc when retrieving a result set.

Multiple values can be searched at the same time which are automatically OR'ed and parallelized where possible as different search requests. Additionally, case sensitivity can be toggled for the entire search result as well. An example of a multi-value "Hostname contains" search is shown below (FIG. 9).

FIG. 7 - Orientation for Entity-based search in Query

FIG. 9 - Orientation for Entity-based search in Query

Event-based Search

Event-based searches allow you to broadly search across the entirety of results from a downstream API, or, search for very specific results based on filters. Refer back to the Introduction section and refer to the table to learn which Events map against which Falcon APIs.

In the Federated Search console, select the search dropdown, ensure the Events radio button is selected and search for your desired Event as shown below (FIG. 10). For instance, you can search against the Detection Findings Event Class to retrieve all Alerts and Detects from the Falcon API at the same time in a given time-range. Likewise, you can retrieve all Hosts by using the Device Inventory Info Event Class or all Users with Falcon access using the User Inventory Info Event Class.

FIG. 8 - Showing Event-based search in Query Federated Search

FIG. 10 - Showing Event-based search in Query Federated Search

Searching from the Event will pull a sample of all matching events from the API(s) that is normalized from it. For more specific filtering within an Event, you can choose one or more conditions to refine a search. Selecting the plus-sign (+) dropdown next to the Event menu allows you to choose from any specific OCSF/QDM attribute in the event.

For instance, when searching against the Detection Finding Event Class, you can specify filtering against normalized Objects within the Evidences array such as specific Command Lines in the Process object as shown below (FIG. 11) or against other attributes such as the Device, specific attributes within the File object, or otherwise.

FIG. 9 - Demonstration of filtered Event-based searches in Query Federated Search

FIG. 11 - Demonstration of filtered Event-based searches in Query Federated Search

When adding two or more Conditions, you can further change the behavior by specifying ANY or ALL quantifiers over the filters for greater levels of specificity or more narrow-but-generalized searches, respectively. The ANY quantifier will return Detection Findings that match any specified filter, whereas ALL requires every single filter to evaluate as true.

In each filter when providing multiple values, selecting any of or all of behave in the same exact way as mentioned above, respectively. In the following example, Alerts and Detects from Falcon that implicate powershell.exe OR chrome.exeAND are in a New or In Progress status AND implicate a variety of hostnames are returned as shown below (FIG. 12).

FIG. 10 - Demonstration of a multi-condition and multi-value Detection Finding search

FIG. 12 - Demonstration of a multi-condition and multi-value Detection Finding search

Resources

Troubleshooting Tips

  • Ensure that you have added all required Scopes to your API Client.
  • Ensure that you have copied the correct Client ID and Secret, or that the API Client has not been deleted or had its credentials rotated.
  • Ensure that you entered the Client ID and Secret in the proper parameters in the Crowdstrike Falcon Connector.
  • Ensure that your Crowdstrike tenant has the proper Licenses to provide access to the APIs - HTTP Status Code 403 is supplied for both missing Scopes and Licensing.
  • Ensure that if you provided a base URL, that it is a correct URL.

If you have exhausted the above Troubleshooting list, please contact your designated Query Sales Engineer or Customer Success Manager. If you are using a free tenant, please contact Query Customer Success via the Support email in the Help section, or via Intercom within your tenant.

Updated about 1 month ago