CrowdStrike
Overview
The CrowdStrike connector enables your AI Colleagues to integrate with your organization's CrowdStrike Falcon platform, facilitating automated security operations, incident management, detection lifecycle management, device operations, and user administration workflows.
CrowdStrike Falcon is a cloud-native endpoint security platform that provides comprehensive visibility into endpoint activities and real-time threat detection and prevention. The CrowdStrike connector allows Leena AI to automate security workflows, manage incidents and detections, perform device remediation actions, and administer users and roles seamlessly.
API Details
Leena AI integrates with CrowdStrike via REST APIs.
Documentation link: https://falcon.crowdstrike.com/documentation
Setup
The CrowdStrike connector uses OAuth 2.0 authentication with the client credentials grant type: it presents the API client ID and secret to the Falcon token endpoint and sends the short-lived bearer token it receives on every subsequent API call. Treat the client secret like a password; anyone holding it gets every scope granted to the API client.
Prerequisites
Before setting up the CrowdStrike connector, ensure you have:
- Administrator access to your CrowdStrike Falcon Console
- Access to CrowdStrike API Clients and Keys management
- Ability to create OAuth API clients in CrowdStrike
- Access to your Leena AI workspace with connector management permissions
Get credentials
Here is how to create an OAuth API client in CrowdStrike Falcon Console:
- Log in to CrowdStrike Falcon Console (Ensure you're signed in as an admin).
- Navigate to API Clients and Keys:
- Go to Support and resources in the navigation menu
- Select API Clients and Keys
- Create API Client:
- Click Create API client
- Enter a Client name (e.g., "Leena AI Integration")
- Enter a Description for your API client
- Configure API Scopes:
- Enable the required scopes based on the actions you need to perform:
- Detections: Read and Write (for detection management)
- Incidents: Read and Write (for incident management)
- Hosts: Read and Write (for device operations)
- User Management: Read and Write (for user administration)
- Alerts: Read and Write (for alert management)
- Grant only the scopes the workflows you enable will use, and leave Write unset where no remediation is planned: Hosts Write permits network containment of endpoints, and User Management Write permits creating Falcon user accounts.
- Save and Note Credentials:
- Click Create
- Copy the Client ID (32-character lowercase hexadecimal string)
- Copy the Client Secret (40-character alphanumeric string)
- Note: The Secret is displayed only once during creation - store it securely
- Identify Your API URL:
- Your API base URL depends on your CrowdStrike cloud region:
- US-1: https://api.crowdstrike.com
- US-2: https://api.us-2.crowdstrike.com
- EU-1: https://api.eu-1.crowdstrike.com
- US-GOV-1: https://api.laggar.gcw.crowdstrike.com
Add connection
Here is how to add a connection on Leena AI:
- Log in to your Leena AI workspace
- Navigate to Settings > Integrations
- Search for "CrowdStrike" and select it from the list to add a new connector
- Start configuring the connector:
- Client Id: OAuth API client ID from CrowdStrike
- Client Secret: OAuth API client secret from CrowdStrike
- API URL: Your CrowdStrike API base URL (e.g., https://api.us-2.crowdstrike.com)
- Complete Connection Setup:
- Click Connect in Leena AI for CrowdStrike connector setup
- The connector will authenticate using the provided credentials
- Upon successful authentication, the connector will be saved
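The setup above amounts to a client-credentials token exchange against the regional base URL. The following helper is an added example (not Leena AI's or CrowdStrike's code) that maps a region name to its base URL, checks the credential formats stated in this page before sending anything, and builds the token request for POST /oauth2/token. The function names, the environment variable names in the `__main__` block, and the `expires_in` handling are assumptions of this example; the region URLs and the 32-hex / 40-alphanumeric credential formats come from the page.

```python
"""Falcon OAuth2 client-credentials helper (added example; not Leena AI's or CrowdStrike's code)."""
import json
import re
import urllib.parse
import urllib.request

# Region base URLs as listed on this page.
BASE_URLS = {
    "US-1": "https://api.crowdstrike.com",
    "US-2": "https://api.us-2.crowdstrike.com",
    "EU-1": "https://api.eu-1.crowdstrike.com",
    "US-GOV-1": "https://api.laggar.gcw.crowdstrike.com",
}

# Credential formats as described on this page.
CLIENT_ID_RE = re.compile(r"^[0-9a-f]{32}$")
CLIENT_SECRET_RE = re.compile(r"^[A-Za-z0-9]{40}$")


def base_url_for_region(region: str) -> str:
    """Map a Falcon cloud region name (case-insensitive) to its API base URL."""
    try:
        return BASE_URLS[region.strip().upper()]
    except KeyError:
        raise ValueError(f"unknown Falcon region {region!r}; expected one of {sorted(BASE_URLS)}") from None


def validate_credentials(client_id: str, client_secret: str) -> bool:
    """Catch copy/paste mistakes before the secret leaves the process:
    the client ID is 32 lowercase hex characters, the secret 40 alphanumerics."""
    return bool(CLIENT_ID_RE.match(client_id) and CLIENT_SECRET_RE.match(client_secret))


def token_request(base_url: str, client_id: str, client_secret: str) -> urllib.request.Request:
    """Build the client-credentials request for POST {base_url}/oauth2/token.
    Credentials travel in the form body, never in the URL (URLs end up in proxy logs)."""
    if not validate_credentials(client_id, client_secret):
        raise ValueError("client ID or client secret has the wrong format")
    body = urllib.parse.urlencode({"client_id": client_id, "client_secret": client_secret}).encode()
    return urllib.request.Request(
        f"{base_url.rstrip('/')}/oauth2/token",
        data=body,
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"},
    )


def get_token(base_url: str, client_id: str, client_secret: str, timeout: float = 15):
    """Exchange the credentials for a bearer token (network call).
    Returns (token, seconds_until_expiry); refresh before expiry rather than on a 401."""
    req = token_request(base_url, client_id, client_secret)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        payload = json.load(resp)
    return payload["access_token"], int(payload.get("expires_in", 0))


def auth_headers(token: str) -> dict:
    """Headers every later Falcon API call carries."""
    return {"Authorization": f"Bearer {token}", "Accept": "application/json"}


if __name__ == "__main__":
    import os  # assumed environment variables; keep the secret out of the command line
    url = base_url_for_region(os.environ.get("FALCON_REGION", "US-1"))
    tok, ttl = get_token(url, os.environ["FALCON_CLIENT_ID"], os.environ["FALCON_CLIENT_SECRET"])
    print(f"token obtained from {url}, expires in {ttl}s")
```

Only the `__main__` block touches the network; the builders are pure, which is what makes the format checks testable in CI without real credentials.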
Actions
The following actions are supported for the CrowdStrike connector:
Incidents: Get Incidents
Retrieves a list of incident IDs from CrowdStrike Falcon that match a Falcon Query Language (FQL) filter. The Agent can invoke the skill (workflow) built on this action when a user asks it to look up incidents; the returned IDs are then passed to Get Incident By ID to fetch details.
Input Parameters
Here are the input parameters required to set up this action:
Optional
| Name | Description |
|---|---|
| Filter | FQL syntax to filter incidents |
| Limit | Maximum number of results to return |
| Offset | Index to start pagination |
| Sort | Sort results using supported fields (e.g., start|desc) |
Here is a sample JSON input (incident status is numeric, 20 = New per the codes listed under Perform Incident Action; state separates open from closed incidents):
```json
{
  "filter": "status:'20'+state:'open'",
  "limit": "50",
  "offset": "0",
  "sort": "start|desc"
}
```
Response
Upon successful query, the action returns:
- List of incident IDs
- Pagination metadata
- Query execution status
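Because this action returns IDs plus pagination metadata rather than the incidents themselves, a workflow that needs "all open incidents" has to walk the offset/limit window and then batch the IDs into the details call. The following added example (not Leena AI's or CrowdStrike's code) shows that loop against a constructed in-memory page source, plus a real transport for the Falcon query endpoint. The response shape it relies on (`meta.pagination.total`, `resources`, `errors`) is the standard Falcon query response; the helper names, the sample IDs and the batch size are assumptions.

```python
"""Pagination over a Falcon query endpoint (added example; not Leena AI's or CrowdStrike's code)."""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterator, List

# A page fetcher takes (fql, limit, offset, sort) and returns the parsed JSON response.
FetchPage = Callable[[str, int, int, str], Dict]


def iter_query_ids(fetch_page: FetchPage, fql: str, limit: int = 500, sort: str = "start|desc") -> Iterator[str]:
    """Walk a query endpoint with offset/limit until meta.pagination.total is exhausted.
    The same filter and sort are sent on every page so the window stays stable."""
    offset = 0
    while True:
        page = fetch_page(fql, limit, offset, sort)
        if page.get("errors"):
            raise RuntimeError(f"Falcon query failed: {page['errors']}")
        resources = page.get("resources", [])
        yield from resources
        total = int(page.get("meta", {}).get("pagination", {}).get("total", 0))
        offset += len(resources)
        if not resources or offset >= total:
            return


def chunked(ids: List[str], size: int) -> Iterator[List[str]]:
    """Split an ID list into batches for the details (entities) call."""
    for i in range(0, len(ids), size):
        yield ids[i:i + size]


def make_falcon_fetch_page(base_url: str, token: str) -> FetchPage:
    """Real transport for GET /incidents/queries/incidents/v1 (network call)."""
    def fetch(fql: str, limit: int, offset: int, sort: str) -> Dict:
        query = urllib.parse.urlencode({"filter": fql, "limit": limit, "offset": offset, "sort": sort})
        req = urllib.request.Request(
            f"{base_url.rstrip('/')}/incidents/queries/incidents/v1?{query}",
            headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


# Constructed sample: seven incident IDs served three at a time, as the endpoint would.
SAMPLE_IDS = [f"inc:{'%032x' % i}:{1700000000 + i}" for i in range(7)]


def fake_fetch_page(fql: str, limit: int, offset: int, sort: str) -> Dict:
    """Offline stand-in for the query endpoint, returning the Falcon response shape."""
    return {
        "meta": {"pagination": {"offset": offset, "limit": limit, "total": len(SAMPLE_IDS)}},
        "resources": SAMPLE_IDS[offset:offset + limit],
        "errors": [],
    }


def collect_open_new_incidents(fetch_page: FetchPage = fake_fetch_page, page_size: int = 3) -> List[str]:
    """Status 20 = New (codes listed on this page); state 'open' excludes closed incidents."""
    return list(iter_query_ids(fetch_page, "status:'20'+state:'open'", limit=page_size))


if __name__ == "__main__":
    ids = collect_open_new_incidents()
    for batch in chunked(ids, 3):
        print("details batch:", batch)  # each batch would go to Get Incident By ID
```

Stopping on `offset >= total` rather than on an empty page saves one round trip per query and avoids an infinite loop if the endpoint ever returns a non-empty page past the end.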
Incidents: Get Incident By ID
Retrieves detailed information for specific incidents by their IDs. The Agent can leverage this action to fetch comprehensive incident details for investigation purposes.
Input Parameters
Here are the input parameters required to set up this action:
Mandatory
| Name | Description |
|---|---|
| Incident IDs | Enter incident ID(s), comma-separated for multiple |
Here is a sample JSON input:
```json
{
  "ids": "inc:abc123xyz789:1234567890,inc:def456uvw012:0987654321"
}
```
Response
Upon successful retrieval, the action returns:
- Incident details including status, severity, and timestamps
- Associated hosts and users
- Incident timeline and events
- Tags and assigned analysts
Incidents: Perform Incident Action
Updates an existing incident in CrowdStrike Falcon. The Agent can leverage this action to modify incident status, assign analysts, add comments, and manage tags.
Input Parameters
Here are the input parameters required to set up this action:
Mandatory
| Name | Description |
|---|---|
| Incident IDs | Enter incident ID(s), comma-separated for multiple |
Optional
| Name | Description |
|---|---|
| Add Comment | Add a comment to the incident(s) |
| Add Tag | Add a tag to the incident(s) |
| Delete Tag | Delete a tag from the incident(s) |
| Update Name | Update the name of the incident(s) |
| Update Description | Update the description of the incident(s) |
| Update Status | Update status, options: New (20), Reopened (25), In Progress (30), Closed (40) |
| Assign To User UUID | UUID of the user to assign |
| Unassign | Unassign the incident from the current analyst |
| Update Detects | Update associated detections |
| Overwrite Detects | Overwrite existing set of associated detections |
Here is a sample JSON input:
```json
{
  "ids": "inc:abc123xyz789:1234567890",
  "action_parameters": {
    "update_status": "30",
    "add_comment": "Investigation in progress - analyzing endpoint logs",
    "add_tag": "high-priority",
    "update_assigned_to_v2": "user-uuid-12345"
  }
}
```
Response
Upon successful update, the action returns:
- Confirmation of successful update
- Updated incident properties
- Modification timestamp
Detections: Get Detects
Retrieves a list of detection IDs from CrowdStrike Falcon. The Agent can leverage this action to query detections using FQL filtering and full-text search.
Input Parameters
Here are the input parameters required to set up this action:
Optional
| Name | Description |
|---|---|
| Filter | FQL filter (e.g., status:'new') |
| Limit | Maximum number of resources to return |
| Offset | Starting index of overall result set from which to return resources |
| Query | Search all detection metadata for the provided string |
| Sort | Sort order (e.g., first_behavior.asc, last_behavior.desc) |
Here is a sample JSON input:
```json
{
  "filter": "status:'new'+severity:'high'",
  "limit": "100",
  "offset": "0",
  "sort": "last_behavior|desc"
}
```
Response
Upon successful query, the action returns:
- List of detection IDs
- Pagination metadata
- Query execution status
Detections: Update Detects
Updates the state of one or more detections in CrowdStrike Falcon. The Agent can leverage this action to change status, assign analysts, add comments, and control visibility.
Input Parameters
Here are the input parameters required to set up this action:
Mandatory
| Name | Description |
|---|---|
| Detection IDs | Enter detection ID(s) |
Optional
| Name | Description |
|---|---|
| Assign To User UUID | UUID of the user to assign |
| Comment | Add a comment to the detection(s) |
| New Behaviors Processed | New behaviors processed |
| Show in UI | Whether to display this detection in the Falcon console |
| Status | Detection status, options: Ignored, New, In Progress, True Positive, False Positive |
Here is a sample JSON input:
```json
{
  "ids": "ldt:abc123xyz789:1234567890",
  "status": "in_progress",
  "assigned_to_uuid": "user-uuid-12345",
  "comment": "Investigating suspicious activity",
  "show_in_ui": true
}
```
Response
Upon successful update, the action returns:
- Confirmation of successful update
- Updated detection properties
- Modification timestamp
Alerts: Get Alerts
Retrieves a list of alert IDs from CrowdStrike Falcon. The Agent can leverage this action to query alerts with filtering and search capabilities.
Input Parameters
Here are the input parameters required to set up this action:
Optional
| Name | Description |
|---|---|
| Filter | FQL filter for alerts |
| Include Hidden | Include hidden alerts in results |
| Limit | Maximum number of results to return |
| Offset | Index to start pagination |
| Sort | Sort order for results |
| Query | Full-text search query |
Here is a sample JSON input:
```json
{
  "filter": "severity:'critical'",
  "include_hidden": false,
  "limit": "50",
  "offset": "0",
  "sort": "created_timestamp|desc"
}
```
Response
Upon successful query, the action returns:
- List of alert IDs
- Pagination metadata
- Query execution status
Alerts: Update Alerts
Updates the state of one or more alerts in CrowdStrike Falcon. The Agent can leverage this action to manage alert status, assignment, tags, and visibility.
Input Parameters
Here are the input parameters required to set up this action:
Mandatory
| Name | Description |
|---|---|
| Composite IDs | Alert composite IDs to update |
Optional
| Name | Description |
|---|---|
| Add Tag | Add a tag to the alert(s) |
| Append Comment | Append a comment to the alert(s) |
| Assign To Name | Name of the user to assign |
| Assign To User ID | User ID to assign |
| Assign To UUID | UUID of the user to assign |
| New Behavior Processed | New behavior processed |
| Remove Tag | Remove a tag from the alert(s) |
| Remove Tag By Prefix | Remove tags by prefix |
| Show In UI | Whether to display in the Falcon console |
| Unassign | Unassign the alert |
| Update Status | Update alert status |
| Include Hidden | Include hidden alerts |
Here is a sample JSON input:
```json
{
  "composite_ids": "alert_composite_id_123",
  "action_parameters": {
    "add_tag": "reviewed",
    "append_comment": "Alert reviewed and escalated",
    "assign_to_uuid": "user-uuid-12345",
    "update_status": "in_progress",
    "show_in_ui": true
  }
}
```
Response
Upon successful update, the action returns:
- Confirmation of successful update
- Updated alert properties
- Modification timestamp
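Perform Incident Action and Update Alerts both take a comma-separated ID string and a flat `action_parameters` object, while the Falcon incident-actions and alerts endpoints expect a JSON array of IDs and a list of `{name, value}` pairs with string values. The following added example (not Leena AI's or CrowdStrike's code) performs that translation for both actions and rejects bad input before a request is sent: IDs that are not incident IDs, incident status values outside the 20/25/30/40 set listed on this page, and parameter names not in the tables above. The action-name sets are snake_cased from this page's tables and should be treated as an assumption to check against CrowdStrike's API reference; the endpoint paths, helper names and sample values are also assumptions of this example.

```python
"""Build Falcon incident-action and alert-action request bodies from the connector-style
inputs on this page (added example; not Leena AI's or CrowdStrike's code)."""
from typing import Any, Dict, List, Tuple

# Incident status codes as listed under "Perform Incident Action".
INCIDENT_STATUS_CODES = {"20": "New", "25": "Reopened", "30": "In Progress", "40": "Closed"}

# Action names snake_cased from this page's tables (assumption: verify against the API reference).
INCIDENT_ACTIONS = {
    "add_comment", "add_tag", "delete_tag", "update_name", "update_description",
    "update_status", "update_assigned_to_v2", "unassign", "update_detects", "overwrite_detects",
}
ALERT_ACTIONS = {
    "add_tag", "append_comment", "assign_to_name", "assign_to_user_id", "assign_to_uuid",
    "new_behavior_processed", "remove_tag", "remove_tag_by_prefix", "show_in_ui",
    "unassign", "update_status",
}

# Assumed endpoint paths, relative to the regional base URL.
INCIDENT_ACTION_PATH = "/incidents/entities/incident-actions/v1"
ALERT_ACTION_PATH = "/alerts/entities/alerts/v3"


def split_ids(ids_csv: str) -> List[str]:
    """The connector takes comma-separated IDs; the API wants an array with no blanks or duplicates."""
    seen, out = set(), []
    for raw in ids_csv.split(","):
        item = raw.strip()
        if item and item not in seen:
            seen.add(item)
            out.append(item)
    if not out:
        raise ValueError("at least one ID is required")
    return out


def to_action_parameters(params: Dict[str, Any], allowed: set) -> List[Dict[str, str]]:
    """Convert {name: value} into the [{name, value}] list the action endpoints take.
    Values are strings on the wire, so booleans become "true"/"false"; unknown names fail early."""
    out = []
    for name, value in params.items():
        if name not in allowed:
            raise ValueError(f"unsupported action parameter: {name}")
        if isinstance(value, bool):
            value = "true" if value else "false"
        out.append({"name": name, "value": str(value)})
    if not out:
        raise ValueError("no action parameters given")
    return out


def incident_action_request(ids_csv: str, params: Dict[str, Any]) -> Tuple[str, Dict[str, Any]]:
    """Return (path, JSON body) for the incident-actions endpoint."""
    ids = split_ids(ids_csv)
    bad = [i for i in ids if not i.startswith("inc:")]
    if bad:
        raise ValueError(f"not incident IDs: {bad}")
    status = params.get("update_status")
    if status is not None and str(status) not in INCIDENT_STATUS_CODES:
        raise ValueError(f"incident status must be one of {sorted(INCIDENT_STATUS_CODES)}, got {status!r}")
    return INCIDENT_ACTION_PATH, {"ids": ids, "action_parameters": to_action_parameters(params, INCIDENT_ACTIONS)}


def alert_action_request(composite_ids_csv: str, params: Dict[str, Any]) -> Tuple[str, Dict[str, Any]]:
    """Return (path, JSON body) for the alerts endpoint; alerts are addressed by composite ID."""
    return ALERT_ACTION_PATH, {
        "composite_ids": split_ids(composite_ids_csv),
        "action_parameters": to_action_parameters(params, ALERT_ACTIONS),
    }


# Constructed sample mirroring the "Perform Incident Action" JSON on this page.
SAMPLE_INCIDENT_PARAMS = {
    "update_status": "30",
    "add_comment": "Investigation in progress - analyzing endpoint logs",
    "add_tag": "high-priority",
    "update_assigned_to_v2": "user-uuid-12345",
}

if __name__ == "__main__":
    import json
    print(json.dumps(incident_action_request("inc:abc123xyz789:1234567890", SAMPLE_INCIDENT_PARAMS)[1], indent=2))
```

Validating `update_status` against the page's code table matters because a status name such as "new" is valid for detections and alerts but not for incidents, where the value is numeric.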
Devices: Get Combined Devices by Filter
Retrieves a comprehensive list of devices from CrowdStrike Falcon with detailed information. The Agent can leverage this action to search, sort, and paginate through large device datasets.
Input Parameters
Here are the input parameters required to set up this action:
Optional
| Name | Description |
|---|---|
| Fields | Specific fields to return (e.g., device_id,first_login_user,last_login_user) |
| Filter | FQL filter for devices |
| Limit | Maximum number of results to return |
| Offset | Index to start pagination |
| Sort | Sort order for results |
Here is a sample JSON input:
```json
{
  "filter": "platform_name:'Windows'+status:'normal'",
  "fields": "device_id,hostname,platform_name,os_version",
  "limit": "100",
  "offset": "0",
  "sort": "hostname|asc"
}
```
Response
Upon successful query, the action returns:
- List of device details
- Device properties including hostname, OS, agent version
- Network configuration and logged-in users
- Pagination metadata
Devices: Get Device Details
Retrieves detailed information for specific devices by their IDs. The Agent can leverage this action to fetch comprehensive device information for investigation purposes.
Input Parameters
Here are the input parameters required to set up this action:
Mandatory
| Name | Description |
|---|---|
| Device IDs | Enter the device ID, comma-separated for multiple |
Here is a sample JSON input:
```json
{
  "ids": "device_id_123abc,device_id_456def"
}
```
Response
Upon successful retrieval, the action returns:
- Device details including hostname and platform
- Agent version and configuration
- Network configuration
- Security policies applied
- Logged-in users history
Devices: Perform Action on Device
Executes a remediation or management action on one or more CrowdStrike devices. The Agent can leverage this action to contain threats, manage host visibility, and control detection suppression. Contain applies network containment: the host loses network access except for its connection to the Falcon cloud, so it stays visible in the console and can be released with Lift Containment. Confirm the device IDs against hostname and last-seen data (Get Device Details) before containing, since the action takes effect immediately.
Input Parameters
Here are the input parameters required to set up this action:
Mandatory
| Name | Description |
|---|---|
| Action Name | The action to perform, options: Contain, Lift Containment, Detection Suppress, Detection Unsuppress, Hide Host, Unhide Host |
| Device IDs | Comma separated list of device IDs |
Here is a sample JSON input:
```json
{
  "action_name": "contain",
  "ids": "device_id_123abc,device_id_456def"
}
```
Response
Upon successful execution, the action returns:
- Confirmation of action execution
- Affected device IDs
- Action execution status
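Containment, detection suppression and hiding a host are the actions on this page with the most blast radius, so a workflow that exposes them to an agent should validate and gate the call rather than forward the request as-is. The following added example (not Leena AI's or CrowdStrike's code) builds the request for the Falcon devices-actions endpoint and enforces three local guardrails: device IDs must match the Falcon agent ID format, disruptive actions need a stated reason for the audit trail, and a cap on hosts per call stops a single bad filter from containing a fleet. The agent-ID format (32 lowercase hex characters), the endpoint path, the per-call cap and the helper names are assumptions of this example; the six action names come from the table above.

```python
"""Guarded builder for Falcon host actions (added example; not Leena AI's or CrowdStrike's code)."""
import re
from typing import Dict, List, Tuple

# Actions listed under "Perform Action on Device", in the lowercase form the page's sample uses.
HOST_ACTIONS = {"contain", "lift_containment", "detection_suppress", "detection_unsuppress", "hide_host", "unhide_host"}
# Actions that cut a host off the network or hide it (or its detections) from analysts.
DISRUPTIVE_ACTIONS = {"contain", "detection_suppress", "hide_host"}
# Assumption: Falcon agent IDs (device IDs) are 32 lowercase hex characters.
DEVICE_ID_RE = re.compile(r"^[0-9a-f]{32}$")
# Local policy cap on hosts per call, not a CrowdStrike limit.
MAX_HOSTS_PER_CALL = 25
# Assumed endpoint path, relative to the regional base URL; action_name is a query parameter.
DEVICE_ACTION_PATH = "/devices/entities/devices-actions/v2"


def normalize_action(action_name: str) -> str:
    """Accept the table's display names ("Lift Containment") or API names ("lift_containment")."""
    name = action_name.strip().lower().replace(" ", "_")
    if name not in HOST_ACTIONS:
        raise ValueError(f"unknown host action {action_name!r}; expected one of {sorted(HOST_ACTIONS)}")
    return name


def parse_device_ids(ids_csv: str) -> List[str]:
    """Split the comma-separated input, drop blanks and duplicates, reject malformed IDs."""
    ids: List[str] = []
    for raw in ids_csv.split(","):
        item = raw.strip()
        if not item:
            continue
        if not DEVICE_ID_RE.match(item):
            raise ValueError(f"malformed device ID: {item!r}")
        if item not in ids:
            ids.append(item)
    if not ids:
        raise ValueError("no device IDs given")
    return ids


def device_action_request(action_name: str, ids_csv: str, reason: str = "",
                          max_hosts: int = MAX_HOSTS_PER_CALL) -> Tuple[str, Dict[str, List[str]]]:
    """Return (path with query string, JSON body) for the devices-actions endpoint,
    or raise ValueError when a guardrail is not satisfied."""
    action = normalize_action(action_name)
    ids = parse_device_ids(ids_csv)
    if action in DISRUPTIVE_ACTIONS and not reason.strip():
        raise ValueError(f"{action} requires a reason (ticket or incident reference) for the audit trail")
    if len(ids) > max_hosts:
        raise ValueError(f"refusing to run {action} on {len(ids)} hosts at once (cap {max_hosts})")
    return f"{DEVICE_ACTION_PATH}?action_name={action}", {"ids": ids}


def audit_record(action_name: str, ids_csv: str, reason: str, actor: str) -> Dict[str, object]:
    """What to log before calling the API, so every containment is attributable to a person and a reason."""
    path, body = device_action_request(action_name, ids_csv, reason)
    return {"actor": actor, "action": path.rsplit("=", 1)[-1], "host_count": len(body["ids"]), "reason": reason}


if __name__ == "__main__":
    # Constructed sample IDs in the assumed agent-ID format.
    sample = "0123456789abcdef0123456789abcdef,fedcba9876543210fedcba9876543210"
    print(device_action_request("Contain", sample, reason="INC-42"))
    print(audit_record("Contain", sample, "INC-42", "analyst@example.com"))
```

Lift Containment and the two "un" actions are deliberately left out of the reason requirement: undoing a disruptive action should be cheap, so a mistaken containment can be reversed without extra ceremony.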
Users: Create User
Creates a new user account in CrowdStrike Falcon. The Agent can leverage this action to automate user onboarding and provisioning workflows.
Input Parameters
Here are the input parameters required to set up this action:
Mandatory
| Name | Description |
|---|---|
| First Name | User's first name |
| Last Name | User's last name |
| User ID | User email ID |
Here is a sample JSON input:
```json
{
  "first_name": "John",
  "last_name": "Doe",
  "uid": "[email protected]"
}
```
Response
Upon successful creation, the action returns:
- Created user details
- User UUID
- Creation timestamp
Users: List Users
Retrieves a list of user IDs from CrowdStrike Falcon with filtering and pagination. The Agent can leverage this action for user auditing and administration purposes.
Input Parameters
Here are the input parameters required to set up this action:
Optional
| Name | Description |
|---|---|
| Limit | Max number of records to return (default: 0, max: 500) |
| Offset | Index to start retrieving records from (default: 0) |
| Sort | Sort field (e.g., first_name, last_name, name, uid) |
| Filter | FQL filter (e.g., first_name:'John', status:'active'). Filterable fields: assigned_cids, cid, first_name, last_name, name, status, uid |
Here is a sample JSON input:
```json
{
  "filter": "status:'active'",
  "limit": "100",
  "offset": "0",
  "sort": "last_name"
}
```
Response
Upon successful query, the action returns:
- List of user IDs
- Pagination metadata
- Query execution status
