CrowdStrike SIEM implementation not just JSON API

[freeload101]

Reference https://github.com/TracecatHQ/tracecat/issues/7

The CS API is basically useless ... Thry have a Splunk app that lets you pull saved searches ( I haven't reversed engineered it but it's probably lame API The problem with scheduled searches is that you have to wait Way too long to actually run a schedule when you create it... She can't really use it for IR..

We're on CS "Next Gen SIEM" ... aka LogScale .... Aka ..Humio....aka modded Splunk (from what I hear) ...

Anyway be nice to have CA_BADGER back for adv hunting but our SOC is not Interested..

[topher-lo]

A few points

1. We aren't using Crowdstrike scheduled searches. The scheduling is managed by Tracecat via Temporal.
2. We are using the /alerts/queries/alerts/v2 endpoint to run queries for alerts stored in Falcon SIEM (the destination for CS agents data)
3. The endpoint /alerts/queries/alerts/v2 is an ad hoc query that runs against the FalconPy SIEM (like the splunkd API you are using in the CS_BADGER script, which as you mentioned is probably modded Splunk anyway

Prior art

• Cribl uses the /alerts/queries/alerts/v2 endpoint to query alerts (see Cribl collector template). They have SLAs to support petabytes of data queries / hunts for Fortune 100 companies. This is definitely good enough for Tracecat (which is a SOAR not a security data lake / data pipeline / SIEM)
• XSOAR / Tines also uses this endpoint to create ad hoc queries for alerts

Other comments

• Looks like what you are asking for is an integration with Falcon SIEM's Splunk integration?

We are using FalconPy under-the-hood

• FalconPy is crowdstrike's officially supported Python client for their REST API
• It's actively maintained and has unit tests across every API endpoint
• Open source library

Side note

• If performance is absolutely critical, I don't think your CS_BADGER (aka use splunk API endpoint) solution is sufficient either.
• The official recommendation for the most sophisticated and high volume hunts is to use CS's newly released Falcon Data Replicator: https://github.com/CrowdStrike/FDR

Reference:

• FalconPy repo: https://github.com/CrowdStrike/falconpy
• Code: https://github.com/TracecatHQ/tracecat/blob/main/tracecat/actions/integrations/edr/crowdstrike.py#L1

  
  Crowdstrike integration.

Authentication method: Direct Authentication

Requires a crowdstrike secret with:

• CROWDSTRIKE_CLIENT_ID
• CROWDSTRIKE_CLIENT_SECRET

References:

• https://falconpy.io/Service-Collections
• https://www.falconpy.io/Usage/Authenticating-to-the-API.html

Supported APIs:

list_alerts = {
    "endpoint": "/alerts/queries/alerts/v2",
    "method": "GET",
    "ocsf_schema": "array[detection_finding]",
    "reference": "https://falconpy.io/Service-Collections/Alerts.html#getqueriesalertsv2"
}

list_detections = {
    "endpoint": "/detects/queries/detects/v1",
    "method": "GET",
    "ocsf_schema": "array[detection_finding]",
    "reference": "https://falconpy.io/Service-Collections/Detects.html#querydetects"
}