440f97e480
|
||
|---|---|---|
| .. | ||
| Playbooks | ||
| Crowdstrike.jpg | ||
| readme.md | ||
readme.md
Crowdstrike playbook templates
Table of Contents
- Overview
- Deploy 4 Playbook templates
- Authentication
- Prerequisites
- Deployment
- Post Deployment Steps
- Limitations
Overview
CrowdStrike is a SaaS solution that leverages advanced EDR applications and techniques to provide a next generation anti-virus offering powered by machine learning to ensure breaches are stopped before they occur.
Deploy 4 Playbook templates
This package includes 4 playbook templates leverage Crowdstrike API's. You can choose to deploy the whole package (Four playbook templates) from the Deploy To Azure buttons below, or each one separately from it's specific folder.
-
Base playbook is a nested playbook that handles authentication for any of the othe playbooks.
-
Contain Host playbook will automatically contain hosts found in the incident.
-
Enrichment playbook will post a comment to the incident with device information and related detections found in CrowdStrike.
-
Response from Teams playbook will send the SOC Channel interactive cards with host information, allowing taking action on the host: Running a script or contain the host in CrowdStrike.
Crowdstrike playbooks documentation
Authentication
Authentication methods this end point supports- oauth2 authentication
Prerequisites for using and deploying playbooks
- Crowdstrike cloud end point should be known. (e.g. https://{CrowdsrtikebaseURL})
- User should know the Client ID and Client Secret values, and store them in a Key Vault.
- Key vault needs to be created, and include the Client ID and Secret, under the same subscription of the Playbooks. learn how
- For playbook Response From Teams:
- There should be a list of prewritten scripts created in Crowdstrike, so SOC analyst can choose from that list. learn how to create scripts our playbook does not provide an option to create a script.
- To run a script user needs to be an RTR Active Responder and RTR Administrator in the falcon console. Understand and assign Real Time Responder roles
- The following settings needs to be done on the host to run a script:
- Configure Response Policies - create policies and assign host groups to them
- Enable the toggle real time functionality and enable custom scripts toggle to run them in Real time response policy settings
Deployment instructions
- Deploy the playbooks by clicking on "Deploy to Azure" button. This will take you to deploying an ARM Template wizard.
- Fill in the required parameters for deploying playbooks
| Parameters | Description |
|---|---|
| Service_EndPoint | Enter the crowdstrike end point (e.g. https://{CrowdstrikeBaseURL}) |
| keyvault_Name | Enter the keyvault name where we are storing the clientID and ClientSecret for authorization ) |
| ClientID | Enter the ClientID key name |
| ClientSecret | Enter the ClientSecret key name |
| CrowdStrike_Base_Playbook_Name | Enter the playbook name here (e.g. CrowdStrike_Base) |
| Crowdstrike_ContainHost_Playbook_Name | Enter the playbook name here (e.g. Crowdstrike_ContainHost) |
| Crowdstrike_Enrichment_GetDeviceInformation_Playbook_Name | Enter the playbook name here (e.g. Crowdstrike_Enrichment) |
| Crowdstrike-ResponsefromTeams_Playbook_Name | Enter the playbook name here (e.g. Crowdstrike-ResponsefromTeams) |
| Teams GroupId | Enter the Teams channel id to send the adaptive card |
| Teams ChannelId | Enter the Teams Group id to send the adaptive card Refer the below link to get the channel id and group id |
Post-Deployment instructions
The base playbook should be added in the access policies of Key vault learn how
a. Authorize connections
Once deployment is complete, you will need to authorize each connection.
- Click the Azure Sentinel connection resource
- Click edit API connection
- Click Authorize
- Sign in
- Click Save
- Repeat steps for Teams connection as well
b. Configurations in Sentinel
- In Azure sentinel analytical rules should be configured to trigger an incident with risky host.
- Configure the automation rules to trigger the playbooks.
Known Issues and Limitations
- Run a script is not supported on devices which are offline