
Crowdstrike playbook templates


Table of Contents

  1. Overview
  2. Deploy 4 Playbook templates
  3. Authentication
  4. Prerequisites
  5. Deployment
  6. Post Deployment Steps
  7. Limitations

Overview

CrowdStrike is a SaaS endpoint detection and response (EDR) solution that provides next-generation anti-virus backed by machine learning, with the goal of stopping breaches before they take hold. The playbooks in this package call its APIs to enrich Azure Sentinel incidents and to act on hosts.

Deploy 4 Playbook templates

This package includes four playbook templates that call the CrowdStrike APIs. You can deploy the whole package (all four templates) from the Deploy to Azure buttons below, or each playbook separately from its own folder.

  • Base playbook is a nested playbook that authenticates to CrowdStrike on behalf of the other playbooks, reading the Client ID and Client Secret from Key Vault so the credentials live in one place.

  • Contain Host playbook automatically contains every host found in the incident.

  • Enrichment playbook posts a comment to the incident with the device information and related detections found in CrowdStrike.

  • Response from Teams playbook sends the SOC channel an interactive adaptive card with host information, letting the analyst choose an action on the host: run a script or contain the host in CrowdStrike.


Deploy to Azure Deploy to Azure

Crowdstrike playbooks documentation

Authentication

The CrowdStrike API endpoint used by these playbooks supports OAuth2. The Base playbook exchanges the API client's Client ID and Client Secret (read from Key Vault) for a bearer token, and the other playbooks use that token for their API calls.
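The following script is an added example, not part of the playbook package: it performs the same OAuth2 exchange the Base playbook does, using the Client ID and Secret stored in Key Vault, and then probes the read scopes listed under Prerequisites so a missing scope is found before the playbooks are deployed. It assumes the Az.KeyVault module (2.0 or later, for -AsPlainText), a vault and secret names as given in the parameters (placeholders), and the Falcon cloud base URL for your region, which also is a placeholder here.

```powershell
# Added example (not the playbook package's own code). Verifies the CrowdStrike
# API client held in Key Vault before deployment. Vault name, secret names and
# base URL below are placeholders; replace them with your own values.
param(
    [string]$KeyVaultName           = 'kv-sentinel-playbooks',      # assumed vault name
    [string]$ClientIdSecretName     = 'CrowdStrikeClientId',        # assumed secret name
    [string]$ClientSecretSecretName = 'CrowdStrikeClientSecret',    # assumed secret name
    [string]$BaseUrl                = 'https://api.crowdstrike.com' # use your Falcon cloud's base URL
)
$ErrorActionPreference = 'Stop'

# Read the credentials the same way the Base playbook does: from Key Vault, never hard-coded.
$clientId     = Get-AzKeyVaultSecret -VaultName $KeyVaultName -Name $ClientIdSecretName     -AsPlainText
$clientSecret = Get-AzKeyVaultSecret -VaultName $KeyVaultName -Name $ClientSecretSecretName -AsPlainText

# OAuth2 client-credentials grant: POST the form-encoded id/secret to /oauth2/token
# and receive a short-lived bearer token.
$tokenResponse = Invoke-RestMethod -Method Post -Uri "$BaseUrl/oauth2/token" `
    -ContentType 'application/x-www-form-urlencoded' `
    -Body @{ client_id = $clientId; client_secret = $clientSecret }
$clientSecret = $null   # drop the plaintext secret as soon as it is no longer needed
$headers = @{ Authorization = "Bearer $($tokenResponse.access_token)" }
Write-Host "Token obtained; expires in $($tokenResponse.expires_in) seconds"

# Probe the read scopes the Enrichment playbook needs (Hosts Read, Detections Read)
# with harmless one-result queries. An HTTP 403 means the API client lacks that scope.
$probes = [ordered]@{
    'Hosts Read'      = "$BaseUrl/devices/queries/devices/v1?limit=1"
    'Detections Read' = "$BaseUrl/detects/queries/detects/v1?limit=1"
}
foreach ($scope in $probes.Keys) {
    try {
        $null = Invoke-RestMethod -Method Get -Uri $probes[$scope] -Headers $headers
        Write-Host "[OK]   $scope"
    } catch {
        $status = $_.Exception.Response.StatusCode.value__
        Write-Warning "[FAIL] $scope (HTTP $status) - add this scope to the API client"
    }
}

# Hosts Write (needed by the Contain Host playbook) cannot be probed without
# actually containing a device; confirm it in the Falcon console on the API client.
```

Run this under an account that has Get permission on the vault's secrets; if the Key Vault reads fail, the secret names do not match the ClientID / ClientSecret deployment parameters you intend to use.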

Prerequisites for using and deploying playbooks

  1. The CrowdStrike cloud endpoint (base URL) for your Falcon tenant must be known (e.g. https://{CrowdstrikeBaseURL}); it differs per cloud region.
  2. An API client's Client ID and Client Secret are required and must be stored in a Key Vault rather than entered into the playbooks directly. Grant the API client least-privilege scopes: Detections Read and Hosts Read for the Enrichment playbook, plus Hosts Write for the Contain Host playbook. The Response from Teams playbook also runs scripts on hosts; the scope that requires is not listed here, so check it on the API client in the Falcon console.
  3. The Key Vault must exist, hold the Client ID and Secret as secrets, and be in the same subscription as the playbooks. learn how
  4. For the Response from Teams playbook:

Deployment instructions

  1. Deploy the playbooks by clicking the "Deploy to Azure" button. This opens the ARM template deployment wizard.
  2. Fill in the required parameters:

Parameter                                                   Description
Service_EndPoint                                            CrowdStrike endpoint base URL (e.g. https://{CrowdstrikeBaseURL})
keyvault_Name                                               Name of the Key Vault holding the Client ID and Client Secret used for authorization
ClientID                                                    Name of the Key Vault secret that holds the Client ID (the secret name, not the value)
ClientSecret                                                Name of the Key Vault secret that holds the Client Secret (the secret name, not the value)
CrowdStrike_Base_Playbook_Name                              Name for the base playbook (e.g. CrowdStrike_Base)
Crowdstrike_ContainHost_Playbook_Name                       Name for the containment playbook (e.g. Crowdstrike_ContainHost)
Crowdstrike_Enrichment_GetDeviceInformation_Playbook_Name   Name for the enrichment playbook (e.g. Crowdstrike_Enrichment)
Crowdstrike-ResponsefromTeams_Playbook_Name                 Name for the Teams response playbook (e.g. Crowdstrike-ResponsefromTeams)
Teams GroupId                                               Id of the Team (group) whose channel receives the adaptive card
Teams ChannelId                                             Id of the channel that receives the adaptive card (see the linked guide for how to find the group id and channel id)

Post-Deployment instructions

Grant the base playbook access to the Key Vault: add its managed identity to the Key Vault access policies with Get permission on secrets. Only the base playbook needs this, since it is the one that reads the Client ID and Secret. learn how
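The prerequisites, the deployment parameters and the Key Vault access policy above as one scripted run, added here as an example and not part of the playbook package. It assumes the Az PowerShell modules (Az.KeyVault, Az.Resources), the package's ARM template saved locally as azuredeploy.json (the file name is an assumption), that the template gives the base playbook a system-assigned managed identity, and that the parameter keys, including the two Teams keys written as they appear in the table, match the template's actual parameter names. All resource names and ids are placeholders.

```powershell
# Added example (not the playbook package's own code). Scripts the prerequisites,
# the ARM deployment and the post-deployment Key Vault access policy.
# Every name below is a placeholder; the template file name is assumed.
param(
    [string]$ResourceGroup   = 'rg-sentinel-playbooks',
    [string]$Location        = 'eastus',
    [string]$KeyVaultName    = 'kv-sentinel-playbooks',
    [string]$TemplateFile    = './azuredeploy.json',            # assumed file name
    [string]$ServiceEndpoint = 'https://api.crowdstrike.com',   # your Falcon cloud base URL
    [string]$TeamsGroupId    = '<team-id>',
    [string]$TeamsChannelId  = '<channel-id>'
)
$ErrorActionPreference = 'Stop'

# 1. Key Vault in the same subscription as the playbooks, holding Client ID and Secret.
#    The values are prompted as SecureString so they never land in the script or shell history.
if (-not (Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $ResourceGroup)) {
    New-AzKeyVault -Name $KeyVaultName -ResourceGroupName $ResourceGroup -Location $Location | Out-Null
}
$clientId     = Read-Host -Prompt 'CrowdStrike Client ID'     -AsSecureString
$clientSecret = Read-Host -Prompt 'CrowdStrike Client Secret' -AsSecureString
Set-AzKeyVaultSecret -VaultName $KeyVaultName -Name 'CrowdStrikeClientId'     -SecretValue $clientId     | Out-Null
Set-AzKeyVaultSecret -VaultName $KeyVaultName -Name 'CrowdStrikeClientSecret' -SecretValue $clientSecret | Out-Null

# 2. Deploy the four playbooks. Keys must match the template's parameter names exactly;
#    ClientID / ClientSecret receive the *secret names* from step 1, not the values.
$params = @{
    Service_EndPoint                                          = $ServiceEndpoint
    keyvault_Name                                             = $KeyVaultName
    ClientID                                                  = 'CrowdStrikeClientId'
    ClientSecret                                              = 'CrowdStrikeClientSecret'
    CrowdStrike_Base_Playbook_Name                            = 'CrowdStrike_Base'
    Crowdstrike_ContainHost_Playbook_Name                     = 'Crowdstrike_ContainHost'
    Crowdstrike_Enrichment_GetDeviceInformation_Playbook_Name = 'Crowdstrike_Enrichment'
    'Crowdstrike-ResponsefromTeams_Playbook_Name'             = 'Crowdstrike-ResponsefromTeams'
    'Teams GroupId'                                           = $TeamsGroupId   # key as shown in the table
    'Teams ChannelId'                                         = $TeamsChannelId # key as shown in the table
}
New-AzResourceGroupDeployment -ResourceGroupName $ResourceGroup -TemplateFile $TemplateFile `
    -TemplateParameterObject $params | Out-Null

# 3. Post-deployment: only the Base playbook reads the vault, so only its managed
#    identity gets an access policy, limited to Get on secrets (least privilege).
$base = Get-AzResource -ResourceGroupName $ResourceGroup `
    -ResourceType 'Microsoft.Logic/workflows' -Name $params.CrowdStrike_Base_Playbook_Name
Set-AzKeyVaultAccessPolicy -VaultName $KeyVaultName `
    -ObjectId $base.Identity.PrincipalId -PermissionsToSecrets get
Write-Host "Base playbook identity $($base.Identity.PrincipalId) granted Get on secrets in $KeyVaultName"
```

The Key Vault must use the access-policy permission model for step 3; on a vault configured for Azure RBAC, assign the Key Vault Secrets User role to the same principal instead. Authorizing the Sentinel and Teams API connections (next section) remains an interactive step.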

a. Authorize connections

Once deployment is complete, authorize each API connection created by the template.

  1. Click the Azure Sentinel connection resource
  2. Click Edit API connection
  3. Click Authorize
  4. Sign in
  5. Click Save
  6. Repeat the same steps for the Teams connection, signing in with an account that is a member of the target Team, since the adaptive cards are posted on behalf of that account

b. Configurations in Sentinel

  1. In Azure Sentinel, configure analytics rules that create incidents for risky hosts, with the host mapped as a Host entity, since the playbooks act on the host entities in the incident.
  2. Configure automation rules that trigger the playbooks on those incidents.

Known Issues and Limitations

  1. Run a script is not supported on devices that are offline; the device must be online when the action is chosen from the Teams card.