
CrowdStrike Falcon

In the context of Fluency SIEM, this plugin integration is named as follows:

PLUGIN_NAME = Falcon

Platform_PluginLambda

The Platform_PluginLambda function is a built-in function that allows the FPL script to access and (remotely) call the corresponding vendor plugin(s) for the APIs listed below.

The CUSTOMER argument is used to specify one or more running instance(s) of the same type of plugin, for the case where multiple customers' data flows into a single Fluency SIEM deployment.

Note: the wildcard * is accepted for this argument to make selecting instances easier.

The LAMBDA_FUNCTION argument is a lambda that provides the actual logic that will be performed remotely on the selected plugin.

    Platform_PluginLambda(<PLUGIN_NAME>, <CUSTOMER>, <LAMBDA_FUNCTION>)

Example:

function main() {
  // Run the lambda on every Falcon plugin instance ("*" matches all
  // customers), so the hosts and incidents gathered below are aggregated
  // across every customer feeding this SIEM deployment; narrow the CUSTOMER
  // argument when the result is meant for a single tenant.
  return Platform_PluginLambda("Falcon", "*", (customer) => {
    // Project each host record down to the listed fields instead of
    // returning the full vendor object.
    let hostRows = Plugin_Falcon_LoadHost((host) => {
      let {cid, device_id, hostname, os_version, os_product_name, status, site_name, serial_number} = host
      return {cid, device_id, hostname, os_version, os_product_name, status, site_name, serial_number}
    })
    // Empty options: no filter, limit, sort or order is applied to the
    // incident load; again only the listed fields are kept.
    let incidentRows = Plugin_Falcon_LoadIncident({}, (incident) => {
      let {incident_id, state, status, objectives, tactics, techniques, users, created} = incident
      return {incident_id, state, status, objectives, tactics, techniques, users, created}
    })
    return {hosts: hostRows, incidents: incidentRows}
  })
}

Plugin_Falcon_GetIncident

  • Plugin_Falcon_GetIncident(incidentID)
    • gets the Falcon incident with the specified incident ID
// Run the lookup across every Falcon plugin instance ("*"); the lambda's
// return value is destructured here, so `incident` is only set when a
// match was found — check for it before use.
let {incident} = Platform_PluginLambda("Falcon", "*", () => {
// incidentID is expected to be bound by the caller before this runs.
let incident = Plugin_Falcon_GetIncident(incidentID)
if incident {
return {incident}
} else {
// No match: record the unknown id and return an empty object, which
// leaves the outer `incident` unset.
printf("unknown incidentID: %s", incidentID)
return {}
}
})

Plugin_Falcon_LoadIncident

  • Plugin_Falcon_LoadIncident(options, <lambda>)
    • options: filter, limit, sort, order ("asc"/"desc")
// Load incidents with empty options (no filter, limit, sort or order set),
// keeping only the listed fields from each record.
let incidents = Plugin_Falcon_LoadIncident({}, (record) => {
  return {
    incident_id: record.incident_id,
    state: record.state,
    status: record.status,
    objectives: record.objectives,
    tactics: record.tactics,
    techniques: record.techniques,
    users: record.users,
    created: record.created
  }
})

Plugin_Falcon_LoadHost

  • Plugin_Falcon_LoadHost(<lambda>)
// Load every host the plugin returns, projecting each record down to the
// listed fields rather than passing the full vendor object through.
let hosts = Plugin_Falcon_LoadHost((record) => {
  return {
    cid: record.cid,
    device_id: record.device_id,
    hostname: record.hostname,
    os_version: record.os_version,
    os_product_name: record.os_product_name,
    status: record.status,
    site_name: record.site_name,
    serial_number: record.serial_number
  }
})

Plugin_Falcon_GetHost

  • Plugin_Falcon_GetHost(hostID)
    • gets the Falcon host with the specified host ID
// Fetch a single Falcon host by its host id; hostID must already be bound
// by the caller.
Plugin_Falcon_GetHost(hostID)