Add CrowdstrikeFalcon responders

responders/CrowdstrikeFalcon/CrowdStrikeFalcon_AddIOC.json

@@ -0,0 +1,110 @@
+{
+  "name": "CrowdStrikeFalcon_AddIOC",
+  "version": "1.0",
+  "author": "nusantara-self, StrangeBee",
+  "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+  "license": "AGPL-V3",
+  "description": "Add IOC to IoC Management on Crowdstrike - supports domain, url, IPs & different kind of hashes",
+  "dataTypeList": [
+    "thehive:case_artifact"
+  ],
+  "command": "CrowdstrikeFalcon/CrowdstrikeFalconIOC.py",
+  "baseConfig": "CrowdstrikeFalcon",
+  "config": {
+    "service": "addIOC"
+  },
+  "configurationItems": [
+    {
+      "name": "client_id",
+      "description": "Crowdstrike client ID key",
+      "type": "string",
+      "multi": false,
+      "required": true,
+      "defaultValue": ""
+    },
+    {
+      "name": "client_secret",
+      "description": "Crowdstrike client secret key",
+      "type": "string",
+      "multi": false,
+      "required": true,
+      "defaultValue": ""
+    },
+    {
+      "name": "severity",
+      "description": "Severity linked to the IoC - informational, low, medium, high, critical",
+      "type": "string",
+      "multi": false,
+      "required": true,
+      "defaultValue": "informational"
+    },
+    {
+      "name": "action",
+      "description": "Action policy to do - no_action, detect, allow, prevent. Prevent & Allow only works with hashes. In case of other types, prevent will default to detect.",
+      "type": "string",
+      "multi": false,
+      "required": true,
+      "defaultValue": "prevent"
+    },
+    {
+      "name": "expiration_days",
+      "description": "Expiration date of the IoC -- None if not filled.",
+      "type": "number",
+      "multi": false,
+      "required": false,
+      "defaultValue": 0
+    },
+    {
+      "name": "platform_list",
+      "description": "List of Platforms",
+      "type": "string",
+      "multi": true,
+      "required": true,
+      "defaultValue": [
+        "windows",
+        "mac",
+        "linux"
+      ]
+    },
+    {
+      "name": "host_groups_list",
+      "description": "Applies Detection to all Hosts if left empty. Else, provide host group IDs",
+      "type": "string",
+      "multi": true,
+      "defaultValue": [
+        "all"
+      ],
+      "required": false
+    },
+    {
+      "name": "retrodetect_flag",
+      "description": "Flag to indicate whether to submit retrodetects.",
+      "type": "boolean",
+      "multi": false,
+      "required": false,
+      "defaultValue": false
+    },
+    {
+      "name": "tags_list",
+      "description": "Tags added to IOC when TheHive pushes the IoC",
+      "type": "string",
+      "multi": true,
+      "required": false,
+      "defaultValue": []
+    }
+  ],
+  "registration_required": true,
+  "subscription_required": true,
+  "free_subscription": false,
+  "service_homepage": "https://www.crowdstrike.com",
+  "service_logo": {
+    "path": "assets/crowdstrike.png",
+    "caption": "Crowdstrike logo"
+  },
+  "screenshots": [
+    {
+      "path": "assets/responder-report-1-ioc.png",
+      "caption": "Crowdstrike: responder report example"
+    }
+  ]
+}

responders/CrowdstrikeFalcon/CrowdStrikeFalcon_Sync.json

@@ -0,0 +1,58 @@
+{
+  "name": "CrowdStrikeFalcon_Sync",
+  "version": "1.0",
+  "author": "nusantara-self, StrangeBee",
+  "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+  "license": "AGPL-V3",
+  "description": "Sync TheHive status back to CS Alerts or Incidents",
+  "dataTypeList": [
+    "thehive:case", "thehive:alert"
+  ],
+  "command": "CrowdstrikeFalcon/CrowdstrikeFalconSync.py",
+  "baseConfig": "CrowdstrikeFalcon",
+  "config": {
+    "service": "sync"
+  },
+  "configurationItems": [
+    {
+      "name": "client_id",
+      "description": "Crowdstrike client ID key",
+      "type": "string",
+      "multi": false,
+      "required": true,
+      "defaultValue": ""
+    },
+    {
+      "name": "client_secret",
+      "description": "Crowdstrike client secret key",
+      "type": "string",
+      "multi": false,
+      "required": true,
+      "defaultValue": ""
+    },
+    {
+      "name": "custom_field_name_alert_id",
+      "description": "Custom field in TheHive containing the CSFalcon Alert ID",
+      "type": "string",
+      "multi": false,
+      "required": true,
+      "defaultValue": "csfalcon-alert-id"
+    },
+    {
+      "name": "custom_field_name_incident_id",
+      "description": "Custom field in TheHive containing the CSFalcon Incident ID",
+      "type": "string",
+      "multi": false,
+      "required": true,
+      "defaultValue": "csfalcon-incident-id"
+    }
+  ],
+  "registration_required": true,
+  "subscription_required": true,
+  "free_subscription": false,
+  "service_homepage": "https://www.crowdstrike.com",
+  "service_logo": {
+    "path": "assets/crowdstrike.png",
+    "caption": "Crowdstrike logo"
+  }
+}

responders/CrowdstrikeFalcon/CrowdStrikeFalcon_removeIOC.json

@@ -0,0 +1,48 @@
+{
+  "name": "CrowdStrikeFalcon_RemoveIOC",
+  "version": "1.0",
+  "author": "nusantara-self, StrangeBee",
+  "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+  "license": "AGPL-V3",
+  "description": "remove IOC from IoC Management on Crowdstrike",
+  "dataTypeList": [
+    "thehive:case_artifact"
+  ],
+  "command": "CrowdstrikeFalcon/CrowdstrikeFalconIOC.py",
+  "baseConfig": "CrowdstrikeFalcon",
+  "config": {
+    "service": "removeIOC"
+  },
+  "configurationItems": [
+    {
+      "name": "client_id",
+      "description": "Crowdstrike client ID key",
+      "type": "string",
+      "multi": false,
+      "required": true,
+      "defaultValue": ""
+    },
+    {
+      "name": "client_secret",
+      "description": "Crowdstrike client secret key",
+      "type": "string",
+      "multi": false,
+      "required": true,
+      "defaultValue": ""
+    }
+  ],
+  "registration_required": true,
+  "subscription_required": true,
+  "free_subscription": false,
+  "service_homepage": "https://www.crowdstrike.com",
+  "service_logo": {
+    "path": "assets/crowdstrike.png",
+    "caption": "Crowdstrike logo"
+  },
+  "screenshots": [
+    {
+      "path": "assets/responder-report-2-ioc.png",
+      "caption": "Crowdstrike: responder report example"
+    }
+  ]
+}

responders/CrowdstrikeFalcon/CrowdstrikeFalconHosts.py

@@ -0,0 +1,47 @@
+#!/usr/bin/env python3
+
+from cortexutils.responder import Responder
+from falconpy import OAuth2, Hosts
+
+class CrowdstrikeFalconHosts(Responder):
+    def __init__(self):
+        Responder.__init__(self)
+        self.client_id = self.get_param("config.client_id")
+        self.client_secret = self.get_param("config.client_secret")
+        self.service = self.get_param("config.service", None)
+
+    def run(self):
+        Responder.run(self)
+        hostname = self.get_param("data.data", None)
+        #self.report({'message': f"Host {device_name}"})
+        auth = OAuth2(client_id=self.client_id, client_secret=self.client_secret)
+        hosts = Hosts(auth_object=auth)
+
+        # Search for the device ID using the hostname
+        if self.service == "unhide_host":
+            response = hosts.query_hidden_devices(filter=f"hostname:'{hostname}'")
+        else:
+            response = hosts.query_devices_by_filter(filter=f"hostname:'{hostname}'")
+        if 200 <= response["status_code"] < 300:
+            hosts_ids = response["body"]["resources"]
+        else:
+            return self.error(f"Error on getting device ID : {response['body']['errors']}")
+
+        if hosts_ids:
+            action_response = hosts.perform_action(action_name=self.service, ids=hosts_ids)
+            if 200 <= action_response["status_code"] < 300:
+                return self.report({'message': f"Operation {self.service} has been performed on {hostname} successfully: {action_response['body']['resources']}"})
+            else:
+                return self.error(f"Error on performing operation {self.service} on {hostname}: {action_response['body']['errors']}")
+        else:
+            return self.error(f"Host {hostname} not found.")
+
+
+    def operations(self, raw):
+        operations_list = []
+        if self.service in ["contain", "hide_host", "detection_suppress"]: 
+            operations_list.append(self.build_operation('AddTagToCase', tag=f'containment:{self.get_param("config.service", None)}={self.get_param("data.data", None)}'))
+        return operations_list
+
+if __name__ == '__main__':
+    CrowdstrikeFalconHosts().run()