CrowdStrike bidirectional response actions (isolate & release) #5529
Conversation
joepeeples
added
Team: EDR Workflows
|
A documentation preview will be available soon. Request a new doc build by commenting
If your PR continues to fail for an unknown reason, the doc build pipeline may be broken. Elastic employees can check the pipeline status here. |
|
🚀 Built elastic-dot-co-docs-preview-docs successfully!
|
docs/serverless/endpoint-response-actions/response-actions-config.mdx
Outdated
Show resolved
Hide resolved
docs/serverless/endpoint-response-actions/response-actions-config.mdx
Outdated
Show resolved
Hide resolved
docs/serverless/endpoint-response-actions/response-actions-config.mdx
Outdated
Show resolved
Hide resolved
docs/serverless/endpoint-response-actions/response-actions-config.mdx
Outdated
Show resolved
Hide resolved
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
There was a problem hiding this comment.
Hi @joepeeples ,
I took a pass at these docs, but really I'm hopping that you can wait until sometime next week to get @tomsonpl 's review since he's the most knowledgeable with CrowdStrike.
|
|
||
| . **Create an API client in CrowdStrike.** Refer to CrowdStrike's docs for instructions on creating an API client. | ||
| + | ||
| - Give the API client the minimum privilege required to read CrowdStrike data and perform actions on enrolled hosts. |
There was a problem hiding this comment.
Lets double check this step is correct, because this currently states that the 1 API key with full privileges to read and also execute response actions. This provides the integration policy with a token that IMO has too many unnecessary privileges.
There was a problem hiding this comment.
Makes sense. The demo video and other materials I was able to find for CrowdStrike didn't specify multiple API clients, but we recommend 2 API keys for SentinelOne and could do something similar for CrowdStrike.
There was a problem hiding this comment.
Unfortunately I cannot confirm this - but you both may be right. Ingesting data might use a different clientId/secret than response actions - but it's rather Crowdstrike specific that I do not have information of ;/
There was a problem hiding this comment.
OK, I can try to reword this to be a little less prescriptive about exact number of API clients, give more general guidelines and leave it up to the user's discretion.
| - Give the API client the minimum privilege required to read CrowdStrike data and perform actions on enrolled hosts. | ||
| - Take note of the client ID, client secret, and base URL; you'll need them in later steps when you configure {elastic-sec} components to access CrowdStrike. | ||
|
|
||
| . **Install the CrowdStrike integration and {agent}.** Elastic's {integrations-docs}/crowdstrike[CrowdStrike integration] |
There was a problem hiding this comment.
NOTE: there are two crowdstrike integrations. Lets confirm that the only needed one is this one you documented here (the other one is called 'CrowdStrike Falcon Intelligence')
| - **Client Secret**: Client secret allowing you access to CrowdStrike. | ||
| .. Click **Save**. | ||
|
|
||
| . **Create and enable a rule to generate {elastic-sec} alerts.** (Optional) Create a <<create-custom-rule,custom query detection rule>> to generate {elastic-sec} alerts based on CrowdStrike events and data. Use the index pattern `logs-crowdstrike*`. |
There was a problem hiding this comment.
This, IMO, is not a good suggestion for the index name - it essentially says "create alerts for any type of crowdstrike data". I think (but you would need to confirm with @tomsonpl ) that there are specific indicates for crowdstrike alerts and other malware data, so perhaps using a more specific example would be best.
The other alternative would be to refer the customer tot he Integration overview page which describes the different types of data collected by the integration - that should give the user a good starting point on how to setup their Rule to only promote valid threats to SIEM alerts in kibana.
@caitlinbetz - it would be great if we could get an example rule from one of our customers that run CrowdStrike just to see how they have setup their rule
There was a problem hiding this comment.
A sample index pattern or query would be preferable, I think — linking to the integration's docs could be overwhelming since it just lists every possible fields ingested, but doesn't recommend any particular pattern.
Is there an alert-specific pattern we could suggest, similar to how for SentinelOne we suggest logs-sentinel_one.alert*? That way the query only targets alerts, not all CrowdStrike data.
There was a problem hiding this comment.
I would agree with @paul-tavares here, it's really up to user what query they want to use and most of the times they are pretty specific. For the docs I would suggest using something like this: 'use a query or index pattern that could find Crowdstrike data' - of course in better English ;p
WDYT @joepeeples ?
There was a problem hiding this comment.
Similar to above, I'll reword this to be more general guidance, and probably link to our CrowdStrike integration docs page since it lists all the available fields. Even if it's up to the user to write queries however they see fit, it'd be ideal if we could at least give some example queries to illustrate how to detect specific things, but maybe we can add that in a later revision once we know more about the data.
|
@paul-tavares @tomsonpl I pushed some revisions to address your feedback above (API client privs, rule query suggestions). Please check out the updated preview page and let me know if this works. We can always add more details later to fine-tune our guidance for customers. Thanks! |
| .. Enter the configuration information: | ||
| - **Connector name**: A name to identify the connector. | ||
| - **CrowdStrike API URL**: The base URL of the CrowdStrike API. | ||
| - **CrowdStrike Client ID**: Client ID for the API client used to perform actions in CrowdStrike. |
There was a problem hiding this comment.
Wondering if the API client used to perform actions also needs privs to read CrowdStrike data?
There was a problem hiding this comment.
🤷 no idea, but I would assume it's nicely explained in CrowdStrike when creating credentials, so imho the users shouldn't be confused by this 👍
* Incomplete first draft, serverless only * Fills in config details, edits * First draft of classic version * Apply suggestions from Nastasha's review Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> * Revise link to CrowdStrike connector docs * Revise API client guidelines * Revise detection rule guidelines * Update serverless with revisions from feedback * Fix typo on serverless side --------- Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> (cherry picked from commit 7c23048) # Conflicts: # docs/serverless/endpoint-response-actions/response-actions-config.mdx # docs/serverless/endpoint-response-actions/response-actions.mdx # docs/serverless/endpoint-response-actions/third-party-actions.mdx
… (backport #5529) (#5671) * CrowdStrike bidirectional response actions (isolate & release) (#5529) * Incomplete first draft, serverless only * Fills in config details, edits * First draft of classic version * Apply suggestions from Nastasha's review Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> * Revise link to CrowdStrike connector docs * Revise API client guidelines * Revise detection rule guidelines * Update serverless with revisions from feedback * Fix typo on serverless side --------- Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> (cherry picked from commit 7c23048) # Conflicts: # docs/serverless/endpoint-response-actions/response-actions-config.mdx # docs/serverless/endpoint-response-actions/response-actions.mdx # docs/serverless/endpoint-response-actions/third-party-actions.mdx * Delete docs/serverless directory and its contents --------- Co-authored-by: Joe Peeples <joe.peeples@elastic.co> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Contributes to #5446 and https://github.com/elastic/security-docs-internal/issues/21 (internal).
Previews
The format is a little different between serverless and stateful docs, due to each system's limitations. The serverless version uses a neat tabbed format to display one EDR system at a time, while stateful docs use separate sections or collapsible sections. The goal in both approaches is to avoid overwhelming the reader by limiting the amount of text displayed (one EDR system at at time).
Serverless docs:
Stateful/ESS docs: