FortiSOAR


"prevent" action with Crowdstrike connector

  • 1.  "prevent" action with Crowdstrike connector

    Posted May 26, 2021 02:21 AM
    Has anyone tried to upload an IOC into the CrowdStrike console with the policy set to "prevent"?
    I am getting an error when I do this: "invalid policy".
    But the CrowdStrike doc says "prevent" is supported.

    Regards,
    Swathi


  • 2.  RE: "prevent" action with Crowdstrike connector

    Posted May 26, 2021 05:55 AM

    Reach out to Crowdstrike Support.  A lot of times they have to enable the specific functions in the api to work.  Also what version of Crowdstrike are you running.  We also run Crowdstrike for some of our customers.


    Is your connector connecting at all?


    --

    Chris Ichelson

    360 SOC, an HTG 360 Inc. Company
    Direct: 480-685-8029

    (O): 480-685-8028
    (F): 866-278-5578
    (M): 480-993-6941



    Need to Send Me a Secure File or Secure Email by using my SendSafely Link: https://www.sendsafely.com/u/cichelson@...

    Notice:  360 SOC is a division of HTG 360, Inc.  This message and any attachments are confidential and may also be legally privileged. If you are not the intended recipient, please notify the sender immediately. You must not copy this message or use it for any purpose nor publish or disclose its contents to any other person.







  • 3.  RE: "prevent" action with Crowdstrike connector

    Posted May 27, 2021 05:34 AM
    Hello Swathi,
    The FortiSOAR CrowdStrike connector uses the https://api.crowdstrike.com/indicators/entities/iocs/v1 endpoint to upload/create custom IOCs.
    AFAIK this endpoint currently supports only two values for policy, i.e.
    > detect: Enable detections for this custom IOC
    > none: Disable detections for this custom IOC
    CrowdStrike lists the supported policy types at https://developer.crowdstrike.com/crowdstrike/docs/custom-ioc-api

    It would be good if you could share the FortiSOAR connector version that you are testing. Also, let me know if there is a newer CrowdStrike API document.
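The answer above explains that the v1 custom-IOC endpoint only accepts the policy values "detect" and "none", which is why a record carrying "prevent" comes back as an invalid policy. The following is an added example, not code from FortiSOAR, the connector, or CrowdStrike: it validates IOC records locally so that an unsupported policy or a malformed indicator is rejected before any API call is made. The request field names (`type`, `value`, `policy`, `description`) and the IOC type names (`sha256`, `md5`, `domain`, `ipv4`, `ipv6`) are assumptions for illustration; the endpoint URL and the two policy values are the ones given in the thread. The sample records are constructed.

```python
"""Pre-flight validation of custom IOC records before they are sent to the
CrowdStrike v1 custom-IOC endpoint named in the thread.

Added example, not FortiSOAR's or CrowdStrike's code.  Field names and IOC
type names are assumptions; confirm them against the vendor documentation.
"""
import ipaddress
import json
import re

# Endpoint named in the thread.
IOC_ENDPOINT = "https://api.crowdstrike.com/indicators/entities/iocs/v1"

# Policy values the thread says the v1 endpoint accepts.  "prevent" is not one.
SUPPORTED_POLICIES = {"detect", "none"}

# Assumed hash types and their hex lengths (assumption, for illustration).
HEX_LENGTHS = {"sha256": 64, "md5": 32}


class InvalidIocError(ValueError):
    """Raised for a record the endpoint would reject (assumed semantics)."""


def _check_value(ioc_type, value):
    """Reject obviously malformed indicator values for the assumed IOC types."""
    if ioc_type in HEX_LENGTHS:
        if not re.fullmatch(r"[0-9a-fA-F]{%d}" % HEX_LENGTHS[ioc_type], value):
            raise InvalidIocError(
                f"{ioc_type} value must be {HEX_LENGTHS[ioc_type]} hex characters")
    elif ioc_type in ("ipv4", "ipv6"):
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            raise InvalidIocError(f"{value!r} is not an IP address") from None
        if addr.version != int(ioc_type[-1]):
            raise InvalidIocError(f"{value!r} is not an {ioc_type} address")
    elif ioc_type == "domain":
        if "." not in value or " " in value:
            raise InvalidIocError(f"{value!r} does not look like a domain name")
    else:
        raise InvalidIocError(f"unsupported IOC type {ioc_type!r}")


def build_ioc(ioc_type, value, policy, description=""):
    """Return a request body dict, or raise InvalidIocError.

    The policy check is the point of the thread: only "detect" and "none"
    are accepted, so "prevent" fails here instead of at the API.
    """
    policy = policy.lower()
    if policy not in SUPPORTED_POLICIES:
        raise InvalidIocError(
            f"policy {policy!r} is not supported by {IOC_ENDPOINT}; "
            f"use one of {sorted(SUPPORTED_POLICIES)}")
    _check_value(ioc_type, value)
    # Assumed field names for the v1 request body.
    return {"type": ioc_type, "value": value, "policy": policy,
            "description": description}


def validate_batch(records):
    """Split a list of record dicts into (accepted payloads, rejected (record, reason))."""
    accepted, rejected = [], []
    for rec in records:
        try:
            accepted.append(build_ioc(**rec))
        except (InvalidIocError, TypeError) as exc:
            rejected.append((rec, str(exc)))
    return accepted, rejected


# Constructed sample input: three valid records, one with the unsupported
# "prevent" policy from the thread, one with a malformed hash.
SAMPLE_RECORDS = [
    {"ioc_type": "sha256", "value": "a" * 64, "policy": "detect",
     "description": "constructed sample hash"},
    {"ioc_type": "domain", "value": "malicious.example", "policy": "none"},
    {"ioc_type": "ipv4", "value": "203.0.113.10", "policy": "detect"},
    {"ioc_type": "ipv4", "value": "203.0.113.11", "policy": "prevent"},
    {"ioc_type": "md5", "value": "not-a-hash", "policy": "detect"},
]


if __name__ == "__main__":
    ok, bad = validate_batch(SAMPLE_RECORDS)
    print(f"{len(ok)} record(s) ready for POST to {IOC_ENDPOINT}:")
    print(json.dumps(ok, indent=2))
    for rec, why in bad:
        print(f"REJECTED {rec['value']!r}: {why}")
```

Running the block prints the three accepted payloads and two rejections, one of them the "prevent" policy error from the original question. Doing the check client-side gives a clearer error message than the API's "invalid policy" and avoids partially applied batches when one record is bad.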