diff --git a/Plugins/Community Based Plugins/CrowdStrike Falcon/README.md b/Plugins/Community Based Plugins/CrowdStrike Falcon/README.md new file mode 100644 index 00000000..09b4c87c --- /dev/null +++ b/Plugins/Community Based Plugins/CrowdStrike Falcon/README.md @@ -0,0 +1,21 @@ +# Copilot for Security Custom Plugin - API - CrowdStrike Falcon API + +#### Copilot for Security Plugin to query alerts, hosts, IoCs and incidents from CrowdStrike Falcon + +### Pre-requisites + +* [Copilot for Security Enabled](https://learn.microsoft.com/en-us/security-copilot/get-started-security-copilot#onboarding-to-microsoft-security-copilot) +* [Access to upload custom plugins](https://learn.microsoft.com/en-us/security-copilot/manage-plugins?tabs=securitycopilotplugin#managing-custom-plugins) +* [Client ID/Client Secret](https://falcon.us-2.crowdstrike.com/documentation/page/a2a7fc0e/crowdstrike-oauth2-based-apis) from CrowdStrike document + +### Instructions +#### Upload the Custom Plugin + +1. Get URL of Manifest file from Copilot for Security Github Repository +2. Upload the custom plugins [Setting up custom plugin guide](https://learn.microsoft.com/en-us/security-copilot/manage-plugins?tabs=securitycopilotplugin#add-custom-plugins) +3. Config Client Secret and Client ID for authentication [CrowdStrike Falcon API Key](https://learn.microsoft.com/en-us/security-copilot/plugin_api#configure-authentication-1) +![CFS](https://raw.githubusercontent.com/truongphung12947/copilot-manifest/main/crowdstrike-falcon/Screenshot%20from%202024-07-18%2009-33-58.png) + + +4. Activate plugin +![CFS](https://raw.githubusercontent.com/truongphung12947/copilot-manifest/main/crowdstrike-falcon/Screenshot%20from%202024-07-17%2017-06-46.png) \ No newline at end of file diff --git a/Plugins/Community Based Plugins/CrowdStrike Falcon/manifest.yaml b/Plugins/Community Based Plugins/CrowdStrike Falcon/manifest.yaml new file mode 100644 index 00000000..e287303f --- /dev/null +++ b/Plugins/Community Based Plugins/CrowdStrike Falcon/manifest.yaml @@ -0,0 +1,29 @@ +Descriptor: + Name: CrowdStrike Falcon + DisplayName: CrowdStrike Falcon (Preview) + DescriptionDisplay: Get access to CrowdStrike Falcon to query alerts, incidents, iocs and hosts + Description: |- + Use this skillset to call CrowdStrike Falcon APIs to perform actions accross the CrowdStrike Falcon platform. + - This skill invokes CrowdStrike Falcon's REST API + - Query to get a list of alerts, return a list of alert ids + - Query to get detail information of alerts, can take input as a list of alert ids or only 1 alert id, return alert information + - Query to get interactive login sessions for a set of devices, take input as device ids, return a list of login information + - Query to get IP and MAC addresses that the devices registered to CrowdStrike Falcon platform, take input as device ids, return a list of IP, Mac addresses and timestamp + - Query to get a list of hosts registered on CrowdStrike Falcon, return a list of information about hosts + - Query to get information about one or more hosts, take input as host ids, return a list of hosts's information + - Query to get all hosts that have observed a given custom IOC, take in put IOC information (type and value), return total count of hosts + - Query to get detail of IoC (Indicator of Compromise), take input as IoC ids, return IoC details + - Query to get a list of IoC (Indicator of Compromise), return a list of IoC ids + Icon: https://raw.githubusercontent.com/truongphung12947/copilot-manifest/main/crowdstrike-falcon/crowdstrike_logo_transparent.png + SupportedAuthTypes: + - OAuthClientCredentialsFlow + Authorization: + Type: OAuthClientCredentialsFlow + TokenEndpoint: https://api.us-2.crowdstrike.com/oauth2/token + Scopes: alerts:read,devices:read,ioc:read,incidents:read + AuthorizationContentType: application/x-www-form-urlencoded + +SkillGroups: + - Format: API + Settings: + OpenApiSpecUrl: https://raw.githubusercontent.com/truongphung12947/copilot-manifest/main/api-specs.yaml \ No newline at end of file