CrowdStrikeFalcon API Plugin

Plugins/Community Based Plugins/CrowdStrike Falcon/README.md

@@ -0,0 +1,21 @@
+# Copilot for Security Custom Plugin - API - CrowdStrike Falcon API
+
+#### Copilot for Security Plugin to query alerts, hosts, IoCs and incidents from CrowdStrike Falcon
+
+### Pre-requisites
+
+* [Copilot for Security Enabled](https://learn.microsoft.com/en-us/security-copilot/get-started-security-copilot#onboarding-to-microsoft-security-copilot)
+* [Access to upload custom plugins](https://learn.microsoft.com/en-us/security-copilot/manage-plugins?tabs=securitycopilotplugin#managing-custom-plugins)
+* [Client ID/Client Secret](https://falcon.us-2.crowdstrike.com/documentation/page/a2a7fc0e/crowdstrike-oauth2-based-apis) from CrowdStrike document
+
+### Instructions
+#### Upload the Custom Plugin
+
+1. Get URL of Manifest file from Copilot for Security Github Repository
+2. Upload the custom plugins [Setting up custom plugin guide](https://learn.microsoft.com/en-us/security-copilot/manage-plugins?tabs=securitycopilotplugin#add-custom-plugins)
+3. Config Client Secret and Client ID for authentication [CrowdStrike Falcon API Key](https://learn.microsoft.com/en-us/security-copilot/plugin_api#configure-authentication-1)
+![CFS](https://raw.githubusercontent.com/truongphung12947/copilot-manifest/main/crowdstrike-falcon/Screenshot%20from%202024-07-18%2009-33-58.png)
+
+
+4. Activate plugin
+![CFS](https://raw.githubusercontent.com/truongphung12947/copilot-manifest/main/crowdstrike-falcon/Screenshot%20from%202024-07-17%2017-06-46.png)

Plugins/Community Based Plugins/CrowdStrike Falcon/manifest.yaml

@@ -0,0 +1,29 @@
+Descriptor:
+  Name: CrowdStrike Falcon
+  DisplayName: CrowdStrike Falcon (Preview)
+  DescriptionDisplay: Get access to CrowdStrike Falcon to query alerts, incidents, iocs and hosts
+  Description: |-
+    Use this skillset to call CrowdStrike Falcon APIs to perform actions accross the CrowdStrike Falcon platform.
+    - This skill invokes CrowdStrike Falcon's REST API
+    - Query to get a list of alerts, return a list of alert ids
+    - Query to get detail information of alerts, can take input as a list of alert ids or only 1 alert id, return alert information
+    - Query to get interactive login sessions for a set of devices, take input as device ids, return a list of login information
+    - Query to get IP and MAC addresses that the devices registered to CrowdStrike Falcon platform, take input as device ids, return a list of IP, Mac addresses and timestamp
+    - Query to get a list of hosts registered on CrowdStrike Falcon, return a list of information about hosts
+    - Query to get information about one or more hosts, take input as host ids, return a list of hosts's information
+    - Query to get all hosts that have observed a given custom IOC, take in put IOC information (type and value), return total count of hosts
+    - Query to get detail of IoC (Indicator of Compromise), take input as IoC ids, return IoC details
+    - Query to get a list of IoC (Indicator of Compromise), return a list of IoC ids
+  Icon: https://raw.githubusercontent.com/truongphung12947/copilot-manifest/main/crowdstrike-falcon/crowdstrike_logo_transparent.png
+  SupportedAuthTypes:
+    - OAuthClientCredentialsFlow
+  Authorization:
+    Type: OAuthClientCredentialsFlow
+    TokenEndpoint: https://api.us-2.crowdstrike.com/oauth2/token
+    Scopes: alerts:read,devices:read,ioc:read,incidents:read
+    AuthorizationContentType: application/x-www-form-urlencoded
+
+SkillGroups:
+  - Format: API
+    Settings:
+      OpenApiSpecUrl: https://raw.githubusercontent.com/truongphung12947/copilot-manifest/main/api-specs.yaml