Endpoint Security – Falcon Fusion with Real Time Response

May 2, 2024


Introduction

Security teams today are often overwhelmed by the number of security related tasks required to protect their environment. One avenue to alleviate this is to increase the level of automation provided by their security tools.

CrowdStrike’s Falcon® Fusion is able to build out workflows to automate actions taken when specified conditions are met. In addition to performing built in actions, Falcon Fusion is also able to leverage customized scripts to execute almost any action on the endpoint.

In this video, we’ll focus on using Real Time Response scripts with Falcon Fusion.

Alright, with that out of the way, let’s get started.

Walkthrough

First, let’s take a look at the workflow. This workflow will use a combination of scripts and built in commands to get information about a file used in an attack, and then use that information to determine if further actions should be taken.

Now let’s take a look at the scripts.

Here we can see some sample scripts that can be created for Falcon Fusion with Real Time Response. These scripts can do anything from restoring files with volume shadow copy to collecting forensic data.

To showcase some of the capabilities of Falcon Fusion, we’ll take a look at the script “get file metadata”. This script retrieves the metadata of a file, which we can then output for use later in the workflow.

The ability to customize the optional input and output parameters allows us a lot of flexibility within the script to capture the specific data to be used in the workflow.

Here we can see that this script is expecting a file_path input property. To capture the input, we’ll go to the input schema tab, where we can use JSON Schema to define our properties.

To simplify its creation, Falcon also provides the ability to enter a JSON string and convert it to a formatted JSON Schema.

Now let’s take a look at adding our Real Time Response script to a workflow. Here we have the start of a workflow with a condition that identifies the platform, which is required when we use a script with Falcon Fusion.

When we add an action, we can set the action type as Real Time Response and the action as the get file metadata script that we just updated.

And here we can see our input field file path, where we can type in the path of the file to get its metadata.

While the option to manually enter a file path is good, Falcon Fusion also provides the ability to dynamically assign the value of the file path based on the data captured by the initial detection.

To do that, let’s go back and modify our script.

In the input schema, we’ll also want to add a format type. The format uses a signal field type, which automatically matches the input value to the corresponding field from the detection.

In this case, we’ll set the format to localFilePath. The other available signal field types are listed in the documentation.

While we’re here, let’s also add our output types.

If we don’t add anything to the output schema, the output will just be unstructured standard output.

So again, here we’ll add the JSON and click Convert.

This will provide us with the JSON Schema for the output, and now we can update our script.

Now, let’s go back to our workflow to test out our changes.

First, we’ll remove our existing get file metadata action and add it again to see our changes.

After we add our action to get file metadata, we can now use a drop-down and have the option to select the file path, the parent process file path, or the grandparent process file path.

So unlike the previous example where we had to manually enter a file path, we are now able to have the file path automatically provided by the initial detection.

We’ll just select the file path here.

Now to see our output options that we had created with the script, let’s add another condition.

We can now customize the parameters for our newly created condition.

Here we can see all the standard conditions that are available with Falcon Fusion, but when we scroll to the bottom, we can also see the list of parameters from the get file metadata output schema. We now have the option to select one of these conditions to continue the workflow.

For this example, let’s select the size. Let’s say that we want the file to be less than about a meg in size, so about a million bytes.

This condition restricts the workflow so that subsequent actions are only performed on small files.

For the last step of the workflow, let’s add a final action.

We’ll use another Real Time Response action, select the get file action, and choose the file path to pull the file.

To recap the workflow we’ve just built: it identifies a detection on Windows, gets the metadata of the file from the detection, uses the size information from that metadata to determine whether the file is less than a meg, and then gets the file if it fulfills the condition.
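As an added example (not CrowdStrike’s script and not the one shown in the video), here is a PowerShell Real Time Response script for Windows hosts that implements a “get file metadata” script of the kind walked through above, with the input and output JSON Schemas it pairs with in the header comment. It assumes that Fusion passes the input schema values to the script as a single JSON string in the first argument, that `"format": "localFilePath"` is how the signal field type from the walkthrough is expressed in the schema, and that the output property names (`size`, `sha256`, and so on) are whatever you define in the output schema; the `size` output is the value a workflow condition such as “less than 1,000,000” would compare against before the get file action runs.

```powershell
# Added example: "get file metadata" Real Time Response script (not CrowdStrike's own).
# Assumption: Falcon Fusion passes the input-schema values as one JSON string in $args[0].
#
# Input schema (assumed shape; "format": "localFilePath" is the signal field type):
# {
#   "type": "object",
#   "properties": {
#     "file_path": { "type": "string", "format": "localFilePath" }
#   },
#   "required": ["file_path"]
# }
#
# Output schema (assumed shape; property names match the object emitted below):
# {
#   "type": "object",
#   "properties": {
#     "file_path":    { "type": "string"  },
#     "exists":       { "type": "boolean" },
#     "size":         { "type": "integer" },
#     "sha256":       { "type": "string"  },
#     "created_utc":  { "type": "string"  },
#     "modified_utc": { "type": "string"  },
#     "signed":       { "type": "boolean" },
#     "signer":       { "type": "string"  }
#   }
# }

$ErrorActionPreference = 'Stop'

# Parse the JSON input from Fusion. If the argument is not JSON (for example when the
# script is run by hand from the RTR console with a bare path), treat it as the path.
$raw = if ($args.Count -gt 0) { [string]$args[0] } else { '' }
try {
    $in = $raw | ConvertFrom-Json
} catch {
    $in = @{ file_path = $raw }
}
$path = $in.file_path

# Every output property is always present so the workflow condition has a value to test,
# even when the file has already been removed from the host.
$result = [ordered]@{
    file_path    = $path
    exists       = $false
    size         = 0
    sha256       = ''
    created_utc  = ''
    modified_utc = ''
    signed       = $false
    signer       = ''
}

if ($path -and (Test-Path -LiteralPath $path -PathType Leaf)) {
    $item = Get-Item -LiteralPath $path
    $result.exists       = $true
    $result.size         = [int64]$item.Length
    $result.sha256       = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    $result.created_utc  = $item.CreationTimeUtc.ToString('o')
    $result.modified_utc = $item.LastWriteTimeUtc.ToString('o')

    # Authenticode status is useful as a second condition: an unsigned or invalidly
    # signed file under the size limit is the more interesting one to pull back.
    $sig = Get-AuthenticodeSignature -LiteralPath $path
    $result.signed = ($sig.Status -eq 'Valid')
    if ($sig.SignerCertificate) { $result.signer = $sig.SignerCertificate.Subject }
}

# Emit a single compact JSON document on standard output; Fusion maps its keys onto
# the output schema, which is what makes "size" selectable in the condition editor.
$result | ConvertTo-Json -Compress
```

Because the script always emits every property, a condition on `size` still evaluates cleanly when the file is gone (`exists` is false and `size` is 0), which is the case to think about when the workflow fires some time after the detection.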

Conclusion

So to sum things up, Real Time Response with Falcon Fusion provides highly customizable workflows that can use scripts to capture inputs from other workflow stages and provide outputs that further hone the conditions under which actions are performed.

This capability helps automate security tasks, reducing the burden on security teams and helping to prevent breaches.
