
Add CrowdStrike Falcon to XSIAM Marketplace #37854

Open
wants to merge 85 commits into
base: master

Conversation

kamalq97
Contributor

@kamalq97 kamalq97 commented Dec 26, 2024

Related Issues

fixes: link to the issue

Description

Update CrowdStrike Falcon pack:

  • Made the pack available in the Cortex XSIAM marketplace.
  • Improved documentation and metadata.
  • Ensured certain content items (playbooks, incident fields, incident types) only appear in Cortex XSOAR.

@kamalq97 kamalq97 added the inprogress label (meaning the PR is still in progress and should not be merged even if the build is green or approved) Dec 26, 2024
@kamalq97 kamalq97 self-assigned this Dec 26, 2024

github-actions bot commented Dec 29, 2024

Coverage

Coverage Report
| File | Stmts | Miss | Cover | Missing |
|---|---|---|---|---|
| Packs/CrowdStrikeFalcon/Integrations/CrowdStrikeFalcon/CrowdStrikeFalcon.py | 3002 | 748 | 75% | (long list of line ranges omitted) |
| Packs/CrowdStrikeFalcon/Scripts/ConvertEnrichmentsToTable/ConvertEnrichmentsToTable.py | 6 | 0 | 100% | |
| Packs/CrowdStrikeFalcon/Scripts/ConvertRequestParametersToTable/ConvertRequestParametersToTable.py | 6 | 0 | 100% | |
| Packs/CrowdStrikeFalcon/Scripts/ConvertResourceAttributesToTable/ConvertResourceAttributesToTable.py | 6 | 0 | 100% | |
| Packs/CrowdStrikeFalcon/Scripts/ConvertResponseElementsToTable/ConvertResponseElementsToTable.py | 6 | 0 | 100% | |
| Packs/CrowdStrikeFalcon/Scripts/ConvertUserIdentityToTable/ConvertUserIdentityToTable.py | 6 | 0 | 100% | |
| Packs/CrowdStrikeFalcon/Scripts/Cspresentgrandparentprocess/Cspresentgrandparentprocess.py | 29 | 3 | 89% | 8, 17, 20 |
| Packs/CrowdStrikeFalcon/Scripts/Cspresentparentprocess/Cspresentparentprocess.py | 29 | 4 | 86% | 8, 17, 20, 37 |
| Packs/CrowdStrikeFalcon/Scripts/Cspresentpolicyactions/Cspresentpolicyactions.py | 34 | 0 | 100% | |
| Packs/CrowdStrikeFalcon/Scripts/ReadNetstatFile/ReadNetstatFile.py | 45 | 9 | 80% | 46–51, 55–57 |
| Packs/CrowdStrikeFalcon/Scripts/TransformIndicatorToCSFalconIOC/TransformIndicatorToCSFalconIOC.py | 60 | 11 | 81% | 52, 59, 65, 69, 93–95, 98, 102, 110–111 |
| TOTAL | 3229 | 775 | 76% | |

| Tests | Skipped | Failures | Errors | Time |
|---|---|---|---|---|
| 372 | 0 💤 | 0 ❌ | 0 🔥 | 13.334s ⏱️ |

@ShirleyDenkberg
Contributor

@JasBeilin Doc review completed.

@kamalq97 kamalq97 removed the question label Jan 27, 2025
Contributor

@JasBeilin JasBeilin left a comment


Nice! Please check my comments.

Packs/CrowdStrikeFalcon/ReleaseNotes/2_1_10.md (Outdated)
Comment on lines 12 to 272

#### Incident Types

##### CrowdStrike Falcon Detection

Ensured incident type only appears in Cortex XSOAR.

##### CrowdStrike Falcon Incident

Ensured incident type only appears in Cortex XSOAR.

##### CrowdStrike Falcon On-Demand Scans Detection

Ensured incident type only appears in Cortex XSOAR.

##### CrowdStrike Falcon Mobile Detection

Ensured incident type only appears in Cortex XSOAR.

##### CrowdStrike Falcon IOM Event

Ensured incident type only appears in Cortex XSOAR.

##### CrowdStrike Falcon OFP Detection

Ensured incident type only appears in Cortex XSOAR.

##### CrowdStrike Falcon IDP Detection

Ensured incident type only appears in Cortex XSOAR.

##### CrowdStrike Falcon IOA Event

Ensured incident type only appears in Cortex XSOAR.


#### Mappers

##### Legacy CrowdStrike Falcon-Mapper

Ensured mapper only appears in Cortex XSOAR.

##### CrowdStrike Falcon Mapper

Ensured mapper only appears in Cortex XSOAR.

##### CrowdStrike Falcon - Outgoing Mapper

Ensured mapper only appears in Cortex XSOAR.


#### Playbooks

##### CrowdStrike Falcon - Search Endpoints By Hash

Ensured playbook only appears in Cortex XSOAR.

##### CrowdStrike Falcon - T1059 - Command and Scripting Interpreter

Ensured playbook only appears in Cortex XSOAR.

##### CrowdStrike Falcon - Get Detections by Incident

Ensured playbook only appears in Cortex XSOAR.

##### Crowdstrike Falcon - Unisolate Endpoint

Ensured playbook only appears in Cortex XSOAR.

##### CrowdStrike Falcon - Get Endpoint Forensics Data

Ensured playbook only appears in Cortex XSOAR.

##### CrowdStrike Falcon - Search Endpoints By Indicators

Ensured playbook only appears in Cortex XSOAR.

##### Crowdstrike Falcon - Isolate Endpoint

Ensured playbook only appears in Cortex XSOAR.

##### CrowdStrike Falcon - Retrieve File

Ensured playbook only appears in Cortex XSOAR.

##### CrowdStrike Falcon - Block File

Ensured playbook only appears in Cortex XSOAR.

##### CrowdStrike Falcon Malware - Verify Containment Actions

Ensured playbook only appears in Cortex XSOAR.


#### Scripts

##### ConvertEnrichmentsToTable

Ensured script only appears in Cortex XSOAR.
-->
Contributor


No need for all of it to be a comment. It is irrelevant to customers.

Contributor Author

@kamalq97 kamalq97 Feb 2, 2025


It is in a comment for the following reasons:

  • To document this in the code without being visible in the official release notes (also documented internally)
  • To pass the SDK release notes validation (if certain titles do not appear, the release notes are considered invalid)

Refer to the official documentation on excluding items from release notes.

@kamalq97 kamalq97 requested a review from JasBeilin February 4, 2025 13:40
Contributor

@JasBeilin JasBeilin left a comment


Looks good, but I see automations are still being removed from XSIAM. Is that intended?
See my comments.

Contributor


Have we checked it looks correct when the tags are inside the link itself?

Contributor


Please revert.

Contributor


Seems like we are still removing this script.

Labels
docs-approved enhancement python Pull requests that update Python code

3 participants