CrowdStrike OAuth API Identifier Activity Analysis
Description
Accepts a file hash or domain name, and asks CrowdStrike for a list of device IDs that have interacted with each. The list of IDs is then sent back to Crowdstrike to get more information, and then produces a normalized output and summary table.
- Type: Investigation
- Product: Splunk SOAR
- Apps: CrowdStrike OAuth API
- Last Updated: 2023-03-30
- Author: Lou Stella, Splunk
- ID: 5299d9dc-e9c4-42fa-b051-92ace0ff816d
- Use-cases:
- Enrichment
- Endpoint
Associated Detections
How To Implement
This input playbook requires the Crowdstrike OAuth API connector to be configured. It is designed to work in conjunction with the Dynamic Identifier Activity Analysis playbook or other playbooks in the same style.
D3FEND
ID | Technique | Definition | Category |
---|---|---|---|
D3-IAA | Identifier Activity Analysis | Taking known malicious identifiers and determining if they are present in a system. | Identifier Analysis |
Explore Playbook
Required field
Reference
source | version: 1