CrowdStrike OAuth API Identifier Activity Analysis

Description

Accepts a file hash or domain name, and asks CrowdStrike for a list of device IDs that have interacted with each. The list of IDs is then sent back to Crowdstrike to get more information, and then produces a normalized output and summary table.

Type: Investigation
Product: Splunk SOAR
Apps: CrowdStrike OAuth API
Last Updated: 2023-03-30
Author: Lou Stella, Splunk
ID: 5299d9dc-e9c4-42fa-b051-92ace0ff816d
Use-cases:
- Enrichment
- Endpoint

Associated Detections

How To Implement

This input playbook requires the Crowdstrike OAuth API connector to be configured. It is designed to work in conjunction with the Dynamic Identifier Activity Analysis playbook or other playbooks in the same style.

D3FEND

ID	Technique	Definition	Category
D3-IAA	Identifier Activity Analysis	Taking known malicious identifiers and determining if they are present in a system.	Identifier Analysis

CrowdStrike OAuth API Identifier Activity Analysis

Description

Associated Detections

How To Implement

D3FEND

Explore Playbook

Required field

Reference

You May Also Enjoy

Windows Defender ASR Registry Modification

Windows Defender ASR Rule Disabled

Windows Defender ASR Audit Events

Windows Defender ASR Block Events