Crowdstrike bidirectional integration (tech preview) [Request]

[caitlinbetz]

Description

We are releasing our bidirectional capability with Crowdstrike, which will allow users to execute host isolation / release of a crowdstrike agent through elastic security. Functionalities include:

• check CS host status (+ name)
• isolate/release the host
• see process tree in Analyzer

This is similar to the functionality (and docs) we previously added for Sentinel One: https://www.elastic.co/guide/en/security/current/response-actions-config.html (see also, S1 docs ticket: #4312)

Background & resources

• Internal docs issue (additional context and discussion): https://github.com/elastic/security-docs-internal/issues/21

• PRs: [EDR Workflows] Add Crowdstrike Response Actions client kibana#180197

  Additional PRs

  • [EDR Workflows] Enable crowdstrike in analyzer kibana#174590
  • [EDR Workflows] Add Crowdstrike connector and Actions kibana#180175
  • [EDR Workflows] Add Crowdstrike Response Actions client kibana#180197
  • [EDR Workflows] Add crowdstrike agent status  kibana#180200
  • [EDR Workflows] Crowdstrike - add support to responder kibana#184217
  • [EDR Workflows] Improve Crowdstrike's connector API errors kibana#184302
  • [EDR Workflows] Change crowdstrike fields to ecs fields kibana#186469
  • [EDR Workflows] Complete Crowdstrike actions kibana#186522

• Issues/metas: EPIC: https://github.com/elastic/security-team/issues/6200, https://github.com/elastic/security-team/issues/8907, https://github.com/elastic/security-team/issues/9587

  Additional issues

  • https://github.com/elastic/security-team/issues/8810
  • https://github.com/elastic/security-team/issues/8904
  • https://github.com/elastic/security-team/issues/8906
  • https://github.com/elastic/security-team/issues/8907
  • https://github.com/elastic/security-team/issues/8905
  • https://github.com/elastic/security-team/issues/8942
  • https://github.com/elastic/security-team/issues/8943
  • https://github.com/elastic/security-team/issues/8944
  • https://github.com/elastic/security-team/issues/9587
  • https://github.com/elastic/security-team/issues/9589
  • https://github.com/elastic/security-team/issues/9663
  • https://github.com/elastic/security-team/issues/9411
  • https://github.com/elastic/security-team/issues/9771
  • https://github.com/elastic/security-team/issues/9773
  • https://github.com/elastic/security-team/issues/8369

• Point of contact: @tomsonpl @paul-tavares @caitlinbetz @dasansol92

• Test environments:

Additional info

• Which documentation set does this change impact? ESS and serverless

• ESS release: 8.15

• Serverless release: Week of July 1, 2024

• Feature differences: n/a

• API docs impact: @tomsonpl - can you provide?

• Prerequisites, privileges, feature flags:

  ESS:

  • Actions and Connectors : All
  • Security: Host Isolation: All

---

Tasks & Pull Requests

Preview Give feedback

1. Feature docs [serverless + stateful] – CrowdStrike bidirectional response actions (isolate & release) #5529
2. Connector docs [stateful] – [EDR Workflows] Add Crowdstrike Connector docs kibana#187850
3. Connector docs [serverless Security] – Add links to classic from Security serverless docs (done here)
4. Connector docs [serverless general] – Add link to new CrowdStrike connector docs-content#46
5. API docs?

[joepeeples]

@caitlinbetz Thanks for opening the ticket! I'll need a bit more time than June 24 to deliver serverless docs; we generally shoot for 2-week turnaround and I'm on PTO the rest of this week. But I can tackle this as soon as I get back and give you an updated ETA

[lcawl]

Hi! I noticed the Crowdstrike connector showing up in my screenshots but it's not in the API docs or the Kibana docs yet. If it's ready to be documented, typically the dev owners create the first draft of the latter by using the layout in https://github.com/elastic/kibana/blob/main/docs/action-type-template.asciidoc. I'm happy to help add details to the API document (currently manually maintained in https://github.com/elastic/kibana/tree/main/x-pack/plugins/actions/docs/openapi/components/schemas) too

[joepeeples]

@lcawl I actually just asked the dev team about this over on another docs issue, so I referenced your comment too. Thanks for checking up on this!

[lcawl]

FYI I've created elastic/kibana#192526 to add this connector to the API docs