This repo is used to automate containment of hosts in a CrowdStrike environment with Python.

ErikSierra/FalconContainment

FalconContainment

Overview 🔎

This project leverages the CrowdStrike Falcon API to automate the containment process for a specified list of hosts, with the aim of simplifying security operations.

Navigation 🔎

  • FalconTests
    • Scripts used for testing/simulating processes of the project
  • Contain_Host
    • Scripts used to contain, check containment status, or lift containment on individual hosts
  • Contain_Group
    • Scripts used to contain or lift containment on multiple hosts in a group

Flowchart

All scripts can be executed individually according to the user's needs.

GroupContainment.py runs each script's process automatically, in sequence, to streamline mass containment.

Prerequisites 🔎

  1. Before using these scripts, ensure you have:
    • Python 3.6 or higher installed.
    • pip (Python package installer) installed. You can install it from here.
  2. Install the required Python packages listed in the respective requirements.txt file:
    pip install -r requirements.txt

  3. Obtaining API Credentials
    • Before using the CrowdStrike API, you will need to obtain your client ID and client secret.
    • These can be obtained by logging into the CrowdStrike Falcon console and going to System Management > API Clients, then creating a new API client. You will be provided with the client ID and client secret.
    • Insert these credentials into the config.yaml files where needed (more info in the subfolders).

Notes 🔎

Consider (where necessary):

  • Make sure you have valid credentials for the CrowdStrike API, as you will need to provide them in the configuration file (.yaml).
  • Make sure you provide the correct file path for the (computers.txt) file containing the hostnames, as it is required for the program to process the hosts.
  • Review the configuration file to ensure that it contains the right information, including the client ID and client secret, which are required for authentication to the API.
  • Review the limitations of the API, which may affect the success rate of containing hosts.
  • Keep an eye on the overall status of containment, as well as the status of individual hosts, in both the CrowdStrike console and the script's output.

Error Handling

The scripts include basic error handling to manage issues such as:

  • Checking if the configuration file exists and can be read.
  • Checking if the file containing the hostnames exists and can be read.
  • Checking if the configuration file contains the necessary information for connecting to the CrowdStrike API.
  • Checking if the connection to the CrowdStrike API is successful.
  • Handling of API errors and exceptions that may occur during the connection and containment process.
  • Differentiating between different HTTP response codes and errors returned by the CrowdStrike API and categorizing them as either successful, pending, or failed to contain a host.
  • Printing informative error messages for easy debugging.
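One way to do the successful / pending / failed categorisation listed above, as an added example that is not the repository's code. It assumes FalconPY-style response dicts (`status_code`, `body.errors`) and a host `status` value from a follow-up details lookup; the function names, the category mapping and the sample data are assumptions made for illustration.

```python
# Added example (not the repository's code). The response shape follows
# FalconPY's dict responses; the category mapping below is an assumption.
SUCCESS, PENDING, FAILED = "successful", "pending", "failed"

def classify(action_resp, device_status=None):
    """Return (category, reason) for one host's containment attempt.

    action_resp   -- FalconPY-style dict: {"status_code": int, "body": {...}}
    device_status -- host 'status' from a follow-up details lookup, if any
    """
    code = action_resp.get("status_code")
    errors = (action_resp.get("body") or {}).get("errors") or []
    if errors:
        return FAILED, "; ".join(f"{e.get('code')}: {e.get('message')}" for e in errors)
    if not isinstance(code, int) or not 200 <= code < 300:
        return FAILED, f"HTTP {code}"
    # A 2xx only means the request was accepted; the host status confirms it.
    if device_status == "contained":
        return SUCCESS, "host reports contained"
    if device_status in (None, "containment_pending"):
        return PENDING, "accepted, awaiting host confirmation"
    return FAILED, f"accepted but host status is {device_status!r}"

def summarise(results):
    """Group hostnames by category; results maps hostname -> (resp, status)."""
    report = {SUCCESS: [], PENDING: [], FAILED: []}
    for host, (resp, status) in results.items():
        category, _reason = classify(resp, status)
        report[category].append(host)
    return report

# Constructed sample data, not real API output.
SAMPLE = {
    "ws-001": ({"status_code": 202, "body": {"resources": [{"id": "a1"}], "errors": []}}, "contained"),
    "ws-002": ({"status_code": 202, "body": {"resources": [{"id": "b2"}], "errors": []}}, "containment_pending"),
    "ws-003": ({"status_code": 404, "body": {"resources": [], "errors": [{"code": 404, "message": "device not found"}]}}, None),
    "ws-004": ({"status_code": 429, "body": {}}, None),
    "ws-005": ({"status_code": 202, "body": {"errors": None}}, "normal"),
}

if __name__ == "__main__":
    for category, hosts in summarise(SAMPLE).items():
        print(f"{category:<10} {', '.join(hosts) or '-'}")
```

Treating an accepted request as pending until the host itself reports `contained` keeps the summary from overstating how many machines are actually isolated.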

Tools Used 🔎

References 🔎

This project utilizes the FalconPY library to interact with the CrowdStrike API. FalconPY is an open-source Python client for the CrowdStrike Falcon API, providing easy integration and interaction with CrowdStrike's suite of services.

For more information, documentation, and examples:

Visit the FalconPY GitHub repository: FalconPY on GitHub.

Visit the CrowdStrike Reddit: CrowdStrike on Reddit.

Visit the FalconPY Wiki for Python: CrowdstrikeFalconWiki.