SWATHI_KV
New Member
May 26, 2021
Question

"prevent" action with Crowdstrike connector

Has anyone tried to upload an IOC into the CrowdStrike console with policy as "prevent"?
I am getting an error when I do this: "inavalid policy".
But the CrowdStrike doc says "prevent" is supported.

Regards,
Swathi

    2 replies

    Christopher_Ichelson
    Visitor III
    May 26, 2021

    Reach out to CrowdStrike Support. A lot of times they have to enable the specific functions in the API to work. Also, what version of CrowdStrike are you running? We also run CrowdStrike for some of our customers.

     

    Is your connector connecting at all?

     

    Prerna_Joshi
    Staff
    May 27, 2021
    Hello Swathi,
    The FortiSOAR CrowdStrike connector uses the https://api.crowdstrike.com/indicators/entities/iocs/v1 endpoint to upload/create custom IOCs.
    AFAIK this endpoint currently supports only two values for policy, i.e.:
    > detect: Enable detections for this custom IOC
    > none: Disable detections for this custom IOC
    CrowdStrike mentioned the supported policy types at https://developer.crowdstrike.com/crowdstrike/docs/custom-ioc-api

    It would be good if you could share the FortiSOAR connector version that you are testing. Also, let me know if there is any new CrowdStrike API document.