
CrowdStrike Falcon

CrowdStrike Falcon is a cloud-native endpoint protection platform that provides real-time threat detection, prevention and response capabilities.
EDR
11 Analyzers
9 Responders
2 Use cases
1 External integration
Links: www.crowdstrike.com, GitHub

Use Cases (2)

Ingest CrowdStrike Falcon Detections and Incidents into TheHive Using an External Script

Install and configure the falcon2thehive connector to automatically ingest CrowdStrike Falcon detections and incidents into TheHive as alerts in real time.

Synchronise status between TheHive alerts/cases and CrowdStrike detections/incidents

Keep case/alert status in sync between TheHive and CrowdStrike Falcon using notifications and the CrowdStrikeFalcon_Sync responder.

  • License required: Platinum
  • TheHive version required: 5.0+

Analyzers (11)

Note: the seven Sandbox analyzers differ only in the detonation environment they request. Each one uploads the submitted file to CrowdStrike's cloud sandbox, so check your data-handling rules before submitting documents that may contain sensitive content.

CrowdstrikeFalcon Sandbox Win7 64 v1.0

Submit a file for detonation in the CrowdStrike Falcon Sandbox Windows 7 64-bit environment.

  • Author: Fabien Bloume, StrangeBee
  • License: AGPL-V3
  • Data Types: file

CrowdstrikeFalcon GetDeviceVulnerabilities v1.0

List the vulnerabilities CrowdStrike Falcon reports for the device with the given hostname.

  • Author: Fabien Bloume, StrangeBee
  • License: AGPL-V3
  • Data Types: hostname

CrowdstrikeFalcon Sandbox Android v1.0

Submit a file for analysis in the CrowdStrike Falcon Sandbox Android environment.

  • Author: Fabien Bloume, StrangeBee
  • License: AGPL-V3
  • Data Types: file

CrowdstrikeFalcon Sandbox Linux v1.0

Submit a file for detonation in the CrowdStrike Falcon Sandbox Linux environment.

  • Author: Fabien Bloume, StrangeBee
  • License: AGPL-V3
  • Data Types: file

CrowdstrikeFalcon getDeviceDetails v1.0

Get device details for a hostname from CrowdStrike Falcon.

  • Author: Fabien Bloume, StrangeBee
  • License: AGPL-V3
  • Data Types: hostname

CrowdstrikeFalcon ThreatIntel v1.0

Query CrowdStrike Falcon Intelligence for threat-intelligence indicators matching a hash, domain, IP or URL.

  • Author: Fabien Bloume, StrangeBee
  • License: AGPL-V3
  • Data Types: hash, domain, ip, url

CrowdstrikeFalcon Sandbox Win11 v1.0

Submit a file for detonation in the CrowdStrike Falcon Sandbox Windows 11 environment.

  • Author: Fabien Bloume, StrangeBee
  • License: AGPL-V3
  • Data Types: file

CrowdstrikeFalcon Sandbox MacOS v1.0

Submit a file for detonation in the CrowdStrike Falcon Sandbox macOS environment.

  • Author: Fabien Bloume, StrangeBee
  • License: AGPL-V3
  • Data Types: file

CrowdstrikeFalcon Sandbox Win10 v1.0

Submit a file for detonation in the CrowdStrike Falcon Sandbox Windows 10 environment.

  • Author: Fabien Bloume, StrangeBee
  • License: AGPL-V3
  • Data Types: file

CrowdstrikeFalcon getDeviceAlerts v1.0

Get the alerts CrowdStrike Falcon holds for the device with the given hostname.

  • Author: Fabien Bloume, StrangeBee
  • License: AGPL-V3
  • Data Types: hostname

CrowdstrikeFalcon Sandbox Win7 v1.0

Submit a file for detonation in the CrowdStrike Falcon Sandbox Windows 7 environment.

  • Author: Fabien Bloume, StrangeBee
  • License: AGPL-V3
  • Data Types: file

Responders (9)

All nine responders perform write actions through the Falcon API. Grant the API client used by Cortex only the scopes needed by the responders you enable, and treat HostContainment, hideHost and suppressDetections as production-impacting: run them against a lab host before wiring them into a workflow.

CrowdStrikeFalcon AddIOC v1.0

Add an IOC to IOC Management on CrowdStrike; supports domains, URLs, IPs and several hash types.

  • Author: Fabien Bloume, StrangeBee
  • License: AGPL-V3
  • Data Types: thehive:case_artifact

CrowdStrikeFalcon unhideHost v1.0

This action restores a host that was hidden with hideHost. Detection reporting resumes after the host is restored.

  • Author: Fabien Bloume, StrangeBee
  • License: AGPL-V3
  • Data Types: thehive:case_artifact

CrowdStrikeFalcon RemoveIOC v1.0

Remove an IOC from IOC Management on CrowdStrike.

  • Author: Fabien Bloume, StrangeBee
  • License: AGPL-V3
  • Data Types: thehive:case_artifact

CrowdStrikeFalcon unsuppressDetections v1.0

Re-enable detections for the host (reverses suppressDetections).

  • Author: Fabien Bloume, StrangeBee
  • License: AGPL-V3
  • Data Types: thehive:case_artifact

CrowdStrikeFalcon HostContainment v1.0

This action contains the host, which stops all network communication except to the CrowdStrike cloud and to the IPs allowed by your containment policy.

  • Author: Fabien Bloume, StrangeBee
  • License: AGPL-V3
  • Data Types: thehive:case_artifact

CrowdStrikeFalcon hideHost v1.0

This action hides (the Falcon API calls it deleting) a host. After the host is hidden, no new detections for it are reported via the UI or APIs; unhideHost reverses it.

  • Author: Fabien Bloume, StrangeBee
  • License: AGPL-V3
  • Data Types: thehive:case_artifact

CrowdStrikeFalcon Sync v1.0

Sync TheHive alert/case status back to the corresponding CrowdStrike alert or incident.

  • Author: Fabien Bloume, StrangeBee
  • License: AGPL-V3
  • Data Types: thehive:case, thehive:alert

CrowdStrikeFalcon suppressDetections v1.0

Suppress detections for the host.

  • Author: Fabien Bloume, StrangeBee
  • License: AGPL-V3
  • Data Types: thehive:case_artifact

CrowdStrikeFalcon LiftContainmentHost v1.0

This action lifts containment on the host, returning its network communication to normal.

  • Author: Fabien Bloume, StrangeBee
  • License: AGPL-V3
  • Data Types: thehive:case_artifact
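The HostContainment and LiftContainmentHost responders above act on a thehive:case_artifact and, through the Falcon API, cut a machine off the network. The following is an added example, not the responders' own code, of the input validation and safety checks a practitioner should put in front of such a call: exact hostname matching (so a prefix never selects several machines), a refusal when the hostname is ambiguous, a protected-tag guard, and a check of the device's current containment state. The `client` wrapper with `find_devices` and `current_status`, the `no-contain` tag and the `FakeFalconHosts` inventory are assumptions of this example; the containment status strings are the ones the Falcon device details API reports.

```python
"""Constructed example (not the CrowdStrikeFalcon HostContainment responder's code):
the resolution and safety checks a containment responder should do before it
calls the Falcon device-actions API."""
import re
from dataclasses import dataclass, field

HOSTNAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,252}$")


@dataclass
class Decision:
    action: str                      # "contain", "lift_containment" or "refuse"
    device_ids: list = field(default_factory=list)
    reason: str = ""


def plan_containment(artifact: dict, client, lift: bool = False,
                     protected_tags=("no-contain",)) -> Decision:
    """Turn a TheHive case_artifact into a Falcon device action, or refuse.

    `client` is an assumed thin wrapper around the Falcon Hosts API with two
    methods: find_devices(hostname) -> list of {device_id, hostname, tags} and
    current_status(device_id) -> the device's containment status string.
    """
    if artifact.get("dataType") != "hostname":
        return Decision("refuse", reason=f"unsupported dataType {artifact.get('dataType')!r}")
    name = artifact.get("data", "").strip()
    if not HOSTNAME.match(name):
        return Decision("refuse", reason="malformed hostname")
    # Keep exact, case-insensitive matches only: a prefix or wildcard lookup
    # would let 'WS-04' contain every workstation whose name starts that way.
    matches = [d for d in client.find_devices(name) if d["hostname"].lower() == name.lower()]
    if len(matches) != 1:
        return Decision("refuse", reason=f"{len(matches)} devices match {name!r}, need exactly one")
    dev = matches[0]
    if not lift and any(t in protected_tags for t in dev.get("tags", [])):
        return Decision("refuse", reason="device carries a protected tag")
    wanted = "lift_containment" if lift else "contain"
    status = client.current_status(dev["device_id"])
    # Falcon reports normal / contained / containment_pending / lift_containment_pending.
    if wanted == "contain" and status != "normal":
        return Decision("refuse", reason=f"device is already {status!r}")
    if wanted == "lift_containment" and status == "normal":
        return Decision("refuse", reason="device is not contained")
    return Decision(wanted, [dev["device_id"]], f"{wanted} on {name}")


class FakeFalconHosts:
    """Stand-in for the assumed wrapper, backed by a constructed inventory.
    find_devices deliberately matches by prefix, like a wildcard FQL filter."""
    INVENTORY = [
        {"device_id": "aid-0001", "hostname": "WS-0412", "tags": [], "status": "normal"},
        {"device_id": "aid-0002", "hostname": "WS-0412", "tags": [], "status": "normal"},  # stale duplicate
        {"device_id": "aid-0003", "hostname": "DC01", "tags": ["no-contain"], "status": "normal"},
        {"device_id": "aid-0004", "hostname": "LT-0099", "tags": [], "status": "contained"},
        {"device_id": "aid-0005", "hostname": "WS-0500", "tags": [], "status": "normal"},
    ]

    def find_devices(self, hostname):
        return [d for d in self.INVENTORY if d["hostname"].lower().startswith(hostname.lower())]

    def current_status(self, device_id):
        return next(d["status"] for d in self.INVENTORY if d["device_id"] == device_id)
```

With the constructed inventory, `plan_containment({"dataType": "hostname", "data": "WS-0500"}, FakeFalconHosts())` yields a `contain` decision for `aid-0005`, while `WS-0412` (two records), `WS-05` (prefix only), `DC01` (protected tag) and an already contained `LT-0099` are all refused with a reason the responder can report back to the case.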

External Integrations (1)

External integrations that connect CrowdStrike Falcon with TheHive:

falcon2thehive

Real-time connector that streams CrowdStrike Falcon detection events into TheHive, turning Falcon alerts into actionable TheHive Alerts. Supports DetectionSummaryEvent, IdentityProtectionEvent, and MobileDetectionSummaryEvent with automatic observable extraction and TTP mapping.

  • Type: connector
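The two use cases above and the falcon2thehive entry describe one direction each: Falcon streaming events become TheHive alerts with extracted observables and ATT&CK procedures, and TheHive status is later pushed back to the Falcon alert. The block below is an added example of both mappings, written for this page and not taken from falcon2thehive or the CrowdStrikeFalcon_Sync responder. The DetectionSummaryEvent field names and the metadata envelope are standard Falcon streaming-API fields; the fields listed for IdentityProtectionEvent and MobileDetectionSummaryEvent, the tag names, the choice of TheHive stages mapped to each Falcon status, and the SAMPLE_EVENT are assumptions constructed for the example. Two caveats it handles explicitly: Falcon also emits vendor-specific technique codes that are not ATT&CK IDs (TheHive rejects them as procedures), and a closed Falcon alert has to be set to `reopened` before any other status.

```python
"""Constructed example (not falcon2thehive's code): turn Falcon streaming-API
events into TheHive alert bodies and map TheHive status back to Falcon."""
import re

# Falcon SeverityName -> TheHive alert severity (1 low, 2 medium, 3 high, 4 critical).
SEVERITY = {"Informational": 1, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Only ATT&CK IDs become TheHive procedures: Falcon also emits vendor-specific
# technique codes that are not in the ATT&CK catalogue and TheHive would reject.
ATTACK_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")

# (Falcon event field, TheHive dataType) per supported event type. The
# DetectionSummaryEvent names are standard streaming-API fields; the field
# names listed for the other two event types are assumptions of this example.
OBSERVABLE_FIELDS = {
    "DetectionSummaryEvent": [
        ("ComputerName", "hostname"), ("LocalIP", "ip"), ("SHA256String", "hash"),
        ("MD5String", "hash"), ("FilePath", "filename"), ("CommandLine", "other"),
        ("UserName", "other")],
    "IdentityProtectionEvent": [
        ("SourceEndpointHostName", "hostname"), ("SourceEndpointIpAddress", "ip"),
        ("SourceAccountName", "other"), ("TargetAccountName", "other")],
    "MobileDetectionSummaryEvent": [
        ("ComputerName", "hostname"), ("FileName", "filename"), ("SHA256String", "hash")],
}


def falcon_event_to_alert(envelope: dict) -> dict:
    """Build a TheHive v1 alert body from one Falcon streaming event envelope."""
    meta, ev = envelope["metadata"], envelope["event"]
    etype = meta["eventType"]
    if etype not in OBSERVABLE_FIELDS:
        raise ValueError(f"unsupported eventType: {etype}")
    # sourceRef must be stable so a re-delivered event updates the alert, not duplicates it.
    source_ref = ev.get("CompositeId") or ev.get("DetectId") or f"offset:{meta['offset']}"
    when_ms = int(meta["eventCreationTime"])
    observables, seen = [], set()
    for field, dtype in OBSERVABLE_FIELDS[etype]:
        value = ev.get(field)
        if value and (dtype, value) not in seen:  # drop empty and duplicate values
            seen.add((dtype, value))
            observables.append({"dataType": dtype, "data": str(value), "tags": [f"falcon:{field}"]})
    procedures = []
    technique_id = ev.get("TechniqueId", "")
    if ATTACK_ID.match(technique_id):
        procedures.append({"patternId": technique_id, "occurDate": when_ms,
                           "tactic": ev.get("Tactic", ""), "description": ev.get("Technique", "")})
    host = ev.get("ComputerName") or ev.get("SourceEndpointHostName") or "unknown host"
    return {
        "type": etype, "source": "CrowdStrike Falcon", "sourceRef": source_ref,
        "title": f"[Falcon] {ev.get('DetectName') or ev.get('Technique') or etype} on {host}",
        "description": "\n".join(s for s in (ev.get("DetectDescription"), ev.get("FalconHostLink")) if s),
        "severity": SEVERITY.get(ev.get("SeverityName"), 2), "date": when_ms,
        "tags": [f"falcon:{etype}", f"tactic:{ev.get('Tactic', 'unknown')}"],
        "observables": observables, "procedures": procedures,
    }


# TheHive 5 alert/case stage -> Falcon alert status. Falcon accepts new,
# in_progress, reopened and closed; which TheHive stages map where is an assumption.
STAGE_TO_FALCON = {"New": "new", "InProgress": "in_progress", "Imported": "in_progress",
                   "Ignored": "closed", "Resolved": "closed", "Duplicated": "closed"}


def thehive_to_falcon_status(stage: str, current_falcon_status: str = "") -> str:
    """Status to push to Falcon; a closed Falcon alert has to go through 'reopened'."""
    target = STAGE_TO_FALCON.get(stage)
    if target is None:
        raise ValueError(f"unknown TheHive stage: {stage}")
    if current_falcon_status == "closed" and target != "closed":
        return "reopened"
    return target


# Constructed sample event (the hashes are the well-known digests of an empty file).
SAMPLE_EVENT = {
    "metadata": {"offset": 42, "eventType": "DetectionSummaryEvent", "eventCreationTime": 1700000000000},
    "event": {
        "CompositeId": "0123456789abcdef0123456789abcdef:ind:00112233445566778899aabbccddeeff:1700000000000-10-0",
        "ComputerName": "WS-0412", "LocalIP": "10.20.30.40", "UserName": "j.doe",
        "FilePath": "\\Device\\HarddiskVolume3\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA",
        "SHA256String": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
        "MD5String": "d41d8cd98f00b204e9800998ecf8427e",
        "Tactic": "Execution", "Technique": "PowerShell", "TechniqueId": "T1059.001",
        "SeverityName": "High", "DetectName": "Suspicious PowerShell command line",
        "DetectDescription": "Encoded PowerShell launched with a hidden window.",
        "FalconHostLink": "https://falcon.crowdstrike.com/activity/detections/detail/example",
    },
}
```

`falcon_event_to_alert(SAMPLE_EVENT)` produces a high-severity alert with seven observables and one T1059.001 procedure; the resulting dict is what you would POST to TheHive's alert endpoint. Keeping `sourceRef` tied to the Falcon CompositeId (falling back to the older DetectId) is what lets a connector update an existing alert when the streaming API re-delivers an event after a reconnect, instead of creating a duplicate.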