CrowdStrike Falcon - Search Endpoints By Hash
This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook searches across the organization for other endpoints associated with a specific SHA256/MD5/SHA1 hash.
CrowdStrike Falcon · 19 tasks · 4 inputs · 10 outputs
Inputs
FileSha256— The SHA256 file hash to search for.HostId— The ID of the host that originated the detection.SHA1— The SHA1 file hash to search for.MD5— The MD5 file hash to search for.
Outputs
Endpoint— Additional hosts that have the hash present.CrowdStrike.IOC.DeviceCount— The number of devices the IOC ran on.Endpoint.Hostname— The endpoint's hostname.CrowdStrike.IOC.Type— The type of the IOC.Endpoint.IPAddress— The endpoint's IP address or list of IP addresses.CrowdStrike.IOC.Value— The string representation of the indicator.Endpoint.OS— The endpoint operation system.Endpoint.Status— The endpoint status.Endpoint.IsIsolated— The endpoint isolation status.CrowdStrike.DeviceID— Device IDs an indicator ran on.
Commands used
cs-falcon-device-count-ioc
cs-falcon-device-ran-on
endpoint