
CrowdStrike ThreatGraph

Modified on: Wed, 7 Sep, 2022 at 7:03 PM

Overview

CrowdStrike provides a suite of five APIs that let customers of the CrowdStrike Falcon platform enhance their triage workflow and build on their existing security investments.


The Falcon Threat Graph API is one of these five APIs. It queries CrowdStrike's multi-petabyte graph database to reveal the relationships between indicators of compromise (IOCs), devices, processes, and other forensic data and events, such as files written, module loads, or network connections.


With the ThreatGraph Transforms, investigators can query the CrowdStrike ThreatGraph API from Maltego, pivot on CrowdStrike Falcon data, and traverse the graph to investigate relationships between events: for example, starting from a process ID (CS.PID), walking to its parent or children, and then to the DNS requests, remote IPv4 addresses, modules, or user associated with it. Every transform below takes the same two settings, CSUser and CSPass, which hold the CrowdStrike credentials used to call the API; both are required (Optional: false) and are requested through a popup (Popup: true). All transforms return Phrase entities.




CrowdStrike ThreatGraph Transforms

[ThreatGraph] Get Sensors

Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
CSPass string DefaultValue false true false
CSUser string DefaultValue false true false

Transform Meta Info

Information Value
Display Name [ThreatGraph] Get Sensors
Owner iTDS
Author iTDS@Paterva.com
Data Source ThreatGraph
Transform Name GetSensors
Input Entities maltego.Hash
Output Entities Phrase
Short Description  

[ThreatGraph] Get User from PID

Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
CSPass string DefaultValue false true false
CSUser string DefaultValue false true false

Transform Meta Info

Information Value
Display Name [ThreatGraph] Get User from PID
Owner iTDS
Author iTDS@Paterva.com
Data Source ThreatGraph
Transform Name GetPIDUser
Input Entities CS.PID
Output Entities Phrase
Short Description  

[ThreatGraph] Get DNS Request Data from PID

Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
CSPass string DefaultValue false true false
CSUser string DefaultValue false true false

Transform Meta Info

Information Value
Display Name [ThreatGraph] Get DNS Request Data from PID
Owner iTDS
Author iTDS@Paterva.com
Data Source ThreatGraph
Transform Name GetPIDDNSReq
Input Entities CS.PID
Output Entities Phrase
Short Description  

[ThreatGraph] Get PID Children

Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
CSPass string DefaultValue false true false
CSUser string DefaultValue false true false

Transform Meta Info

Information Value
Display Name [ThreatGraph] Get PID Children
Owner iTDS
Author iTDS@Paterva.com
Data Source ThreatGraph
Transform Name GetPIDChildren
Input Entities CS.PID
Output Entities Phrase
Short Description  

[ThreatGraph] Get PID Modules that were Written

Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
CSPass string DefaultValue false true false
CSUser string DefaultValue false true false

Transform Meta Info

Information Value
Display Name [ThreatGraph] Get PID Modules that were Written
Owner iTDS
Author iTDS@Paterva.com
Data Source ThreatGraph
Transform Name GetPIDWrittenModule
Input Entities CS.PID
Output Entities Phrase
Short Description  

[ThreatGraph] Get Sensors DNS

Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
CSPass string DefaultValue false true false
CSUser string DefaultValue false true false

Transform Meta Info

Information Value
Display Name [ThreatGraph] Get Sensors DNS
Owner iTDS
Author iTDS@Paterva.com
Data Source ThreatGraph
Output Entities Phrase
Short Description  

Variants

Transform Name Input Entities
GetSensorsDNS maltego.Domain
GetSensorsDNSName maltego.DNSName

[ThreatGraph] Get PID Modules

Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
CSPass string DefaultValue false true false
CSUser string DefaultValue false true false

Transform Meta Info

Information Value
Display Name [ThreatGraph] Get PID Modules
Owner iTDS
Author iTDS@Paterva.com
Data Source ThreatGraph
Transform Name GetPIDModule
Input Entities CS.PID
Output Entities Phrase
Short Description  

[ThreatGraph] Get PID IPv4 Remote Addresses

Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
CSPass string DefaultValue false true false
CSUser string DefaultValue false true false

Transform Meta Info

Information Value
Display Name [ThreatGraph] Get PID IPv4 Remote Addresses
Owner iTDS
Author iTDS@Paterva.com
Data Source ThreatGraph
Transform Name GetPIDIPv4
Input Entities CS.PID
Output Entities Phrase
Short Description  

[ThreatGraph] Get Process ID’s from Sensor

Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
CSPass string DefaultValue false true false
CSUser string DefaultValue false true false

Transform Meta Info

Information Value
Display Name [ThreatGraph] Get Process ID’s from Sensor
Owner iTDS
Author iTDS@Paterva.com
Data Source ThreatGraph
Transform Name GetProcData
Input Entities CS.Sensor
Output Entities Phrase
Short Description  

[ThreatGraph] Get PID Data

Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
CSPass string DefaultValue false true false
CSUser string DefaultValue false true false

Transform Meta Info

Information Value
Display Name [ThreatGraph] Get PID Data
Owner iTDS
Author iTDS@Paterva.com
Data Source ThreatGraph
Transform Name GetPIDData
Input Entities CS.PID
Output Entities Phrase
Short Description  

[ThreatGraph] Get Domains from PID

Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
CSPass string DefaultValue false true false
CSUser string DefaultValue false true false

Transform Meta Info

Information Value
Display Name [ThreatGraph] Get Domains from PID
Owner iTDS
Author iTDS@Paterva.com
Data Source ThreatGraph
Transform Name GetPIDDNS
Input Entities CS.PID
Output Entities Phrase
Short Description  

[ThreatGraph] Get Process Parent

Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
CSPass string DefaultValue false true false
CSUser string DefaultValue false true false

Transform Meta Info

Information Value
Display Name [ThreatGraph] Get Process Parent
Owner iTDS
Author iTDS@Paterva.com
Data Source ThreatGraph
Transform Name GetPIDParent
Input Entities CS.PID
Output Entities Phrase
Short Description  
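The transforms above each take one entity (a CS.PID, a CS.Sensor, a hash, or a domain) and return Phrase entities. The following is an added example, not code from this page, from Paterva/Maltego, or from CrowdStrike: a minimal local transform in Python that reproduces the shape of the "Get PID ..." transforms (GetPIDParent, GetPIDChildren, GetPIDUser, GetPIDDNS, GetPIDIPv4, GetPIDModule) against a small constructed in-memory process graph instead of the real ThreatGraph API, and serializes the results as maltego.Phrase entities in Maltego's standard transform response XML. The sample telemetry, its field names, and the sensor and process identifiers are invented for the example and do not reflect ThreatGraph's schema.

```python
import xml.etree.ElementTree as ET

# Constructed sample telemetry for one sensor, keyed by process id.
# Field names are this example's own, not the ThreatGraph API schema.
SAMPLE_GRAPH = {
    "sensor-01": {
        "1000": {"name": "explorer.exe", "parent": None, "user": "CORP\\alice",
                 "dns": [], "ipv4": [], "modules": ["shell32.dll"]},
        "1337": {"name": "winword.exe", "parent": "1000", "user": "CORP\\alice",
                 "dns": [], "ipv4": [], "modules": ["mso.dll", "vbe7.dll"]},
        "2048": {"name": "powershell.exe", "parent": "1337", "user": "CORP\\alice",
                 "dns": ["update.example.invalid"], "ipv4": ["203.0.113.7:443"],
                 "modules": ["System.Management.Automation.dll"]},
        "2049": {"name": "cmd.exe", "parent": "2048", "user": "CORP\\alice",
                 "dns": [], "ipv4": [], "modules": []},
    }
}


def _proc(sensor, pid):
    """Look up one process record; raises KeyError for an unknown sensor/pid."""
    return SAMPLE_GRAPH[sensor][pid]


def get_pid_parent(sensor, pid):
    """Like [ThreatGraph] Get Process Parent: the parent pid, or None at the root."""
    return _proc(sensor, pid)["parent"]


def get_pid_children(sensor, pid):
    """Like [ThreatGraph] Get PID Children: pids whose parent is `pid`."""
    return sorted(p for p, rec in SAMPLE_GRAPH[sensor].items() if rec["parent"] == pid)


def get_pid_user(sensor, pid):
    return _proc(sensor, pid)["user"]


def get_pid_dns(sensor, pid):
    return list(_proc(sensor, pid)["dns"])


def get_pid_ipv4(sensor, pid):
    return list(_proc(sensor, pid)["ipv4"])


def get_pid_modules(sensor, pid):
    return list(_proc(sensor, pid)["modules"])


def get_process_chain(sensor, pid):
    """Walk parent links up to the root: the traversal an investigator does by
    running Get Process Parent repeatedly. A seen-set guards against a cycle in
    malformed data so the walk always terminates."""
    chain, seen = [], set()
    while pid is not None and pid not in seen:
        seen.add(pid)
        chain.append(f"{pid} {_proc(sensor, pid)['name']}")
        pid = get_pid_parent(sensor, pid)
    return chain


def _parent_as_list(sensor, pid):
    parent = get_pid_parent(sensor, pid)
    return [parent] if parent is not None else []


# Transform names as listed in the tables above, mapped to handlers.
TRANSFORMS = {
    "GetPIDParent": _parent_as_list,
    "GetPIDChildren": get_pid_children,
    "GetPIDUser": lambda s, p: [get_pid_user(s, p)],
    "GetPIDDNS": get_pid_dns,
    "GetPIDIPv4": get_pid_ipv4,
    "GetPIDModule": get_pid_modules,
}


def to_maltego_response(values, entity_type="maltego.Phrase"):
    """Serialize result values as a Maltego transform response; each value
    becomes one entity of `entity_type` (Phrase, per the Output Entities column)."""
    msg = ET.Element("MaltegoMessage")
    resp = ET.SubElement(msg, "MaltegoTransformResponseMessage")
    ents = ET.SubElement(resp, "Entities")
    for v in values:
        ent = ET.SubElement(ents, "Entity", Type=entity_type)
        ET.SubElement(ent, "Value").text = str(v)
        ET.SubElement(ent, "Weight").text = "100"
    return ET.tostring(msg, encoding="unicode")


def response_values(xml_text):
    """Parse a response back into its entity values."""
    return [e.findtext("Value") for e in ET.fromstring(xml_text).iter("Entity")]


def run_transform(name, sensor, pid):
    """Run one named transform. Unknown transform names or pids yield an empty
    (but well-formed) response rather than an exception, so the Maltego client
    gets a valid reply instead of a transform error."""
    handler = TRANSFORMS.get(name)
    if handler is None:
        return to_maltego_response([])
    try:
        return to_maltego_response(handler(sensor, pid))
    except KeyError:
        return to_maltego_response([])


if __name__ == "__main__":
    print(run_transform("GetPIDChildren", "sensor-01", "1337"))
    print(get_process_chain("sensor-01", "2049"))
```

Running the script prints the Phrase entity for pid 2048 (the child of winword.exe) and the ancestry of cmd.exe back to explorer.exe, which is the chain an analyst would otherwise assemble by hand from four Get Process Parent runs. A real transform would replace `SAMPLE_GRAPH` with calls to the ThreatGraph API authenticated with the CSUser/CSPass settings, and should keep the same empty-response behaviour for lookups that return nothing.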
