When using CrowdStrike sensors, some playbooks may fail to execute when performing file-based actions like Delete File.
Red Canary and CrowdStrike Falcon
CrowdStrike telemetry sends file path data to Red Canary in the following format:
However, for delete commands Red Canary expects file paths in this format:
Per CrowdStrike's direction, Red Canary created a solution which requires the following:
- Custom Scripts must be enabled in Real Time Response policies.
- To enable custom scripts, navigate to Configuration > Response Policies then edit the applicable response policy. Ensure that both "Real Time Response" and "Custom Scripts" are enabled:
- The attached PowerShell script that maps device paths to drive paths.
- To apply the script, copy and paste the entirety of the script into the CrowdStrike console.
- Ensure the script is named "get_device_to_drive_mappings".
This script returns device-to-drive mappings in NDJSON and allows Red Canary to work around path-formatting issues in CrowdStrike telemetry. Here's an example of its output:
Once a script with the name "get_device_to_drive_mappings" is added to CrowdStrike, Red Canary must manually enable the setting to utilize the script for that account to fully resolve the issue.
Here's the code needed to fix this.
sensor_ids_for_device_to_ drive_mappings = ["ALL"]