In this post, I will introduce the Falcon Foundry platform to beginners who would like to get started with building custom security integrations with CrowdStrike. I will also walk through developing a custom integration app with Zoho Desk using CrowdStrike Falcon Foundry, cybersecurity’s first-low-code application platform.

Motivation

In today’s rapidly evolving cybersecurity landscape, professionals are constantly challenged to keep up with the latest threats and technologies. Navigating multiple platforms and integrating various tools can be time-consuming and complex. CrowdStrike Falcon Foundry offers a powerful solution by providing a low-code application platform (LCAP) that simplifies the development of custom cybersecurity integration apps. By leveraging this platform, cybersecurity experts can streamline their workflows, enhance their threat detection capabilities, and respond to incidents more efficiently. This blog post aims to guide you through the process of developing a custom app using CrowdStrike Falcon Foundry, empowering you to harness the full potential of this innovative platform to integrate with any other tool at hand.

Background

Foundry applications offer a range of capabilities that allow developers to incorporate a multitude of functionalities within their integrated applications such as storing data in collections, executing code in functions, integration with third-party APIs, and more. The table below describes the capabilities covered by Foundry applications. Note that I will only be covering API integration and function capabilities in this post.

Foundry Functions

Foundry functions allow developers to build custom business logic into the app and run it in the CrowdStrike cloud. Supported languages are Python 3.9 or later and Go 1.19 or later. CrowdStrike caps the execution timeout to 30 seconds. The function capability allows security analysts to execute any custom code and include it as a workflow action in Fusion SOAR. Some examples of logic that can be implemented include modifying variables, writing to collections, executing a LogScale query, and even sending custom HTTP requests.

API Integration

Foundry applications are also able to integrate with HTTP-based web services within Falcon using the OpenAPI specification. Once configured, the Falcon platform becomes able to interact with and orchestrate API requests as a Fusion SOAR workflow action. Each Falcon application is limited to one API host (one domain per app). This capability allows CrowdStrike users to integrate their security solution with any other service through 3rd party API requests even if the integration isn’t natively supported.

Falcon Platform

Foundry gives users two ways to build and manage custom apps:

1. Command Line Interface (CLI): build locally and deploy from the command line
2. UI-based tool (App builder): build the application from the Falcon console (over the web)

Note that not all capabilities are offered over CLI or the App builder. The figure below specifies which interface allows you to develop specific capabilities:

In this post, I will be exclusively using the Foundry CLI to create, develop, and deploy the Foundry app. Note that the API integration created can be developed using the App builder over the web.

Quickstart

To get started with Foundry app development, you’ll need to install the Foundry CLI. On Windows, you can install it using Scoop:

scoop bucket add foundry https://github.com/crowdstrike/scoop-foundry-cli.git
scoop install foundry

For Linux and macOS users, install using Homebrew:

brew tap crowdstrike/foundry-cli
brew install foundry

Verify your installation by running:

foundry version

Once the Foundry CLI is installed, you will need to create a profile by logging in. This ensures you have the appropriate credentials to build the app on your CrowdStrike console. Run foundry login in your terminal. You should be redirected to a login page where you will set the appropriate permissions, name your credentials and hit authorize.

Here’s an overview of useful commands:

• foundry apps create - Create a new Foundry app
• foundry apps deploy - Deploy the Foundry app
• foundry apps release - Release the Foundry app

Once release, you will have to install it through the App builder in the Falcon console which might require consenting to the permissions requested by the app.

Create a function

To create a function, run the following command:

foundry functions create --name <function name> --description <function description> --handler-name <handler-name> -l <language> --handler-method <handler-method> --handler-path <handler-path>

This will create a new function with filler code. To add environment variables, you can include the following in the manifest file:

functions:
    environment_variables:
        variable_name: value

If the function expects input data or returns data, specify the request and response schema as JSON schema files and include their path in the manifest file. If needed, also consider making the function available on Fusion SOAR (through the App builder).

Create an API integration

To create an API integration, you will need to create an OpenAPI specification file (either yourself or the published specification of the API you’re integrating with). This file will define the API endpoints, request and response schemas, and other details. Once you have the OpenAPI specification file, you can create the API integration using the following command:

foundry api-integrations create

This command will prompt you for the name of the API integration, a description and a path to a local file or URL for the openAPI specification file.

Zoho Desk Foundry app

As an example of what you can achieve with CrowdStrike Foundry, I have created a custom integration with Zoho Desk since CrowdStrike doesn’t natively support it. This integration allows users to create tickets and add tags to a ticket directly from the CrowdStrike platform, leveraging OAuth2 authentication and data transformation functions. If you are interested in experimenting with or using this integration, you can find the complete code and instructions on the GitHub repository.

References

Falcon Foundry documentation (must be signed in)