CRWDFalcon update

Author: nusantara-self

integrations/vendors/CrowdstrikeFalcon/use-cases/ingest-crowdstrike-falcon-alerts-external-script.md

@@ -1,21 +1,19 @@
 ---
 title: Ingest CrowdStrike Falcon Detections and Incidents into TheHive Using an External Script
 description: Install and configure the falcon2thehive connector to automatically ingest CrowdStrike Falcon detections and incidents into TheHive as alerts in real time.
-tags: 
+tags:
   - alert-ingestion
   - crowdstrike
   - thehive
   - automation
 ---
 # Tutorial: Ingest CrowdStrike Falcon Detections and Incidents into TheHive Using an External Script
 
-<!-- md:integration External --> <!-- md:version 5.0 -->
+> **Warning:** The falcon2thehive connector is currently in beta. Features and configuration may change.
 
-{% include-markdown "includes/falcon2thehive-beta.md" %}
+In this tutorial, we're going to install and configure the [falcon2thehive connector](https://github.com/StrangeBeeCorp/falcon2thehive) to ingest CrowdStrike Falcon detections and incidents into TheHive as alerts.
 
-In this tutorial, we're going to install and configure the [falcon2thehive connector](https://github.com/StrangeBeeCorp/falcon2thehive){target=_blank} to ingest CrowdStrike Falcon detections and incidents into TheHive as alerts.
-
-By the end, you’ll have a working setup that automatically brings CrowdStrike Falcon detections and incidents into TheHive in real time, helping your team respond as soon as they happen.
+By the end, you'll have a working setup that automatically brings CrowdStrike Falcon detections and incidents into TheHive in real time, helping your team respond as soon as they happen.
 
 Before you begin, ensure that the CrowdStrike Falcon detections and incidents you want to ingest are part of the supported event types:
 
@@ -25,14 +23,14 @@ Before you begin, ensure that the CrowdStrike Falcon detections and incidents yo
 * IdpDetectionSummaryEvent
 * MobileDetectionSummaryEvent
 
-!!! tip "More integration options"
-    For the complete list of integration options between CrowdStrike Falcon and TheHive, see [CrowdStrike Falcon Integration with TheHive](crowdstrike-falcon-integrations.md).
+> **Tip:** More integration options
+> For the complete list of integration options between CrowdStrike Falcon and TheHive, see [CrowdStrike Falcon Integration with TheHive](crowdstrike-falcon-integrations.md).
 
 ## Step 1: Create an API client in CrowdStrike Falcon
 
-Let’s start by setting up an API client in your CrowdStrike Falcon console. This will allow the connector to securely access your detections and incidents.
+Let's start by setting up an API client in your CrowdStrike Falcon console. This will allow the connector to securely access your detections and incidents.
 
-1. Go to [https://www.crowdstrike.com/login/](https://www.crowdstrike.com/login/){target=_blank}.
+1. Go to [https://www.crowdstrike.com/login/](https://www.crowdstrike.com/login/).
 
 2. Log in to your CrowdStrike Falcon tenant with an administrator account.
 
@@ -46,33 +44,31 @@ Let’s start by setting up an API client in your CrowdStrike Falcon console. Th
 
 7. Select **Create**.
 
-8. You’ll now see your client ID, secret, and base URL. Copy and save them somewhere safe. You’ll need them in the next step.
+8. You'll now see your client ID, secret, and base URL. Copy and save them somewhere safe. You'll need them in the next step.
 
 ## Step 2: Install and configure falcon2thehive
 
 You can install the falcon2thehive connector using either a [Docker deployment](#docker-deployment) or a [manual installation](#manual-python-installation), depending on your setup and preferences. Docker is the recommended method for ease of deployment and consistency.
 
 ### Docker deployment
 
-!!! note "Recommended installation method"
-    Installing the falcon2thehive connector with Docker is the easiest and most reliable option. It helps keep your environment clean and makes deployment straightforward.
-
-!!! warning "Requirements"
-    Before you begin, make sure [Docker](https://docs.docker.com/get-started/get-docker/){target=_blank} is installed on your system.
+> **Note:** Installing the falcon2thehive connector with Docker is the easiest and most reliable option. It helps keep your environment clean and makes deployment straightforward.
 
-!!! tip "Quick testing"
-    If you just want to test the falcon2thehive connector, you can pass credentials directly as environment variables instead of using a `.env` file.
+> **Warning:** Before you begin, make sure [Docker](https://docs.docker.com/get-started/get-docker/) is installed on your system.
 
-    ```bash
-    docker run -d \
-        --restart unless-stopped \
-        -e CRWD_BASE_URL="<crowdstrike_base_url>" \
-        -e CRWD_CLIENT_ID="<crowdstrike_client_id>" \
-        -e CRWD_CLIENT_SECRET="<crowdstrike_client_secret>" \
-        -e THEHIVE_URL="<thehive_url>" \
-        -e THEHIVE_API_KEY="<thehive_api_key>" \
-        --name f2h falcon2thehive
-    ```
+> **Tip:** Quick testing
+> If you just want to test the falcon2thehive connector, you can pass credentials directly as environment variables instead of using a `.env` file.
+>
+> ```bash
+> docker run -d \
+>     --restart unless-stopped \
+>     -e CRWD_BASE_URL="<crowdstrike_base_url>" \
+>     -e CRWD_CLIENT_ID="<crowdstrike_client_id>" \
+>     -e CRWD_CLIENT_SECRET="<crowdstrike_client_secret>" \
+>     -e THEHIVE_URL="<thehive_url>" \
+>     -e THEHIVE_API_KEY="<thehive_api_key>" \
+>     --name f2h falcon2thehive
+> ```
 
 1. Build the Docker image.
 
@@ -101,7 +97,17 @@ You can install the falcon2thehive connector using either a [Docker deployment](
     APP_ID=falcon2thehive
     ```
 
-    {% include-markdown "includes/falcon2thehive-environment-variables-explained.md" %}
+    **Environment variables explained:**
+
+    | Variable | Required | Description |
+    |---|---|---|
+    | `CRWD_BASE_URL` | Yes | Your CrowdStrike Falcon base URL |
+    | `CRWD_CLIENT_ID` | Yes | API client ID from Step 1 |
+    | `CRWD_CLIENT_SECRET` | Yes | API client secret from Step 1 |
+    | `THEHIVE_URL` | Yes | URL of your TheHive instance |
+    | `THEHIVE_API_KEY` | Yes | API key for TheHive authentication |
+    | `THEHIVE_ORG` | No | Target organization in TheHive |
+    | `APP_ID` | No | Application ID for the CrowdStrike streaming API (default: `falcon2thehive`) |
 
     c. Run the container.
 
@@ -114,49 +120,43 @@ You can install the falcon2thehive connector using either a [Docker deployment](
 
 At this point, the connector should be live and syncing CrowdStrike Falcon detections and incidents with TheHive.
 
-!!! tip "Connector operation commands"
-
-    Here are some useful commands for managing the connector:
-
-    * View logs:
-    ```bash
-    docker logs -f f2h
-    ```
-
-    * Stop the connector:
-    ```bash
-    docker stop f2h
-    ```
-
-    * Restart the connector with the same configuration:
-    ```bash
-    docker start f2h
-    ```
-
-    * To change environment variables:
-
-
-        a. Stop and remove the container:
-
-        ```bash
-        docker stop f2h
-        docker rm f2h
-        ```
-
-        b. Start a new one with updated environment variables using `-e` flags or an updated `.env` file:
-
-        ```bash
-        docker run -d --restart unless-stopped --env-file .env --name f2h falcon2thehive
-        ```
+> **Tip:** Connector operation commands
+>
+> * View logs:
+>   ```bash
+>   docker logs -f f2h
+>   ```
+>
+> * Stop the connector:
+>   ```bash
+>   docker stop f2h
+>   ```
+>
+> * Restart the connector with the same configuration:
+>   ```bash
+>   docker start f2h
+>   ```
+>
+> * To change environment variables:
+>
+>     a. Stop and remove the container:
+>     ```bash
+>     docker stop f2h
+>     docker rm f2h
+>     ```
+>
+>     b. Start a new one with updated environment variables using `-e` flags or an updated `.env` file:
+>     ```bash
+>     docker run -d --restart unless-stopped --env-file .env --name f2h falcon2thehive
+>     ```
 
 ### Manual Python installation
 
-!!! warning "Requirements"
-    Before you begin, make sure the following tools are installed on your system:
-
-    * [Python 3.X](https://www.python.org/downloads/){target=_blank}
-    * [TheHive4py 2.X](https://github.com/TheHive-Project/TheHive4py){target=_blank}
-    * [FalconPy SDK](https://github.com/CrowdStrike/falconpy){target=_blank}
+> **Warning:** Before you begin, make sure the following tools are installed on your system:
+>
+> * [Python 3.X](https://www.python.org/downloads/)
+> * [TheHive4py 2.X](https://github.com/TheHive-Project/TheHive4py)
+> * [FalconPy SDK](https://github.com/CrowdStrike/falconpy)
 
 1. Clone the falcon2thehive repository.
 
@@ -167,7 +167,7 @@ At this point, the connector should be live and syncing CrowdStrike Falcon detec
 
 2. Recommended: Create and activate a virtual environment.
 
-    Using a virtual environment helps isolate dependencies so they don’t interfere with other Python projects.
+    Using a virtual environment helps isolate dependencies so they don't interfere with other Python projects.
 
     ```bash
     python3 -m venv .venv
@@ -193,13 +193,23 @@ At this point, the connector should be live and syncing CrowdStrike Falcon detec
     # Optional settings
     export THEHIVE_ORG="<organization_name>"
     export APP_ID="falcon2thehive"
-    ``` 
+    ```
+
+    **Environment variables explained:**
 
-    {% include-markdown "includes/falcon2thehive-environment-variables-explained.md" %}
+    | Variable | Required | Description |
+    |---|---|---|
+    | `CRWD_BASE_URL` | Yes | Your CrowdStrike Falcon base URL |
+    | `CRWD_CLIENT_ID` | Yes | API client ID from Step 1 |
+    | `CRWD_CLIENT_SECRET` | Yes | API client secret from Step 1 |
+    | `THEHIVE_URL` | Yes | URL of your TheHive instance |
+    | `THEHIVE_API_KEY` | Yes | API key for TheHive authentication |
+    | `THEHIVE_ORG` | No | Target organization in TheHive |
+    | `APP_ID` | No | Application ID for the CrowdStrike streaming API (default: `falcon2thehive`) |
 
 5. Run the connector.
 
-    Now it’s time to start the connector.
+    Now it's time to start the connector.
 
     * To run it in the background so it stays active while you continue working on other tasks:
 
@@ -213,8 +223,8 @@ At this point, the connector should be live and syncing CrowdStrike Falcon detec
     python falcon2thehive.py
     ```
 
-You should now start seeing CrowdStrike Falcon detections and incidents in your TheHive alert list. If you’re running it in the foreground, you should see log messages confirming a successful connection and alert ingestion.
+You should now start seeing CrowdStrike Falcon detections and incidents in your TheHive alert list. If you're running it in the foreground, you should see log messages confirming a successful connection and alert ingestion.
 
-<h2>Next steps</h2>
+## Next steps
 
 * [Synchronize Alert and Case Statuses from TheHive to CrowdStrike Falcon](synchronize-status-thehive-crowdstrike-falcon.md)

integrations/vendors/CrowdstrikeFalcon/use-cases/synchronize-status-thehive-crowdstrike-falcon.md

@@ -1,49 +1,47 @@
 ---
 title: Synchronise status between TheHive alerts/cases and CrowdStrike detections/incidents
 description: Keep case/alert status in sync between TheHive and CrowdStrike Falcon using notifications and the CrowdStrikeFalcon_Sync responder.
-tags: 
+tags:
   - status
   - sync
   - crowdstrike
   - thehive
   - automation
+thehive_version_required: "5.0"
+license_required: "platinum"
 ---
 # Tutorial: Synchronize Alert and Case Statuses from TheHive to CrowdStrike Falcon
 
-<!-- md:license Platinum -->
+In this tutorial, we're going to install and configure the Cortex responder *[Status Sync](https://thehive-project.github.io/Cortex-Analyzers/responders/CrowdstrikeFalcon/#crowdstrikefalcon_sync)*.
 
-In this tutorial, we're going to install and configure the Cortex responder *[Status Sync](https://thehive-project.github.io/Cortex-Analyzers/responders/CrowdstrikeFalcon/#crowdstrikefalcon_sync){target=_blank}*.
+By the end, you'll have a setup that automatically keeps alert and case statuses in sync between TheHive and CrowdStrike Falcon, so that your investigations stay aligned across both platforms.
 
-By the end, you’ll have a setup that automatically keeps alert and case statuses in sync between TheHive and CrowdStrike Falcon, so that your investigations stay aligned across both platforms.
+> **Warning:** Prerequisites
+> This tutorial assumes that you've already configured the ingestion of CrowdStrike Falcon detections and incidents into TheHive as alerts using [one of the available methods](crowdstrike-falcon-integrations.md#alert-ingestion).
 
-!!! warning "Prerequisites"
-    This tutorial assumes that you've already configured the ingestion of CrowdStrike Falcon detections and incidents into TheHive as alerts using [one of the available methods](crowdstrike-falcon-integrations.md#alert-ingestion).
+> **Note:** One-way sync
+> This synchronization only works from TheHive to CrowdStrike Falcon. If you want to sync statuses the other way around, you'll need to implement a polling mechanism using an alert feeder.
 
-!!! note "One-way sync"
-    This synchronization only works from TheHive to CrowdStrike Falcon. If you want to sync statuses the other way around, you’ll need to implement a polling mechanism using an [alert feeder](../../thehive/user-guides/organization/configure-organization/manage-feeders/about-feeders.md).
+**Status mapping:**
 
-!!! info "Status mapping"
+| TheHive stage  | CrowdStrike detection status | CrowdStrike incident status |
+| ----------- | ------------------------------------ | ------------------------------------ |
+| *New*       | *new*  | *20*  |
+| *In progress*       | *in_progress* | *30*  |
+| *Closed*    | *closed* | *40*  |
 
-    | TheHive stage  | CrowdStrike detection status                          | CrowdStrike incident status                          |
-    | ----------- | ------------------------------------ | ------------------------------------ |
-    | *New*       | *new*  | *20*  |
-    | *In progress*       | *in_progress* | *30*  |
-    | *Closed*    | *closed* | *40*  |
-
-!!! tip "More integration options"
-    For the complete list of integration options between CrowdStrike Falcon and TheHive, see [CrowdStrike Falcon Integration with TheHive](crowdstrike-falcon-integrations.md).
+> **Tip:** More integration options
+> For the complete list of integration options between CrowdStrike Falcon and TheHive, see [CrowdStrike Falcon Integration with TheHive](crowdstrike-falcon-integrations.md).
 
 ## Step 1: Create custom fields in TheHive
 
-<!-- md:permission `manageCase/update` --> <!-- md:permission `manageAlert/update` -->
-
-To make the link between TheHive and CrowdStrike Falcon, we’ll start by [creating two custom fields](../../thehive/administration/custom-fields/create-a-custom-field.md) that will hold detection and incident IDs.
+To make the link between TheHive and CrowdStrike Falcon, we'll start by creating two custom fields that will hold detection and incident IDs.
 
-1. {% include-markdown "includes/entities-management-view-go-to.md" %}
+1. Go to the **Entities management** view.
 
-2. {% include-markdown "includes/custom-fields-tab-go-to.md" %}
+2. Select the **Custom fields** tab.
 
-3. Select :fontawesome-solid-plus:.
+3. Select **+**.
 
 4. In the **Adding a custom field** drawer, enter the following information:
 
@@ -59,7 +57,7 @@ To make the link between TheHive and CrowdStrike Falcon, we’ll start by [creat
 
 5. Select **Confirm custom field creation**.
 
-6. Select :fontawesome-solid-plus: again.
+6. Select **+** again.
 
 7. In the **Adding a custom field** drawer, enter the following information:
 
@@ -77,9 +75,7 @@ To make the link between TheHive and CrowdStrike Falcon, we’ll start by [creat
 
 ## Step 2: Enable and configure the Status Sync responder in Cortex
 
-<!-- md:permission `orgAdmin` -->
-
-Now let’s enable and configure the *CrowdStrikeFalcon_Sync_1_0* responder in Cortex.
+Now let's enable and configure the *CrowdStrikeFalcon_Sync_1_0* responder in Cortex.
 
 1. Go to the **Organization** view.
 
@@ -89,26 +85,23 @@ Now let’s enable and configure the *CrowdStrikeFalcon_Sync_1_0* responder in C
 
 4. Select **Edit** next to *CrowdStrikeFalcon_HostContainment_1_0*.
 
-5. In the **Edit responder CrowdStrikeFalcon_HostContainment_1_0** drawer, enter the required details as described in the [Cortex Neurons documentation](https://thehive-project.github.io/Cortex-Analyzers/responders/CrowdstrikeFalcon/#crowdstrikefalcon_sync){target=_blank}.
+5. In the **Edit responder CrowdStrikeFalcon_HostContainment_1_0** drawer, enter the required details as described in the [Cortex Neurons documentation](https://thehive-project.github.io/Cortex-Analyzers/responders/CrowdstrikeFalcon/#crowdstrikefalcon_sync).
 
 The responder is now ready to run and synchronize statuses each time a change is detected in TheHive.
 
 ## Step 3: Create a notification in TheHive to trigger the responder
 
-<!-- md:permission `manageConfig` -->
+The last step is to automate the sync by triggering the responder when alert or case statuses change.
 
-The last step is to automate the sync by [triggering the responder](../../thehive/user-guides/organization/configure-organization/manage-notifications/create-a-notification.md) when alert or case statuses change.
-
-1. {% include-markdown "includes/organization-view-go-to.md" %}
+1. Go to the **Organization** view.
 
-2. {% include-markdown "includes/notifications-tab-go-to.md" %}
+2. Select the **Notifications** tab.
 
-3. Select :fontawesome-solid-plus:.
+3. Select **+**.
 
 4. In the **Add notification** drawer, enter the name of your notification.
 
-    !!! warning "Unique name"
-        This name must be unique, as two notifications can't have the same name.
+    > **Warning:** This name must be unique, as two notifications can't have the same name.
 
 5. Select the *FilteredEvent* trigger.
 
@@ -165,6 +158,6 @@ The last step is to automate the sync by [triggering the responder](../../thehiv
 
 Your system is now set up to synchronize statuses from TheHive to CrowdStrike Falcon whenever alert or case statuses are changed.
 
-<h2>Next steps</h2>
+## Next steps
 
-* [Cortex Responders GitHub repository](https://github.com/TheHive-Project/Cortex-Analyzers/tree/master/responders/CrowdstrikeFalcon){target=_blank}
+* [Cortex Responders GitHub repository](https://github.com/TheHive-Project/Cortex-Analyzers/tree/master/responders/CrowdstrikeFalcon)