Automated Security Response: Falcon Orchestrator

CrowdStrike Falcon Orchestrator is an extendable Windows-based application that provides workflow automation, case management and security response functionality. The tool leverages the highly extensible APIs contained within the CrowdStrike Falcon Connect program.

System Dependencies

Falcon Orchestrator has only been tested on Windows Server 2012 R2, however it should also be functional on an older versions of Windows Server as long as .NET 4.5 framework is installed. It can be deployed on a single host running or across multiple servers.

Database Server – Ensure that a MS SQL Server database engine is installed on the server. It is suggested, although not required, to utilize an enterprise version as future updates will take advantage of SQL Server CDC functionality which is not available with the SQL Server Express editions. The software has only been tested with SQL Server 2014.

Web Server – The following Windows server roles must be installed:

  • Web Server (IIS) > Web Server > Security > Windows Authentication
  • Web Server (IIS) > Web Server > Application Development > ASP.NET 4.5
  • Application Server > .NET Framework 4.5#

System Clock – Ensure that the Windows system clock is synchronized. If it is not, you will receive a 401 error when initiating the client service. This is due to the fact hmac signature creation uses the current timestamp as part of the API authentication process.

Third Party Libraries

The following external libraries are used within the project. These are not provided via the GitHub repository, if building from source you will need to right click on the solution file in Visual Studio and select Restore NuGet Packages.

  • HighCharts
  • HighCharts.NET
  • DotNetZip
  • AutoMapper
  • Log4Net
  • WIX
  • JQuery
  • JQuery DataTables
  • Bootstrap



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s