Crowdstrike Falcon Reports
This document explains how to set up and use Crowdstrike Falcon Reports with TruSTAR Station.
Leveraging artificial intelligence (AI), the CrowdStrike Falcon® platform offers instant visibility and protection across the enterprise and prevents attacks on endpoints on or off the network. CrowdStrike Falcon delivers real-time protection and actionable intelligence from Day One.
- Source Type: Premium Intel
- Update Type: Feed-based
- Update Frequency: 15 minutes
- Time to Install: 10 minutes
Data Types
The integration pulls all observables supported by TruSTAR.
Requirements
- Licensed user of Crowdstrike
- Access to Crowdstrike Falcon Intelligence Reports.
- Crowdstrike API ID and API key for the reports API.
Getting Started
- Log into TruSTAR Station.
- Click the Marketplace icon on the left side icon list.
- Click Premium Intel.
- Click Subscribe on the Crowdstrike Falcon Reports box.
- Enter your API key and click Save Credentials & Request Subscription.
TruSTAR will validate the integration within 48 hours and send an email when the integration has been enabled.
Report Mapping
Field | Explanation | Example |
Report Title | The ID name field of the response. | 99XX CSIT-17023 Stampado 2.0 Released |
External ID | The ID field of response. | 99XX |
Report Body | Entire JSON body resources list of the response. | |
Time Begun | The created_date field of the response. | 1487684292 |
Report DeepLink | The URL of the report. | https://falcon.crowdstrike.com/intelligence/reports/... |
Tags | Slugs of the response. | US |
FAQ
Q: How do I find my Crowdstrike Falcon Report API keys?
- Navigate to API Clients and Keys in the Crowdstrike portal
- If your keys have not already been created for the Indicators API scope then "Add new API client"
- From here select a Client Name and select the following API scope under the Read column
- Reports
- Copy the keys and subscribe to the Crowdstrike Falcon Reports Marketplace source
Known Issues
None reported.
