Crowdstrike Falcon Reports

Updated 1 month ago by TruSTAR

This document explains how to set up the Crowdstrike Falcon Reports premium intelligence source in theTruSTAR platform. 

Leveraging artificial intelligence, the CrowdStrike Falcon® platform offers instant visibility and protection across the enterprise and prevents attacks on endpoints on or off the network. 

  • Source Type: Premium Intel
  • Update Type: Feed-based
  • Update Frequency: 15 minutes
  • Parser: Yes
  • Time to Install: 10 minutes

Observables Supported

Requirements

  • Licensed user of Crowdstrike
  • Access to Crowdstrike Falcon Intelligence Reports.
  • Crowdstrike API ID and API key for the reports API.
TruSTAR Admin rights are required to activate this premium intelligence feed.

Getting Started

  1. Log into the TruSTAR Web App.
  2. Click the Marketplace icon on the left side icon list.
  3. Click Premium Intel.
  4. Click Subscribe on the Crowdstrike Falcon Reports box.
  5. Enter your API key and click Save Credentials & Request Subscription.

TruSTAR will validate the integration within 48 hours and send an email when the integration has been enabled.

TruSTAR Report Mapping 

The information retrieved from this intelligence source is stored in the CrowdStrike Falcon Reports Enclave using this format.

Field 

Explanation

Example

Report Title

The ID name field of the response.

99XX CSIT-17023 Stampado 2.0 Released  

External ID

The ID field of response.

99XX

Report Body

Entire JSON body resources list of the response.

Time Begun

The created_date field of the response.

1487684292

Report DeepLink

The URL of the report.

https://falcon.crowdstrike.com/intelligence/reports/...

Tags

Slugs of the response.

US

FAQ

Q: How do I find my Crowdstrike Falcon Report API keys?
  1. Navigate to API Clients and Keys in the Crowdstrike portal.
  2. If your keys have not already been created for the Indicators API scope, then select Add new API client.
  3. Select a Client Name and select the following API scopes:
  4. Copy the Client ID/ Secret and subscribe to the Crowdstrike Falcon Reports Marketplace source.

Known Issues

None reported.

Please contact support@trustar.co if you have issues with this integration.


How Did We Do?