Crowdstrike Falcon Reports

Updated 2 months ago by Elvis Hovor

Introduction

TruSTAR is a threat intelligence platform designed to accelerate the incident analysis process and the exchange of intelligence among internal and external teams. This document describes how paying Crowdstrike customers can correlate reports in their TruSTAR enclaves with their Crowdstrike Falcon Intelligence reports in the TruSTAR platform.

Prerequisites

This integration requires TruSTAR users to be paying customers of Crowdstrike and users of Crowdstrike's Falcon Intelligence Reports. Users will also need access to their Crowdstrike API ID and API key for the reports API.

Configure Integration

After you have retrieved your Crowdstrike API ID and key, follow these steps:

Note: Only TruSTAR admins can activate closed source integrations.

  1. Log into TruSTAR Station and go to Explore->Marketplace (https://station.trustar.co/browse/marketplace).
  2. Click on Closed Sources.
  3. Click the Subscribe button on the Crowdstrike logo and fill in your API key.
  4. Click Submit.

TruSTAR will validate and enable the Crowdstrike integration within 48 hours. You will receive an email from us informing you as soon as it is enabled.


After the integration is enabled, you should see reports from Crowdstrike being submitted into an enclave you control on TruSTAR.

How it works

After a user has activated the Crowdstrike integration, any new report submitted into the user's enclave in TruSTAR will have all of its indicators extracted and queried against the Crowdstrike Falcon Intel database. The matching Crowdstrike reports are shown as reports correlated to the user's original report through the shared indicators.

FAQ

What data do you currently pull from Crowdstrike?

Our integration queries newly created reports from Crowdstrike and submits them to the user's enclave in TruSTAR, where the indicators from each report are correlated against other intelligence sources and the user's own data in their enclaves.

How often is the data pulled?

Our integration retrieves data from Crowdstrike every 15 minutes.


Technical Details

Crowdstrike Indicator API

Credentials: API ID, API Key
Returns: full JSON response

Reports Query Details
  • Query for reports modified on or after a timestamp (stored in a checkpoint file), fetch the details of each returned report individually, and submit them to TruSTAR.

Sample Response (i), list of matching report IDs:

{
  "meta": {
    "pagination": {
      "offset": 0,
      "limit": 10,
      "total": 3
    },
    "query_time": 0.363
  },
  "resources": [
    "7015",
    "9623",
    "2231"
  ]
}

Sample Response (ii), individual report details:

{
  "meta": {
    "paging": {
      "total": 1,
      "offset": 0,
      "limit": 0
    },
    "query_time": 0.002
  },
  "resources": [{
    "short_description": "Originally released in June 2016, the ransomware Stampado has been growing in popularity among eCrime threat actors on underground forums. Stampado’s appeal is owing in large part to its price of $39 USD. Another popular strain of ransomware, Philadelphia, runs almost 10 times that cost at $400 USD, according to CrowdStrike sensitive source reporting. Additionally, Stampado provides a high level o...",
    "target_industries": [],
    "last_modified_date": 1487684292,
    "target_countries": [],
    "type": {
      "name": "Tipper",
      "id": 357,
      "slug": "tipper"
    },
    "url": "https://falcon.crowdstrike.com/intelligence/reports/csit-17023-stampado-2-0-released/",
    "tags": [{
      "id": 354,
      "value": "Criminal",
      "slug": "criminal"
    }],
    "motivations": [{
      "id": 354,
      "value": "Criminal",
      "slug": "criminal"
    }],
    "sub_type": {
      "name": "",
      "id": null,
      "slug": ""
    },
    "name": "CSIT-17023 Stampado 2.0 Released",
    "id": 9951,
    "created_date": 1487684292,
    "slug": "csit-17023-stampado-2-0-released"
  }]
}

TruSTAR Report mapping

Report Title - 9951 CSIT-17023 Stampado 2.0 Released (i.e. the {id name} fields of the response)
External ID - 9951 (i.e. the id field of the response)
Report Body - the entire JSON resources list of response (ii)
Time Begun - 1487684292 (i.e. the created_date field of the response)
Report DeepLink - <url> (e.g. https://falcon.crowdstrike.com/intelligence/reports/csit-17023-stampado-2-0-released/)
Tags - tags → slug (e.g. us)
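As an added example, not TruSTAR's or Crowdstrike's own integration code, the following Python applies the report mapping above to the page's sample detail response and maintains the "modified on or after" checkpoint described under Reports Query Details. The output keys, function names and the shortened sample are this example's own assumptions, not TruSTAR SDK field names.

```python
import json

# Constructed sample: the page's detail response (ii), description shortened, used as offline input.
SAMPLE_DETAIL_RESPONSE = {
    "meta": {"paging": {"total": 1, "offset": 0, "limit": 0}, "query_time": 0.002},
    "resources": [{
        "short_description": "Originally released in June 2016, the ransomware Stampado ...",
        "last_modified_date": 1487684292,
        "type": {"name": "Tipper", "id": 357, "slug": "tipper"},
        "url": "https://falcon.crowdstrike.com/intelligence/reports/csit-17023-stampado-2-0-released/",
        "tags": [{"id": 354, "value": "Criminal", "slug": "criminal"}],
        "motivations": [{"id": 354, "value": "Criminal", "slug": "criminal"}],
        "name": "CSIT-17023 Stampado 2.0 Released",
        "id": 9951,
        "created_date": 1487684292,
        "slug": "csit-17023-stampado-2-0-released",
    }],
}


def map_report(detail_response):
    """Apply the page's TruSTAR report mapping to one Falcon report-detail response.
    The output keys are this example's own labels, not TruSTAR SDK field names."""
    resources = detail_response.get("resources") or []
    if not resources:
        raise ValueError("detail response carries no resources")
    r = resources[0]
    if "id" not in r or not r.get("name"):
        raise ValueError("report lacks id or name; cannot build the '{id name}' title")
    return {
        "title": f"{r['id']} {r['name']}",              # Report Title: {id name}
        "external_id": str(r["id"]),                    # External ID: id field
        "body": json.dumps(resources, indent=2),        # Report Body: entire resources list
        "time_began": r.get("created_date"),            # Time Begun: created_date (epoch seconds)
        "deeplink": r.get("url"),                       # Report DeepLink: url field
        "tags": [t["slug"] for t in r.get("tags", []) if t.get("slug")],  # Tags: tags -> slug
    }


def advance_checkpoint(detail_responses, checkpoint_ts):
    """Return the next checkpoint timestamp: the latest last_modified_date seen in this
    batch, never earlier than the current one, so an empty or partial poll cannot
    move the window backwards and the next 'modified on or after' query stays correct."""
    seen = [r.get("last_modified_date", 0)
            for resp in detail_responses for r in resp.get("resources", [])]
    return max([checkpoint_ts] + seen)
```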
