Crowdstrike Falcon Reports
Introduction
TruSTAR is a threat intelligence platform designed to accelerate incident analysis process and exchange of intelligence among various internal and external teams. This document provides a description how paying customers of Crowdstrike can correlate reports in their TruSTAR enclaves with their Crowdstrike falcon intelligence reports in the TruSTAR platform.
Prerequisites
This integration requires TruSTAR users to be paying customers of Crowdstrike and users of Crowdstrike's Falcon Intelligence Reports. User will also need access to their Crowdstrike API ID and API key for the reports API.
Configure Integration
After you have retrieved your Crowdstrike API ID and key follow these steps:
Note: Only TruSTAR admins can activate closed source integrations.
- Log into TruSTAR Station and go the Explore->Marketplace (https://station.trustar.co/browse/marketplace).
- Click on Closed Sources.
- Click on subscribe button on the Crowdstrike logo and fill in your API key.
- Click Submit.
TruSTAR will validate and enable the Crowdstrike integration within 48 hours. You will receive an email from us informing you as soon as it is enabled.
After the integration in enabled you should see it reports from Crowdstrike being submitted into an enclave you control on TruSTAR.
How it works
After a user has activated the Crowdstrike Integration, any new report submitted into the users enclave in TruSTAR will have all indicators in that report extracted and queried against the Crowdstrike falcon intel database. The associated responses will be shown as reports correlated to the users original report through the associated indicators
FAQ
What data do you currently pull from Crowdstrike?
Our integration queries newly created reports from Crowdstrike and submits it to the users enclave in TruSTAR where indicators from the report are correlated against other intelligence sources and the users data in their enclaves.
How often is the data pulled?
Our integration retrieves data from the Crowdstrike every 15mins.
Technical Details
Crowdstrike Indicator API
Credentials:
API ID
API Key
Returns Full JSON Response
Reports Query Details
- Query for reports modified on or after some timestamp(stored in checkpoint file) and get individual report details and submit it to Trustar.
- Query reports modified on or after some epoch(timestamp)
https://intelapi.crowdstrike.com/reports/queries/reports/v1?min_last_modified_date=1450191654
Sample Response:
{
"meta": {
"pagination": {
"offset": 0,
"limit": 10,
"total": 3
},
"query_time": 0.363
},
"resources": [
"7015",
"9623",
"2231"
]
}
- Query to get report details using resource id from above response.
https://intelapi.crowdstrike.com/reports/entities/reports/v1?ids=12345
Sample Response:
{
"meta": {
"paging": {
"total": 1,
"offset": 0,
"limit": 0
},
"query_time": 0.002
},
"resources": [{
"short_description": "Originally released in June 2016, the ransomware Stampado has been growing in popularity among eCrime threat actors
on underground forums. Stampado’s appeal is owing in large part to its price of $39 USD. Another popular strain of ransomware, Philadelphia, runs
almost 10 times that cost at $400 USD, according to CrowdStrike sensitive source reporting. Additionally, Stampado provides a high level o...",
"target_industries": [],
"last_modified_date": 1487684292,
"target_countries": [],
"type": {
"name": "Tipper",
"id": 357,
"slug": "tipper"
},
"url": "https://falcon.crowdstrike.com/intelligence/reports/csit-17023-stampado-2-0-released/",
"tags": [{
"id": 354,
"value": "Criminal",
"slug": "criminal"
}
],
"motivations": [{
"id": 354,
"value": "Criminal",
"slug": "criminal"
}
],
"sub_type": {
"name": "",
"id": null,
"slug": ""
},
"name": "CSIT-17023 Stampado 2.0 Released",
"id": 9951,
"created_date": 1487684292,
"slug": "csit-17023-stampado-2-0-released"
}
]
}
TruSTAR Report mapping
Report Title - 9951 CSIT-17023 Stampado 2.0 Released (i.e. {id name} field of response)
External ID - 9951 (i.e. id field of response)
Report Body - The entire json body resources list of ii) response
Time Begun - 1487684292 (i.e. created_date field of response)
Report DeepLink - <url> (e.g - https://falcon.crowdstrike.com/intelligence/reports/csit-17023-stampado-2-0-released/)
Tags - tags → slug (e.g - us)
