Crowdstrike Falcon Reports
This document provides a description of how to integrate Crowdstrike Falcon Reports with a TruSTAR enclave.
- Time to Install: 10 minutes
- Type of Feed: Automatic updates
- Update Frequency: 15 minutes
- Source Type: Closed Feed (requires Crowdstrike license)
Requirements
- Licensed user of Crowdstrike
- Access to Crowdstrike Falcon Intelligence Reports.
- Crowdstrike API ID and API key for the reports API.
Getting Started
- Sign into TruSTAR Station
- Click the Marketplace icon on the left side icon list.
- Click Closed Sources.
- Click Subscribe on the Crowdstrike Falcon Reports box.
- Enter your API key and click Save Credentials & Request Subscription.
How It Works
After the Crowdstrike integration has been enabled, any new report submitted into your TruSTAR enclave will have all indicators in that report extracted and queried against the Crowdstrike Falcon intel database. The associated responses will be shown as reports correlated to your original report through the associated indicators.
Report Mapping
Report Title - 9951 CSIT-17023 Stampado 2.0 Released (i.e. {id name} field of response)
External ID - 9951 (i.e. id field of response)
Report Body - The entire json body resources list of ii) response
Time Begun - 1487684292 (i.e. created_date field of response)
Report DeepLink - <url> (e.g - https://falcon.crowdstrike.com/intelligence/reports/csit-17023-stampado-2-0-released/)
Tags - tags → slug (e.g - us)
FAQ
What data is pulled from Crowdstrike?
TruSTAR queries newly created reports from Crowdstrike and submits it to your TruSTAR enclave, where indicators from the report are correlated against other intelligence sources and the users data in their enclaves.
Technical Details
Reports Query Details
- Query for reports modified on or after some timestamp(stored in checkpoint file) and get individual report details and submit it to Trustar.
- Query reports modified on or after some epoch(timestamp)
https://intelapi.crowdstrike.com/reports/queries/reports/v1?min_last_modified_date=1450191654
Sample Response:
{
"meta": {
"pagination": {
"offset": 0,
"limit": 10,
"total": 3
},
"query_time": 0.363
},
"resources": [
"7015",
"9623",
"2231"
]
}
- Query to get report details using resource id from above response.
https://intelapi.crowdstrike.com/reports/entities/reports/v1?ids=12345
Sample Response:
{
"meta": {
"paging": {
"total": 1,
"offset": 0,
"limit": 0
},
"query_time": 0.002
},
"resources": [{
"short_description": "Originally released in June 2016, the ransomware Stampado has been growing in popularity among eCrime threat actors
on underground forums. Stampado’s appeal is owing in large part to its price of $39 USD. Another popular strain of ransomware, Philadelphia, runs
almost 10 times that cost at $400 USD, according to CrowdStrike sensitive source reporting. Additionally, Stampado provides a high level o...",
"target_industries": [],
"last_modified_date": 1487684292,
"target_countries": [],
"type": {
"name": "Tipper",
"id": 357,
"slug": "tipper"
},
"url": "https://falcon.crowdstrike.com/intelligence/reports/csit-17023-stampado-2-0-released/",
"tags": [{
"id": 354,
"value": "Criminal",
"slug": "criminal"
}
],
"motivations": [{
"id": 354,
"value": "Criminal",
"slug": "criminal"
}
],
"sub_type": {
"name": "",
"id": null,
"slug": ""
},
"name": "CSIT-17023 Stampado 2.0 Released",
"id": 9951,
"created_date": 1487684292,
"slug": "csit-17023-stampado-2-0-released"
}
]
}
