Crowdstrike Falcon Reports

Updated 1 day ago by Elvis Hovor

This document provides a description of how to integrate Crowdstrike Falcon Reports with a TruSTAR enclave. 

  • Time to Install: 10 minutes
  • Type of Feed: Automatic updates
  • Update Frequency: 15 minutes
  • Source Type: Closed Feed (requires Crowdstrike license)

Requirements

  • Licensed user of Crowdstrike
  • Access to Crowdstrike Falcon Intelligence Reports.
  • Crowdstrike API ID and API key for the reports API.

Getting Started

  1. Sign in to TruSTAR Station.
  2. Click the Marketplace icon in the icon list on the left side.
  3. Click Closed Sources.
  4. Click Subscribe on the Crowdstrike Falcon Reports box.
  5. Enter your API key and click Save Credentials & Request Subscription.
TruSTAR will validate the integration within 48 hours and send an email when the integration has been enabled. Once the integration has been enabled, you will see reports from Crowdstrike being submitted into your TruSTAR enclave every two hours.

How It Works

After the Crowdstrike integration has been enabled, any new report submitted into your TruSTAR enclave will have all indicators in that report extracted and queried against the Crowdstrike Falcon intel database. The associated responses will be shown as reports correlated to your original report through the associated indicators.

Report Mapping 

Report Title - 9951 CSIT-17023 Stampado 2.0 Released (i.e. the id and name fields of the response, joined with a space)

External ID - 9951 (i.e. the id field of the response)

Report Body - the entire JSON body of the resources list in the report details response (the second sample response under Technical Details)

Time Begun - 1487684292 (i.e. the created_date field of the response, a Unix epoch timestamp in seconds)

Report DeepLink - the url field of the response (e.g. https://falcon.crowdstrike.com/intelligence/reports/csit-17023-stampado-2-0-released/)

Tags - the slug of each entry in the tags list (e.g. us)

FAQ

What data is pulled from Crowdstrike? 

TruSTAR queries newly created reports from Crowdstrike and submits them to your TruSTAR enclave, where the indicators in each report are correlated against other intelligence sources and against the data users hold in their own enclaves.

Please reach out to support@trustar.co if you have issues with this integration.

Technical Details 

Reports Query Details 

Sample Response (list of report IDs):

{
  "meta": {
    "pagination": {
      "offset": 0,
      "limit": 10,
      "total": 3
    },
    "query_time": 0.363
  },
  "resources": [
    "7015",
    "9623",
    "2231"
  ]
}

Sample Response (report details):

{
  "meta": {
    "paging": {
      "total": 1,
      "offset": 0,
      "limit": 0
    },
    "query_time": 0.002
  },
  "resources": [{
    "short_description": "Originally released in June 2016, the ransomware Stampado has been growing in popularity among eCrime threat actors on underground forums. Stampado’s appeal is owing in large part to its price of $39 USD. Another popular strain of ransomware, Philadelphia, runs almost 10 times that cost at $400 USD, according to CrowdStrike sensitive source reporting. Additionally, Stampado provides a high level o...",
    "target_industries": [],
    "last_modified_date": 1487684292,
    "target_countries": [],
    "type": {
      "name": "Tipper",
      "id": 357,
      "slug": "tipper"
    },
    "url": "https://falcon.crowdstrike.com/intelligence/reports/csit-17023-stampado-2-0-released/",
    "tags": [{
      "id": 354,
      "value": "Criminal",
      "slug": "criminal"
    }],
    "motivations": [{
      "id": 354,
      "value": "Criminal",
      "slug": "criminal"
    }],
    "sub_type": {
      "name": "",
      "id": null,
      "slug": ""
    },
    "name": "CSIT-17023 Stampado 2.0 Released",
    "id": 9951,
    "created_date": 1487684292,
    "slug": "csit-17023-stampado-2-0-released"
  }]
}
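The following script is an added example, not TruSTAR's or CrowdStrike's own integration code. It walks the two sample responses above the way the Report Mapping section describes: it pages through the ID-list response using meta.pagination, then maps each element of the details response's resources list onto the TruSTAR report fields (title, external ID, body, time begun, deep link, tags). The responses are embedded as constructed copies of the samples on this page. Assumptions: the Falcon query endpoint is not named here, so the page fetcher is passed in as a callable; the output field names are illustrative rather than TruSTAR's API names; and the https/host check on the deep link (only accepting falcon.crowdstrike.com, the host shown in the sample) is a defensive addition of this example so that a malformed or off-host URL is never stored in the enclave.

```python
"""Map CrowdStrike Falcon report responses onto TruSTAR report fields.
Added example; not TruSTAR or CrowdStrike code. Sample data below is a
constructed copy of the responses shown on this page."""
import json
from urllib.parse import urlparse

# Constructed from the first sample response (list of report IDs).
ID_LIST_PAGE = {
    "meta": {"pagination": {"offset": 0, "limit": 10, "total": 3}, "query_time": 0.363},
    "resources": ["7015", "9623", "2231"],
}

# Constructed from the second sample response (report details), description shortened.
DETAILS_RESPONSE = {
    "meta": {"paging": {"total": 1, "offset": 0, "limit": 0}, "query_time": 0.002},
    "resources": [{
        "short_description": "Originally released in June 2016, the ransomware Stampado ...",
        "target_industries": [],
        "last_modified_date": 1487684292,
        "target_countries": [],
        "type": {"name": "Tipper", "id": 357, "slug": "tipper"},
        "url": "https://falcon.crowdstrike.com/intelligence/reports/csit-17023-stampado-2-0-released/",
        "tags": [{"id": 354, "value": "Criminal", "slug": "criminal"}],
        "motivations": [{"id": 354, "value": "Criminal", "slug": "criminal"}],
        "sub_type": {"name": "", "id": None, "slug": ""},
        "name": "CSIT-17023 Stampado 2.0 Released",
        "id": 9951,
        "created_date": 1487684292,
        "slug": "csit-17023-stampado-2-0-released",
    }],
}

# Host taken from the sample deep link; treated here as the only acceptable host (assumption).
ALLOWED_DEEP_LINK_HOST = "falcon.crowdstrike.com"


def collect_report_ids(fetch_page, limit=10):
    """Page through the ID-list query until meta.pagination.total IDs have been seen.
    fetch_page(offset, limit) must return a dict shaped like ID_LIST_PAGE (assumed
    interface; the real endpoint is not named on this page)."""
    ids, offset = [], 0
    while True:
        page = fetch_page(offset, limit)
        batch = page.get("resources", [])
        ids.extend(batch)
        total = page["meta"]["pagination"]["total"]
        offset += len(batch)
        if not batch or offset >= total:   # empty batch guards against a stuck fetcher
            return ids


def safe_deep_link(url):
    """Return the deep link only if it is an https URL on the expected Falcon host;
    anything else becomes an empty string so it is never stored as a clickable link."""
    parts = urlparse(url or "")
    if parts.scheme == "https" and parts.hostname == ALLOWED_DEEP_LINK_HOST:
        return url
    return ""


def map_falcon_report(resource):
    """Apply the Report Mapping section to one element of the details 'resources' list."""
    report_id = resource["id"]
    return {
        "title": f"{report_id} {resource['name']}",          # Report Title: id + name
        "external_id": str(report_id),                        # External ID: id
        "body": json.dumps(resource, sort_keys=True),         # Report Body: the resource JSON
        "time_begun": resource["created_date"],               # Time Begun: created_date (epoch seconds)
        "deep_link": safe_deep_link(resource.get("url")),     # Report DeepLink: url (host-checked)
        "tags": [t["slug"] for t in resource.get("tags", []) if t.get("slug")],  # Tags: tags -> slug
    }


def map_details_response(response):
    """Map every report in a details response."""
    return [map_falcon_report(r) for r in response.get("resources", [])]


if __name__ == "__main__":
    print("report ids:", collect_report_ids(lambda offset, limit: ID_LIST_PAGE))
    for report in map_details_response(DETAILS_RESPONSE):
        print(json.dumps(report, indent=2))
```

Running the script prints the three report IDs from the first sample and the mapped record for report 9951 from the second; in a real deployment the fetcher would call the Falcon reports API with the API ID and key listed under Requirements, and each mapped record would be submitted to the enclave.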
