Crowdstrike Falcon Intelligence

by Elvis Hovor

Introduction

TruSTAR is a threat intelligence platform designed to accelerate the incident analysis process and the exchange of intelligence among internal and external teams. This document describes how paying Crowdstrike customers can correlate reports in their TruSTAR enclaves with their Crowdstrike Falcon Intelligence feeds inside the TruSTAR platform.

Prerequisites

This integration requires TruSTAR users to be paying customers of Crowdstrike and subscribers to Crowdstrike's Falcon Intelligence feeds. Users will also need access to their Crowdstrike API ID and API key.

Configure Integration

After you have retrieved your Crowdstrike API ID and API key, follow these steps:

Note: Only TruSTAR admins can activate closed source integrations.
  1. Log into TruSTAR Station and go to Explore->Marketplace (https://station.trustar.co/browse/marketplace).
  2. Click on Closed Sources.
  3. Click the Subscribe button on the Crowdstrike logo and fill in your API ID and API key.
  4. Click Submit.

TruSTAR will validate and enable the Crowdstrike integration within 48 hours. You will receive an email from us informing you as soon as it is enabled.


After the integration is enabled, you should see reports from Crowdstrike being submitted into an enclave you control on TruSTAR.

How it works

After a user has activated the Crowdstrike integration, every indicator in any new report submitted into the user's TruSTAR enclave is extracted and queried against the Crowdstrike Falcon Intelligence database. The responses are shown as reports correlated to the user's original report through the indicators they share.

FAQ

What data do you currently pull from Crowdstrike?

Our integration currently queries the indicators from newly submitted reports in a user's enclave against Crowdstrike's indicators API.

TruSTAR currently queries Crowdstrike with over 13 TruSTAR indicator types, including:

  • IP
  • URL
  • MD5
  • SHA1
  • SHA256
  • CVE
  • BITCOIN ADDRESSES
  • SOFTWARE
  • EMAIL ADDRESS
  • MALWARE

How often is the data pulled?

Our integration retrieves data from Crowdstrike every 15 minutes.


Technical Details on Queries

Crowdstrike Indicator API

Credentials:

API ID

API Key

Headers:

X-CSIX-CUSTID: API ID
X-CSIX-CUSTKEY: API Key

Indicator types we query:

ALL (13 indicator types - IPs, hashes, URLs, Bitcoin addresses, etc.)

Query URL for all indicator types (one request per indicator value, with the value substituted for {VALUE}):

https://intelapi.crowdstrike.com/indicator/v1/search/indicator?equal={VALUE}

Returns: the full JSON response from Crowdstrike.
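The following is an added example, not TruSTAR's or Crowdstrike's own code, that walks through the flow described under "How it works" and in the query details above: indicators are extracted from a submitted report, one request per indicator value is built with the two X-CSIX headers and the ?equal= query, and a response is correlated back to the report. The regex patterns, the helper names, the sample report, and the layout of the JSON response (a list of objects carrying an "indicator" field and a "reports" list) are assumptions made for this example; the report identifiers in the sample response are placeholders.

```python
"""Added example (not TruSTAR's or Crowdstrike's code): extract indicators
from a report, build one Falcon Intelligence indicator query per value, and
correlate a constructed JSON response back to the originating report."""
import json
import re
from urllib.parse import quote

# Query URL from the page; {VALUE} becomes the ?equal= parameter.
CROWDSTRIKE_QUERY_URL = "https://intelapi.crowdstrike.com/indicator/v1/search/indicator"

# A subset of the TruSTAR indicator types listed in the FAQ. The patterns are
# assumptions for this example, not TruSTAR's extraction rules. Word boundaries
# keep an MD5 pattern from matching the inside of a SHA256 value.
INDICATOR_PATTERNS = {
    "SHA256": re.compile(r"\b[0-9a-f]{64}\b", re.I),
    "SHA1": re.compile(r"\b[0-9a-f]{40}\b", re.I),
    "MD5": re.compile(r"\b[0-9a-f]{32}\b", re.I),
    "CVE": re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.I),
    "IP": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "URL": re.compile(r"\bhttps?://[^\s\"'<>]+", re.I),
}

# Constructed sample report (documentation-range IP, fake CVE, fake domain).
SAMPLE_REPORT = """Constructed sample report: host 203.0.113.10 beaconed to
http://malware.example/drop?id=7&x=1 and dropped
d41d8cd98f00b204e9800998ecf8427e (MD5); exploit matched CVE-2099-12345."""

# Constructed sample response; the field names are an assumption and the
# report identifiers are placeholders, not real Crowdstrike report IDs.
SAMPLE_RESPONSE = json.dumps([
    {"indicator": "203.0.113.10", "type": "ip_address",
     "reports": ["REPORT-PLACEHOLDER-1"], "malicious_confidence": "high"},
    {"indicator": "198.51.100.7", "type": "ip_address",
     "reports": ["REPORT-PLACEHOLDER-2"]},
])


def extract_indicators(report_text):
    """Return (type, value) tuples for every indicator found in the report."""
    found = []
    for ind_type, pattern in INDICATOR_PATTERNS.items():
        for value in pattern.findall(report_text):
            found.append((ind_type, value))
    return found


def build_indicator_query(api_id, api_key, value):
    """Build the request the page describes: X-CSIX-CUSTID / X-CSIX-CUSTKEY
    headers plus ?equal=<value>. The value is percent-encoded so that a URL
    indicator containing '?', '&' or '#' cannot rewrite the query string."""
    headers = {"X-CSIX-CUSTID": api_id, "X-CSIX-CUSTKEY": api_key}
    url = f"{CROWDSTRIKE_QUERY_URL}?equal={quote(value, safe='')}"
    return url, headers


def redact_headers(headers):
    """Log-safe copy of the headers: the API key is a credential, so it is
    masked before anything is written to a log or ticket."""
    return {k: ("***" if k == "X-CSIX-CUSTKEY" else v) for k, v in headers.items()}


def correlate(report_indicators, response_json):
    """Map each Crowdstrike indicator in the response back to the report's
    indicators; returns {indicator value: [Crowdstrike report ids]}."""
    by_value = {value.lower(): ind_type for ind_type, value in report_indicators}
    correlated = {}
    for item in json.loads(response_json):
        value = item.get("indicator", "")
        if value.lower() in by_value:  # only indicators the report contained
            correlated.setdefault(value, []).extend(item.get("reports", []))
    return correlated


if __name__ == "__main__":
    indicators = extract_indicators(SAMPLE_REPORT)
    for ind_type, value in indicators:
        url, headers = build_indicator_query("API-ID-PLACEHOLDER", "API-KEY-PLACEHOLDER", value)
        print(ind_type, url, redact_headers(headers))
    print(correlate(indicators, SAMPLE_RESPONSE))
```

Two points the example makes explicit: the indicator value is percent-encoded before it is placed in ?equal=, because URL indicators routinely contain the characters that delimit a query string, and the API key is masked whenever the request is logged, since the two X-CSIX headers are the only credential the Crowdstrike side checks.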



Please reach out to support@trustar.co for any additional questions.


