Crowdstrike Falcon Intelligence
This document explains how to set up and use Crowdstrike Falcon Intelligence with TruSTAR Station. This integration uses Crowdstrike API version 2.0.
- Time to Install: 10 minutes
- Type of Feed: Automatic updates
- Update Frequency: Two hours
- Source Type: Closed Feed (requires Crowdstrike license)
Requirements
- Licensed user of Crowdstrike
- Access to Crowdstrike Falcon Intelligence.
- Crowdstrike API ID and API key for the reports API.
This integration requires TruSTAR users to be paying customers of Crowdstrike and users of Crowdstrike's Falcon Intelligence Feeds. User will also need access to their Crowdstrike API ID and API key.
Getting Started
- Log into TruSTAR Station.
- Click the Marketplace icon on the left side icon list.
- Choose Closed Sources.
- Click Subscribe on the Crowdstrike Falcon Reports box.
- Enter your API key and click Save Credentials & Request Subscription.
TruSTAR will validate the integration within 48 hours and send an email when the integration has been enabled.
How It Works
After a user has activated the Crowdstrike Integration, every 15 mins the integration will query the Crowdstrike Falcon Intelligence endpoint and ingest all new indicators from Falcon into the users enclave in TruSTAR.
FAQ
Q. What data is pulled from Crowdstrike?
A. This intel feed queries Crowdstrike for these indicator types :
- IP
- URL
- MD5
- SHA1
- SHA256
- CVE
- BITCOIN ADDRESSES
- SOFTWARE
- EMAIL ADDRESS
- MALWARE
Known Issues
None reported.
Technical Details
Crowdstrike Indicator API
Headers:
X-CSIX-CUSTID: API IDX-CSIX-CUSTKEY: API Key
Indicator types we query:
ALL (13 Indicator types - IP's, Hashes, URL, Bitcoin addresses etc)
Query URL for all indicator types
https://intelapi.crowdstrike.com/indicator/v1/search/indicator?equal={VALUE}