CrowdStrike Falcon Intelligence
This document explains how to set up CrowdStrike Falcon Intelligence as an intelligence source in the TruSTAR platform.
CrowdStrike Falcon Intelligence provides security teams with analysis of, and insight into, the TTPs of adversary groups, so that security professionals can diagnose and respond to current incidents, plan more efficiently for future events, and prevent damage from advanced malware and targeted attacks.
- Source Type: Premium Intel
- Update Type: Feed-based
- Parser: Yes
- Time to Install: 10 minutes
Observables Supported
Requirements
- Licensed user of CrowdStrike.
- Access to CrowdStrike Falcon Intelligence.
- A CrowdStrike API client ID and secret (API key) for the reports API (see the FAQ below for where to create them).
Getting Started
- Log into the TruSTAR Web App.
- Click the Marketplace icon on the left side icon list.
- Choose Premium Intel.
- Click Subscribe on the CrowdStrike Falcon Intelligence box.
- Enter your API client ID and secret, then click Save Credentials & Request Subscription.
TruSTAR will validate the integration within 48 hours and send an email when the integration has been enabled.
TruSTAR Report Mapping
The information retrieved from this intelligence source is stored in the CrowdStrike Falcon Intelligence Enclave using this format.
| Field | Explanation | Example |
|---|---|---|
| Report Title | IP <IOC Value> (the IOC type, a space, then the IOC value) | IP XX.45.72.XX |
| External ID | IP<IOC Value> (the title without the space) | IPXX.45.72.XX |
| Report Body | Merged response: {"indicator_details": response of a, "device_impacted": response of c, "processes_affected": response of e} | |
| Time Begun | published_date field of response a (Unix epoch seconds) | 1523030628 |
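The mapping above, expressed as code. This is an added illustration, not TruSTAR's or CrowdStrike's own integration code: it takes the three CrowdStrike responses the table refers to as a, c and e (here constructed sample dictionaries, using a documentation-range IP rather than a real indicator), and produces the title, external ID, JSON body and Time Begun value the Enclave report would carry. The page only shows the IP case; the function assumes the same "type, space, value" pattern applies to other IOC types, and treats a missing published_date as an error rather than silently defaulting it.

```python
import json

# Constructed sample responses standing in for the CrowdStrike API replies
# the mapping table calls "response of a", "response of c" and "response of e".
# 203.0.113.45 is an RFC 5737 documentation address, not a real indicator.
SAMPLE_INDICATOR = {  # response a: indicator details
    "indicator": "203.0.113.45",
    "type": "ip_address",
    "published_date": 1523030628,
    "malicious_confidence": "high",
}
SAMPLE_DEVICES = {"resources": [{"device_id": "abc123", "hostname": "host-01"}]}  # response c
SAMPLE_PROCESSES = {"resources": [{"pid": 4242, "image_path": "C:\\Temp\\x.exe"}]}  # response e


def build_trustar_report(ioc_type, ioc_value, indicator_details, device_impacted, processes_affected):
    """Build the TruSTAR report fields per the mapping table.

    ioc_type is the prefix shown in the table ("IP"); applying it to other
    IOC types is an assumption, since the page only documents IP.
    """
    if not ioc_type or not ioc_value:
        raise ValueError("IOC type and value are required to form the title and external ID")
    if "published_date" not in indicator_details:
        raise ValueError("indicator_details lacks published_date; cannot set Time Begun")

    # Report Body: the three responses merged under fixed keys, serialised as JSON.
    body = {
        "indicator_details": indicator_details,
        "device_impacted": device_impacted,
        "processes_affected": processes_affected,
    }
    return {
        "title": f"{ioc_type} {ioc_value}",          # "IP <IOC Value>"
        "external_id": f"{ioc_type}{ioc_value}",     # "IP<IOC Value>", no space
        "body": json.dumps(body, sort_keys=True),
        "time_begun": int(indicator_details["published_date"]),  # epoch seconds
    }


def report_body(report):
    """Parse the JSON body back into a dict (convenience for consumers and tests)."""
    return json.loads(report["body"])


if __name__ == "__main__":
    report = build_trustar_report("IP", SAMPLE_INDICATOR["indicator"],
                                  SAMPLE_INDICATOR, SAMPLE_DEVICES, SAMPLE_PROCESSES)
    print(report["title"], report["external_id"], report["time_begun"])
```

Because the external ID is derived deterministically from the IOC type and value, the same indicator always yields the same ID, which is what lets repeated feed pulls map onto one report rather than many.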
FAQ
Q: How do I find my CrowdStrike Falcon Intelligence API keys?
- Navigate to API Clients and Keys in the CrowdStrike portal.
- If your keys have not already been created for the Indicators API scope, select Add new API client.
- Select a Client Name and select the following API scopes:
- Copy the Client ID and Secret (the secret is shown only when the client is created, so store it securely) and subscribe to the CrowdStrike Falcon Intelligence Marketplace source.
Known Issues
None reported.