Crowdstrike Falcon Intelligence
TruSTAR is a threat intelligence platform designed to accelerate the incident analysis process and the exchange of intelligence among internal and external teams. This document describes how paying customers of Crowdstrike can correlate reports in their TruSTAR enclaves with their Crowdstrike Falcon Intelligence feeds within the TruSTAR platform.
This integration requires TruSTAR users to be paying customers of Crowdstrike and users of Crowdstrike's Falcon Intelligence Feeds. Users will also need access to their Crowdstrike API ID and API key.
After you have retrieved your Crowdstrike API ID and key, follow these steps:
- Log into TruSTAR Station and go to Explore->Marketplace (https://station.trustar.co/browse/marketplace).
- Click on Closed Sources.
- Click the Subscribe button on the Crowdstrike logo and fill in your API key.
- Click Submit.
TruSTAR will validate and enable the Crowdstrike integration within 48 hours. You will receive an email from us informing you as soon as it is enabled.
After the integration is enabled, you should see reports from Crowdstrike being submitted into an enclave you control on TruSTAR.
How it works
After a user has activated the Crowdstrike integration, every new report submitted into the user's enclave in TruSTAR has all of its indicators extracted and queried against the Crowdstrike Falcon intel database. The matching Crowdstrike responses are shown as reports correlated to the user's original report through the shared indicators.
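The extract-then-correlate step described above, as an added illustration that is not TruSTAR's or Crowdstrike's code: the indicator patterns, the in-memory intel store and the CSIT-* report ids are constructed assumptions standing in for the real extractor and the Crowdstrike indicator API.

```python
import re
from collections import defaultdict

# Simplified patterns for a few of the indicator types the page names.
# These are illustrative assumptions, not TruSTAR's production extractor.
HEX = "[A-Fa-f0-9]"
PATTERNS = {
    "IP": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "SHA256": re.compile(rf"(?<!{HEX}){HEX}{{64}}(?!{HEX})"),
    "MD5": re.compile(rf"(?<!{HEX}){HEX}{{32}}(?!{HEX})"),
    "URL": re.compile(r"\bhttps?://[^\s\"'<>]+"),
    "EMAIL_ADDRESS": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "BITCOIN_ADDRESS": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
}

def extract_indicators(report_text):
    """Return {indicator_type: set(values)} found in a submitted report."""
    found = defaultdict(set)
    for itype, pat in PATTERNS.items():
        for m in pat.findall(report_text):
            if itype in ("SHA256", "MD5"):
                m = m.lower()              # normalise hash case before lookup
            elif itype == "URL":
                m = m.rstrip(".,;:)")      # drop trailing sentence punctuation
            found[itype].add(m)
    return dict(found)

# Constructed stand-in for the Falcon intel store: indicator -> intel report ids.
# A real integration queries Crowdstrike's indicator API at this point.
FALCON_INTEL = {
    "203.0.113.7": ["CSIT-0001"],
    "http://malware.example/evil": ["CSIT-0001", "CSIT-0002"],
    "44d88612fea8a8f36de82e1278abb02f": ["CSIT-0003"],
}

def correlate(report_text, intel=FALCON_INTEL):
    """Map each matching intel report to the indicators linking it to the
    submitted report, i.e. the correlation shown back to the user."""
    links = defaultdict(set)
    for values in extract_indicators(report_text).values():
        for v in values:
            for report_id in intel.get(v, []):
                links[report_id].add(v)
    return {rid: sorted(vals) for rid, vals in links.items()}

if __name__ == "__main__":
    sample = ("Phishing mail from attacker@example.net linked to "
              "http://malware.example/evil which dropped a file with MD5 "
              "44D88612FEA8A8F36DE82E1278ABB02F, beaconing to 203.0.113.7.")
    print(correlate(sample))
```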
What data do you currently pull from Crowdstrike?
Our integration currently queries indicators from newly submitted reports in users' enclaves against Crowdstrike's indicators API.
TruSTAR currently queries Crowdstrike with over 13 TruSTAR indicator types:
- BITCOIN ADDRESSES
- EMAIL ADDRESS
How often is the data pulled?
Our integration retrieves data from Crowdstrike every 15 minutes.
Technical Details on Queries
Crowdstrike Indicator API
IDX-CSIX-CUSTKEY: API Key
Indicator types we query:
ALL (13 indicator types: IPs, hashes, URLs, Bitcoin addresses, etc.)
Query URL for all indicator types
Please reach out to firstname.lastname@example.org for any additional questions.