Crowdstrike Falcon Intelligence

Updated 5 days ago by Elvis Hovor

This document explains how to set up and use Crowdstrike Falcon Intelligence with TruSTAR Station. This integration uses Crowdstrike API version 2.0.

  • Time to Install: 10 minutes
  • Type of Feed: Automatic updates
  • Update Frequency: Two hours
  • Source Type: Closed Feed (requires Crowdstrike license)

Requirements

  • Licensed user of Crowdstrike
  • Access to Crowdstrike Falcon Intelligence.
  • Crowdstrike API ID and API key for the reports API.

This integration requires TruSTAR users to be paying customers of Crowdstrike and users of Crowdstrike's Falcon Intelligence Feeds. Users will also need access to their Crowdstrike API ID and API key.

TruSTAR Admin rights are required to activate this closed source feed.

Getting Started

  1. Log into TruSTAR Station.
  2. Click the Marketplace icon on the left side icon list.
  3. Choose Closed Sources.
  4. Click Subscribe on the Crowdstrike Falcon Reports box.
  5. Enter your API key and click Save Credentials & Request Subscription.

TruSTAR will validate the integration within 48 hours and send an email when the integration has been enabled.

How It Works

After a user has activated the Crowdstrike Integration, every 15 mins the integration will query the Crowdstrike Falcon Intelligence endpoint and ingest all new indicators from Falcon into the user's enclave in TruSTAR.

FAQ

Q. What data is pulled from Crowdstrike?

A. This intel feed queries Crowdstrike for these indicator types:

  • IP
  • URL
  • MD5
  • SHA1
  • SHA256
  • CVE
  • BITCOIN ADDRESSES
  • SOFTWARE
  • EMAIL ADDRESS
  • MALWARE

Known Issues

None reported.

Contact support@trustar.co if you have issues with this integration.

Technical Details

Crowdstrike Indicator API

Headers:

X-CSIX-CUSTID: API ID
X-CSIX-CUSTKEY: API Key

Indicator types we query:

ALL (13 indicator types: IPs, hashes, URLs, Bitcoin addresses, etc.)

Query URL for all indicator types:

https://intelapi.crowdstrike.com/indicator/v1/search/indicator?equal={VALUE}

Returns the full JSON response.
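The following is an added example, not TruSTAR's or Crowdstrike's own code, showing how a client would call the endpoint and headers documented above and reduce the result to the indicator types the FAQ says the feed ingests. The endpoint URL and the two header names come from this page; the credential environment variable names (CS_CUST_ID, CS_CUST_KEY), the wire-format type names in INGESTED_TYPES, and the shape of the JSON response (an array of objects with "indicator", "type" and "malicious_confidence" keys) are assumptions, and SAMPLE_RESPONSE is constructed so the parser runs offline.

```python
import json
import os
import urllib.parse
import urllib.request

# Endpoint from the Technical Details section above.
INDICATOR_ENDPOINT = "https://intelapi.crowdstrike.com/indicator/v1/search/indicator"

# Indicator types the FAQ says the feed pulls. The left-hand wire names are an
# ASSUMPTION about the values of the API's "type" field; only the right-hand
# labels come from the page.
INGESTED_TYPES = {
    "ip_address": "IP",
    "url": "URL",
    "hash_md5": "MD5",
    "hash_sha1": "SHA1",
    "hash_sha256": "SHA256",
    "bitcoin_address": "BITCOIN ADDRESSES",
    "email_address": "EMAIL ADDRESS",
}


def build_request(value, cust_id, cust_key):
    """Return (url, headers) for an exact-match lookup of one indicator value.

    The two header names are the ones documented above. The lookup value is
    URL-encoded so a string containing '&', '#' or spaces cannot alter the query.
    """
    if not cust_id or not cust_key:
        raise ValueError("Crowdstrike API ID and API key are required")
    url = INDICATOR_ENDPOINT + "?" + urllib.parse.urlencode({"equal": value})
    headers = {
        "X-CSIX-CUSTID": cust_id,
        "X-CSIX-CUSTKEY": cust_key,
        "Accept": "application/json",
    }
    return url, headers


def fetch_indicators(value):
    """Perform the lookup over HTTPS with credentials read from the environment.

    Variable names CS_CUST_ID / CS_CUST_KEY are an assumption; the point is that
    the key is never hard-coded into the client.
    """
    url, headers = build_request(
        value, os.environ.get("CS_CUST_ID"), os.environ.get("CS_CUST_KEY")
    )
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def select_indicators(response):
    """Keep only indicators of a type the feed ingests and skip malformed entries.

    Assumes the response is a JSON array of objects carrying 'indicator' and
    'type' keys (an assumption about the v1 response shape, not from the page).
    """
    selected = []
    for item in response:
        if not isinstance(item, dict):
            continue
        label = INGESTED_TYPES.get(item.get("type"))
        if label is None or not item.get("indicator"):
            continue
        selected.append({
            "type": label,
            "value": item["indicator"],
            "confidence": item.get("malicious_confidence", "unknown"),
        })
    return selected


# Constructed sample response used to exercise the parser without network access.
SAMPLE_RESPONSE = [
    {"indicator": "203.0.113.10", "type": "ip_address", "malicious_confidence": "high"},
    {"indicator": "d41d8cd98f00b204e9800998ecf8427e", "type": "hash_md5",
     "malicious_confidence": "medium"},
    {"indicator": "dropper.exe", "type": "file_name"},  # not a type the feed ingests
    {"type": "url"},                                     # missing indicator value
]

if __name__ == "__main__":
    url, _ = build_request("203.0.113.10", "example-id", "example-key")
    print(url)
    for record in select_indicators(SAMPLE_RESPONSE):
        print(record)
```

Running the module prints the encoded query URL and the two records that survive filtering; set CS_CUST_ID and CS_CUST_KEY and call fetch_indicators() to perform a live lookup.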