Crowdstrike Falcon: Import Indicators from TruSTAR

Updated 1 month ago by Sachit Soni

This script exports Indicators from specified TruSTAR Enclaves and imports them into Crowdstrike Falcon to aid in more robust endpoint protection.

Activating This Script

Contact your TruSTAR account manager and provide the following information:

  • Source Enclave ID(s)
  • Crowdstrike API Key and API Secret
    • Please ensure your API client scope has read and write permissions enabled for IOCs (Indicators of compromise)
  • Frequency of script execution. The default is every 24 hours but you can request a different time interval to meet your organization's needs.

After you have provided the information, your account manager will configure the feature and then email you with confirmation that the script has been enabled.

How It Works

  1. Searches the specified TruSTAR Enclave(s) for Indicators that have been added since the script was last run. The default is 24 hours but you can request a customized interval.
  2. Converts the Indicators to match Crowdstrike's JSON format.
  3. Checks whether each Indicator already exists in Crowdstrike Falcon and removes any that are already present there. This avoids false positives.
  4. Imports the vetted Indicators to Crowdstrike Falcon.
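Steps 2 and 3 above as an added Python example, not TruSTAR's own script: the Falcon IOC field names (type, value, action, source, description), the TruSTAR-to-Falcon type mapping, and the sample indicators are all assumptions constructed for the illustration, so the real script's API calls are not shown.

```python
import ipaddress
# Assumed TruSTAR -> Falcon IOC type mapping; "IP" is resolved to ipv4/ipv6 below,
# and types Falcon cannot store (URL, EMAIL_ADDRESS, ...) are reported, not lost.
TRUSTAR_TO_FALCON_TYPE = {"DOMAIN": "domain", "MD5": "md5", "SHA256": "sha256"}

def to_falcon_indicators(trustar_indicators, action="detect", source="TruSTAR"):
    """Step 2: translate TruSTAR indicator dicts to Falcon IOC dicts; returns (converted, skipped)."""
    converted, skipped = [], []
    for ind in trustar_indicators:
        ttype, value = ind["type"].upper(), ind["value"].strip()
        if ttype == "IP":
            try:
                falcon_type = "ipv%d" % ipaddress.ip_address(value).version
            except ValueError:  # malformed address: never push junk to Falcon
                skipped.append(ind)
                continue
        else:
            falcon_type = TRUSTAR_TO_FALCON_TYPE.get(ttype)
            if falcon_type is None:
                skipped.append(ind)
                continue
            value = value.lower()  # hashes and domains compare case-insensitively
        converted.append({"type": falcon_type, "value": value, "action": action,
                          "source": source,
                          "description": "TruSTAR enclave %s" % ind.get("enclave_id", "?")})
    return converted, skipped

def drop_existing(candidates, existing):
    """Step 3: drop candidates already present in Falcon, matching on (type, value);
    duplicates within the batch itself are collapsed as well."""
    seen = {(e["type"], e["value"].lower()) for e in existing}
    fresh = []
    for c in candidates:
        key = (c["type"], c["value"].lower())
        if key not in seen:
            seen.add(key)
            fresh.append(c)
    return fresh

# Constructed sample data standing in for a TruSTAR search result and for the
# indicators already stored in Falcon; none of these are real indicators.
SAMPLE_TRUSTAR = [
    {"type": "IP", "value": "203.0.113.10", "enclave_id": "ENCLAVE-A"},
    {"type": "IP", "value": "2001:db8::1", "enclave_id": "ENCLAVE-A"},
    {"type": "MD5", "value": "D41D8CD98F00B204E9800998ECF8427E", "enclave_id": "ENCLAVE-A"},
    {"type": "URL", "value": "http://example.com/x", "enclave_id": "ENCLAVE-A"},
    {"type": "IP", "value": "not-an-ip", "enclave_id": "ENCLAVE-A"},
]
SAMPLE_EXISTING = [{"type": "md5", "value": "d41d8cd98f00b204e9800998ecf8427e"}]
```

Keeping the skipped list lets the run log which Indicators never reached Falcon, which is the gap an analyst would otherwise discover only when an expected detection fails to fire.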

For any issues or questions about this script, please contact support@notifications.trustar.co.
