CrowdStrike

The same connection details are used for all four CrowdStrike integrations, as long as the API client (Client ID and Client Secret) has the access each integration requires.

Attention

Downloading Suricata rules from CrowdStrike requires a Falcon Intelligence Premium subscription. The Client ID and Client Secret need access to the following API: https://api.crowdstrike.com/intel/entities/rules-latest-files/v1

Downloading intel indicators from CrowdStrike requires a Falcon Intelligence subscription or better. The Client ID and Client Secret need access to the following API: https://api.crowdstrike.com/intel/combined/indicators/v1

General CrowdStrike configuration settings:

crowdstrike_config:
  id: "<FALCON_CLIENT_ID>"
  secret: "<FALCON_CLIENT_SECRET>"
  member_cid: "<FALCON_MEMBER_CID>"
  cloud: "<FALCON_CLOUD>"            # us-1, us-2, eu-1, us-gov-1
  host_override:
  base_path_override:
  debug:
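Because the two Attention notes above hinge on the API client having the right subscription and API access, it pays to verify that before enabling an integration. The following Python script is an added example, not Corelight-update's own code: it takes the same id, secret, member_cid and cloud values as crowdstrike_config, obtains an OAuth2 token, and probes both endpoints, reporting a 403 as a missing entitlement rather than a generic failure. The cloud-to-hostname map, the `?type=` value sent to the rules endpoint and the simulated responses are assumptions made for the example.

```python
"""Pre-flight check that a Falcon API client can reach the two Intel endpoints named
above. Added example, not Corelight-update code; hostnames and ?type= are assumed."""
import json
import urllib.error
import urllib.parse
import urllib.request

# Assumed hostnames for the cloud names listed in crowdstrike_config (not stated on this page).
FALCON_HOSTS = {
    "us-1": "api.crowdstrike.com",
    "us-2": "api.us-2.crowdstrike.com",
    "eu-1": "api.eu-1.crowdstrike.com",
    "us-gov-1": "api.laggar.gcw.crowdstrike.com",
}

# The two paths from the Attention notes, plus the entitlement each one needs.
# 'snort-suricata-changelog' is an assumed type value, chosen because it is a small download.
REQUIRED_ENDPOINTS = {
    "suricata_rules": ("/intel/entities/rules-latest-files/v1?type=snort-suricata-changelog",
                       "Falcon Intelligence Premium (Rules: Read)"),
    "intel_indicators": ("/intel/combined/indicators/v1?limit=1",
                         "Falcon Intelligence (Indicators: Read)"),
}

def base_url(cloud):
    """Map a cloud name to its API origin; reject anything outside the four known clouds."""
    if cloud not in FALCON_HOSTS:
        raise ValueError("unknown Falcon cloud %r; expected one of %s" % (cloud, ", ".join(FALCON_HOSTS)))
    return "https://" + FALCON_HOSTS[cloud]

def urllib_transport(method, url, headers=None, body=None):
    """Live HTTP transport returning (status, text); 4xx/5xx are returned, not raised."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")

def get_token(cloud, client_id, client_secret, member_cid=None, transport=urllib_transport):
    """OAuth2 client-credentials grant; member_cid is only sent when set (Flight Control / MSSP)."""
    form = {"client_id": client_id, "client_secret": client_secret}
    if member_cid:
        form["member_cid"] = member_cid
    status, text = transport("POST", base_url(cloud) + "/oauth2/token",
                             headers={"Content-Type": "application/x-www-form-urlencoded"},
                             body=urllib.parse.urlencode(form).encode())
    if status not in (200, 201):
        raise PermissionError("token request refused with HTTP %d: %s" % (status, text[:200]))
    return json.loads(text)["access_token"]

def check_access(cloud, client_id, client_secret, member_cid=None, transport=urllib_transport):
    """Probe every required endpoint; returns {name: (ok, detail)} so each integration
    can be enabled or left off on its own."""
    token = get_token(cloud, client_id, client_secret, member_cid, transport)
    headers = {"Authorization": "Bearer " + token}
    results = {}
    for name, (path, needs) in REQUIRED_ENDPOINTS.items():
        status, text = transport("GET", base_url(cloud) + path, headers=headers)
        if status == 200:
            results[name] = (True, "HTTP 200")
        elif status == 403:   # authenticated but not entitled: subscription or scope is missing
            results[name] = (False, "HTTP 403: API client lacks %s" % needs)
        else:
            results[name] = (False, "HTTP %d: %s" % (status, text[:120]))
    return results

def simulated_transport(method, url, headers=None, body=None):
    """Constructed offline stand-in for the Falcon API: a client entitled to indicators
    but not to Premium rule files, so the rules probe comes back 403."""
    path = urllib.parse.urlsplit(url).path
    if method == "POST" and path == "/oauth2/token":
        return 201, json.dumps({"access_token": "constructed-token", "expires_in": 1799})
    if (headers or {}).get("Authorization") != "Bearer constructed-token":
        return 401, json.dumps({"errors": [{"code": 401, "message": "access denied"}]})
    if path == "/intel/combined/indicators/v1":
        return 200, json.dumps({"resources": [{"indicator": "198.51.100.7", "type": "ip_address"}]})
    if path == "/intel/entities/rules-latest-files/v1":
        return 403, json.dumps({"errors": [{"code": 403, "message": "access denied, authorization failed"}]})
    return 404, "{}"

if __name__ == "__main__":
    import os
    live = "FALCON_CLIENT_ID" in os.environ   # real run only when credentials are in the environment
    report = check_access(os.environ.get("FALCON_CLOUD", "us-1"),
                          os.environ.get("FALCON_CLIENT_ID", "constructed-id"),
                          os.environ.get("FALCON_CLIENT_SECRET", "constructed-secret"),
                          os.environ.get("FALCON_MEMBER_CID"),
                          transport=urllib_transport if live else simulated_transport)
    for name, (ok, detail) in report.items():
        print("%-17s %s  %s" % (name, "OK  " if ok else "FAIL", detail))
    raise SystemExit(0 if all(ok for ok, _ in report.values()) else 1)
```

Run it with FALCON_CLIENT_ID, FALCON_CLIENT_SECRET, FALCON_CLOUD and optionally FALCON_MEMBER_CID exported to probe the real API; without them it replays the constructed responses, which show the shape of a client that may enable the indicator integration but not the Suricata rule download. A 403 on one endpoint with a 200 on the other is the signature of a scope or subscription gap rather than bad credentials, which would fail at the token step instead.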

See the following sections for more details on each integration:

Attention

The Spotlight integrations require an additional Zeek script to be loaded on the sensors. See Zeek package management. If you enable the integration, Corelight-update will upload the input file to the sensor regardless, but if the required script isn't loaded on the sensor, the uploaded input data is never used.