CrowdStrike Falcon Threat Intelligence
The CrowdStrike Falcon Indicators integration keeps a local database of indicators, so at each interval it only has to download indicators that are new or have been updated since the previous run.
Several options are configurable for CrowdStrike indicators. In addition to selecting which indicator types to collect, you can set how many days' worth of indicators to include in the intel file (published_days) and how many days to keep indicators in the local database (database_retention). A confidence level filter and a do_notice setting are also available for each indicator type.
The malicious confidence options are “high”, “medium”, “low” and “unverified”. CrowdStrike defines malicious_confidence as follows:
high: for an IP or domain indicator, it has been associated with malicious activity within the last 60 days.
medium: for an IP or domain indicator, it has been associated with malicious activity between 60 and 120 days ago.
low: for an IP or domain indicator, its most recent association with malicious activity is more than 120 days old.
unverified: the indicator has not been verified by a CrowdStrike Intelligence analyst or an automated system.
Once downloaded and processed, the data is merged with all other intel files (if there are any) and published. If “intel” is enabled in the “push_content” settings, the file is automatically pushed to the Fleet Manager policy and/or all sensors in the policy. See Push content settings for more details.
Attention
Downloading intel indicators from CrowdStrike requires a Falcon Intelligence subscription or better. The Client ID and Client Secret need access to the following API: https://api.crowdstrike.com/intel/combined/indicators/v1
Settings
crowdstrike_indicators:
  id: # Falcon API Client ID
  secret: # Falcon API Secret
  encrypted_secret: # Encrypted Falcon API Secret (use either secret or encrypted_secret)
  member_cid: # Falcon API Member_CID (multi-tenant only)
  cloud: us-1 # Falcon Cloud (us-1, us-2, eu-1, us-gov-1, us-gov-2)
  host_override: # Optional: Override the default host for the Falcon API
  base_path_override: # Optional: Override the default base path for the Falcon API
  debug: false # Debug logging will expose the Client ID and Secret in the logs
  enabled: false
  interval_hours: 0
  request_limit: 10000 # This setting should only be changed if directed by support
  published_days: 30 # How many days' worth of indicators to use in the Intel file
  database_retention: 90 # How many days to keep indicators in the local DB
  type_ip_address: true
  type_ip_address_do_notice: true
  type_ip_address_confidence: high
  type_ip_address_block: true
  type_ip_address_block_do_notice: true
  type_ip_address_block_confidence: high
  type_url: true # Includes http, https and TCP URLs
  type_https_url: false # This should only be enabled if TLS decryption is in use
  type_url_do_notice: true
  type_url_confidence: high
  type_email_address: true
  type_email_address_do_notice: true
  type_email_address_confidence: high
  type_domain: true
  type_domain_do_notice: true
  type_domain_confidence: high
  type_x509_subject: true
  type_x509_subject_do_notice: true
  type_x509_subject_confidence: high
  type_username: true
  type_username_do_notice: true
  type_username_confidence: high
  type_hash_md5: true # There is no confidence level filter for hash indicators; they are always considered high confidence
  type_hash_md5_do_notice: true
  type_hash_sha256: true # There is no confidence level filter for hash indicators; they are always considered high confidence
  type_hash_sha256_do_notice: true
  type_file_name: true
  type_file_name_do_notice: true
  type_file_name_confidence: high
  targets:
  threat_types:
In addition to configuring which indicator types to collect, you can filter the indicators by the type of target or by threat type.
To list a single target or threat type, wrap the value in single quotes and then in double quotes.
To list multiple targets or threat types, wrap each item in single quotes, enclose the comma-separated items in square brackets, and wrap the whole list in double quotes.
Examples:
  targets: "'Aerospace'"
  threat_types: "['Commodity','Ransomware']"
The following is a sample input file created by this integration, using tab-separated values.
#fields indicator indicator_type meta.source meta.desc meta.url meta.do_notice meta.confidence meta.threat_score meta.risk_score meta.verdict meta.verdict_source meta.firstseen meta.lastseen meta.associated meta.category meta.campaigns meta.kill_chain meta.reports
141.10.232.21 Intel::ADDR CrowdStrike CrowdStrike Threat Intelligence https://api.us-2.crowdstrike.com T high - - - - - - - - - C2 -
41.65.243.190 Intel::ADDR CrowdStrike CrowdStrike Threat Intelligence https://api.us-2.crowdstrike.com T high - - - - - - - - - C2 -
12.22.202.26 Intel::ADDR CrowdStrike CrowdStrike Threat Intelligence https://api.us-2.crowdstrike.com T high - - - - - - - - - Installation,C2,ActionOnObjectives -
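The following script is an added example, not code from the integration or from CrowdStrike. It shows how the settings described above (published_days, the per-type confidence and do_notice settings, and the quoted targets/threat_types filters) select indicators, and it emits rows in the same 18-column #fields layout as the sample file. Two things are assumptions of the example rather than statements on this page: the record keys (indicator, type, malicious_confidence, published_date, kill_chains, targets, threat_types) are the author's rendering of the combined indicators response, and a confidence setting is treated as a threshold (a setting of "medium" keeps "high" and "medium"). All records are constructed.

```python
"""Turn CrowdStrike-style indicator records into a Zeek Intel-framework feed.

Added example, not code from the integration on this page. It applies the
published_days, per-type confidence/do_notice, targets and threat_types
settings to constructed records and emits rows in the #fields layout shown
above. Assumed: the record keys (indicator, type, malicious_confidence,
published_date, kill_chains, targets, threat_types) mirror the combined
indicators response, and a confidence setting is a threshold ("medium"
keeps high and medium). Neither assumption is stated on the page.
"""
import ast
import datetime as dt

CONFIDENCE_RANK = {"high": 3, "medium": 2, "low": 1, "unverified": 0}
# CrowdStrike type -> (Zeek Intel type, setting that enables it); author's mapping.
TYPE_MAP = {
    "ip_address": ("Intel::ADDR", "type_ip_address"),
    "domain": ("Intel::DOMAIN", "type_domain"),
    "url": ("Intel::URL", "type_url"),
    "hash_sha256": ("Intel::FILE_HASH", "type_hash_sha256"),
}
FIELDS = ("indicator indicator_type meta.source meta.desc meta.url meta.do_notice "
          "meta.confidence meta.threat_score meta.risk_score meta.verdict "
          "meta.verdict_source meta.firstseen meta.lastseen meta.associated "
          "meta.category meta.campaigns meta.kill_chain meta.reports").split()

def parse_filter(value):
    """Parse a quoted targets/threat_types value ("'A'" or "['A','B']") into a list."""
    if not value:
        return []
    parsed = ast.literal_eval(value)
    return [parsed] if isinstance(parsed, str) else list(parsed)

def keep(rec, settings, now):
    """True if the record passes the type, confidence, age, targets and threat_types checks."""
    zeek_type, key = TYPE_MAP.get(rec["type"], (None, None))
    if zeek_type is None or not settings.get(key, False):
        return False
    if not rec["type"].startswith("hash_"):  # hashes have no confidence filter
        needed = CONFIDENCE_RANK[settings.get(key + "_confidence", "high")]
        if CONFIDENCE_RANK.get(rec.get("malicious_confidence", "unverified"), 0) < needed:
            return False
    published = dt.datetime.fromtimestamp(rec["published_date"], dt.timezone.utc)
    if (now - published).days > settings["published_days"]:
        return False
    for name in ("targets", "threat_types"):
        wanted = set(parse_filter(settings.get(name)))
        if wanted and wanted.isdisjoint(rec.get(name, [])):
            return False
    return True

def to_row(rec, settings, cloud_url):
    """Format one record as an 18-column tab-separated intel line ('-' where unset)."""
    zeek_type, key = TYPE_MAP[rec["type"]]
    do_notice = "T" if settings.get(key + "_do_notice", False) else "F"
    conf = "high" if rec["type"].startswith("hash_") else rec.get("malicious_confidence", "unverified")
    kill_chain = ",".join(rec.get("kill_chains", [])) or "-"
    return "\t".join([rec["indicator"], zeek_type, "CrowdStrike", "CrowdStrike Threat Intelligence",
                      cloud_url, do_notice, conf] + ["-"] * 9 + [kill_chain, "-"])

def build_feed(records, settings, cloud_url, now):
    """Return the intel file text: #fields header plus one row per record that is kept."""
    rows = ["#fields\t" + "\t".join(FIELDS)]
    rows += [to_row(r, settings, cloud_url) for r in records if keep(r, settings, now)]
    return "\n".join(rows) + "\n"

# Settings mirroring the page's defaults, with the domain threshold lowered to
# medium and a threat_types filter written in the documented quoting style.
SETTINGS = {
    "published_days": 30, "targets": None, "threat_types": "['Commodity','Ransomware']",
    "type_ip_address": True, "type_ip_address_do_notice": True, "type_ip_address_confidence": "high",
    "type_domain": True, "type_domain_do_notice": True, "type_domain_confidence": "medium",
    "type_hash_sha256": True, "type_hash_sha256_do_notice": True, "type_url": False,
}
NOW = dt.datetime(2023, 1, 6, tzinfo=dt.timezone.utc)

def epoch(days_ago):
    return int((NOW - dt.timedelta(days=days_ago)).timestamp())

SAMPLE_RECORDS = [  # constructed; documentation addresses, not real indicators
    {"indicator": "203.0.113.10", "type": "ip_address", "malicious_confidence": "high",
     "published_date": epoch(3), "kill_chains": ["C2"], "threat_types": ["Commodity"]},
    {"indicator": "203.0.113.11", "type": "ip_address", "malicious_confidence": "medium",
     "published_date": epoch(3), "kill_chains": ["C2"], "threat_types": ["Commodity"]},  # below "high"
    {"indicator": "bad.example", "type": "domain", "malicious_confidence": "medium",
     "published_date": epoch(10), "kill_chains": ["Installation", "C2"], "threat_types": ["Ransomware"]},
    {"indicator": "old.example", "type": "domain", "malicious_confidence": "high",
     "published_date": epoch(45), "kill_chains": ["C2"], "threat_types": ["Ransomware"]},  # > published_days
    {"indicator": "a" * 64, "type": "hash_sha256", "malicious_confidence": "unverified",
     "published_date": epoch(1), "kill_chains": ["Installation"], "threat_types": ["Commodity"]},
    {"indicator": "198.51.100.5", "type": "ip_address", "malicious_confidence": "high",
     "published_date": epoch(1), "kill_chains": ["C2"], "threat_types": ["Criminal"]},  # filtered out
]

if __name__ == "__main__":
    print(build_feed(SAMPLE_RECORDS, SETTINGS, "https://api.us-2.crowdstrike.com", NOW), end="")
```

Run as is, it prints a header plus three rows: the high-confidence IP, the medium-confidence domain (kept only because the domain threshold was lowered), and the hash, which passes despite being "unverified" because hash indicators carry no confidence filter. The second IP, the 45-day-old domain, the disabled URL type and the record whose threat type is outside the filter are all dropped.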
Intel log
This integration will enrich the intel.log with content like the following:
{
"@path":"intel",
"@sensor":"Lab-AP200",
"@timestamp":"2023-01-06T05:13:38.841292Z",
"ts":"2023-01-06T05:13:38.841292Z",
"uid":"CNh51N3dSRfMZG1Pt4",
"id.orig_h":"195.133.40.86",
"id.orig_p":64910,
"id.resp_h":"192.168.13.20",
"id.resp_p":80,
"seen.indicator":"77.247.181.165",
"seen.indicator_type":"Intel::ADDR",
"seen.where":"Conn::IN_ORIG",
"matched": [
"Intel::ADDR"
],
"sources": [
"blocklist_de",
"cinsscore_ci_badguys",
"blocklist_net_ua",
"Mandiant",
"dshield_block"
]
}
If the ExtendIntel Zeek package is loaded, the intel.log will be enriched with additional content like the following (not all indicators will have all fields):
{
"confidence": [99],
"threat_score": [100],
"verdict": ["malicious"],
"verdict_source": ["analystVerdict"],
"desc": ["Mandiant Threat Intelligence"],
"lastseen": ["2023-01-03T16:10:54Z"],
"firstseen": ["2021-03-20T10:10:01Z"],
"url": ["https://advantage.mandiant.com/"],
"reports": ["ID:23-00000242, Type:News Analysis"],
"campaigns": [],
"associated": [
"ID:threat-actor--b7e371c2-724e-5ffa-9e3c-9b1410513c27, Name:FIN13; ID:threat-actor--8211bc17-9216-5e83-b54d-d1b04add12f3, Name:APT28; ID:threat-actor--7a39953e-0dae-569a-9d49-d52a4a8865b1, Name:APT29; ID:threat-actor--2f0ab36a-02a6-59f7-ac23-bcd824cc7c8e, Name:FIN4"
],
"category": [
"exploit",
"exploit/vuln-scanning, exploit"
]
}
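The script below is an added example, not code from Corelight, Zeek or the ExtendIntel package, showing how a practitioner might triage intel.log records like those above. The log lines are constructed. The ranking rule is the author's: an outbound connection from an internal host to an indicator (seen.where of Conn::IN_RESP) outranks an inbound hit from an indicator (Conn::IN_ORIG), more matching sources and a malicious verdict raise the score, and the ExtendIntel list fields are treated as optional and mixed-type, since not every indicator carries all of them and confidence may arrive as a name ("high") from one source and a number (99) from another.

```python
"""Triage Zeek intel.log hits such as the records shown above.

Added example, not code from Corelight, Zeek or the ExtendIntel package. The
log lines are constructed. The ranking rule is the author's: an outbound
connection to an indicator (Conn::IN_RESP) outranks an inbound hit
(Conn::IN_ORIG), more sources and a malicious verdict raise the score, and
the ExtendIntel list fields are treated as optional and mixed-type because,
as the page notes, not every indicator carries all of them.
"""
import json

RANK = {"high": 3, "medium": 2, "low": 1, "unverified": 0}

def max_confidence(values):
    """Reduce a list of confidence values (names or 0-100 numbers) to 0..3; missing -> 0."""
    best = 0
    for v in values or []:
        if isinstance(v, str):
            best = max(best, RANK.get(v.lower(), 0))
        else:
            best = max(best, 3 if v >= 80 else 2 if v >= 50 else 1)
    return best

def score_hit(rec):
    """Score one intel.log record; higher means look at it first."""
    score = 10 * len(rec.get("sources", []))
    score += 20 * max_confidence(rec.get("confidence"))
    if "malicious" in rec.get("verdict", []):
        score += 30
    score += max(rec.get("threat_score") or [0]) // 5
    if rec.get("seen.where") == "Conn::IN_RESP":  # our host initiated contact with the indicator
        score += 40
    return score

def triage(log_text):
    """Parse JSON-lines intel.log text and return hits sorted by descending score."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        hits.append({"uid": rec["uid"], "indicator": rec["seen.indicator"],
                     "where": rec["seen.where"], "sources": rec.get("sources", []),
                     "score": score_hit(rec)})
    return sorted(hits, key=lambda h: h["score"], reverse=True)

SAMPLE_INTEL_LOG = "\n".join(json.dumps(r) for r in [  # constructed records, not real sensor output
    {"ts": "2023-01-06T05:13:38.841292Z", "uid": "CAAA1", "id.orig_h": "198.51.100.7", "id.orig_p": 64910,
     "id.resp_h": "192.0.2.20", "id.resp_p": 80, "seen.indicator": "198.51.100.7",
     "seen.indicator_type": "Intel::ADDR", "seen.where": "Conn::IN_ORIG", "matched": ["Intel::ADDR"],
     "sources": ["CrowdStrike", "dshield_block"], "confidence": ["high"], "verdict": ["malicious"],
     "threat_score": [100]},
    {"ts": "2023-01-06T05:14:02.118000Z", "uid": "CBBB2", "id.orig_h": "192.0.2.33", "id.orig_p": 51822,
     "id.resp_h": "203.0.113.10", "id.resp_p": 443, "seen.indicator": "203.0.113.10",
     "seen.indicator_type": "Intel::ADDR", "seen.where": "Conn::IN_RESP", "matched": ["Intel::ADDR"],
     "sources": ["CrowdStrike"]},  # no ExtendIntel fields at all
    {"ts": "2023-01-06T05:15:40.503000Z", "uid": "CCCC3", "id.orig_h": "192.0.2.41", "id.orig_p": 53411,
     "id.resp_h": "192.0.2.53", "id.resp_p": 53, "seen.indicator": "bad.example",
     "seen.indicator_type": "Intel::DOMAIN", "seen.where": "DNS::IN_REQUEST", "matched": ["Intel::DOMAIN"],
     "sources": ["Mandiant"], "confidence": [40], "verdict": ["suspicious"], "threat_score": [40]},
])

if __name__ == "__main__":
    for h in triage(SAMPLE_INTEL_LOG):
        print(h["score"], h["uid"], h["indicator"], h["where"], ",".join(h["sources"]))
```

With the constructed input the two-source, analyst-verdict inbound hit scores highest, the outbound connection to a CrowdStrike indicator with no ExtendIntel enrichment comes second on direction alone, and the low-confidence DNS lookup comes last. The weights are deliberately simple; the point is that the enrichment fields must be read defensively (absent keys, lists rather than scalars, names or numbers) before any of them can drive an alerting decision.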