CrowdStrike Falcon intelligence

The same connection details are used for all CrowdStrike Falcon integrations (formerly Falcon X), as long as the credentials have the required access.

Attention

Downloading Suricata rules from CrowdStrike requires a Falcon Intelligence Premium subscription. The Client ID and Client Secret need access to the following API: https://api.crowdstrike.com/intel/entities/rules-latest-files/v1

Downloading intel indicators from CrowdStrike requires a Falcon Intelligence subscription or better. The Client ID and Client Secret need access to the following API: https://api.crowdstrike.com/intel/combined/indicators/v1

General CrowdStrike configuration settings:

crowdstrike_config:
  id:
  secret:
  member_cid:
  cloud:                     "us-1"
  host_override:             "api.crowdstrike.com"
  base_path_override:        "/"
  debug:                     false

CrowdStrike Suricata ruleset

The CrowdStrike Falcon Suricata ruleset file will only be downloaded if it has changed since the last interval.

If ‘interval_hours’ is set to 0, the integration will attempt to download additional content each time the Corelight-update service runs. See Global configuration and policy settings.

CrowdStrike Suricata ruleset configuration settings:

crowdstrike_suricata:
  enabled:                   false
  interval_hours:            1

CrowdStrike Falcon indicators

The CrowdStrike Falcon Indicators integration will download all requested indicators at each interval.

There are several configurable options for CrowdStrike indicators. Select the malicious confidence level, how many days worth of history, and which indicators to collect.

Note

Due to the high number of hash indicators available, the length of history for hashes is configured separately from that of the other indicator types.

Intel Malicious confidence options are: “high”, “medium”, “low”, or “unverified”. The following definitions apply to malicious_confidence:

  • high: If the indicator is an IP or domain, it has been associated with malicious activity within the last 60 days.

  • medium: If the indicator is an IP or domain, it has been associated with malicious activity within the last 60-120 days.

  • low: If the indicator is an IP or domain, it has been associated with malicious activity more than 120 days ago.

  • unverified: This indicator has not been verified by a CrowdStrike Intelligence analyst or an automated system.

# CrowdStrike Integrations
crowdstrike_indicators:
  enabled:                         false
  interval_hours:                  1
  request_limit:                   50000
  enable_do_notice:                true
  malicious_confidence:            high
  last_updated_days:               60
  hash_last_updated_days:          3
  indicator_type_ip_address:       true
  indicator_type_ip_address_block: true
  indicator_type_url:              true
  indicator_type_https_url:        false
  indicator_type_email_address:    true
  indicator_type_domain:           true
  indicator_type_x509_subject:     true
  indicator_type_username:         true
  indicator_type_hash_md5:         true
  indicator_type_hash_sha256:      false
  indicator_type_file_name:        true
  targets:
  threat_types:

Error

The default request limit is set to 50,000, which works for most customers. However, for some customer subscriptions the request limit cannot be more than 10,000 or an error is returned.

In addition to configuring which indicators to collect, you can also filter the indicators based on the type of target or the threat type.

  • To list a single Target or Threat Type, wrap the value in double quotes, with single quotes around the item inside them.

  • To list multiple Targets or Threat Types, wrap the entire value in double quotes, enclose the list in square brackets, and put single quotes around each item.

Examples:

targets:         "'Aerospace'"
threat_types:    "['Commodity','Ransomware']"
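The following is an added example, not part of Corelight's or CrowdStrike's code, showing how the two quoting shapes above can be parsed and how the malicious_confidence and request_limit caveats from this page can be checked before the integration runs. It assumes the crowdstrike_indicators block has already been loaded from YAML into a plain dict (the sample dict below is constructed for illustration).

```python
import ast
import re

# Constructed sample mirroring the crowdstrike_indicators block on this page,
# as it would look once loaded from YAML into a dict (assumed, no YAML lib used).
SAMPLE_CONFIG = {
    "enabled": True,
    "request_limit": 50000,
    "malicious_confidence": "high",
    "last_updated_days": 60,
    "hash_last_updated_days": 3,
    "targets": "'Aerospace'",
    "threat_types": "['Commodity','Ransomware']",
}

VALID_CONFIDENCE = ("high", "medium", "low", "unverified")
CONSERVATIVE_REQUEST_LIMIT = 10000  # ceiling some subscriptions enforce (per the page)


def parse_filter_list(value):
    """Turn a targets/threat_types setting into a list of names.

    Accepts the two shapes the docs describe: "'Aerospace'" (one single-quoted
    item) and "['Commodity','Ransomware']" (bracketed list of single-quoted
    items). None or an empty string means no filter at all.
    """
    if value is None or not str(value).strip():
        return []
    text = str(value).strip()
    if text.startswith("["):
        parsed = ast.literal_eval(text)  # only evaluates literals, never code
        if not isinstance(parsed, list):
            raise ValueError(f"expected a list literal, got: {text}")
        return [str(item) for item in parsed]
    match = re.fullmatch(r"'([^']*)'", text)
    if not match:
        raise ValueError(f"expected a single-quoted value, got: {text}")
    return [match.group(1)]


def validate_indicator_config(cfg):
    """Return a list of problems found; an empty list means the config passed."""
    problems = []
    if cfg.get("malicious_confidence") not in VALID_CONFIDENCE:
        problems.append(f"malicious_confidence must be one of {VALID_CONFIDENCE}")
    if cfg.get("request_limit", 0) > CONSERVATIVE_REQUEST_LIMIT:
        problems.append("request_limit above 10,000: some subscriptions return an error")
    for key in ("targets", "threat_types"):
        try:
            parse_filter_list(cfg.get(key))
        except (ValueError, SyntaxError) as exc:
            problems.append(f"{key}: {exc}")
    return problems
```

Running validate_indicator_config on the sample above reports only the request_limit note, which is expected for accounts that accept 50,000; lower the value if your subscription is one that rejects it.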