CrowdStrike Falcon intelligence
The same connection details are used for all CrowdStrike Falcon integrations (formerly Falcon X), as long as the credentials have the required access.
Attention
Downloading Suricata rules from CrowdStrike requires a Falcon Intelligence Premium subscription. The Client ID and Client Secret need access to the following API: https://api.crowdstrike.com/intel/entities/rules-latest-files/v1
Downloading intel indicators from CrowdStrike requires a Falcon Intelligence subscription or better. The Client ID and Client Secret need access to the following API: https://api.crowdstrike.com/intel/combined/indicators/v1
General CrowdStrike configuration settings:
crowdstrike_config:
  id:
  secret:
  member_cid:
  cloud: "us-1"
  host_override: "api.crowdstrike.com"
  base_path_override: "/"
  debug: false
CrowdStrike Suricata ruleset
The CrowdStrike Falcon Suricata ruleset file will only be downloaded if it has changed since the last interval.
If interval_hours is set to 0, the integration attempts to download additional content each time the Corelight-update service runs. See Global configuration and policy settings.
CrowdStrike Suricata ruleset configuration settings:
crowdstrike_suricata:
  enabled: false
  interval_hours: 1
CrowdStrike Falcon indicators
The CrowdStrike Falcon Indicators integration will download all requested indicators at each interval.
There are several configurable options for CrowdStrike indicators. Select the malicious confidence level, how many days worth of history, and which indicators to collect.
Note
Due to the high number of hash indicators available, the length of history for hashes is configured separately from the other indicator types.
Intel Malicious confidence options are: “high”, “medium”, “low”, or “unverified”. The following definitions apply to malicious_confidence:
high: If indicator is an IP or domain, it has been associated with malicious activity within the last 60 days.
medium: If indicator is an IP or domain, it has been associated with malicious activity within the last 60-120 days.
low: If indicator is an IP or domain, it has been associated with malicious activity exceeding 120 days.
unverified: This indicator has not been verified by a CrowdStrike Intelligence analyst or an automated system.
# CrowdStrike Integrations
crowdstrike_indicators:
  enabled: false
  interval_hours: 1
  request_limit: 50000
  enable_do_notice: true
  malicious_confidence: high
  last_updated_days: 60
  hash_last_updated_days: 3
  indicator_type_ip_address: true
  indicator_type_ip_address_block: true
  indicator_type_url: true
  indicator_type_https_url: false
  indicator_type_email_address: true
  indicator_type_domain: true
  indicator_type_x509_subject: true
  indicator_type_username: true
  indicator_type_hash_md5: true
  indicator_type_hash_sha256: false
  indicator_type_file_name: true
  targets:
  threat_types:
Error
The default request limit is set to 50,000, which works for most customers. However, for some customer subscriptions the request limit cannot be more than 10,000 or an error is returned.
In addition to configuring which indicators to collect, you can also filter the indicators based on the type of target or the threat type.
To list a single Target or Threat Type, enter the string with both double quotes and single quotes.
To list multiple Targets or Threat Types, enter the string with both double quotes and square brackets around the entire string, and single quotes around each item.
Examples:
targets: "'Aerospace'"
threat_types: "['Commodity','Ransomware']"
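As an added example (not part of Corelight-update or CrowdStrike code), a Python check that applies the rules above to a crowdstrike_indicators block: it parses the targets/threat_types quoting, rejects unknown malicious_confidence values, enforces a request-limit ceiling, and collects the enabled indicator types. The function names and the sample configuration are assumptions.

```python
import ast

# Values the integration documents for malicious_confidence.
CONFIDENCE_LEVELS = ("high", "medium", "low", "unverified")

def parse_filter_list(value):
    # The docs write one item as "'Aerospace'" and several as
    # "['Commodity','Ransomware']". YAML strips the outer double quotes,
    # leaving a Python-style literal that ast.literal_eval reads without
    # executing anything. An empty setting means no filter.
    if value is None or str(value).strip() == "":
        return []
    parsed = ast.literal_eval(str(value).strip())
    if isinstance(parsed, str):
        return [parsed]
    if isinstance(parsed, (list, tuple)) and all(isinstance(x, str) for x in parsed):
        return list(parsed)
    raise ValueError(f"expected a quoted name or a list of names, got {value!r}")

def validate_indicator_config(cfg, max_request_limit=50000):
    # Check a crowdstrike_indicators block and return a normalized view.
    # Pass max_request_limit=10000 for subscriptions whose API rejects
    # larger requests.
    limit = int(cfg.get("request_limit", 50000))
    if not 0 < limit <= max_request_limit:
        raise ValueError(f"request_limit {limit} is outside 1..{max_request_limit}")
    confidence = cfg.get("malicious_confidence", "high")
    if confidence not in CONFIDENCE_LEVELS:
        raise ValueError(f"malicious_confidence must be one of {CONFIDENCE_LEVELS}")
    for key in ("interval_hours", "last_updated_days", "hash_last_updated_days"):
        if int(cfg.get(key, 0)) < 0:
            raise ValueError(f"{key} must not be negative")
    # Every indicator_type_* key set to true selects that indicator type.
    types = sorted(k[len("indicator_type_"):] for k, v in cfg.items()
                   if k.startswith("indicator_type_") and v is True)
    return {
        "enabled": bool(cfg.get("enabled", False)),
        "request_limit": limit,
        "malicious_confidence": confidence,
        "indicator_types": types,
        "targets": parse_filter_list(cfg.get("targets")),
        "threat_types": parse_filter_list(cfg.get("threat_types")),
    }

SAMPLE = {  # constructed: documented defaults plus both filter examples
    "enabled": True, "interval_hours": 1, "request_limit": 50000,
    "malicious_confidence": "high", "last_updated_days": 60, "hash_last_updated_days": 3,
    "indicator_type_domain": True, "indicator_type_hash_md5": True, "indicator_type_hash_sha256": False,
    "targets": "'Aerospace'", "threat_types": "['Commodity','Ransomware']",
}
```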