Falcon Suricata Ruleset
The CrowdStrike Falcon Suricata ruleset file will only be downloaded if it has changed since the last interval.
If ‘interval_hours’ is set to 0, the integration will attempt to download additional content each time the Corelight-update service runs (see General settings).
Once downloaded, the ruleset will be processed with the rulesets from all other sources.
Attention
Downloading Suricata rules from CrowdStrike requires a Falcon Intelligence Premium subscription. The Client ID and Client Secret need access to the following API: https://api.crowdstrike.com/intel/entities/rules-latest-files/v1
Settings
crowdstrike_suricata:
  id: # Falcon API Client ID
  secret: # Falcon API Secret
  encrypted_secret: # Encrypted Falcon API Secret (use either secret or encrypted_secret)
  member_cid: # Falcon API Member_CID (multi-tenant only)
  cloud: # Falcon Cloud (us-1, us-2, eu-1, us-gov-1)
  host_override:
  base_path_override:
  debug: false
  enabled: false
  interval_hours: 0
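The rules stated above (one of secret or encrypted_secret, a cloud from the listed set, and the interval_hours == 0 behaviour) can be checked before the settings file is deployed. The following is an added example and not part of Corelight-update or the CrowdStrike integration; the function names, the dict layout and the placeholder credential values are assumptions.

```python
"""Added example (not Corelight's own code): sanity-check a crowdstrike_suricata
settings block and apply the interval_hours rule documented above."""

# Cloud values listed in the settings reference.
VALID_CLOUDS = {"us-1", "us-2", "eu-1", "us-gov-1"}


def validate_settings(cfg: dict) -> list:
    """Return a list of problems found in a crowdstrike_suricata settings dict.
    An empty list means the block is consistent with the documented rules."""
    problems = []
    if not cfg.get("enabled", False):
        return problems  # a disabled block is never used, so nothing to check
    if not cfg.get("id"):
        problems.append("id (Falcon API Client ID) is required")
    # The page says to use either secret or encrypted_secret: exactly one of them.
    has_plain = bool(cfg.get("secret"))
    has_encrypted = bool(cfg.get("encrypted_secret"))
    if has_plain == has_encrypted:
        problems.append("set exactly one of secret or encrypted_secret")
    if cfg.get("cloud") not in VALID_CLOUDS:
        problems.append("cloud must be one of " + ", ".join(sorted(VALID_CLOUDS)))
    hours = cfg.get("interval_hours", 0)
    if not isinstance(hours, int) or hours < 0:
        problems.append("interval_hours must be a non-negative integer")
    return problems


def download_due(interval_hours: int, hours_since_last_run) -> bool:
    """interval_hours == 0 means 'attempt a download on every Corelight-update run';
    otherwise attempt only once the interval has elapsed. hours_since_last_run is
    None when the ruleset has never been fetched."""
    if interval_hours == 0 or hours_since_last_run is None:
        return True
    return hours_since_last_run >= interval_hours


# Constructed sample block; the credential values are placeholders, not real secrets.
SAMPLE = {
    "id": "PLACEHOLDER_CLIENT_ID",
    "secret": "PLACEHOLDER_SECRET",
    "encrypted_secret": "",
    "cloud": "us-1",
    "enabled": True,
    "interval_hours": 6,
}

if __name__ == "__main__":
    print(validate_settings(SAMPLE))  # []
    print(download_due(SAMPLE["interval_hours"], 5))  # False
```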