Skip to main content

CrowdStrike Falcon Intel v2

This Integration is part of the CrowdStrike Falcon Intel Pack.#

Threat intelligence service by CrowdStrike focused on delivering a technical feed to help organizations better defend themselves against adversary activity.

Configure CrowdStrike Falcon Intel v2 in Cortex#

ParameterDescriptionRequired
Server URLThe server URL to which you want to connectTrue
credentialsClient IDTrue
thresholdIndicator Threshold. Minimum malicious confidence from Falcon Intel to consider the indicator malicious.(low, medium, high)False
proxyUse system proxy settingsFalse
insecureTrust any certificate (not secure)False

Commands#

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

file#


Check file reputation.

Base Command#

file

Input#

Argument NameDescriptionRequired
fileA comma-separated list of file hashes (MD5/SHA1/SHA256) to check.Required

Context Output#

PathTypeDescription
File.MD5StringThe MD5 hash of the file.
File.SHA1StringThe SHA1 hash of the file.
File.SHA256StringThe SHA256 hash of the file.
File.Malicious.VendorStringThe vendor that reported the file as malicious.
File.Malicious.DescriptionStringA description explaining why the file was determined to be malicious.
DBotScore.IndicatorStringThe indicator that was tested.
DBotScore.TypeStringThe indicator type.
DBotScore.VendorStringThe vendor used to calculate the score.
DBotScore.ScoreNumberThe actual score.
FalconIntel.Indicator.IDStringThe indicator ID.
FalconIntel.Indicator.TypeStringThe indicator type.
FalconIntel.Indicator.ValueStringThe indicator value.
FalconIntel.Indicator.LastUpdateDateThe last time the indicator was updated.
FalconIntel.Indicator.PublishDateDateThe time the indicator was published.
FalconIntel.Indicator.MaliciousConfidenceStringThe confidence level by which an indicator is considered to be malicious
FalconIntel.Indicator.ReportsStringThe report ID that the indicator is associated with
FalconIntel.Indicator.ActorsStringActors that the indicator is associated
FalconIntel.Indicator.MalwareFamiliesStringA list of malware families that an indicator has been associated. An indicator may be associated with more than one malware family.
FalconIntel.Indicator.KillChainsStringThe point in the kill chain at which an indicator is associated
FalconIntel.Indicator.DomainTypesStringThe domain type of domain indicators
FalconIntel.Indicator.IPAddressTypesStringThe address type of ip_address indicators
FalconIntel.Indicator.Relations.IndicatorStringRelated Indicators
FalconIntel.Indicator.TypeStringThe indicator type
FalconIntel.Indicator.LabelsStringAdditional labels

Command Example#

!file file=sha256_value

Context Example#

{
"DBotScore": {
"Indicator": "sha256_value",
"Score": 3,
"Type": "file",
"Vendor": "FalconIntel"
},
"FalconIntel": {
"Indzicator": {
"Actors": [
"CIRCUSSPIDER"
],
"ID": "hash_sha256_id",
"Labels": [
"CSD/CSA-201011",
"ThreatType/Criminal",
"CSD/CSWR-20018",
"CSD/CSWR-20023",
"CSD/CSDR-20035",
"CSD/CSWR-20020",
"CSD/CSWR-20024",
"CSD/CSWR-20021",
"MaliciousConfidence/High",
"Malware/NetWalker"
],
"MaliciousConfidence": "high",
"MalwareFamilies": [
"NetWalker"
],
"Relations": [
"hash_md5: 0432b62130ca06c04d5a12a5e9841300",
"hash_sha1: fd2b8fff2c583a1af1b86f150be8f611a2292197"
],
"Reports": [
"CSA-201011",
"CSWR-20018",
"CSWR-20023",
"CSDR-20035",
"CSWR-20020",
"CSWR-20024",
"CSWR-20021",
"CSA-200605",
"CSA-200385",
"CSDR-20090",
"CSWR-20017",
"CSIT-20081",
"CSWR-20011"
],
"Type": "hash_sha256",
"Value": "sha256_value"
}
},
"File": {
"Actors": [
"CIRCUSSPIDER"
],
"Malicious": {
"Description": "High confidence",
"Vendor": "FalconIntel"
},
"MalwareFamilies": [
"NetWalker"
],
"Reports": [
"CSA-201011",
"CSWR-20018",
"CSWR-20023",
"CSDR-20035",
"CSWR-20020",
"CSWR-20024",
"CSWR-20021",
"CSA-200605",
"CSA-200385",
"CSDR-20090",
"CSWR-20017",
"CSIT-20081",
"CSWR-20011"
],
"SHA256": "sha256_value"
}
}

Human Readable Output#

Falcon Intel file reputation:#

ActorsIDLabelsMalicious ConfidenceMalware FamiliesRelationsReportsTypeValue
CIRCUSSPIDERhash_sha256_sha256_valueCSD/CSA-201011,
ThreatType/Criminal,
CSD/CSWR-20018,
CSD/CSWR-20023,
CSD/CSDR-20035,
CSD/CSWR-20020,
CSD/CSWR-20024,
CSD/CSWR-20021,
MaliciousConfidence/High,
Malware/NetWalker
highNetWalkerhash_md5: 0432b62130ca06c04d5a12a5e9841300,
hash_sha1: fd2b8fff2c583a1af1b86f150be8f611a2292197
CSA-201011,
CSWR-20018,
CSWR-20023,
CSDR-20035,
CSWR-20020,
CSWR-20024,
CSWR-20021,
CSA-200605,
CSA-200385,
CSDR-20090,
CSWR-20017,
CSIT-20081,
CSWR-20011
hash_sha256sha256_value

url#


Check the given URL reputation.

Notice: Submitting indicators using this command might make the indicator data publicly available. See the vendor’s documentation for more details.

Base Command#

url

Input#

Argument NameDescriptionRequired
urlA comma-separated list of URLs to check.Required

Context Output#

PathTypeDescription
URL.DataStringThe URL
URL.Malicious.VendorStringThe vendor reporting the URL as malicious.
URL.Malicious.DescriptionStringA description of the malicious URL.
DBotScore.IndicatorStringThe indicator that was tested.
DBotScore.TypeStringThe indicator type.
DBotScore.VendorStringThe vendor used to calculate the score.
DBotScore.ScoreNumberThe actual score.
FalconIntel.Indicator.IDStringThe indicator ID.
FalconIntel.Indicator.TypeStringThe indicator type.
FalconIntel.Indicator.ValueStringThe indicator value.
FalconIntel.Indicator.LastUpdateDateThe last time the indicator was updated.
FalconIntel.Indicator.PublishDateDateThe time the indicator was published.
FalconIntel.Indicator.MaliciousConfidenceStringThe confidence level by which an indicator is considered to be malicious
FalconIntel.Indicator.ReportsStringThe report ID that the indicator is associated with
FalconIntel.Indicator.ActorsStringActors that the indicator is associated
FalconIntel.Indicator.MalwareFamiliesStringA list of malware families that an indicator has been associated. An indicator may be associated with more than one malware family.
FalconIntel.Indicator.KillChainsStringThe point in the kill chain at which an indicator is associated
FalconIntel.Indicator.DomainTypesStringThe domain type of domain indicators
FalconIntel.Indicator.IPAddressTypesStringThe address type of ip_address indicators
FalconIntel.Indicator.Relations.IndicatorStringRelated Indicators
FalconIntel.Indicator.TypeStringThe indicator type
FalconIntel.Indicator.LabelsStringAdditional labels

Command Example#

!url url=https://withifceale.top/treusparq.php

Context Example#

{
"DBotScore": {
"Indicator": "https://withifceale.top/treusparq.php",
"Score": 3,
"Type": "url",
"Vendor": "FalconIntel"
},
"FalconIntel": {
"Indicator": {
"ID": "url_https://withifceale.top/treusparq.php",
"KillChains": [
"C2"
],
"Labels": [
"CSD/CSA-200342",
"KillChain/C2",
"Malware/Zloader",
"CSD/CSDR-20011",
"CSD/CSIT-20009",
"CSD/CSA-191551",
"MaliciousConfidence/High",
"ThreatType/Criminal",
"CSD/CSA-200038",
"ThreatType/Banking"
],
"MaliciousConfidence": "high",
"MalwareFamilies": [
"Zloader"
],
"Relations": [
"hash_sha256: sha256_value",
"hash_sha256: sha256_value",
"hash_sha256: sha256_value",
"hash_md5: md5_value",
"hash_md5: md5_value",
"hash_sha1: sha1_value",
"hash_sha1: sha1_value",
"hash_md5: md5_value",
"hash_sha1: sha1_value",
"hash_sha1: sha1_value"
],
"Reports": [
"CSA-200342",
"CSDR-20011",
"CSIT-20009",
"CSA-191551",
"CSA-200038",
"CSIT-17112",
"CSA-200149"
],
"Type": "url",
"Value": "https://withifceale.top/treusparq.php"
}
},
"URL": {
"Data": "https://withifceale.top/treusparq.php",
"KillChains": [
"C2"
],
"Malicious": {
"Description": "High confidence",
"Vendor": "FalconIntel"
},
"MalwareFamilies": [
"Zloader"
],
"Reports": [
"CSA-200342",
"CSDR-20011",
"CSIT-20009",
"CSA-191551",
"CSA-200038",
"CSIT-17112",
"CSA-200149"
]
}
}

Human Readable Output#

Falcon Intel URL reputation:#

IDKill ChainsLabelsMalicious ConfidenceMalware FamiliesRelationsReportsTypeValue
url_https://withifceale.top/treusparq.phpC2CSD/CSA-200342,
KillChain/C2,
Malware/Zloader,
CSD/CSDR-20011,
CSD/CSIT-20009,
CSD/CSA-191551,
MaliciousConfidence/High,
ThreatType/Criminal,
CSD/CSA-200038,
ThreatType/Banking
highZloaderhash_sha256: sha256_value,
hash_sha256: sha256_value,
hash_sha256: sha256_value,
hash_md5: md5_value,
hash_md5: md5_value,
hash_sha1: sha1_value,
hash_sha1: sha1_value,
hash_md5: md5_value,
hash_sha1: sha1_value,
hash_sha1: sha1_value
CSA-200342,
CSDR-20011,
CSIT-20009,
CSA-191551,
CSA-200038,
CSIT-17112,
CSA-200149
urlhttps://withifceale.top/treusparq.php

domain#


Check the given URL reputation.

Notice: Submitting indicators using this command might make the indicator data publicly available. See the vendor’s documentation for more details.

Base Command#

domain

Input#

Argument NameDescriptionRequired
domainA comma-seperated list of domains to check.Required

Context Output#

PathTypeDescription
Domain.NameStringThe domain name, for example: "google.com".
Domain.Malicious.VendorStringThe vendor reporting the domain as malicious.
Domain.Malicious.DescriptionStringA description explaining why the domain was reported as malicious.
DBotScore.IndicatorStringThe indicator that was tested.
DBotScore.TypeStringThe indicator type.
DBotScore.VendorStringThe vendor used to calculate the score.
DBotScore.ScoreNumberThe actual score.
FalconIntel.Indicator.IDStringThe indicator ID.
FalconIntel.Indicator.TypeStringThe indicator type.
FalconIntel.Indicator.ValueStringThe indicator value.
FalconIntel.Indicator.LastUpdateDateThe last time the indicator was updated.
FalconIntel.Indicator.PublishDateDateThe time the indicator was published.
FalconIntel.Indicator.MaliciousConfidenceStringThe confidence level by which an indicator is considered to be malicious
FalconIntel.Indicator.ReportsStringThe report ID that the indicator is associated with
FalconIntel.Indicator.ActorsStringActors that the indicator is associated
FalconIntel.Indicator.MalwareFamiliesStringA list of malware families that an indicator has been associated. An indicator may be associated with more than one malware family.
FalconIntel.Indicator.KillChainsStringThe point in the kill chain at which an indicator is associated
FalconIntel.Indicator.DomainTypesStringThe domain type of domain indicators
FalconIntel.Indicator.IPAddressTypesStringThe address type of ip_address indicators
FalconIntel.Indicator.Relations.IndicatorStringRelated Indicators
FalconIntel.Indicator.TypeStringThe indicator type
FalconIntel.Indicator.LabelsStringAdditional labels

Command Example#

!domain domain=xeemoquo.top

Context Example#

{
"DBotScore": {
"Indicator": "xeemoquo.top",
"Score": 3,
"Type": "domain",
"Vendor": "FalconIntel"
},
"Domain": {
"KillChains": [
"C2"
],
"Malicious": {
"Description": "High confidence",
"Vendor": "FalconIntel"
},
"Name": "xeemoquo.top",
"Reports": [
"CSA-191551",
"CSA-200038",
"CSDR-20011",
"CSA-200149"
]
},
"FalconIntel": {
"Indicator": {
"ID": "domain_xeemoquo.top",
"KillChains": [
"C2"
],
"Labels": [
"CSD/CSA-191551",
"CSD/CSA-200038",
"MaliciousConfidence/High",
"KillChain/C2",
"CSD/CSDR-20011",
"CSD/CSA-200149"
],
"MaliciousConfidence": "high",
"Relations": [
"hash_md5: md5_value",
"hash_sha1: sha1_value",
"hash_sha1: sha1_value",
"hash_md5: md5_value",
"hash_sha1: sha1_value",
"hash_md5: md5_value",
"hash_md5: md5_value",
"hash_sha256: sha256_value",
"hash_sha256: sha256_value",
"hash_sha1: sha1_value"
],
"Reports": [
"CSA-191551",
"CSA-200038",
"CSDR-20011",
"CSA-200149"
],
"Type": "domain",
"Value": "xeemoquo.top"
}
}
}

Human Readable Output#

Falcon Intel domain reputation:#

IDKill ChainsLabelsMalicious ConfidenceRelationsReportsTypeValue
domain_xeemoquo.topC2CSD/CSA-191551,
CSD/CSA-200038,
MaliciousConfidence/High,
KillChain/C2,
CSD/CSDR-20011,
CSD/CSA-200149
highhash_md5: md5_value,
hash_sha1: sha1_value,
hash_sha1: sha1_value,
hash_md5: md5_value,
hash_sha1: sha1_value,
hash_md5: md5_value,
hash_md5: md5_value,
hash_sha256: sha256_value,
hash_sha256: sha256_value,
hash_sha1: sha1_value
CSA-191551,
CSA-200038,
CSDR-20011,
CSA-200149
domainxeemoquo.top

ip#


Check IP reputation.

Base Command#

ip

Input#

Argument NameDescriptionRequired
ipA comma-separated list of IP addresses to check.Required

Context Output#

PathTypeDescription
IP.AddressStringIP address
IP.Malicious.VendorStringThe vendor reporting the IP address as malicious.
IP.Malicious.DescriptionStringA description explaining why the IP address was reported as malicious.
DBotScore.IndicatorStringThe indicator that was tested.
DBotScore.TypeStringThe indicator type.
DBotScore.VendorStringThe vendor used to calculate the score.
DBotScore.ScoreNumberThe actual score.
FalconIntel.Indicator.IDStringThe indicator ID.
FalconIntel.Indicator.TypeStringThe indicator type.
FalconIntel.Indicator.ValueStringThe indicator value.
FalconIntel.Indicator.LastUpdateDateThe last time the indicator was updated.
FalconIntel.Indicator.PublishDateDateThe time the indicator was published.
FalconIntel.Indicator.MaliciousConfidenceStringThe confidence level by which an indicator is considered to be malicious
FalconIntel.Indicator.ReportsStringThe report ID that the indicator is associated with
FalconIntel.Indicator.ActorsStringActors that the indicator is associated
FalconIntel.Indicator.MalwareFamiliesStringA list of malware families that an indicator has been associated. An indicator may be associated with more than one malware family.
FalconIntel.Indicator.KillChainsStringThe point in the kill chain at which an indicator is associated
FalconIntel.Indicator.DomainTypesStringThe domain type of domain indicators
FalconIntel.Indicator.IPAddressTypesStringThe address type of ip_address indicators
FalconIntel.Indicator.Relations.IndicatorStringRelated Indicators
FalconIntel.Indicator.TypeStringThe indicator type
FalconIntel.Indicator.LabelsStringAdditional labels

Command Example#

!ip ip=8.8.8.8

Context Example#

{
"DBotScore": {
"Indicator": "8.8.8.8",
"Score": 3,
"Type": "ip",
"Vendor": "FalconIntel"
},
"FalconIntel": {
"Indicator": {
"Actors": [
"QUILTEDTIGER"
],
"ID": "ip_address_8.8.8.8",
"KillChains": [
"C2"
],
"Labels": [
"KillChain/C2",
"Malware/Badnews",
"Actor/QUILTEDTIGER",
"ThreatType/Targeted",
"MitreATTCK/CommandAndControl/StandardApplicationLayerProtocol",
"MaliciousConfidence/High",
"MitreATTCK/CommandAndControl/CommonlyUsedPort"
],
"MaliciousConfidence": "high",
"MalwareFamilies": [
"Badnews"
],
"Relations": [
"hash_sha1: sha1_value",
"hash_sha256: sha256_value",
"hash_md5: md5_value",
"hash_md5: md5_value",
"hash_sha256: sha256_value",
"hash_sha1: sha1_value",
"hash_md5: md5_value",
"hash_sha1: sha1_value",
"hash_sha256: sha256_value",
"hash_sha1: sha1_value"
],
"Type": "ip_address",
"Value": "8.8.8.8"
}
},
"IP": {
"Actors": [
"QUILTEDTIGER"
],
"Address": "8.8.8.8",
"KillChains": [
"C2"
],
"Malicious": {
"Description": "High confidence",
"Vendor": "FalconIntel"
},
"MalwareFamilies": [
"Badnews"
]
}
}

Human Readable Output#

Falcon Intel IP reputation:#

ActorsIDKill ChainsLabelsMalicious ConfidenceMalware FamiliesRelationsTypeValue
QUILTEDTIGERip_address_8.8.8.8C2KillChain/C2,
Malware/Badnews,
Actor/QUILTEDTIGER,
ThreatType/Targeted,
MitreATTCK/CommandAndControl/StandardApplicationLayerProtocol,
MaliciousConfidence/High,
MitreATTCK/CommandAndControl/CommonlyUsedPort
highBadnewshash_sha1: sha1_value,
hash_sha256: sha256_value,
hash_md5: md5_value,
hash_md5: md5_value,
hash_sha256: sha256_value,
hash_sha1: sha1_value,
hash_md5: md5_value,
hash_sha1: sha1_value,
hash_sha256: sha256_value,
hash_sha1: sha1_value
ip_address8.8.8.8

cs-actors#


Search known actors based on the given parameters.

Base Command#

cs-actors

Input#

Argument NameDescriptionRequired
querySearch based on a query written in FQL (Falcon Query Language, See https://falcon.crowdstrike.com/support/documentation/45/falcon-query-language-fql for more information).Optional
free_searchSearch across all fields in an Actor object.Optional
nameSearch based on actor name.Optional
descriptionSearch based on description.Optional
created_dateSearch range from created date. Supported formats: ISO 8601 (for example, 2020-07-28T10:00:00Z) and time period (for example, 24 hours).Optional
max_last_modified_dateSearch range to modified date. Supported formats: ISO 8601 (for example, 2020-07-28T10:00:00Z) and time period (for example, 24 hours).Optional
min_last_activity_dateSearch range from activity date. Supported formats: ISO 8601 (for example, 2020-07-28T10:00:00Z) and time period (for example, 24 hours).Optional
max_last_activity_dateSearch range to activity date. Supported formats: ISO 8601 (for example, 2020-07-28T10:00:00Z) and time period (for example, 24 hours).Optional
originsSearch by origins separated by ",".Optional
target_countriesSearch by target countries separated by ",".Optional
target_industriesSearch by target industries separated by ",".Optional
motivationsSearch by motivations separated by ",".Optional
offsetWhich page of the results to retrieve. It is 0 based.Optional
limitThe maximum number of actors to retrieve. The default is 10.Optional
sortSort by field and direction.Optional
slugSearch by 'slug' or short descriptive name. Ex: "anchor-panda"Optional
display_full_fieldsWhether to display the full fields result from CS API. Default is FalseOptional

Context Output#

PathTypeDescription
FalconIntel.Actor.ImageURLStringThe URL of the actor image
FalconIntel.Actor.NameStringThe actor name.
FalconIntel.Actor.IDStringThe actor ID.
FalconIntel.Actor.URLStringThe url of the actor
FalconIntel.Actor.SlugStringSlug name ofactor
FalconIntel.Actor.ShortDescriptionStringThe actor short description.
FalconIntel.Actor.DescriptionStringThe actor full description.
FalconIntel.Actor.FirstActivityDateDateThe actor first activity date.
FalconIntel.Actor.LastActivityDateDateThe actor last activity date.
FalconIntel.Actor.ActiveBooleanThe actor active status.
FalconIntel.Actor.KnowsAsStringNicknames the actor is known as.
FalconIntel.Actor.TargetIndustriesStringA list of targeted industries associated with this actor
FalconIntel.Actor.TargetCountriesStringA list of targeted countries associated with this actor
FalconIntel.Actor.OriginsStringThe actor's country of origin. Ex: Afghanistan
FalconIntel.Actor.MotivationsStringThe actor's motivations. Ex: Criminal
FalconIntel.Actor.CapabilityStringThe actor's capability. Ex: Average
FalconIntel.Actor.GroupStringThe actor's group. Ex: panda gang
FalconIntel.Actor.RegionStringThe actor's region. Ex: Eastern Europe
FalconIntel.Actor.KillChainsStringKill chain fields.

Command Example#

!cs-actors limit=1 target_industries="Entertainment,Healthcare"

Context Example#

{
"FalconIntel": {
"Actor": {
"Active": false,
"Capability": "Average",
"FirstActivityDate": "2019-05-01T00:00:00.000Z",
"ID": 76078,
"KnownAs": "Maze Team",
"LastActivityDate": "2020-09-01T00:00:00.000Z",
"Motivations": [
"Criminal"
],
"Name": "TWISTED SPIDER",
"Origins": [
"Eastern Europe",
"Russian Federation"
],
"ShortDescription": "TWISTED SPIDER is the criminal group behind the development and operation of Maze ransomware. While the ransomware was first observed in May 2019, the group gained notoriety in November 2019 with their brazen attitude toward victims and their willingness to speak with security researchers as they began using Big Game Hunting (BGH) tactics to target ...",
"Description": "TWISTED SPIDER is the criminal group behind the development and operation of Maze ransomware. While the ransomware was first observed in May 2019, the group gained notoriety in November 2019 with their brazen attitude toward victims and their willingness to speak with security researchers as they began using Big Game Hunting (BGH) tactics to target organizations and businesses.",
"Slug": "twisted-spider",
"TargetCountries": [
"Algeria",
"Argentina",
"Australia",
"Austria",
"Belgium",
"Brazil",
"Canada",
"China",
"Colombia",
"Costa Rica",
"Czech Republic",
"Egypt",
"France",
"Germany",
"Hong Kong",
"India",
"Italy",
"Japan",
"Luxembourg",
"Macedonia",
"Netherlands",
"Nigeria",
"North America",
"Norway",
"Oman",
"Puerto Rico",
"Saudi Arabia",
"Singapore",
"South Africa",
"South Korea",
"Spain",
"Sri Lanka",
"Switzerland",
"Thailand",
"United Arab Emirates",
"United Kingdom",
"United States",
"Vietnam"
],
"TargetIndustries": [
"Academic",
"Agriculture",
"Automotive",
"Aviation",
"Biomedical",
"Chemicals",
"Consulting & Professional Services",
"Consumer Goods",
"Energy",
"Entertainment",
"Financial Management & Hedge Funds",
"Financial Services",
"Food and Beverage",
"Government",
"Healthcare",
"Hospitality",
"Industrials and Engineering",
"Insurance",
"Legal",
"Logistics",
"Manufacturing",
"Media",
"NGOs and Nonprofits",
"Oil and Gas",
"Opportunistic",
"Pharmaceuticals",
"Real Estate",
"Retail",
"State & Municipal Government",
"Technology",
"Telecommunications",
"Transportation",
"Travel",
"Utilities"
],
"URL": "https://falcon.crowdstrike.com/intelligence/actors/twisted-spider/"
}
}
}

Human Readable Output#

Falcon Intel Actor search:#

ActiveCapabilityFirst Activity DateIDKnown AsLast Activity DateMotivationsNameOriginsShort DescriptionSlugTarget CountriesTarget IndustriesURL
falseAverage2019-05-01T00:00:00.000Z76078Maze Team2020-09-01T00:00:00.000ZCriminalTWISTED SPIDEREastern Europe,
Russian Federation
TWISTED SPIDER is the criminal group behind the development and operation of Maze ransomware. While the ransomware was first observed in May 2019, the group gained notoriety in November 2019 with their brazen attitude toward victims and their willingness to speak with security researchers as they began using Big Game Hunting (BGH) tactics to target organizations and businesses. While other actors ...twisted-spiderAlgeria,
Argentina,
Australia,
Austria,
Belgium,
Brazil,
Canada,
China,
Colombia,
Costa Rica,
Czech Republic,
Egypt,
France,
Germany,
Hong Kong,
India,
Italy,
Japan,
Luxembourg,
Macedonia,
Netherlands,
Nigeria,
North America,
Norway,
Oman,
Puerto Rico,
Saudi Arabia,
Singapore,
South Africa,
South Korea,
Spain,
Sri Lanka,
Switzerland,
Thailand,
United Arab Emirates,
United Kingdom,
United States,
Vietnam
Academic,
Agriculture,
Automotive,
Aviation,
Biomedical,
Chemicals,
Consulting & Professional Services,
Consumer Goods,
Energy,
Entertainment,
Financial Management & Hedge Funds,
Financial Services,
Food and Beverage,
Government,
Healthcare,
Hospitality,
Industrials and Engineering,
Insurance,
Legal,
Logistics,
Manufacturing,
Media,
NGOs and Nonprofits,
Oil and Gas,
Opportunistic,
Pharmaceuticals,
Real Estate,
Retail,
State & Municipal Government,
Technology,
Telecommunications,
Transportation,
Travel,
Utilities
https://falcon.crowdstrike.com/intelligence/actors/twisted-spider/

cs-indicators#


Search known indicators based on the given parameters.

Base Command#

cs-indicators

Input#

Argument NameDescriptionRequired
querySearch based on a query written in FQL (Falcon Query Language, See https://falcon.crowdstrike.com/support/documentation/45/falcon-query-language-fql for more information).Optional
typeThe indicator type.Optional
malicious_confidenceIndicates a confidence level by which an indicator is considered to be malicious.Optional
offsetUsed to paginate the response. You can then use limit to set the number of results for the next page.Optional
last_updatedThe date the indicator was last updated.Supported formats: ISO 8601 (for example, 2020-07-28T10:00:00Z) and time period (for example, 24 hours).Optional
indicatorThe value for the given indicator type.Optional
sortSort by field and direction.Optional
idThe indicator's ID, in the following format <type>_<indicator>.Optional
limitThe maximum number of indicators to retrieve. The default is 10.Optional

Context Output#

PathTypeDescription
File.MD5StringThe MD5 hash of the file.
File.SHA1StringThe SHA1 hash of the file.
File.SHA256StringThe SHA1 hash of the file.
File.Malicious.VendorStringThe vendor that reported the file as malicious.
File.Malicious.DescriptionStringA description explaining why the file was determined to be malicious.
File.ReportsStringFor malicious files, the associated reports describing the hash
File.ActorsStringFor malicious files, the associated actors
File.MalwareFamiliesStringFor malicious files, the associated malware family
File.KillChainsStringFor malicious files, the associated kill chain
URL.DataStringThe URL
URL.Malicious.VendorStringThe vendor reporting the URL as malicious.
URL.Malicious.DescriptionStringA description of the malicious URL.
URL.ReportsStringFor malicious URL, the associated reports describing the URL
URL.ActorsStringFor malicious URL, the associated actors
URL.MalwareFamiliesStringFor malicious URL, the associated malware family
URL.KillChainsStringFor malicious URL, the associated kill chain
Domain.NameStringThe domain name, for example: "google.com".
Domain.Malicious.VendorStringThe vendor reporting the domain as malicious.
Domain.Malicious.DescriptionStringA description explaining why the domain was reported as malicious.
Domain.ReportsStringFor malicious domain, the associated reports describing the domain
Domain.ActorsStringFor malicious domain, the associated actors
Domain.MalwareFamiliesStringFor malicious domain, the associated malware family
Domain.KillChainsStringFor malicious domain, the associated kill chain
IP.AddressStringIP address
IP.Malicious.VendorStringThe vendor reporting the IP address as malicious.
IP.Malicious.DescriptionStringA description explaining why the IP address was reported as malicious.
IP.ReportsStringFor malicious IP, the associated reports describing the IP
IP.ActorsStringFor malicious IP, the associated actors
IP.MalwareFamiliesStringFor malicious IP, the associated malware family
IP.KillChainsStringFor malicious IP, the associated kill chain
DBotScore.IndicatorStringThe indicator we tested
DBotScore.TypeStringThe type of the indicator
DBotScore.VendorStringVendor used to calculate the score
DBotScore.ScoreNumberThe actual score
FalconIntel.Indicator.IDStringThe indicator ID.
FalconIntel.Indicator.TypeStringThe indicator type.
FalconIntel.Indicator.ValueStringThe indicator value.
FalconIntel.Indicator.LastUpdateDateThe last time the indicator was updated.
FalconIntel.Indicator.PublishDateDateThe time the indicator was published.
FalconIntel.Indicator.MaliciousConfidenceStringThe confidence level by which an indicator is considered to be malicious
FalconIntel.Indicator.ReportsStringThe report ID that the indicator is associated with
FalconIntel.Indicator.ActorsStringActors that the indicator is associated
FalconIntel.Indicator.MalwareFamiliesStringA list of malware families that an indicator has been associated. An indicator may be associated with more than one malware family.
FalconIntel.Indicator.KillChainsStringThe point in the kill chain at which an indicator is associated
FalconIntel.Indicator.DomainTypesStringThe domain type of domain indicators
FalconIntel.Indicator.IPAddressTypesStringThe address type of ip_address indicators
FalconIntel.Indicator.Relations.IndicatorStringRelated Indicators
FalconIntel.Indicator.TypeStringThe indicator type
FalconIntel.Indicator.LabelsStringAdditional labels

Command Example#

!cs-indicators limit=1 type=ip_address malicious_confidence=high

Context Example#

{
"DBotScore": {
"Indicator": "8.8.8.8",
"Score": 3,
"Type": "ip",
"Vendor": "FalconIntel"
},
"FalconIntel": {
"Indicator": {
"ID": "ip_address_id",
"KillChains": [
"C2"
],
"Labels": [
"CSD/CSA-191023",
"CSD/CSA-191350",
"CSD/CSA-181072",
"CSD/CSWR-17018",
"CSD/CSWR-20022",
"CSD/CSWR-19024",
"MaliciousConfidence/High",
"KillChain/C2",
"CSD/CSIT-16091",
"ThreatType/Commodity"
],
"MaliciousConfidence": "high",
"MalwareFamilies": [
"njRAT"
],
"Reports": [
"CSA-191023",
"CSA-191350",
"CSA-181072",
"CSWR-17018",
"CSWR-20022",
"CSWR-19024",
"CSIT-16091",
"CSA-201008",
"CSWR-20014"
],
"Type": "ip_address",
"Value": "8.8.8.8"
}
},
"IP": {
"Address": "8.8.8.8",
"KillChains": [
"C2"
],
"Malicious": {
"Description": "High confidence",
"Vendor": "FalconIntel"
},
"MalwareFamilies": [
"njRAT"
],
"Reports": [
"CSA-191023",
"CSA-191350",
"CSA-181072",
"CSWR-17018",
"CSWR-20022",
"CSWR-19024",
"CSIT-16091",
"CSA-201008",
"CSWR-20014"
]
}
}

Human Readable Output#

Falcon Intel Indicator search:#

IDKill ChainsLabelsMalicious ConfidenceMalware FamiliesReportsTypeValue
ip_address_idC2CSD/CSA-191023,
CSD/CSA-191350,
CSD/CSA-181072,
CSD/CSWR-17018,
CSD/CSWR-20022,
CSD/CSWR-19024,
MaliciousConfidence/High,
KillChain/C2,
CSD/CSIT-16091,
ThreatType/Commodity
highnjRATCSA-191023,
CSA-191350,
CSA-181072,
CSWR-17018,
CSWR-20022,
CSWR-19024,
CSIT-16091,
CSA-201008,
CSWR-20014
ip_address8.8.8.8

cs-reports#


The Falcon Intel Reports API allows to query CrowdStrike intelligence publications.

Base Command#

cs-reports

Input#

Argument NameDescriptionRequired
querySearch based on a query written in FQL (Falcon Query Language, See https://falcon.crowdstrike.com/support/documentation/45/falcon-query-language-fql for more information).Optional
free_searchSearch across all fields in an Report object.Optional
nameSearch for keywords across report names (i.e. the report’s title).Optional
actorsSearch for a report related to a particular actors. Actors should be comma separated. - For example - actor1,actor2,...Optional
target_countriesSearch reports by targeted country/countriesOptional
target_industriesSearch reports by targeted industry/industriesOptional
motivationsSearch by motivationOptional
slugSearch by report 'slug' or short descriptive nameOptional
descriptionSearch the body of the reportOptional
typeThe type of object to search for.Optional
sub_typeThe sub-type to search for.Optional
tagsTags associated with a report (managed internally by CS).Optional
created_dateConstrain results to those created on a certain date. Supported formats: ISO 8601 (for example, 2020-07-28T10:00:00Z) and time period (for example, 24 hours).Optional
max_last_modified_dateConstrain results to those modified on or before a certain date. Supported formats: ISO 8601 (for example, 2020-07-28T10:00:00Z) and time period (for example, 24 hours).Optional
offsetUsed to paginate the response. You can then use limit to set the number of results for the next page.Optional
limitThe maximum number of reports to retrieve. The default is 10.Optional
sortSort by field and direction.Optional
display_full_fieldsWhether to display the full fields result from CS API. Default is FalseOptional

Context Output#

PathTypeDescription
FalconIntel.Report.IDStringThe report ID.
FalconIntel.Report.URLStringThe report URL.
FalconIntel.Report.NameStringThe report name.
FalconIntel.Report.TypeStringThe report type.
FalconIntel.Report.SubTypeStringThe report sub type.
FalconIntel.Report.SlugStringSlug name of the report
FalconIntel.Report.CreatedDateDateThe date the report was created.
FalconIntel.Report.LastModifiedSateDateThe date the report was last modified.
FalconIntel.Report.ShortDescriptionStringThe report short description.
FalconIntel.Report.DescriptionStringThe report full description.
FalconIntel.Report.TargetIndustriesStringTargeted industries included in the report. Ex: aerospace
FalconIntel.Report.TargetCountriesStringTargeted countries included in the report. Ex: afghanistan
FalconIntel.Report.MotivationsStringMotivations included in the report. Ex: criminal
FalconIntel.Report.TagsStringThe report's tags. Ex: intel_feed

Command Example#

!cs-reports limit=1 created_date="2016-09-30T19:15:53.000Z"

Context Example#

{
"FalconIntel": {
"Report": {
"CreatedDate": "2016-09-30T19:15:53.000Z",
"ID": 7448,
"LastModifiedSate": "2020-07-24T10:15:02.000Z",
"Name": "Snort Changelog",
"ShortDescription": "Added one additional rule to detect Hancitor ...",
"Description": "Added one additional rule to detect Hancitor malware traffic decsribed in CSIT-16107. ",
"Slug": "slug_value",
"SubType": "Snort/Suricata",
"Type": "Feeds",
"URL": "https://falcon.crowdstrike.com/intelligence/reports/snort-changelog-9-5-2016-6/"
}
}
}

Human Readable Output#

Falcon Intel Report search:#

Created DateIDLast Modified SateNameShort DescriptionSlugSub TypeTypeURL
2016-09-30T19:15:53.000Z74482020-07-24T10:15:02.000ZSnort ChangelogAdded one additional rule to detect Hancitor malware traffic decsribed in CSIT-16107.snort-changelog-9-5-2016-6Snort/SuricataFeedshttps://falcon.crowdstrike.com/intelligence/reports/snort-changelog-9-5-2016-6/