CrowdStrike Indicator Feed

This integration is part of the CrowdStrike Falcon Intel Feed Pack.

Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

CrowdStrike Falcon Intel Indicator Feed

Configure CrowdStrike Indicator Feed on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for CrowdStrike Indicator Feed.

  3. Click Add instance to create and configure a new integration instance.

| Parameter | Description | Required |
| --- | --- | --- |
| Fetch indicators | | False |
| CrowdStrike Base URL | | True |
| CrowdStrike API Client ID | For non-6.1 versions, enter your CrowdStrike API Client Secret in the password field. | True |
| Type | The indicator types to fetch. Out-of-the-box indicator types supported in XSOAR are: "Account", "Domain", "Email", "File MD5", "File SHA256", "IP", "Registry Key", and "URL". The default is "ALL". | False |
| First fetch time | The time range to consider for the initial data fetch. Leave empty to fetch from the first available indicator. | False |
| Max. indicators per fetch | Maximum number of indicators per fetch. The value should be between 1 and 10000. A large value may result in a timeout. | False |
| Malicious confidence | Malicious confidence level to filter by. | False |
| Include deleted indicators | | False |
| Filter | Advanced: FQL query. For more information, see the CrowdStrike documentation. | False |
| Generic phrase match | Generic phrase match search across all indicator fields. | False |
| Indicator Reputation | Indicators from this integration instance will be marked with this reputation. | False |
| Source Reliability | Reliability of the source providing the intelligence data. | True |
| Traffic Light Protocol Color | The Traffic Light Protocol (TLP) designation to apply to indicators fetched from the feed. | False |
| Indicator Expiration Method | The feed's expiration method. | False |
| Feed Fetch Interval | The interval after which the feed expires. | False |
| Tags | Supports CSV values. | False |
| Trust any certificate (not secure) | | False |
| Use system proxy settings | | False |
| Bypass exclusion list | When selected, the exclusion list is ignored for indicators from this feed. This means that if an indicator from this feed is on the exclusion list, the indicator might still be added to the system. | False |

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

crowdstrike-indicators-list

Gets indicators from the CrowdStrike Falcon Intel Feed.

Base Command

crowdstrike-indicators-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| limit | The maximum number of indicators to return. Default is 50. | Optional |
| offset | The index of the first indicator to fetch. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrikeFalconIntel.Indicators.id | String | Indicator ID. |
| CrowdStrikeFalconIntel.Indicators.value | String | Indicator value. |
| CrowdStrikeFalconIntel.Indicators.type | String | Indicator type. |
| CrowdStrikeFalconIntel.Indicators.fields.reports | Unknown | Indicator reports. |
| CrowdStrikeFalconIntel.Indicators.fields.actors | Unknown | Actors related to the indicator. |
| CrowdStrikeFalconIntel.Indicators.fields.malwarefamily | Unknown | Indicator malware families. |
| CrowdStrikeFalconIntel.Indicators.fields.stixkillchainphases | Unknown | Indicator kill chains. |
| CrowdStrikeFalconIntel.Indicators.fields.maliciousconfidence | String | Indicator malicious confidence. |
| CrowdStrikeFalconIntel.Indicators.fields.tags | Unknown | Indicator labels. |
| CrowdStrikeFalconIntel.Indicators.fields.targets | Unknown | Targets of the indicator. |
| CrowdStrikeFalconIntel.Indicators.fields.threattypes | Unknown | Indicator threat types. |
| CrowdStrikeFalconIntel.Indicators.fields.vulnerabilities | Unknown | Indicator vulnerabilities. |
| CrowdStrikeFalconIntel.Indicators.fields.ipaddress | Unknown | Indicator related IP addresses. |
| CrowdStrikeFalconIntel.Indicators.fields.domainname | Unknown | Indicator related domains. |
| CrowdStrikeFalconIntel.Indicators.fields.updateddate | Date | Indicator update date. |
| CrowdStrikeFalconIntel.Indicators.fields.creationdate | Unknown | Indicator creation date. |
| CrowdStrikeFalconIntel.Indicators.rawJSON | Unknown | Raw response. |

Command Example

!crowdstrike-indicators-list limit=3

Context Example

{
"CrowdStrikeFalconIntel": {
"Indicators": [
{
"fields": {
"actor": [],
"creationdate": 1600080520,
"domainname": [],
"ipaddress": [],
"confidence": "low",
"malwarefamily": [
"Remcos"
],
"reports": [],
"stixkillchainphases": [
"C2"
],
"threattypes": [
{
"threatcategory": "Criminal"
}
],
"tags": [
"MaliciousConfidence/Low",
"KillChain/C2",
"ThreatType/Commodity",
"ThreatType/Criminal",
"ThreatType/CredentialHarvesting",
"Malware/Remcos"
],
"targets": [],
"trafficlightprotocol": "AMBER",
"updateddate": 1608207378,
"vulnerabilities": []
},
"id": "ip_address_1.1.1.1",
"rawJSON": {
"_marker": "1608207378159fc77935511a2f0c9541511bd936f8",
"actors": [],
"deleted": false,
"domain_types": [],
"id": "ip_address_1.1.1.1",
"indicator": "1.1.1.1",
"ip_address_types": [],
"kill_chains": [
"C2"
],
"labels": [
{
"created_on": 1600080520,
"last_valid_on": 1608207377,
"name": "MaliciousConfidence/Low"
},
{
"created_on": 1600080520,
"last_valid_on": 1608207377,
"name": "KillChain/C2"
}
],
"last_updated": 1608207378,
"malicious_confidence": "low",
"malware_families": [
"Remcos"
],
"published_date": 1600080520,
"relations": [
{
"created_date": 1608207377,
"id": "hash_sha256_9bb12d611cb19e84f2f22791cb86a43841e95020b1e113469e5cad95b97a8d42",
"indicator": "9bb12d611cb19e84f2f22791cb86a43841e95020b1e113469e5cad95b97a8d42",
"last_valid_date": 1608207377,
"type": "hash_sha256"
},
{
"created_date": 1608207377,
"id": "hash_sha256_58a3e65de35d8da1f7955680e07a82ede43a1e677e0abc200923b484a7615494",
"indicator": "58a3e65de35d8da1f7955680e07a82ede43a1e677e0abc200923b484a7615494",
"last_valid_date": 1608207377,
"type": "hash_sha256"
}
],
"reports": [],
"targets": [],
"threat_types": [
"Criminal"
],
"type": "ip_address",
"vulnerabilities": []
},
"type": "IP",
"value": "1.1.1.1"
},
{
"fields": {
"actor": [],
"creationdate": 1608208087,
"domainname": [],
"ipaddress": [],
"confidence": "low",
"malwarefamily": [
"Remcos"
],
"reports": [],
"stixkillchainphases": [
"C2"
],
"tags": [
"MaliciousConfidence/Low",
"KillChain/C2",
"Malware/Remcos",
"ThreatType/Commodity",
"ThreatType/Criminal",
"ThreatType/CredentialHarvesting"
],
"threattypes": [
{
"threatcategory": "Criminal"
}
],
"targets": [],
"trafficlightprotocol": "AMBER",
"updateddate": 1608208109,
"vulnerabilities": []
},
"id": "ip_address_2.2.2.2",
"rawJSON": {
"_marker": "16082081092644654ac0f7738b7086d25532d38ec1",
"actors": [],
"deleted": false,
"domain_types": [],
"id": "ip_address_2.2.2.2",
"indicator": "2.2.2.2",
"ip_address_types": [],
"kill_chains": [
"C2"
],
"labels": [
{
"created_on": 1608208087,
"last_valid_on": 1608208108,
"name": "MaliciousConfidence/Low"
},
{
"created_on": 1608208087,
"last_valid_on": 1608208108,
"name": "KillChain/C2"
}
],
"last_updated": 1608208109,
"malicious_confidence": "low",
"malware_families": [
"Remcos"
],
"published_date": 1608208087,
"relations": [
{
"created_date": 1608208090,
"id": "hash_sha256_b90713f3b31f29ceb64355b3c016aa0a74e1ce90dca5570db04aff27e12b343c",
"indicator": "b90713f3b31f29ceb64355b3c016aa0a74e1ce90dca5570db04aff27e12b343c",
"last_valid_date": 1608208090,
"type": "hash_sha256"
},
{
"created_date": 1483468884,
"id": "domain_holmann02.ddns.net",
"indicator": "holmann02.ddns.net",
"last_valid_date": 1483468884,
"type": "domain"
}
],
"reports": [],
"targets": [],
"threat_types": [
"Criminal"
],
"type": "ip_address",
"vulnerabilities": []
},
"type": "IP",
"value": "2.2.2.2"
},
{
"fields": {
"actor": [
"MUMMYSPIDER"
],
"creationdate": 1592473928,
"domainname": [],
"ipaddress": [],
"confidence": "low",
"malwarefamily": [],
"reports": [],
"stixkillchainphases": [
"C2"
],
"threattypes": [],
"tags": [
"KillChain/C2",
"MaliciousConfidence/Low",
"Actor/MUMMYSPIDER"
],
"targets": [],
"trafficlightprotocol": "AMBER",
"updateddate": 1608208626,
"vulnerabilities": []
},
"id": "ip_address_1.2.3.4",
"rawJSON": {
"_marker": "1608208626d02e40678e554f71fd6c3c33cc71c5c0",
"actors": [
"MUMMYSPIDER"
],
"deleted": false,
"domain_types": [],
"id": "ip_address_1.2.3.4",
"indicator": "1.2.3.4",
"ip_address_types": [],
"kill_chains": [
"C2"
],
"labels": [
{
"created_on": 1592473928,
"last_valid_on": 1592473930,
"name": "KillChain/C2"
},
{
"created_on": 1592473928,
"last_valid_on": 1592473930,
"name": "MaliciousConfidence/Low"
},
{
"created_on": 1592473930,
"last_valid_on": 1592473930,
"name": "Actor/MUMMYSPIDER"
}
],
"last_updated": 1608208626,
"malicious_confidence": "low",
"malware_families": [],
"published_date": 1592473928,
"relations": [
{
"created_date": 1597858281,
"id": "url_http://1.1.1.1:80",
"indicator": "http://1.1.1.1:80",
"last_valid_date": 1597858281,
"type": "url"
},
{
"created_date": 1592473931,
"id": "hash_md5_6d795170965336a9006f059dd444fc8f",
"indicator": "6d795170965336a9006f059dd444fc8f",
"last_valid_date": 1592473931,
"type": "hash_md5"
}
],
"reports": [],
"targets": [],
"threat_types": [],
"type": "ip_address",
"vulnerabilities": []
},
"type": "IP",
"value": "1.2.3.4"
}
]
}
}

Human Readable Output

Indicators from CrowdStrike Falcon Intel

| Type | Value | Id |
| --- | --- | --- |
| IP | 1.1.1.1 | ip_address_1.1.1.1 |
| IP | 2.2.2.2 | ip_address_2.2.2.2 |
| IP | 1.2.3.4 | ip_address_1.2.3.4 |
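The mapping from a raw feed item (the rawJSON shape in the Context Example) to the indicator object described in the Context Output and to the rows of the table above, as an added example that is not the integration's own code. The CrowdStrike-type to XSOAR-type mapping, the function names and the sample items are assumptions made for this example.

```python
# Added example (not the integration's own code): turns raw CrowdStrike Falcon
# Intel items (the "rawJSON" shape in the Context Example) into the XSOAR
# indicator objects of the Context Output. The type mapping is an assumption.
CS_TYPE_TO_XSOAR = {"ip_address": "IP", "domain": "Domain", "url": "URL",
                    "hash_md5": "File MD5", "hash_sha256": "File SHA256"}

def to_xsoar_indicator(raw: dict, tlp: str = "AMBER") -> dict:
    """Map one raw feed item onto id/value/type/fields/rawJSON."""
    relations = raw.get("relations", [])
    fields = {
        "actor": raw.get("actors", []),
        "creationdate": raw.get("published_date"),
        "updateddate": raw.get("last_updated"),
        "confidence": raw.get("malicious_confidence"),
        "malwarefamily": raw.get("malware_families", []),
        "stixkillchainphases": raw.get("kill_chains", []),
        "threattypes": [{"threatcategory": t} for t in raw.get("threat_types", [])],
        # CrowdStrike labels (MaliciousConfidence/Low, KillChain/C2, ...) become tags
        "tags": [label["name"] for label in raw.get("labels", [])],
        # related indicators are split by kind into the ipaddress/domainname fields
        "ipaddress": [r["indicator"] for r in relations if r.get("type") == "ip_address"],
        "domainname": [r["indicator"] for r in relations if r.get("type") == "domain"],
        "vulnerabilities": raw.get("vulnerabilities", []),
        "trafficlightprotocol": tlp,
    }
    return {"id": raw["id"], "value": raw["indicator"],
            "type": CS_TYPE_TO_XSOAR.get(raw.get("type"), ""),
            "fields": fields, "rawJSON": raw}

def build_indicators(raw_items, include_deleted=False, tlp="AMBER"):
    """Honour the 'Include deleted indicators' setting, then map each item."""
    return [to_xsoar_indicator(r, tlp) for r in raw_items
            if include_deleted or not r.get("deleted", False)]

def readable_rows(indicators):
    """Rows of the 'Indicators from CrowdStrike Falcon Intel' table."""
    return [(i["type"], i["value"], i["id"]) for i in indicators]

# Constructed sample, modelled on the second item of the Context Example.
SAMPLE_RAW = [
    {"id": "ip_address_2.2.2.2", "indicator": "2.2.2.2", "type": "ip_address",
     "deleted": False, "malicious_confidence": "low", "published_date": 1608208087,
     "last_updated": 1608208109, "kill_chains": ["C2"], "threat_types": ["Criminal"],
     "malware_families": ["Remcos"], "actors": [],
     "labels": [{"name": "MaliciousConfidence/Low"}, {"name": "KillChain/C2"}],
     "relations": [{"indicator": "holmann02.ddns.net", "type": "domain"}]},
    {"id": "domain_deleted.example", "indicator": "deleted.example",
     "type": "domain", "deleted": True},
]
```

With the default settings the deleted item is dropped, which is the behaviour the "Include deleted indicators" parameter toggles.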

crowdstrike-reset-fetch-indicators

WARNING: This command will reset your fetch history.

Base Command

crowdstrike-reset-fetch-indicators

Input

There are no input arguments for this command.

Context Output

There is no context output for this command.

Command Example

!crowdstrike-reset-fetch-indicators

Human Readable Output

Fetch history deleted successfully