CrowdStrike Indicator Feed

This Integration is part of the Crowdstrike Falcon Intel Feed Pack.

Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

CrowdStrike Falcon Intel Indicator Feed

Configure CrowdStrike Indicator Feed on Cortex XSOAR

1. Navigate to Settings > Integrations > Servers & Services.

2. Search for CrowdStrike Indicator Feed.

3. Click Add instance to create and configure a new integration instance.

   Parameter	Description	Required
   Fetch indicators		False
   CrowdStrike Base URL		True
   CrowdStrike API Client ID	For non 6.1 - enter your CrowdStrike API Client Secret in the password field.	True
   Type	The indicator types to fetch. Out-of-the-box indicator types supported in XSOAR are: "Account", "Domain", "Email", "File MD5", "File SHA256", "IP", "Registry Key", and "URL". The default is "ALL".	False
   First fetch time	The time range to consider for the initial data fetch. Leave empty to fetch from the first available indicator.	False
   Max. indicators per fetch	Maximum number of indicators per fetch. Value should be between 1 - 10000. A large value may result in a timeout.	False
   Malicious confidence	Malicious confidence level to filter by.	False
   Include deleted indicators		False
   Filter	Advanced: FQL query. For more information visit the CrowdStrike documentation.	False
   Generic phrase match	Generic phrase match search across all indicator fields.	False
   Indicator Reputation	Indicators from this integration instance will be marked with this reputation.	False
   Source Reliability	Reliability of the source providing the intelligence data.	True
   Traffic Light Protocol Color	The Traffic Light Protocol (TLP) designation to apply to indicators fetched from the feed.	False
   Indicator Expiration Method	The feed's expiration method.	False
   Feed Fetch Interval	The interval after which the feed expires.	False
   Tags	Supports CSV values.	False
   Trust any certificate (not secure)		False
   Use system proxy settings		False
   Bypass exclusion list	When selected, the exclusion list is ignored for indicators from this feed. This means that if an indicator from this feed is on the exclusion list, the indicator might still be added to the system.	False

4. Click Test to validate the URLs, token, and connection.

Note: To change the fetch start time , use the crowdstrike-reset-fetch-indicators command after setting the desired time in First Fetch Time parameter.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

crowdstrike-indicators-list

---

Gets indicators from the CrowdStrike Falcon Intel Feed.

Base Command

crowdstrike-indicators-list

Input

Argument Name	Description	Required
limit	The maximum number of indicators to return. Default is 50.	Optional
offset	The index of the first indicator to fetch.	Optional

Context Output

Path	Type	Description
CrowdStrikeFalconIntel.Indicators.id	String	Indicator ID.
CrowdStrikeFalconIntel.Indicators.value	String	Indicator value.
CrowdStrikeFalconIntel.Indicators.type	String	Indicator type.
CrowdStrikeFalconIntel.Indicators.fields.reports	Unknown	Indicator reports.
CrowdStrikeFalconIntel.Indicators.fields.actors	Unknown	Actors related to the indicator.
CrowdStrikeFalconIntel.Indicators.fields.malwarefamily	Unknown	Indicator malware families.
CrowdStrikeFalconIntel.Indicators.fields.stixkillchainphases	Unknown	Indicator kill chains.
CrowdStrikeFalconIntel.Indicators.fields.maliciousconfidence	String	Indicator malicious confidence.
CrowdStrikeFalconIntel.Indicators.fields.tags	Unknown	Indicator labels.
CrowdStrikeFalconIntel.Indicators.fields.targets	Unknown	Targets of the indicator.
CrowdStrikeFalconIntel.Indicators.fields.threattypes	Unknown	Indicator threat types.
CrowdStrikeFalconIntel.Indicators.fields.vulnerabilities	Unknown	Indicator vulnerabilities.
CrowdStrikeFalconIntel.Indicators.fields.ipaddress	Unknown	Indicator related IP address.
CrowdStrikeFalconIntel.Indicators.fields.domainname	Unknown	Indicator related domains.
CrowdStrikeFalconIntel.Indicators.fields.updateddate	Date	Indicator update date.
CrowdStrikeFalconIntel.Indicators.fields.creationdate	Unknown	Indicator creation date.
CrowdStrikeFalconIntel.Indicators.rawJSON	Unknown	Raw response.

Command Example

!crowdstrike-indicators-list limit=3

Context Example

{

"CrowdStrikeFalconIntel": {

"Indicators": [

{

"fields": {

"actor": [],

"creationdate": 1600080520,

"domainname": [],

"ipaddress": [],

"confidence": "low",

"malwarefamily": [

"Remcos"

],

"reports": [],

"stixkillchainphases": [

"C2"

],

"threattypes": [

{

"threatcategory": "Criminal"

}

],

"tags": [

"MaliciousConfidence/Low",

"KillChain/C2",

"ThreatType/Commodity",

"ThreatType/Criminal",

"ThreatType/CredentialHarvesting",

"Malware/Remcos"

],

"targets": [],

"trafficlightprotocol": "AMBER",

"updateddate": 1608207378,

"vulnerabilities": []

},

"id": "ip_address_1.1.1.1",

"rawJSON": {

"_marker": "1608207378159fc77935511a2f0c9541511bd936f8",

"actors": [],

"deleted": false,

"domain_types": [],

"id": "ip_address_1.1.1.1",

"indicator": "1.1.1.1",

"ip_address_types": [],

"kill_chains": [

"C2"

],

"labels": [

{

"created_on": 1600080520,

"last_valid_on": 1608207377,

"name": "MaliciousConfidence/Low"

},

{

"created_on": 1600080520,

"last_valid_on": 1608207377,

"name": "KillChain/C2"

}

],

"last_updated": 1608207378,

"malicious_confidence": "low",

"malware_families": [

"Remcos"

],

"published_date": 1600080520,

"relations": [

{

"created_date": 1608207377,

"id": "hash_sha256_9bb12d611cb19e84f2f22791cb86a43841e95020b1e113469e5cad95b97a8d42",

"indicator": "9bb12d611cb19e84f2f22791cb86a43841e95020b1e113469e5cad95b97a8d42",

"last_valid_date": 1608207377,

"type": "hash_sha256"

},

{

"created_date": 1608207377,

"id": "hash_sha256_58a3e65de35d8da1f7955680e07a82ede43a1e677e0abc200923b484a7615494",

"indicator": "58a3e65de35d8da1f7955680e07a82ede43a1e677e0abc200923b484a7615494",

"last_valid_date": 1608207377,

"type": "hash_sha256"

}

],

"reports": [],

"targets": [],

"threat_types": [

"Criminal"

],

"type": "ip_address",

"vulnerabilities": []

},

"type": "IP",

"value": "1.1.1.1"

},

{

"fields": {

"actor": [],

"creationdate": 1608208087,

"domainname": [],

"ipaddress": [],

"confidence": "low",

"malwarefamily": [

"Remcos"

],

"reports": [],

"stixkillchainphases": [

"C2"

],

"tags": [

"MaliciousConfidence/Low",

"KillChain/C2",

"Malware/Remcos",

"ThreatType/Commodity",

"ThreatType/Criminal",

"ThreatType/CredentialHarvesting"

],

"threattypes": [

{

"threatcategory": "Criminal"

}

],

"targets": [],

"trafficlightprotocol": "AMBER",

"updateddate": 1608208109,

"vulnerabilities": []

},

"id": "ip_address_2.2.2.2",

"rawJSON": {

"_marker": "16082081092644654ac0f7738b7086d25532d38ec1",

"actors": [],

"deleted": false,

"domain_types": [],

"id": "ip_address_2.2.2.2",

"indicator": "2.2.2.2",

"ip_address_types": [],

"kill_chains": [

"C2"

],

"labels": [

{

"created_on": 1608208087,

"last_valid_on": 1608208108,

"name": "MaliciousConfidence/Low"

},

{

"created_on": 1608208087,

"last_valid_on": 1608208108,

"name": "KillChain/C2"

}

],

"last_updated": 1608208109,

"malicious_confidence": "low",

"malware_families": [

"Remcos"

],

"published_date": 1608208087,

"relations": [

{

"created_date": 1608208090,

"id": "hash_sha256_b90713f3b31f29ceb64355b3c016aa0a74e1ce90dca5570db04aff27e12b343c",

"indicator": "b90713f3b31f29ceb64355b3c016aa0a74e1ce90dca5570db04aff27e12b343c",

"last_valid_date": 1608208090,

"type": "hash_sha256"

},

{

"created_date": 1483468884,

"id": "domain_holmann02.ddns.net",

"indicator": "holmann02.ddns.net",

"last_valid_date": 1483468884,

"type": "domain"

}

],

"reports": [],

"targets": [],

"threat_types": [

"Criminal"

],

"type": "ip_address",

"vulnerabilities": []

},

"type": "IP",

"value": "1.2.3.4"

},

{

"fields": {

"actor": [

"MUMMYSPIDER"

],

"creationdate": 1592473928,

"domainname": [],

"ipaddress": [],

"confidence": "low",

"malwarefamily": [],

"reports": [],

"stixkillchainphases": [

"C2"

],

"threattypes": [],

"tags": [

"KillChain/C2",

"MaliciousConfidence/Low",

"Actor/MUMMYSPIDER"

],

"targets": [],

"trafficlightprotocol": "AMBER",

"updateddate": 1608208626,

"vulnerabilities": []

},

"id": "ip_address_1.2.3.4",

"rawJSON": {

"_marker": "1608208626d02e40678e554f71fd6c3c33cc71c5c0",

"actors": [

"MUMMYSPIDER"

],

"deleted": false,

"domain_types": [],

"id": "ip_address_1.2.3.4",

"indicator": "1.2.3.4",

"ip_address_types": [],

"kill_chains": [

"C2"

],

"labels": [

{

"created_on": 1592473928,

"last_valid_on": 1592473930,

"name": "KillChain/C2"

},

{

"created_on": 1592473928,

"last_valid_on": 1592473930,

"name": "MaliciousConfidence/Low"

},

{

"created_on": 1592473930,

"last_valid_on": 1592473930,

"name": "Actor/MUMMYSPIDER"

}

],

"last_updated": 1608208626,

"malicious_confidence": "low",

"malware_families": [],

"published_date": 1592473928,

"relations": [

{

"created_date": 1597858281,

"id": "url_http://1.1.1.1:80",

"indicator": "http://1.1.1.1:80",

"last_valid_date": 1597858281,

"type": "url"

},

{

"created_date": 1592473931,

"id": "hash_md5_6d795170965336a9006f059dd444fc8f",

"indicator": "6d795170965336a9006f059dd444fc8f",

"last_valid_date": 1592473931,

"type": "hash_md5"

}

],

"reports": [],

"targets": [],

"threat_types": [],

"type": "ip_address",

"vulnerabilities": []

},

"type": "IP",

"value": "1.2.3.4"

}

]

}

}

Human Readable Output

Indicators from CrowdStrike Falcon Intel

Type	Value	Id
IP	1.1.1.1	ip_address_1.1.1.1
IP	2.2.2.2	ip_address_2.2.2.2
IP	1.2.3.4	ip_address_1.2.3.4

crowdstrike-reset-fetch-indicators

---

Resets the retrieving start time according to the First Fetch Time parameter, WARNING: This command will reset your fetch history.

Base Command

crowdstrike-reset-fetch-indicators

Input

There are no input arguments for this command.

Context Output

There is no context output for this command.

Command Example

!crowdstrike-reset-fetch-indicators

Human Readable Output

Fetch history deleted successfully