Skip to main content

CrowdStrike Falcon Intel Feed Actors

This Integration is part of the Crowdstrike Falcon Intel Feed Pack.#

Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

The CrowdStrike intelligence team tracks the activities of threat actor groups and advanced persistent threats (APTs) to understand as much as possible about their known aliases, targets, methods, and more.

Configure Crowdstrike Falcon Intel Feed on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Crowdstrike Falcon Intel Feed.
  3. Click Add instance to create and configure a new integration instance.
ParameterDescriptionRequired
feedFetch indicatorsFalse
client_idThe Crowdstrike API client IDTrue
feedReputationIndicator reputationFalse
feedReliabilitySource reliabilityTrue
tlp_colorThe Traffic Light Protocol (TLP) designation to apply to indicators fetched from the feed. More information about the protocol can be found at https://us-cert.cisa.gov/tlpFalse
feedExpirationPolicyFalse
feedExpirationIntervalFalse
feedIncrementalIncremental feedFalse
feedFetchIntervalFeed fetch intervalFalse
feedBypassExclusionListBypass exclusion listFalse
insecureTrust any certificate (not secure)False
proxyUse system proxy settingsFalse
feedTagsTagsFalse
client_secretCrowdstrike API client secretTrue
target_industriesFilter by threat actor's target industries.False
target_countriesFilter by threat actor's target countries.False
custom_filterA custom filter by which to filter the indicators. If you pass the custom_filter argument it will override the custom_filter parameter from the integration instance configuration.False
  1. Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

crowdstrike-falcon-intel-get-indicators#


Gets indicators from Crowdstrike Falcon Intel Feed.

Base Command#

crowdstrike-falcon-intel-get-indicators

Input#

Argument NameDescriptionRequired
limitThe maximum number of indicators to return. Default is 10.Optional
offsetThe index of the first indicator to fetch.Optional
target_industriesA comma-separated list of the threat actor's target industries by which to filter the indicators.Optional
target_countriesA comma-separated list of the threat actor's target countries by which to filter the indicators.Optional
custom_filterA custom filter by which to filter the indicators. If you pass the custom_filter argument it will override the custom_filter parameter from the integration instance configuration. For more information about custom filters and their structure, see the Crowdstrike Falcon documentation (https://falcon.crowdstrike.com/login/?next=%2Fsupport%2Fdocumentation%2F45%2Ffalcon-query-language-fql%3F).Optional

Context Output#

There is no context output for this command.

Command Example#

Human Readable Output#