Supported Cortex XSOAR versions: 5.5.0 and later.
The CrowdStrike intelligence team tracks the activities of threat actor groups and advanced persistent threats (APTs) to understand as much as possible about their known aliases, targets, methods, and more.
Configure Crowdstrike Falcon Intel Feed on Cortex XSOAR
- Navigate to Settings > Integrations > Servers & Services.
- Search for Crowdstrike Falcon Intel Feed.
- Click Add instance to create and configure a new integration instance.
|client_id||The Crowdstrike API client ID||True|
|tlp_color||The Traffic Light Protocol (TLP) designation to apply to indicators fetched from the feed. More information about the protocol can be found at https://us-cert.cisa.gov/tlp||False|
|feedFetchInterval||Feed fetch interval||False|
|feedBypassExclusionList||Bypass exclusion list||False|
|insecure||Trust any certificate (not secure)||False|
|proxy||Use system proxy settings||False|
|client_secret||Crowdstrike API client secret||True|
|target_industries||Filter by threat actor's target industries.||False|
|target_countries||Filter by threat actor's target countries.||False|
|custom_filter||A custom filter by which to filter the indicators. If you pass the custom_filter argument it will override the custom_filter parameter from the integration instance configuration.||False|
- Click Test to validate the URLs, token, and connection.
You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
Gets indicators from Crowdstrike Falcon Intel Feed.
|limit||The maximum number of indicators to return. Default is 10.||Optional|
|offset||The index of the first indicator to fetch.||Optional|
|target_industries||A comma-separated list of the threat actor's target industries by which to filter the indicators.||Optional|
|target_countries||A comma-separated list of the threat actor's target countries by which to filter the indicators.||Optional|
|custom_filter||A custom filter by which to filter the indicators. If you pass the custom_filter argument it will override the custom_filter parameter from the integration instance configuration. For more information about custom filters and their structure, see the Crowdstrike Falcon documentation (https://falcon.crowdstrike.com/login/?next=%2Fsupport%2Fdocumentation%2F45%2Ffalcon-query-language-fql%3F).||Optional|
There is no context output for this command.