CrowdStrike Falcon Intel (Deprecated)
This Integration is part of the CrowdStrike Falcon Intel Pack.
Deprecated
Use CrowdStrike Falcon Intel v2 integration instead.
This integration was integrated and tested with CrowdStrike Falcon Intel v2.
Use Cases
- Search files, URLs, domains, and IP addresses, for malware.
- Create indicator based reports.
Configure CrowdStrike Falcon Intelligence v2 on Cortex XSOAR
- Navigate to Settings > Integrations > Servers & Services.
- Search for Falcon Intel v2.
- Click Add instance to create and configure a new integration instance.
- Name : A textual name for the integration instance.
- Server URL : URL of Falcon Intel server.
- API ID
- API Key
- Threshold : Minimum malicious confidence from Falcon Intel to consider the indicator malicious (low, medium, or high). Default is high.
- Use system proxy settings
- Allow self-signed SSL certificates
- Indicator API V2
- Click Test to validate the URLs and token.
Commands
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Check file for malware: file
- Check URL for malware: url
- Check domain for malware: domain
- Check IP address for malware: ip
- Search for actors: cs-actors
- Indicator based report: cs-indicators
- Search summary and ID of Intelligence Reports: cs-reports
- Get report in PDF format: cs-report-pdf
1. Check file for malware
Returns a malware report for the specified file.
Base Command
file
Input
| Argument Name | Description |
| --- | --- |
| file | MD5, SHA-1, or SHA-256 hash of the file to check |
Context Output
| Path | Description |
| --- | --- |
| File.MD5 | Malicious MD5 hash file |
| File.SHA1 | Malicious SHA-1 hash file |
| File.SHA256 | Malicious SHA-256 hash file |
| File.Malicious.Vendor | For malicious files, the vendor that made the decision |
| File.Malicious.Description | For malicious files, the reason that the vendor made the decision |
| DBotScore.Indicator | The indicator tested |
| DBotScore.Type | Type of indicator tested |
| DBotScore.Vendor | Vendor used to calculate the score |
| DBotScore.Score | The actual score |
Command Example
!file file=369c8fc6532ba547d7ef5985bb5e880a using-brand="FalconIntel V2"
Raw Output
DBotScore
{
"Indicator":"369c8fc6532ba547d7ef5985bb5e880a",
"Score":3,
"Type":"hash",
"Vendor":"CrowdStrike"
}
File
{
"MD5":"369c8fc6532ba547d7ef5985bb5e880a",
"Malicious":{
"Description":"High confidence",
"Vendor":"CrowdStrike"
}
}
Context Example
DBotScore
{
  "Indicator": "369c8fc6532ba547d7ef5985bb5e880a",
  "Score": 3,
  "Type": "hash",
  "Vendor": "CrowdStrike"
}
File
{
  "MD5": "369c8fc6532ba547d7ef5985bb5e880a",
  "Malicious": {
    "Description": "High confidence",
    "Vendor": "CrowdStrike"
  }
}
2. Check URL for malware
Returns a malware report for the specified URL.
Base Command
url
Input
| Argument Name | Description |
| --- | --- |
| url | URL to check |
Context Output
| Path | Description |
| --- | --- |
| URL.Data | Malicious URL |
| URL.Malicious.Vendor | For malicious URLs, the vendor that made the decision |
| URL.Malicious.Description | For malicious URLs, the reason that the vendor made that decision |
| DBotScore.Indicator | The indicator tested |
| DBotScore.Type | Type of indicator tested |
| DBotScore.Vendor | Vendor used to calculate the score |
| DBotScore.Score | The actual score |
Command Example
!url url="http://8.8.8.8/google.doc" using="FalconIntel V2_instance_1"
Raw Output
DBotScore
{
"Indicator":"http://8.8.8.8/google.doc",
"Score":3,
"Type":"url",
"Vendor":"CrowdStrike"
}
URL
{
"Data": "http://8.8.8.8/google.doc",
"Malicious": {
"Description": "High confidence",
"Vendor": "CrowdStrike"
}
}
Context Example
DBotScore
{
  "Indicator": "http://8.8.8.8/google.doc",
  "Score": 3,
  "Type": "url",
  "Vendor": "CrowdStrike"
}
URL
{
  "Data": "http://8.8.8.8/google.doc",
  "Malicious": {
    "Description": "High confidence",
    "Vendor": "CrowdStrike"
  }
}
3. Check Domain for malware
Returns a malware report for the specified domain.
Base Command
domain
Input
| Argument Name | Description |
| --- | --- |
| domain | Domain to check |
Context Output
| Path | Description |
| --- | --- |
| Domain.Name | Malicious domain |
| Domain.Malicious.Vendor | For malicious domains, the vendor that made the decision |
| Domain.Malicious.Description | For malicious domains, the reason that the vendor made that decision |
| DBotScore.Indicator | The indicator tested |
| DBotScore.Type | Type of indicator tested |
| DBotScore.Vendor | Vendor used to calculate the score |
| DBotScore.Score | The actual score |
Command Example
!domain domain="dns02.hpupdat.net" using="FalconIntel V2_instance_1"
Raw Output
DBotScore
{
"Indicator": "dns02.hpupdat.net",
"Score": 3,
"Type": "domain",
"Vendor": "CrowdStrike"
}
Domain
{
"Malicious": {
"Description": "High confidence",
"Vendor": "CrowdStrike"
},
"Name": "dns02.hpupdat.net"
}
Context Example
DBotScore
{
  "Indicator": "dns02.hpupdat.net",
  "Score": 3,
  "Type": "domain",
  "Vendor": "CrowdStrike"
}
Domain
{
  "Malicious": {
    "Description": "High confidence",
    "Vendor": "CrowdStrike"
  },
  "Name": "dns02.hpupdat.net"
}
4. Check IP address for malware
Returns a malware report for the specified IP address.
Base Command
ip
Input
| Argument Name | Description |
| --- | --- |
| ip | IP address to check |
Context Output
| Path | Description |
| --- | --- |
| IP.Address | Malicious IP address |
| IP.Malicious.Vendor | For malicious IP addresses, the vendor that made the decision |
| IP.Malicious.Description | For malicious IP addresses, the reason that the vendor made that decision |
| DBotScore.Indicator | The indicator tested |
| DBotScore.Type | Type of indicator tested |
| DBotScore.Vendor | Vendor used to calculate the score |
| DBotScore.Score | The actual score |
Command Example
!ip ip="4.4.4.4" using="FalconIntel V2_instance_1"
Raw Output
DBotScore
{
"Indicator": "4.4.4.4",
"Score": 1,
"Type": "ip",
"Vendor": "CrowdStrike"
}
Context Example
DBotScore
{
  "Indicator": "4.4.4.4",
  "Score": 1,
  "Type": "ip",
  "Vendor": "CrowdStrike"
}
5. Search for actors
Searches for actors.
Base Command
cs-actors
Input
| Argument Name | Description |
| --- | --- |
| q | Search all fields for the specified data. |
| name | Search based on actor name. |
| desc | Search based on description. |
| minLastModifiedDate | Search range starts at modified date. Dates are formatted as YYYY-MM-DD. |
| maxLastModifiedDate | Search range ends at modified date. Dates are formatted as YYYY-MM-DD. |
| minLastActivityDate | Search range starts at activity date. Dates are formatted as YYYY-MM-DD. |
| maxLastActivityDate | Search range ends at activity date. Dates are formatted as YYYY-MM-DD. |
| origins | Search by comma-separated list of origins. |
| targetCountries | Search by comma-separated list of target countries. |
| targetIndustries | Search by comma-separated list of target industries. |
| motivations | Search by comma-separated list of motivations. |
| offset | Which page of the results to retrieve. It is 0 based. |
| limit | Number of results displayed in the page. |
| sort | Sort is field_name.order, field_name.order. order is either asc or desc. |
| slug | Search by 'slug' or short descriptive name. Example: "anchor-panda" |
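The cs-actors arguments above are free-form strings when they reach the integration, so a defensive implementation validates them (date layout, date ordering, the field_name.order sort syntax, non-negative paging) before they become query parameters. The following is an added example, not the integration's own code; it assumes the wire parameter names match the argument names in the table and that offset and limit are sent as integers.

```python
# Added example, not the integration's own code: validate cs-actors arguments
# before they are sent as query parameters. Assumed: wire parameter names equal
# the argument names above; offset/limit are sent as integers.
import re
from datetime import date

DATE_ARGS = ("minLastModifiedDate", "maxLastModifiedDate",
             "minLastActivityDate", "maxLastActivityDate")
DATE_RANGES = (("minLastModifiedDate", "maxLastModifiedDate"),
               ("minLastActivityDate", "maxLastActivityDate"))
LIST_ARGS = ("origins", "targetCountries", "targetIndustries", "motivations")
TEXT_ARGS = ("q", "name", "desc", "slug")
SORT_TERM = re.compile(r"[A-Za-z0-9_]+\.(asc|desc)")


def parse_iso_date(value: str) -> date:
    """Accept exactly YYYY-MM-DD; reject other layouts and impossible dates."""
    m = re.fullmatch(r"(\d{4})-(\d{2})-(\d{2})", value.strip())
    if not m:
        raise ValueError(f"dates must be YYYY-MM-DD, got {value!r}")
    return date(int(m[1]), int(m[2]), int(m[3]))  # raises ValueError on e.g. 2019-02-30


def parse_sort(value: str) -> str:
    """Normalise 'field.order, field.order' and reject any order other than asc/desc."""
    terms = [t.strip() for t in value.split(",") if t.strip()]
    bad = [t for t in terms if not SORT_TERM.fullmatch(t)]
    if bad or not terms:
        raise ValueError(f"sort must be field_name.asc|desc[, ...], got {value!r}")
    return ",".join(terms)


def build_actor_query(args: dict) -> dict:
    """Turn command arguments (all strings, as XSOAR passes them) into query params."""
    params = {}
    for name in TEXT_ARGS:
        if args.get(name):
            params[name] = args[name].strip()
    dates = {name: parse_iso_date(args[name]) for name in DATE_ARGS if args.get(name)}
    for lo, hi in DATE_RANGES:  # a range whose start is after its end can never match
        if lo in dates and hi in dates and dates[lo] > dates[hi]:
            raise ValueError(f"{lo} ({dates[lo]}) is after {hi} ({dates[hi]})")
    params.update({name: d.isoformat() for name, d in dates.items()})
    for name in LIST_ARGS:  # comma-separated lists: trim items, drop empties
        if args.get(name):
            items = [s.strip() for s in args[name].split(",") if s.strip()]
            if items:
                params[name] = ",".join(items)
    if args.get("sort"):
        params["sort"] = parse_sort(args["sort"])
    if args.get("offset") not in (None, ""):
        offset = int(args["offset"])
        if offset < 0:
            raise ValueError("offset is 0 based and cannot be negative")
        params["offset"] = offset
    if args.get("limit") not in (None, ""):
        limit = int(args["limit"])
        if limit < 1:
            raise ValueError("limit must be at least 1")
        params["limit"] = limit
    return params


def is_rejected(args: dict) -> bool:
    """True when build_actor_query refuses the arguments (handy for quick checks)."""
    try:
        build_actor_query(args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Mirrors the command example for this section: !cs-actors q="google" limit="2"
    print(build_actor_query({"q": "google", "limit": "2"}))
```

Rejecting a malformed sort term or an inverted date range up front gives the analyst an error in the War Room instead of a silently empty result set from the API.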
Context Output
There is no context output for this command.
Command Example
!cs-actors q="google" limit="2"
Raw Output
There is no raw output for this command.
Context Example
There is no context example for this command.
6. Indicator based report
Generates a report according to specified indicators.
Base Command
cs-indicators
Input
| Argument Name | Description |
| --- | --- |
| parameter | What parameter to search. See the CrowdStrike documentation for details. Valid values are: |
| filter | Valid values are: |
| value | The value for the given parameter |
| sort | Sort by a field in the format of field_name.order. order is either asc or desc. Valid values for fields are: |
| page | The page to retrieve - 1 based |
| pageSize | The size of the page to retrieve |
Context Output
| Path | Description |
| --- | --- |
| File.MD5 | Malicious MD5 hash file |
| File.SHA1 | Malicious SHA-1 hash file |
| File.SHA256 | Malicious SHA-256 hash file |
| File.Malicious.Vendor | For malicious files, the vendor that made the decision |
| File.Malicious.Description | For malicious files, the reason that the vendor made that decision |
| File.Reports | For malicious files, the associated reports describing the hash |
| File.Actors | For malicious files, the associated actors |
| File.MalwareFamilies | For malicious files, the associated malware family |
| File.KillChains | For malicious files, the associated kill chain |
| URL.Data | Malicious URL |
| URL.Malicious.Vendor | For malicious URLs, the vendor that made the decision |
| URL.Malicious.Description | For malicious URLs, the reason that the vendor made that decision |
| URL.Reports | For malicious URLs, the associated reports describing the URL |
| URL.Actors | For malicious URLs, the associated actors |
| URL.MalwareFamilies | For malicious URLs, the associated malware family |
| URL.KillChains | For malicious URLs, the associated kill chain |
| Domain.Name | Malicious domain |
| Domain.Malicious.Vendor | For malicious domains, the vendor that made the decision |
| Domain.Malicious.Description | For malicious domains, the reason that the vendor made that decision |
| Domain.Reports | For malicious domains, the associated reports describing the domain |
| Domain.Actors | For malicious domains, the associated actors |
| Domain.MalwareFamilies | For malicious domains, the associated malware family |
| Domain.KillChains | For malicious domains, the associated kill chain |
| IP.Address | IP Indicators |
| IP.Malicious.Vendor | For malicious IP addresses, the vendor that made the decision |
| IP.Malicious.Description | For malicious IP addresses, the reason that the vendor made that decision |
| IP.Reports | For malicious IP addresses, the associated reports describing the IP |
| IP.Actors | For malicious IP addresses, the associated actors |
| IP.MalwareFamilies | For malicious IP addresses, the associated malware family |
| IP.KillChains | For malicious IP addresses, the associated kill chain |
| DBotScore.Indicator | The indicator tested |
| DBotScore.Type | Type of indicator tested |
| DBotScore.Vendor | Vendor used to calculate the score |
| DBotScore.Score | The actual score |
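The context paths above follow one pattern: each indicator type lands under its own key (File, URL, Domain, IP) with a value field, an optional Malicious block, and the Reports/Actors/MalwareFamilies/KillChains relations, while every indicator also gets a DBotScore entry whose Score depends on the configured Threshold. The code below is an added example, not the integration's own code, showing that mapping end to end. The record field names (type, indicator, malicious_confidence, reports, actors, malware_families, kill_chains), the indicator type names, and the threshold mapping are assumptions modelled on this page; the sample records reuse indicator values shown on this page, with "medium" confidence for panda.tech-tw.com assumed from its Score of 2.

```python
# Added example, not the integration's own code: build the DBotScore and
# File/URL/Domain/IP context from Falcon Intel style indicator records.
# Assumed: record field names, indicator type names, and the threshold mapping
# below; sample records are constructed from values shown on this page.

CONFIDENCE_RANK = {"unverified": 0, "low": 1, "medium": 2, "high": 3}
VENDOR = "CrowdStrike"

# Assumed Falcon Intel indicator type -> (context key, field that carries the value)
CONTEXT_KEY = {
    "hash_md5": ("File", "MD5"),
    "hash_sha1": ("File", "SHA1"),
    "hash_sha256": ("File", "SHA256"),
    "url": ("URL", "Data"),
    "domain": ("Domain", "Name"),
    "ip_address": ("IP", "Address"),
}
DBOT_TYPE = {"File": "hash", "URL": "url", "Domain": "domain", "IP": "ip"}
RELATIONS = (("reports", "Reports"), ("actors", "Actors"),
             ("malware_families", "MalwareFamilies"), ("kill_chains", "KillChains"))


def dbot_score(confidence: str, threshold: str = "high") -> int:
    """Assumed mapping: confidence at or above the threshold -> 3 (Bad); a known
    indicator below it -> 2 (Suspicious), matching panda.tech-tw.com above, which
    carries Score 2 and no Malicious block."""
    if threshold not in ("low", "medium", "high"):
        raise ValueError(f"threshold must be low, medium or high, got {threshold!r}")
    rank = CONFIDENCE_RANK.get(confidence.lower(), 0)
    return 3 if rank >= CONFIDENCE_RANK[threshold] else 2


def unknown_indicator_score(value: str, dbot_type: str) -> dict:
    """An indicator Falcon Intel has no record for gets Score 1 (Good), as the
    4.4.4.4 example above shows; no File/URL/Domain/IP entry is produced for it."""
    return {"Indicator": value, "Type": dbot_type, "Vendor": VENDOR, "Score": 1}


def build_context(records, threshold: str = "high") -> dict:
    """Produce {"DBotScore": [...], "File"/"URL"/"Domain"/"IP": [...]} as in the tables above."""
    ctx = {"DBotScore": []}
    for rec in records:
        key, field = CONTEXT_KEY[rec["type"]]
        score = dbot_score(rec["malicious_confidence"], threshold)
        ctx["DBotScore"].append({"Indicator": rec["indicator"], "Type": DBOT_TYPE[key],
                                 "Vendor": VENDOR, "Score": score})
        entry = {field: rec["indicator"]}
        if score == 3:
            # Description mirrors the raw output above, e.g. "High confidence"
            entry["Malicious"] = {"Vendor": VENDOR,
                                  "Description": f"{rec['malicious_confidence'].capitalize()} confidence"}
        for src, dst in RELATIONS:  # only emit relations the record actually has
            if rec.get(src):
                entry[dst] = list(rec[src])
        ctx.setdefault(key, []).append(entry)
    return ctx


# Constructed sample records using indicator values that appear on this page.
SAMPLE_RECORDS = [
    {"type": "domain", "indicator": "pandadefender.com", "malicious_confidence": "high",
     "actors": ["FANCYBEAR"], "kill_chains": ["C2"], "malware_families": ["X-Agent"],
     "reports": ["CSIR-17010"]},
    {"type": "domain", "indicator": "panda.tech-tw.com", "malicious_confidence": "medium",
     "kill_chains": ["Delivery"]},
    {"type": "hash_md5", "indicator": "369c8fc6532ba547d7ef5985bb5e880a",
     "malicious_confidence": "high"},
]

if __name__ == "__main__":
    import json
    print(json.dumps(build_context(SAMPLE_RECORDS, "high"), indent=2))
```

Lowering the Threshold instance parameter to medium turns the second sample record from Suspicious into Bad and adds its Malicious block, which is the lever an analyst has when tuning how aggressively playbooks act on Falcon Intel verdicts.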
Command Example
!cs-indicators filter=match parameter=indicator value="panda"
Raw Output
DBotScore
[
{
"Indicator":"nadazpanda.publicvm.com",
"Score":3,
"Type":"domain",
"Vendor":"CrowdStrike"
},
{
"Indicator":"pandadefender.com",
"Score":3,
"Type":"domain",
"Vendor":"CrowdStrike"
},
{
"Indicator":"http://panda.tech/tw.com/panda.rtf",
"Score":3,
"Type":"url",
"Vendor":"CrowdStrike"
},
{
"Indicator":"panda1.hopto.org",
"Score":3,
"Type":"domain",
"Vendor":"CrowdStrike"
},
{
"Indicator":"http://suliparwarda.com/includes/panda.php?c=",
"Score":3,
"Type":"url",
"Vendor":"CrowdStrike"
},
{
"Indicator":"http://azmwn.suliparwarda.com/wp-content/plugins/wpdatatables/panda.php?c=",
"Score":3,
"Type":"url",
"Vendor":"CrowdStrike"
},
{
"Indicator":"balvinnew.pandabearsunited.xyz",
"Score":3,
"Type":"domain",
"Vendor":"CrowdStrike"
},
{
"Indicator":"panda3.ddns.net",
"Score":3,
"Type":"domain",
"Vendor":"CrowdStrike"
},
{
"Indicator":"panda.tech-tw.com",
"Score":2,
"Type":"domain",
"Vendor":"CrowdStrike"
},
{
"Indicator":"http://panda.tech-tw.com/panda.rtf",
"Score":3,
"Type":"url",
"Vendor":"CrowdStrike"
}
]
Domain
[
{
"KillChains":[
"C2"
],
"Malicious":{
"Description":"High confidence",
"Vendor":"CrowdStrike"
},
"MalwareFamilies":[
"njRAT"
],
"Name":"nadazpanda.publicvm.com"
},
{
"Actors":[
"FANCYBEAR"
],
"KillChains":[
"C2"
],
"Malicious":{
"Description":"High confidence",
"Vendor":"CrowdStrike"
},
"MalwareFamilies":[
"X-Agent"
],
"Name":"pandadefender.com",
"Reports":[
"CSIR-17010"
]
},
{
"KillChains":[
"C2"
],
"Malicious":{
"Description":"High confidence",
"Vendor":"CrowdStrike"
},
"MalwareFamilies":[
"CybergateRAT"
],
"Name":"panda1.hopto.org"
},
{
"KillChains":[
"C2"
],
"Malicious":{
"Description":"High confidence",
"Vendor":"CrowdStrike"
},
"MalwareFamilies":[
"XtremeRAT"
],
"Name":"balvinnew.pandabearsunited.xyz"
},
{
"KillChains":[
"C2"
],
"Malicious":{
"Description":"High confidence",
"Vendor":"CrowdStrike"
},
"MalwareFamilies":[
"njRAT"
],
"Name":"panda3.ddns.net"
},
{
"KillChains":[
"Delivery"
],
"Name":"panda.tech-tw.com"
}
]
URL
[
{
"Data":"http://panda.tech/tw.com/panda.rtf",
"KillChains":[
"Delivery"
],
"Malicious":{
"Description":"High confidence",
"Vendor":"CrowdStrike"
}
},
{
"Actors":[
"STATICKITTEN"
],
"Data":"http://suliparwarda.com/includes/panda.php?c=",
"KillChains":[
"C2"
],
"Malicious":{
"Description":"High confidence",
"Vendor":"CrowdStrike"
},
"MalwareFamilies":[
"NTSTATS"
],
"Reports":[
"CSIR-18002"
]
},
{
"Actors":[
"STATICKITTEN"
],
"Data":"http://azmwn.suliparwarda.com/wp-content/plugins/wpdatatables/panda.php?c=",
"KillChains":[
"C2"
],
"Malicious":{
"Description":"High confidence",
"Vendor":"CrowdStrike"
},
"MalwareFamilies":[
"NTSTATS"
],
"Reports":[
"CSIR-18002"
]
},
{
"Data":"http://panda.tech-tw.com/panda.rtf",
"KillChains":[
"Delivery"
],
"Malicious":{
"Description":"High confidence",
"Vendor":"CrowdStrike"
}
}
]
Context Example
DBotScore
[
  {"Indicator": "nadazpanda.publicvm.com", "Score": 3, "Type": "domain", "Vendor": "CrowdStrike"},
  {"Indicator": "pandadefender.com", "Score": 3, "Type": "domain", "Vendor": "CrowdStrike"},
  {"Indicator": "http://panda.tech/tw.com/panda.rtf", "Score": 3, "Type": "url", "Vendor": "CrowdStrike"},
  {"Indicator": "panda1.hopto.org", "Score": 3, "Type": "domain", "Vendor": "CrowdStrike"},
  {"Indicator": "http://suliparwarda.com/includes/panda.php?c=", "Score": 3, "Type": "url", "Vendor": "CrowdStrike"},
  {"Indicator": "http://azmwn.suliparwarda.com/wp-content/plugins/wpdatatables/panda.php?c=", "Score": 3, "Type": "url", "Vendor": "CrowdStrike"},
  {"Indicator": "balvinnew.pandabearsunited.xyz", "Score": 3, "Type": "domain", "Vendor": "CrowdStrike"},
  {"Indicator": "panda3.ddns.net", "Score": 3, "Type": "domain", "Vendor": "CrowdStrike"},
  {"Indicator": "panda.tech-tw.com", "Score": 2, "Type": "domain", "Vendor": "CrowdStrike"},
  {"Indicator": "http://panda.tech-tw.com/panda.rtf", "Score": 3, "Type": "url", "Vendor": "CrowdStrike"}
]
Domain
[
  {"KillChains": ["C2"], "Malicious": {"Description": "High confidence", "Vendor": "CrowdStrike"}, "MalwareFamilies": ["njRAT"], "Name": "nadazpanda.publicvm.com"},
  {"Actors": ["FANCYBEAR"], "KillChains": ["C2"], "Malicious": {"Description": "High confidence", "Vendor": "CrowdStrike"}, "MalwareFamilies": ["X-Agent"], "Name": "pandadefender.com", "Reports": ["CSIR-17010"]},
  {"KillChains": ["C2"], "Malicious": {"Description": "High confidence", "Vendor": "CrowdStrike"}, "MalwareFamilies": ["CybergateRAT"], "Name": "panda1.hopto.org"},
  {"KillChains": ["C2"], "Malicious": {"Description": "High confidence", "Vendor": "CrowdStrike"}, "MalwareFamilies": ["XtremeRAT"], "Name": "balvinnew.pandabearsunited.xyz"},
  {"KillChains": ["C2"], "Malicious": {"Description": "High confidence", "Vendor": "CrowdStrike"}, "MalwareFamilies": ["njRAT"], "Name": "panda3.ddns.net"},
  {"KillChains": ["Delivery"], "Name": "panda.tech-tw.com"}
]
URL
[
  {"Data": "http://panda.tech/tw.com/panda.rtf", "KillChains": ["Delivery"], "Malicious": {"Description": "High confidence", "Vendor": "CrowdStrike"}},
  {"Actors": ["STATICKITTEN"], "Data": "http://suliparwarda.com/includes/panda.php?c=", "KillChains": ["C2"], "Malicious": {"Description": "High confidence", "Vendor": "CrowdStrike"}, "MalwareFamilies": ["NTSTATS"], "Reports": ["CSIR-18002"]},
  {"Actors": ["STATICKITTEN"], "Data": "http://azmwn.suliparwarda.com/wp-content/plugins/wpdatatables/panda.php?c=", "KillChains": ["C2"], "Malicious": {"Description": "High confidence", "Vendor": "CrowdStrike"}, "MalwareFamilies": ["NTSTATS"], "Reports": ["CSIR-18002"]},
  {"Data": "http://panda.tech-tw.com/panda.rtf", "KillChains": ["Delivery"], "Malicious": {"Description": "High confidence", "Vendor": "CrowdStrike"}}
]
7. Search summary and ID of Intelligence Reports
Searches for summary and ID of Intelligence Reports.
Base Command
cs-reports
Input
| Argument Name | Description |
| --- | --- |
| q | Performs a generic substring search across all fields in a report. |
| name | Search for keywords across report names (for example, the report’s title). |
| actor | Search for a report related to a specified actor. For a list of actors, refer to the Intel Actors API. |
| targetCountries | Search reports by targeted country or countries. |
| targetIndustries | Search reports by targeted industry or industries. |
| motivations | Search reports by motivation. |
| slug | Search reports by report 'slug' or short descriptive name. |
| description | Search the body of the report. |
| type | The type of object to search for. |
| subType | The sub-type of object to search for. |
| tags | Tags associated with a report (managed internally by CrowdStrike). |
| minLastModifiedDate | Search range starts at modified date. Dates are formatted as YYYY-MM-DD. |
| maxLastModifiedDate | Search range ends at modified date. Dates are formatted as YYYY-MM-DD. |
| offset | Used to number the responses. You can then use limit to set the number of results for the next page. |
| limit | Limits the number of results to return |
| sort | The field and direction to sort results on, in the format field_name.order, where order is either asc or desc. Valid values are: |
Context Output
There is no context output.
Command Example
!cs-reports actor=panda limit=10
Raw Output
There is no raw output.
Context Example
There is no context example.
8. Get report in PDF format
Returns a full summary of a specified report in PDF format.
Base Command
cs-report-pdf
Input
| Argument Name | Description |
| --- | --- |
| id | The ID of the report to return |
Context Output
There is no context output for this command.
Command Example
!cs-report-pdf id=588
Raw Output
There is no raw output for this command.
Context Example
There is no context example for this command.