CrowdStrike Falcon Intelligence Engine Integration User Guide
- 08 Aug 2024
- 6 Minutes to read
-
Print
-
DarkLight
CrowdStrike Falcon Intelligence Engine Integration User Guide
- Updated on 08 Aug 2024
- 6 Minutes to read
-
Print
-
DarkLight
Article summary
Did you find this summary helpful?
Thank you for your feedback
Software Version
This guide applies to the CrowdStrike Falcon Intelligence Engine App version 1.0.x.
Overview
The ThreatConnect® integration with CrowdStrike Falcon® Intelligence allows ThreatConnect customers to import information Reports, Indicators, Signatures, Vulnerabilities, Malware, and Actors, along with all of their context, from the CrowdStrike Falcon Intelligence feed into ThreatConnect.
The following Indicator types are currently supported: Address, Email Address, File, Host, URL, Email Subject, Mutex, and Registry Key. Indicators are associated with Report and Intrusion Set Groups in ThreatConnect. Reports are also associated with Intrusion Set Groups in ThreatConnect.
Dependencies
ThreatConnect Dependencies
- Active ThreatConnect Application Programming Interface (API) Key
Note
All ThreatConnect dependencies will be provided by default to subscribing ThreatConnect Cloud customers. Customers on Dedicated Cloud and On-Premises instances can enable these settings on the Account Settings screen within their ThreatConnect instance.
CrowdStrike Dependencies
- Active subscription to CrowdStrike Falcon Intelligence with API key with the following permissions:
- Actors: Read=Yes
- Indicators: Read=Yes
- Malware Families: Read=Yes
- Reports: Read=Yes
Application Setup and Configuration
- Log into ThreatConnect with a System Administrator account.
- Install the CrowdStrike Falcon Intelligence Engine App via TC Exchange™.
- Use the ThreatConnect Feed Deployer to set up and configure the CrowdStrike Falcon Intelligence Engine App.
Configuration Parameters
Parameter Definitions
The parameters defined in Table 1 apply to the configuration parameters available when using the Feed Deployer to configure the App.
| Name | Description | Required? |
|---|---|---|
| Sources Tab | ||
| Sources to Create | The name of the Source to be created. | Yes |
| Owner | The Organization in which the Source will be created. | Yes |
| Activate Deprecation | Select this checkbox to allow the creation of depreciation rules for Indicators in the Source. | No |
| Create Attributes | Select this checkbox to allow the creation of custom Attribute Types in the Source. | No |
| Parameters Tab | ||
| Launch Server | Select tc-job as the launch server for the Service corresponding to the Feed API Service App. | Yes |
| CrowdStrike API Endpoint | Select the CrowdStrike® environment from which to retrieve data. | Yes |
| Group Types | Select the Group type(s) to import from CrowdStrike. | Yes |
| Indicator Types | Select the Indicator type(s) to import from CrowdStrike. | Yes |
| Variables Tab | ||
| CrowdStrike Falcon Intelligence API Secret | The CrowdStrike API secret. | Yes |
| CrowdStrike Falcon Intelligence API ID | The CrowdStrike API ID. | Yes |
CrowdStrike Falcon Intelligence Engine
After successfully configuring and activating the Feed API Service, you can access the CrowdStrike Falcon Intelligence Engine user interface (UI). This UI allows you to interact with and manage the CrowdStrike Falcon Intelligence integration.
Follow these steps to access the CrowdStrike Falcon Intelligence Engine UI:
- Log into ThreatConnect with a System Administrator account.
- On the top navigation bar, hover over Playbooks and select Services. The Services tab of the Playbooks screen will be displayed.
- Locate the CrowdStrike Falcon Intelligence Engine Feed API Service and then click the link in the Service’s API Path field. The DASHBOARD screen of the CrowdStrike Falcon Intelligence Engine UI will open in a new browser tab.
The following screens are available in the CrowdStrike Falcon Intelligence Engine UI:
- DASHBOARD
- JOBS
- TASKS
- DOWNLOAD
- REPORT
DASHBOARD
The DASHBOARD screen (Figure 1) provides an overview of the total number of Actors, Reports, Hashes, Domains, IP Addresses, and Email Addresses retrieved from CrowdStrike.
JOBS
The JOBS screen (Figure 2) breaks down the ingestion of CrowdStrike data into manageable Job-like tasks.
- Job Type: If desired, select a Job type by which to filter Jobs. Available types include ad-hoc and scheduled.
- Status:If desired, select a Job status by which to filter Jobs. Available statuses include the following:
- Convert Complete
- Convert In Progress
- Download Complete
- Download In Progress
- Upload Complete
- Upload In Progress
- Request ID: If desired, enter text into this box to search for a specific Job by its request ID.
- + Add Request: Click this button to display the ADD REQUEST window (Figure 3). On this window, you can specify the date range, Group types, and Indicator types for an ad-hoc Job request. After a Job request is added, it will be displayed in the table on the JOBS screen (Figure 2), and its Job type will be listed as ad-hoc.
TASKS
The TASKS screen (Figure 4) is where you can view and manage the Tasks for each Job.
DOWNLOADS
The DOWNLOADS screen (Figure 5) is where you can view data for Indicators, Actors, and Reports exactly as they appear in CrowdStrike.
- Type: Select the type of object to download. Available options include Actor, Indicators, and Reports.
- ID(s): Enter the CrowdStrike ID(s) for the object(s) to download. Data will be retrieved in JavaScript® Object Notation (JSON) format.
- Convert: Select this checkbox to convert the threat intelligence data to ThreatConnect batch format.
- Enrich: Select this checkbox to submit the threat intelligence data to the ThreatConnect Batch API.
REPORTS
The REPORTS screen provides two views: BATCH ERRORS and PDF TRACKER. The BATCH ERRORS screen (Figure 6) displays batch errors for each request in a tabular format. Details provided for each error include the error’s code, message, and reason.
The PDF TRACKER screen (Figure 7) is where you can view attempts ThreatConnect made to download PDF reports from CrowdStrike. The table on this screen displays the most recent date on which ThreatConnect attempted to download a PDF report, the number of times an attempt to download the report was made, and whether the report was downloaded successfully. You can also search for reports by ID on this screen, which can be useful if you do not see a CrowdStrike PDF report in ThreatConnect as expected.
Data Mappings
The data mappings in Table 2 through Table 10 illustrate how data are mapped from CrowdStrike API endpoints to the ThreatConnect data model.
Reports
ThreatConnect object type: Report Group
| CrowdStrike API Field | ThreatConnect Field |
|---|---|
| resources.id | Attribute: "Report ID" |
| resources.name | Attribute: "Report Title" |
| resource.slug | N/A |
| resources.type | Attribute: "Report Type" |
| resources.sub_type | N/A |
| resources.url | Attribute: "Source" |
| resources.short_description | Attribute: "Description" |
| resources.created_date | Attribute: "External Date Created" |
| resources.last_modified_date | Attribute: "External Date Last Modified" |
| resources.thumbnail.url | N/A |
| resources.actor.id | N/A |
| resources.actor.name | (Actor Association) Note Actor Association refers to the association between the Report Group object and the Intrusion Set Group object. Customers should expect to see the Actor information as a Group association on the Report Group's Details screen. |
| resources.actor.url | N/A |
| resources.tags | Tag |
| resources.target_industries | Attribute: "Target Industry Sector" |
| resources.target_countries | Attribute: "Target Country" |
| resources.motivations | Attribute: "Adversary Motivation Type" |
Actors
ThreatConnect object type: Intrusion Set Group
| CrowdStrike API Field | ThreatConnect Field |
|---|---|
| resources.name | Name/Summary |
| resources.id | Attribute: "External ID" |
| resources.url | Attribute: "Source" |
| resources.description | Attribute: "Description" |
| resources.created_date | Attribute: "External Date Created" |
| resources.last_modified_date | Attribute: "External Date Last Modified" |
| resources.first_activity_date | Attribute: "First Seen" |
| resources.last_activity_date | Attribute: "Last Seen" |
| resources.active | Attribute: "Active" |
| resources.known_as | Attribute: "Aliases" (/n Separated) |
| resources.motivations | Attribute: "Adversary Motivation Type" |
| resources.objectives | Attribute: "Goals" |
| resources.capabilities | Attribute: "Capabilities" |
| resources.origins | Attribute: "Origin Country" |
| resources.target_countries | Attribute: "Target Country" |
| resources.target_industries | Attribute: "Targeted Industry Sector" |
| resources.kill_chain | Attribute: "Reconnaissance" |
| Attribute: "Weaponization" | |
| Attribute: "Delivery" | |
| Attribute: "Actions and Objectives" | |
| resources.group | N/A |
Actors-MITRE
ThreatConnect object type: Intrusion Set Group
| CrowdStrike API Field | ThreatConnect Field |
|---|---|
| technique_id | ATT&CK® Tag |
Indicators
ThreatConnect object type: Indicator (all types)
| CrowdStrike API Field | ThreatConnect Field |
|---|---|
| resources.id | Attribute: "External ID" |
| resources.indicator | Name/Summary |
| resources.type | Indicator Type |
| resources.last_updated | Attribute: "External Date Last Modified" |
| resources.published_date | Attribute: "External Date Created" |
| resources.malicious_confidence | Confidence Rating |
| resources._marker | N/A |
| resources.reports | (Report Association) Note Report Association refers to the association between the Indicator and the Report Group object. Customers should expect to see the Report information as a Group association on the Indicator’s Details screen. |
| resources.actors | (Actor Association) Note Actor Association refers to the association between the Indicator and the Intrusion Set Group object. Customers should expect to see the Actor information as a Group association on the Indicator’s Details screen. |
| resources.malware_families | N/A |
| resources.kill_chains | Attribute: "Phase of Intrusion" |
| resources.labels | Tag (If resources.labels.name starts with "MitreATTCK," an ATT&CK Tag will be applied to the Indicator.) |
| resources.domain_types | Tag |
| resources.ip_address_types | Tag |
| resources.relations | Attribute: "File Occurrence" |
| resources.targets | Attribute: "Targeted Industry Sector" |
| resources.threat_types | Tag |
| resources.vulnerabilities | Tag |
| malicious_confidence | Threat Rating and Confidence Rating |
|---|---|
| Unverified | 1 skull and 10 Confidence Rating |
| Low | 2 skulls and 40 Confidence Rating |
| Medium | 4 skulls and 75 Confidence Rating |
| High | 5 skulls and 95 Confidence Rating |
Malware Families
ThreatConnect object type: Malware Group
| CrowdStrike API Field | ThreatConnect Field |
|---|---|
| malware_families |
|
Malware Families-MITRE
ThreatConnect object type: Malware Group
| CrowdStrike API Field | ThreatConnect Field |
|---|---|
| resources | ATT&CK Tag |
Yara Signatures
ThreatConnect object type: Signature Group
| CrowdStrike API Field | ThreatConnect Field |
|---|---|
| resources.id | Attribute: "External ID" |
| resources.name | Tag |
| resources.type | N/A |
| resources.short_description | N/A |
| resources.description | Attribute: "Description" |
| resources.rich_text_description | N/A |
| resources.created_date | Attribute: "External Date Created" |
| resources.last_modified_date | Attribute: "External Date Last Modified" |
| resources.tags | Tag |
Vulnerabilities
ThreatConnect object type: Vulnerability Group
| CrowdStrike API Field | ThreatConnect Field |
|---|---|
| resources.vulnerabilities | Tag |
Troubleshooting
The CrowdStrike Falcon Intelligence Engine App is a Python®-based App that requires certificate verification. Organizations using SSL inspection solutions will need to import their internal CA certificate to the OS-trusted root certificate store in order for the connection to CrowdStrike to be initiated.
Frequently Asked Questions (FAQ)
Why are some ATT&CK techniques represented as standard Tags instead of ATT&CK Tags in ThreatConnect?
ThreatConnect converts Tags that match an active ATT&CK technique name or ID into ATT&CK Tags automatically. When ThreatConnect ingests deprecated or inactive ATT&CK techniques from CrowdStrike, they are mapped to standard Tags to keep the data consistent between ThreatConnect and CrowdStrike. Note that standard Tags representing deprecated or inactive ATT&CK techniques will be applied only to Indicators in ThreatConnect, as these ATT&CK techniques are dropped for Actors and Malware.
Why are there no ATT&CK Tags applied to Reports?
ATT&CK Tag support for Reports is planned for a future update of the CrowdStrike Falcon Intelligence Engine App. If you need this update sooner, please contact your Customer Success Manager (CSM) or submit feedback via Productboard.
ThreatConnect® is a registered trademark of ThreatConnect, Inc.
CrowdStrike® and CrowdStrike Falcon® are registered trademarks of CrowdStrike, Inc.
JavaScript® is a registered trademark of Oracle Corporation.
Python® is a registered trademark of the Python Software Foundation.
MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation.
30039-09 EN Rev. A
Was this article helpful?
