--- title: "CrowdStrike Falcon Intelligence Engine Integration User Guide" slug: "crowdstrike-falcon-intelligence-engine-integration-user-guide" description: "This article is a user guide for the CrowdStrike Falcon Intelligence Engine integration with ThreatConnect." updated: 2025-06-26T15:15:55Z published: 2025-06-26T15:15:55Z canonical: "knowledge.threatconnect.com/crowdstrike-falcon-intelligence-engine-integration-user-guide" --- > ## Documentation Index > Fetch the complete documentation index at: https://knowledge.threatconnect.com/llms.txt > Use this file to discover all available pages before exploring further. # CrowdStrike Falcon Intelligence Engine Integration User Guide Software VersionThis guide applies to the **CrowdStrike Falcon Intelligence Engine**App version 1.0.*x*. ## Overview The CrowdStrike Falcon® Intelligence Engine integration with ThreatConnect® lets you ingest Group (Actor, Malware, Report, and Vulnerability) and Indicator data, along with all of their context, from the CrowdStrike Falcon Intelligence feed into ThreatConnect. The following ThreatConnect Indicator types are supported for import from CrowdStrike Falcon Intelligence: Address, CIDR, Email Address, Email Subject, File, Host, Mutex, Registry Key, URL, and User Agent. Indicators are associated with Report and Intrusion Set Groups when imported into ThreatConnect. Reports Groups are also associated with Intrusion Set Groups when imported into ThreatConnect. In both cases, the Intrusion Set Groups represent related Actor Groups imported from CrowdStrike Falcon Intelligence. ## Dependencies ### ThreatConnect Dependencies - Active ThreatConnect Application Programming Interface (API) Key NoteAll ThreatConnect dependencies will be provided by default to subscribing ThreatConnect Cloud customers. Customers on Dedicated Cloud and On-Premises instances can enable these settings on the **Account Settings**screen within their ThreatConnect instance. ### CrowdStrike Dependencies - Active subscription to CrowdStrike Falcon Intelligence with API key with the following permissions: - **Actors**: Read=Yes - **Indicators**: Read=Yes - **Malware Families**: Read=Yes - **Reports**: Read=Yes ## Application Setup and Configuration Follow these steps to install the **CrowdStrike Falcon Intelligence Engine** App via TC Exchange™: 1. Log into ThreatConnect with a System Administrator account. 2. Hover over **Settings**![Settings icon](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Settings%20icon.png)on the top navigation bar and select **TC Exchange Settings**. Then select the **Catalog** tab on the **TC Exchange Settings** screen. 3. Locate the **CrowdStrike Falcon Intelligence Engine** App on the **Catalog** tab. Then click **Install**![Plus icon_Dark blue](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Plus%20icon_Dark%20blue.png) in the **Options** column to install the App. 4. After you install the **CrowdStrike Falcon Intelligence Engine** App, the [Feed Deployer](https://knowledge.threatconnect.com/docs/the-feed-deployer) will open automatically. Use the Feed Deployer to [set up and configure](https://knowledge.threatconnect.com/docs/feed-api-services) the App. See the [“Configuration Parameters”](/v1/docs/crowdstrike-falcon-intelligence-engine-integration-user-guide#configuration-parameters) section for more information on the parameters available during the configuration and deployment process. ## Configuration Parameters ### Parameter Definitions The parameters defined in Table 1 apply to the configuration parameters available when using the Feed Deployer to configure the **CrowdStrike Falcon Intelligence Engine** App. | Name | Description | Required? | | --- | --- | --- | | **Source**Tab | | Sources to Create | Enter the name of the Source for the feed. | Required | | Owner | Select the Organization in which the Source will be created. | Required | | Activate Deprecation | Select this checkbox to allow [confidence deprecation](https://knowledge.threatconnect.com/docs/indicator-confidence-deprecation) rules to be created and applied to Indicators in the Source. | Optional | | Create Attributes | Select this checkbox to allow [custom Attribute Types](https://knowledge.threatconnect.com/docs/creating-custom-attribute-types) to be created in the Source. | Optional | | **Parameters**Tab | | Launch Server | Select **tc-job**as the launch server for the Service corresponding to the Feed API Service App. | Required | | CrowdStrike API Endpoint | Select the CrowdStrike® API endpoint from which to retrieve data. Available choices include the following: - US-1 (api.crowdstrike.com) - US-Gov-1 (api.laggar.gcw.crowdstrike.com) - EU-1 (api.eu-1.crowdstrike.com) - US-2 (api.us-2.crowdstrike.com) | Required | | Group Types | Select the Group types to import from CrowdStrike Falcon Intelligence. Available options include the following: - actor (default) - malware - report (default) - vulnerability | Required | | Indicator Types | Select the Indicator types to import from CrowdStrike Falcon Intelligence. Available options include the following: - domain (default) - email_address (default) - email_subject (default) - ip_address (default) - ip_address-block (default) - mutex_name (default) - registry (default) - url (default) - user_agent (default) - hash_md5 - hash_sha1 - hash_sha256 (default) | Required | | **Variables**Tab | | CrowdStrike Falcon Intelligence API Secret | Enter the CrowdStrike API secret. | Required | | CrowdStrike Falcon Intelligence API ID | Enter the CrowdStrike API ID. | Required | | **Confirm**Tab | | Run Feeds after deployment | Select this checkbox to run the **CrowdStrike Falcon Intelligence Engine** App immediately after the deployment configuration is complete (i.e., after you click **DEPLOY** on the **Feed Deployer** window. | Optional | | Confirm Deployment Over Existing Source | This checkbox will be displayed if the Source entered in the **Sources to Create** field has previously been deployed to the Organization selected in the **Owner** dropdown on the **Source** tab. Select this checkbox to confirm that you want the **CrowdStrike Falcon Intelligence Engine** App to write data to the same Source. This process will create a new Service for the **CrowdStrike Falcon Intelligence Engine** App. As such, it is recommended that you delete the old Service associated with the **CrowdStrike Falcon Intelligence****Engine**App after the new one is created.ImportantIf you do not select this checkbox, the **DEPLOY** button will be grayed out, and you will not be able to deploy the Service. Return to the **Source** tab and enter a different Source or select a different Organization and then proceed through the tabs of the **Feed Deployer** window again. | Optional | ## CrowdStrike Falcon Intelligence Engine UI After successfully configuring and activating the [Feed API Service](https://knowledge.threatconnect.com/docs/feed-api-services), you can access the CrowdStrike Falcon Intelligence Engine user interface (UI). This UI allows you to interact with and manage the CrowdStrike Falcon Intelligence integration. Follow these steps to access the CrowdStrike Falcon Intelligence Engine UI: 1. Log into ThreatConnect with a System Administrator account. 2. On the top navigation bar, hover over **Playbooks**and select **Services**. 3. Locate the **CrowdStrike Falcon Intelligence Engine** Feed API Service. 4. Click the link in the Service’s **API Path**field. The **CrowdStrike Falcon Intelligence Engine** UI will open in a new browser tab. The following screens are available in the **CrowdStrike Falcon Intelligence Engine** UI: - [**Dashboard**](/v1/docs/crowdstrike-falcon-intelligence-engine-integration-user-guide#dashboard) - [**Jobs**](/v1/docs/crowdstrike-falcon-intelligence-engine-integration-user-guide#jobs) - [**Tasks**](/v1/docs/crowdstrike-falcon-intelligence-engine-integration-user-guide#tasks) - [**Download**](/v1/docs/crowdstrike-falcon-intelligence-engine-integration-user-guide#download) - [**Batch Errors**](/v1/docs/crowdstrike-falcon-intelligence-engine-integration-user-guide#batch-errors) - [**Attachment Status**](/v1/docs/crowdstrike-falcon-intelligence-engine-integration-user-guide#attachment-status) ### Dashboard The **Dashboard**screen (Figure 1) provides an overview of the total number of each Group and Indicator type retrieved from CrowdStrike Falcon Intelligence. Depending on the available data, cards representing all or a subset of these objects will be displayed on the **Dashboard** screen. ![Figure 1_CrowdStrike Falcon Intelligence Engine Integration User Guide_Software Version 1.0.5](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%201_CrowdStrike%20Falcon%20Intelligence%20Engine%20Integration%20User%20Guide_Software%20Version%201.0.5.png) ### Jobs The **Jobs******screen (Figure 2) breaks down the ingestion of CrowdStrike Falcon Intelligence data into manageable Job-like tasks, displaying all processes that are pending, in progress, complete, and failed. The **⋯** menu in a Job’s row provides the following options: - **Details**: View details for the Job, such as download, convert, and upload start and complete times and counts of downloaded and batched Groups and Indicators. - **Download Files**: Download metadata files for all Jobs and data (convert, download, and upload) files for completed Jobs. - **Batch Errors**: View errors that have occurred for the Job on the [**Batch Errors**](/v1/docs/crowdstrike-falcon-intelligence-engine-integration-user-guide#batch-errors) screen. ![Figure 2_CrowdStrike Falcon Intelligence Engine Integration User Guide_Software Version 1.0.5](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%202_CrowdStrike%20Falcon%20Intelligence%20Engine%20Integration%20User%20Guide_Software%20Version%201.0.5.png) You can filter **CrowdStrike Falcon Intelligence Engine** App Jobs by the following elements: - **Job ID**: Enter text into this box to search for a Job by its Job ID. - **Job Type**: Select Job types to display on the **Jobs** screen. - **Status**: Select Job statuses to display on the **Jobs** screen. ### Add a Job You can add ad-hoc Jobs on the **Jobs** screen. Follow these steps to create a request for an ad-hoc Job for the **CrowdStrike Falcon Intelligence Engine** App: 1. Click the **Add Job** button at the upper right of the **Jobs** screen (Figure 2). 2. Fill out the fields on the **Add Job** drawer (Figure 3) as follows: ![Figure 3_CrowdStrike Falcon Intelligence Engine Integration User Guide_Software Version 1.0.5](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%203_CrowdStrike%20Falcon%20Intelligence%20Engine%20Integration%20User%20Guide_Software%20Version%201.0.5.png) - **Start Time**: (Optional) Enter the time at which the Job should start. - **End Time**: (Optional) Enter the time by which the Job should end. - **Group Types**: (Optional) Select the CrowdStrike Falcon Intelligence Group types to include in the ad-hoc Job. - **Indicator Types**: (Optional) Select the CrowdStrike Falcon Intelligence Indicator types to include in the ad-hoc Job. 3. Click **Submit** to submit the request for the ad-hoc Job. ### Tasks The **Tasks** screen (Figure 4) displays all Tasks that may be part of a Job, including each step of the download, convert, and upload processes, as well as Tasks for the **CrowdStrike Falcon Intelligence Engine** App, such as Monitor, Scheduler, and Cleaner. The current status (**Idle**, **Paused**, or **Running**), name, description, and heartbeat timeout length, in minutes, are displayed for each Task. The **⋯** menu in a Task’s row provides the following options, depending on the Task’s status: - **Run** (idle and paused Tasks only) - **Pause** (idle and running Tasks only) - **Resume** (paused Tasks only) - **Kill** (running Tasks only) Under the table is a dashboard where you can view runtime analytics. ![Figure 4_CrowdStrike Falcon Intelligence Engine Integration User Guide_Software Version 1.0.5](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%204_CrowdStrike%20Falcon%20Intelligence%20Engine%20Integration%20User%20Guide_Software%20Version%201.0.5.png) ### Download The **Download**screen (Figure 5) lets you download JavaScript® Object Notation (JSON) data for CrowdStrike Falcon Intelligence objects and then upload the data into ThreatConnect. ![Figure 5_CrowdStrike Falcon Intelligence Engine Integration User Guide_Software Version 1.0.5](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%205_CrowdStrike%20Falcon%20Intelligence%20Engine%20Integration%20User%20Guide_Software%20Version%201.0.5.png) Follow these steps to download JSON data for a CrowdStrike Falcon Intelligence object on the **Download** screen and then upload the data into ThreatConnect: 1. **Intel Type**: Select a CrowdStrike Falcon Intelligence Group type (**Actor**, **Malware**, **Report**, or **Vulnerability**), or **Indicator** for all available CrowdStrike Falcon Intelligence Indicator types, to download. 2. **ID(s)**: Enter one or more CrowdStrike External IDs for the objects to download, separating each ID with a comma. The Actor, Malware, and Vulnerability types can also take a name as input.ImportantWhen entering multiple IDs or names, do not add a space before or after the comma.ImportantIf you enter a name that has a space in it (e.g., `cobalt strike`) and no results are returned, remove the space and try again (e.g., `cobaltstrike`). Actor types usually allow, but do not require, spaces (e.g., `fancy bear` and `fancybear` both yield results), whereas Malware types usually do not allow spaces. 3. Click **Download**. The JSON data will be displayed in two columns: **Results** (raw JSON data) and **Converted** (JSON data in ThreatConnect batch format) (Figure 6). ![Figure 6_CrowdStrike Falcon Intelligence Engine Integration User Guide_Software Version 1.0.5](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%206_CrowdStrike%20Falcon%20Intelligence%20Engine%20Integration%20User%20Guide_Software%20Version%201.0.5.png) 4. Click **Upload** to submit the converted threat intelligence data via the [ThreatConnect Batch API](https://docs.threatconnect.com/en/latest/rest_api/v2/batch_api/batch_api.html). ### Batch Errors The **Batch Errors** screen (Figure 7) displays an overview of the batch error types that have occurred for Job requests. You can enter keywords to filter by Job ID. ![Figure 7_CrowdStrike Falcon Intelligence Engine Integration User Guide_Software Version 1.0.5](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%207_CrowdStrike%20Falcon%20Intelligence%20Engine%20Integration%20User%20Guide_Software%20Version%201.0.5.png) Click on an error type to open a drawer containing a table with details on all batch errors of that type (Figure 8). You can enter keywords to filter by reason for error. ![Figure 8_CrowdStrike Falcon Intelligence Engine Integration User Guide_Software Version 1.0.5](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%208_CrowdStrike%20Falcon%20Intelligence%20Engine%20Integration%20User%20Guide_Software%20Version%201.0.5.png) ### Attachment Status The **Attachment Status**screen (Figure 9) displays a table with details on ThreatConnect's attempts to download Report attachments from CrowdStrike Falcon Intelligence. You can enter CrowdStrike External IDs for Groups to filter the table by Group ID, which can be useful if you do not see a CrowdStrike Falcon Intelligence attachment in ThreatConnect as expected, or by status. ![Figure 9_CrowdStrike Falcon Intelligence Engine Integration User Guide_Software Version 1.0.5](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%209_CrowdStrike%20Falcon%20Intelligence%20Engine%20Integration%20User%20Guide_Software%20Version%201.0.5.png) ## Data Mappings The data mappings in Table 2 through Table 10 illustrate how data are mapped from CrowdStrike Falcon Intelligence API endpoints to the [ThreatConnect data model](https://knowledge.threatconnect.com/docs/the-threatconnect-data-model). ### Reports ThreatConnect object type: Report Group | CrowdStrike API Field | ThreatConnect Field | | --- | --- | | resources.id | Attribute: "Report ID" | | resources.name | Attribute: "Report Title" | | resource.slug | N/A | | resources.type | Attribute: "Report Type" | | resources.sub_type | N/A | | resources.url | Attribute: "Source" | | resources.short_description | Attribute: "Description" | | resources.created_date | Attribute: "External Date Created" | | resources.last_modified_date | Attribute: "External Date Last Modified" | | resources.thumbnail.url | N/A | | resources.actor.id | N/A | | resources.actor.name | (Actor Association)NoteActor Association refers to the association between the Report Group object and its related Actor object, which is imported into ThreatConnect as an Intrusion Set Group object. In ThreatConnect, you can see the Actor as an associated Intrusion Set Group object on the **Associations** tab of the Report Group's **Details** screen. | | resources.actor.url | N/A | | resources.tags | Tag | | resources.target_industries | Attribute: "Target Industry Sector" | | resources.target_countries | Attribute: "Target Country" | | resources.motivations | Attribute: "Adversary Motivation Type" | ### Actors ThreatConnect object type: Intrusion Set Group | CrowdStrike API Field | ThreatConnect Field | | --- | --- | | resources.name | Name/Summary | | resources.id | Attribute: "External ID" | | resources.url | Attribute: "Source" | | resources.description | Attribute: "Description" | | resources.created_date | Attribute: "External Date Created" | | resources.last_modified_date | Attribute: "External Date Last Modified" | | resources.first_activity_date | Attribute: "First Seen" | | resources.last_activity_date | Attribute: "Last Seen" | | resources.active | Attribute: "Active" | | resources.known_as | Attribute: "Aliases" (/n Separated) | | resources.motivations | Attribute: "Adversary Motivation Type" | | resources.objectives | Attribute: "Goals" | | resources.capabilities | Attribute: "Capabilities" | | resources.origins | Attribute: "Origin Country" | | resources.target_countries | Attribute: "Target Country" | | resources.target_industries | Attribute: "Targeted Industry Sector" | | resources.kill_chain | Attribute: "Reconnaissance" | | Attribute: "Weaponization" | | Attribute: "Delivery" | | Attribute: "Actions and Objectives" | | resources.group | N/A | ### Actors-MITRE ThreatConnect object type: Intrusion Set Group | CrowdStrike API Field | ThreatConnect Field | | --- | --- | | technique_id | [ATT&CK® Tag](https://knowledge.threatconnect.com/docs/attack-tags) | ### Indicators ThreatConnect object type: Indicator (all types) | CrowdStrike API Field | ThreatConnect Field | | --- | --- | | resources.id | Attribute: "External ID" | | resources.indicator | Name/Summary | | resources.type | Indicator TypeNoteTable 6 shows how CrowdStrike Falcon Intelligence Indicator types are mapped to ThreatConnect Indicator types. | | resources.last_updated | Attribute: "External Date Last Modified" | | resources.published_date | Attribute: "External Date Created" | | resources.malicious_confidence | Confidence RatingNoteTable 7 shows how CrowdStrike Falcon Intelligence malicious confidence values are mapped to ThreatConnect Threat Rating and Confidence Rating. | | resources._marker | N/A | | resources.reports | (Report Association)NoteReport Association refers to the association between the Indicator and its related Report Group object. In ThreatConnect, you can see the Report Group object on the **Associations** tab of the Indicator’s **Details** screen. | | resources.actors | (Actor Association)NoteActor Association refers to the association between the Indicator and its related Actor object, which is imported into ThreatConnect as an Intrusion Set Group object. In ThreatConnect, you can see the Actor as an associated Intrusion Set Group object on the **Associations** tab of the Indicator’s **Details** screen. | | resources.malware_families | N/A | | resources.kill_chains | Attribute: "Phase of Intrusion" | | resources.labels | Tag (If **resources.labels.name**starts with "MitreATTCK," an [ATT&CK Tag](https://knowledge.threatconnect.com/docs/attack-tags) will be applied to the Indicator.) | | resources.domain_types | Tag | | resources.ip_address_types | Tag | | resources.relations | Attribute: "File Occurrence" | | resources.targets | Attribute: "Targeted Industry Sector" | | resources.threat_types | Tag | | resources.vulnerabilities | Tag | | CrowdStrike Indicator Type | ThreatConnect Indicator Type | | --- | --- | | Domain | Host | | Email Address | Email Address | | Email Subject | Email Subject | | IP Address | Address | | IP Address Block | CIDR | | Mutex Name | Mutex | | Registry | Registry Key | | URL | URL | | User Agent | User Agent | | Hash MD5 | File | | Hash SHA1 | | Hash SHA256 | | CrowdStrike malicious_confidence | ThreatConnect Threat Rating and Confidence Rating | | --- | --- | | Unverified | 1 skull and 10 Confidence Rating | | Low | 2 skulls and 40 Confidence Rating | | Medium | 4 skulls and 75 Confidence Rating | | High | 5 skulls and 95 Confidence Rating | ### Malware Families ThreatConnect object type: Malware Group | CrowdStrike API Field | ThreatConnect Field | | --- | --- | | malware_families | - Attribute: "Name" - Tag | | all_systems[] | Attribute: "Affected Systems" | | associated_actors[].name | Tag: "Intrusion Set: " | | capabilities[] | Attribute: "Capabilities" | | community_identifiers[] | Attribute: "Identifier" | | created_timestamp | - Attribute: "External Date Created" - dateAdded | | description | Attribute: "Description" | | developed_by[].name | - Attribute: "Developer" - Tag: "Intrusion Set: " | | kill_chain[] | Attribute: "Phase of Intrusion" | | last_updated | - Attribute: "External Date Last Modified" - externalLastModified | | mitre[].technique_id | Tag | | motivation[] | Attribute: "Motivation" | | name | - Tag: "Malware: " - name - xid | | next_stages[].name | Tag: "Malware: " | | sold_by[].name | - Attribute: "Sold By" - Tag: "Intrusion Set: " | | status | status | | successor_of[].name | - Attribute: "Successor" - Tag: "Malware: " | | target_industries[].name | Attribute: "Targeted Industry Sector" | | targeting_profile[] | Attribute: "Targeted Information" | | targets_systems[].customer_target | Attribute: "Targeted System" | | threat_properties[] | Attribute: "Malware Threat Type" | | used_by[].name | - Attribute: "User" - Tag: "Intrusion Set: " | | variant_of[].name | - Attribute: "Aliases" - Tag: "Malware: " | | variants[].name | - Attribute: "Aliases" - Tag: "Malware: " | ### Malware Families-MITRE ThreatConnect object type: Malware Group | CrowdStrike API Field | ThreatConnect Field | | --- | --- | | resources | [ATT&CK Tag](https://knowledge.threatconnect.com/docs/attack-tags) | ### Vulnerabilities ThreatConnect object type: Vulnerability Group | CrowdStrike API Field | ThreatConnect Field | | --- | --- | | resources.vulnerabilities | Tag | | affected_products[].product | Tag: "CPE Product: " | | affected_products[].vendor | Tag: "CPE Vendor: " | | affected_products[] | Attribute: "Vulnerable Product" | | cve | - Tag: "Vulnerability: " - name - xid | | cvss_v2_base.access_complexity | Attribute: "CVSS v2 Access Complexity" | | cvss_v2_base.access_vector | Attribute: "CVSS v2 Access Vector" | | cvss_v2_base.authentication | Attribute: "CVSS v2 Authentication" | | cvss_v2_base.availability_impact | Attribute: "CVSS v2 Availability Impact" | | cvss_v2_base.confidentiality_impact | Attribute: "CVSS v2 Confidentiality Impact" | | cvss_v2_base.integrity_impact | Attribute: "CVSS v2 Integrity Impact" | | cvss_v2_base.score | Attribute: "CVSS Score v2" | | cvss_v2_base.severity | Attribute: "CVSS v2 Base Severity" | | cvss_v3_base.attack_complexity | Attribute: "CVSS v3 Attack Complexity" | | cvss_v3_base.attack_vector | Attribute: "CVSS v3 Attack Vector" | | cvss_v3_base.availability_impact | Attribute: "CVSS v3 Availability Impact" | | cvss_v3_base.confidentiality_impact | Attribute: "CVSS v3 Confidentiality Impact" | | cvss_v3_base.integrity_impact | Attribute: "CVSS v3 Integrity Impact" | | cvss_v3_base.privileges_required | Attribute: "CVSS v3 Privileges Required" | | cvss_v3_base.scope | Attribute: "CVSS v3 Scope" | | cvss_v3_base.score | Attribute: "CVSS Score v3" | | cvss_v3_base.severity | Attribute: "CVSS v3 Base Severity" | | cvss_v3_base.user_interaction | Attribute: "CVSS v3 User Interaction" | | exploit_status | Attribute: "Exploitation State" | | publish_date | externalDateAdded | | Severity | Attribute: "Threat Level" | | updated_timestamp | externalLastModified | | {description: description, cvss_v2_score: cvss_v2_base.score, cvss_v3_score: cvss_v3_base.score} | Attribute: "Description" | ## Troubleshooting The **CrowdStrike Falcon Intelligence Engine** App is a Python®-based App that requires certificate verification. Organizations using SSL inspection solutions will need to import their internal CA certificate to the OS-trusted root certificate store in order for the connection to CrowdStrike to be initiated. ## Frequently Asked Questions (FAQ) **Why are some ATT&CK techniques represented as standard Tags instead of ATT&CK Tags in ThreatConnect?** ThreatConnect converts Tags that match an active ATT&CK technique name or ID into [ATT&CK Tags](https://knowledge.threatconnect.com/docs/attack-tags) automatically. When ThreatConnect ingests deprecated or inactive ATT&CK techniques from CrowdStrike, they are mapped to [standard Tags](https://knowledge.threatconnect.com/docs/applying-tags) to keep the data consistent between ThreatConnect and CrowdStrike. Note that standard Tags representing deprecated or inactive ATT&CK techniques will be applied only to Indicators in ThreatConnect, as these ATT&CK techniques are dropped for Actors and Malware. --- **Why are there no ATT&CK Tags applied to Reports?** ATT&CK Tag support for Reports is planned for a future update of the **CrowdStrike Falcon Intelligence Engine** App. If you need this update sooner, please contact your Customer Success Manager (CSM) or submit feedback via Productboard. --- *ThreatConnect® is a registered trademark of ThreatConnect, Inc.* *CrowdStrike® and CrowdStrike Falcon® are registered trademarks of CrowdStrike, Inc. JavaScript® is a registered trademark of Oracle Corporation. Python® is a registered trademark of the Python Software Foundation.* *MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation.* 30039-010 EN Rev. A ## Related - [CrowdStrike Falcon Insight Extract Integration Configuration Guide](/crowdstrike-falcon-insight-extract-integration-configuration-guide.md) ## Attachments - [CrowdStrike Falcon Intelligence Engine Integration User Guide_Software Version 1.0.pdf](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/CrowdStrike Falcon Intelligence Engine Integration User Guide_Software Version 1.0.pdf)