# CrowdStrike

# Release History

## 3.4.1, 3.3.4
Release date: 12 Nov 2024

**Fixed:**

- The API token is no longer kept in the stash; a new token is requested on every run.

## 3.3.3, 3.2.5
Release date: 14 Aug 2024

**Fixed:**

- Issue where the Yara Rule Feed failed when it could not parse the content of the latest rules file.

**Changed:**

- Yara Rule Feed now skips latest rules file blocks that it fails to parse.


## 3.3.2, 3.2.4, 3.1.8
Release date: 24 May 2024

**Fixed:**

- Issue where incoming feed runs failed because of a locked database.
- Issue where reports didn't have a description.


## 3.3.1, 3.2.3, 3.1.7
Release date: 29 Mar 2024

**Added:**

- Now provides Crowdstrike Vulnerability Intelligence (Related Threat Actors) Enricher.
- Now provides Crowdstrike Vulnerability Intelligence (Related Reports) Enricher.


## 3.2.2, 3.1.6, 2.14.8
Release date: 21 Feb 2024

**Fixed:**

- Updated the endpoints used by the outgoing feed and added the fields they require.
- Issue where the outgoing feed deleted all data from CrowdStrike.
- The outgoing feed now separates data for update from data for upload.


## 3.2.1, 3.1.5, 2.14.7
Release date: 06 Dec 2023

**Fixed:**

- Issue where consecutive feed runs did not download data.


## 3.1.4, 3.0.5, 2.14.6
Release date: 10 Oct 2023

**Added:**

- Now provides Crowdstrike Falcon Intelligence Yara Rule Feed.

## 3.1.3, 3.0.4, 2.14.5
Release date: 3 Oct 2023

**Changed:**

- CrowdStrike Falcon Intelligence Indicators Feed is updated.
  EclecticIQ Indicators produced by this feed now include:

  - The following CrowdStrike indicator fields ingested as related observables:

    | CrowdStrike indicator field name | Resulting EclecticIQ observable |
    | -------------------------------- | ------------------------------- |
    | `actors`                         | `actor-id` (new)                |
    | `malware_families`               | `malware` (new)                 |
    | `reports`                        | `name` (new)                    |

  - Updated CrowdStrike indicator fields ingested as tags:
    - `malware_families`: Resulting tags now do not have the `Malware Family -` prefix.
  - Now also ingests these CrowdStrike indicator fields as tags:
    - `threat_types`
    - `actors`

- CrowdStrike Falcon Intelligence Reports Feed is updated.
  Now:

  - Contents of the CrowdStrike `actors` field are processed as EclecticIQ `actor-id` observables.
  - Name of CrowdStrike report is ingested as a tag.

- CrowdStrike Falcon Intelligence Threat Actor Feed is updated.
  Now:

  - If the `kill_chain` field is present, its contents are checked for the following keys.
    For each key that exists, the corresponding EclecticIQ kill chain taxonomy
    is added to the resulting threat actor entity.

    | CrowdStrike kill_chain field | EclecticIQ kill chain taxonomy           |
    | ---------------------------- | ---------------------------------------- |
    | actions_and_objectives       | Kill chain phase - Actions On Objectives |
    | command_and_control          | Kill chain phase - Command and Control   |
    | delivery                     | Kill chain phase - delivery              |
    | exploitation                 | Kill chain phase - Exploitation          |
    | installation                 | Kill chain phase - Installation          |
    | reconnaissance               | Kill chain phase - Reconnaissance        |
    | weaponization                | Kill chain phase - Weaponization         |

  - If `kill_chain` contains `exploitations`, these exploitations are
    processed as CVE observables.
  - Ingests the contents of these CrowdStrike fields as tags:

    - `motivations`
    - `capabilities`
    - `objectives`
    - `target_industries`

  - When ingesting the CrowdStrike `known_as` field, threat actor aliases are now
    split only on commas, so that legitimate aliases containing periods,
    such as `Temp.Zagros`, are no longer broken apart.
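The Threat Actor Feed mapping described above (kill chain keys to taxonomies, `exploitations` to CVE observables, tag fields, comma-only alias splitting), as an added illustration; this is not the extension's own code. The shape of the actor record, the format of `exploitations`, and the `value` key on tag fields are assumptions, and the sample actor is constructed.

```python
import re
from typing import Any, Dict, List

# Key-to-taxonomy mapping copied from the release notes above.
KILL_CHAIN_TAXONOMY = {
    "actions_and_objectives": "Kill chain phase - Actions On Objectives",
    "command_and_control": "Kill chain phase - Command and Control",
    "delivery": "Kill chain phase - delivery",
    "exploitation": "Kill chain phase - Exploitation",
    "installation": "Kill chain phase - Installation",
    "reconnaissance": "Kill chain phase - Reconnaissance",
    "weaponization": "Kill chain phase - Weaponization",
}
TAG_FIELDS = ("motivations", "capabilities", "objectives", "target_industries")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)

def split_aliases(known_as: str) -> List[str]:
    """Split on commas only, so an alias such as 'Temp.Zagros' is kept whole."""
    return [alias.strip() for alias in known_as.split(",") if alias.strip()]

def cves_from_exploitations(value: Any) -> List[str]:
    """Assumption: `exploitations` is free text or a list of strings mentioning CVE ids."""
    texts = value if isinstance(value, list) else [value]
    # dict.fromkeys de-duplicates while keeping first-seen order
    return list(dict.fromkeys(m.upper() for text in texts for m in CVE_RE.findall(str(text))))

def transform_actor(actor: Dict[str, Any]) -> Dict[str, Any]:
    """Derive the EclecticIQ-side attributes from one CrowdStrike actor record (assumed shape)."""
    kill_chain = actor.get("kill_chain") or {}
    tags = []
    for field in TAG_FIELDS:
        # Assumption: values are plain strings or objects carrying a `value` key.
        for item in actor.get(field) or []:
            tags.append(item["value"] if isinstance(item, dict) else str(item))
    return {
        "aliases": split_aliases(actor.get("known_as") or ""),
        "kill_chain_taxonomies": [t for k, t in KILL_CHAIN_TAXONOMY.items() if kill_chain.get(k)],
        "cve_observables": cves_from_exploitations(kill_chain.get("exploitations") or []),
        "tags": tags,
    }

# Constructed sample record, not real CrowdStrike data.
SAMPLE_ACTOR = {
    "known_as": "Temp.Zagros, Example Group",
    "kill_chain": {"delivery": "Phishing e-mail", "exploitation": "Web application flaws",
                   "exploitations": ["Uses CVE-2021-44228 and cve-2017-0144 per reporting"]},
    "motivations": [{"value": "Criminal"}],
    "target_industries": [{"value": "Financial Services"}],
}
```

Calling `transform_actor(SAMPLE_ACTOR)` yields the alias list with `Temp.Zagros` intact, the two matching taxonomies in table order, both CVE ids normalised to upper case, and the tag values.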


## 3.1.2, 3.0.3, 2.14.4
Release date: 19 Sep 2023

**Changed:**

- When an observable is enriched with CrowdStrike Enricher,
  the enricher now finds CrowdStrike indicators related
  to the enriched observable and creates corresponding indicators
  in EclecticIQ Intelligence Center.

  If the enrichment finds CrowdStrike indicators
  that contain the following fields,
  the resulting EclecticIQ indicator will contain observables
  of the corresponding type:

  | CrowdStrike indicator field name | Resulting EclecticIQ observable |
  | -------------------------------- | ------------------------------- |
  | `actors`                         | `actor-id` (new)                |
  | `domain`                         | `domain`                        |
  | `email_address`                  | `email`                         |
  | `email_subject`                  | `email-subject`                 |
  | `file_name`                      | `file`                          |
  | `hash_md5`                       | `hash-md5`                      |
  | `hash_sha1`                      | `hash-sha1`                     |
  | `hash_sha256`                    | `hash-sha256`                   |
  | `ip_address`                     | `ipv4`                          |
  | `ip_address_block`               | `inetnum`                       |
  | `malware_families`               | `malware` (new)                 |
  | `persona_name`                   | `handle`                        |
  | `phone_number`                   | `telephone`                     |
  | `port`                           | `port`                          |
  | `registry`                       | `winregistry`                   |
  | `reports`                        | `name` (new)                    |
  | `url`                            | `uri`                           |

  Previously, the CrowdStrike Enricher would only create related observables
  for a given enrichment.


## 2.14.3, 3.0.2, 3.1.1

Release date: 31 July 2023

**Added:**

- Adds these fields so users can set FQL (Falcon Query Language)
  filters for CrowdStrike object types in an incoming feed:

  - Actors filter
  - Malware families filter
  - Vulnerabilities filter
  - Domain types filter
  - Indicator types filter
  - IP address types filter
  - Kill chain points filter
  - Malicious confidences filter
  - Statuses filter
  - Targets filter
  - Threat types filter

**Changed:**

- No longer creates 'producer' extracts when
  'Skip extraction of observables from unstructured text' is not selected.


## 2.14.1, 3.0.1

Release date: 12 May 2022

**Fixed:**

- Issue where PDFs were silently ignored because they exceeded a fixed size limit.
  This limit now follows the MAX_BLOB_SIZE property in `/etc/eclecticiq/platform_settings.py`
  and can be configured there.
  In addition, when the extension encounters an attachment larger than MAX_BLOB_SIZE,
  it now logs a warning and does not ingest the attachment.
- Issue where MITRE ATT&CK techniques that belonged to multiple parent tactics
  resulted in multiple MITRE ATT&CK classifications being assigned to a given entity.


## 2.10.4, 2.11.3

Release date: 11 March 2022

**Fixed:**

- Issue where incoming feeds would fail when data from
  CrowdStrike contained tags with no values,
  or when a CrowdStrike report contained no tags.


## 2.11.2

Release date: 17 February 2022

**Changed:**

- Now processes ATT&CK information to produce ATT&CK classifications for ingested indicators.


## 2.9.2, 2.10.3, 2.11.1

Release date: 17 November 2021

**Changed:**

- The CrowdStrike Falcon Intelligence indicator feed now provides an option
  to choose which indicator types are ingested.


## 2.10.2

Release date: 12 October 2021

**Fixed:**

- Issue where incoming feeds would fail with a 'KeyError' when
  attempting to process entities that had been marked as
  'deleted' by CrowdStrike but had no existing tags.


## 2.9.1, 2.10.1

Release date: 22 September 2021

**Changed:**

- Intelligence marked as "deleted" on CrowdStrike Falcon is now ingested
  by the incoming feed, producing corresponding indicators tagged 'Crowdstrike - Deleted'
  with their threat end time field set to zero.


## Initial release

Release date: 10 August 2017

**Features:**

- Now provides the CrowdStrike Enricher.
- Now provides the CrowdStrike Falcon: Custom IOC upload outgoing feed.
- Now provides the CrowdStrike Falcon indicator JSON incoming feed.
- Now provides the CrowdStrike Falcon report JSON incoming feed.
- Now provides the CrowdStrike Falcon actor JSON incoming feed.