Enricher - Crowdstrike Vulnerability Intelligence (Related Threat Actors) Enricher
Note
This article describes how to configure a particular enrichment source. To see how to configure enrichers in general, see Configure enrichers.
| Specification | |
|---|---|
| Enricher name | Crowdstrike Vulnerability Intelligence (Related Threat Actors) Enricher |
| Supported observable types | |
| Output | Enriches supported observable types to produce: |
| API endpoint | Default: |
Note
This enricher can be used in conjunction with Enricher - Crowdstrike Vulnerability Intelligence (Related Reports) Enricher to enrich CVEs to find related CrowdStrike reports.
Requirements
Your CrowdStrike account requires these permissions:
“Vulnerabilities (Falcon Intelligence)”
“Actors (Falcon Intelligence)”
You must also retrieve a Client ID and Client Secret to use when configuring the enricher. See https://www.crowdstrike.com/blog/tech-center/get-access-falcon-apis/.
Configure the enricher
Note
Required fields are marked with an asterisk (*).
Edit the enricher.
Set the Source reliability for this enricher. All objects produced by this enricher inherit this source reliability.
In the Parameters section, set the following fields:
| Field name | Description |
|---|---|
| API URL* | Default: https://api.crowdstrike.com. Change this to match your CrowdStrike account’s API URL. |
| API ID* | Enter your CrowdStrike Client ID. To get a Client ID, see https://www.crowdstrike.com/blog/tech-center/get-access-falcon-apis/. |
| API key* | Enter your CrowdStrike Client Secret. To get a Client Secret, see https://www.crowdstrike.com/blog/tech-center/get-access-falcon-apis/. |
| SSL verification | Select to enforce SSL verification. |
| Path to SSL certificate file | Enter the path to an SSL certificate file located on the EclecticIQ Intelligence Center host filesystem. |
To use an SSL certificate, it must be:
Accessible on the EclecticIQ Intelligence Center host.
Placed in a location that can be accessed by the eclecticiq user.
Owned by eclecticiq:eclecticiq.
To make sure that EclecticIQ Intelligence Center can access the SSL certificate:
Upload the SSL certificate to a location on the EclecticIQ Intelligence Center host.
On the EclecticIQ Intelligence Center host, open the terminal.
Change ownership of the SSL certificate by running as root in the terminal:
chown eclecticiq:eclecticiq /path/to/cert.pem
Where /path/to/cert.pem is the location of the SSL certificate EclecticIQ Intelligence Center needs to access.
Select Save to save your changes.
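The certificate file requirements above can be checked from the terminal before you save the enricher. The script below is an added example, not part of the EclecticIQ documentation: the function name, the file name check_cert.sh, the return codes, the group/world-writable check and the PEM marker test are assumptions of this example, and it relies on GNU stat.

```shell
#!/bin/sh
# Added example (not EclecticIQ code): pre-flight check for the certificate file.
# Run it as the eclecticiq user, for example:
#   sudo -u eclecticiq sh check_cert.sh /path/to/cert.pem
# Assumes GNU stat (-c) and a PEM-encoded file, as the cert.pem example path suggests.

# check_cert_file PATH [OWNER:GROUP]
# Return codes are this example's own convention:
#   0 ok              1 not a regular file    2 wrong owner:group
#   3 not readable    4 group/other-writable  5 no PEM certificate block
check_cert_file() {
    cert=$1
    want=${2:-eclecticiq:eclecticiq}   # ownership required by the page

    [ -f "$cert" ] || { echo "not a regular file: $cert" >&2; return 1; }

    have=$(stat -c '%U:%G' "$cert")
    [ "$have" = "$want" ] || { echo "owner is $have, expected $want" >&2; return 2; }

    # -r tests the invoking user, which is why the script should run as eclecticiq.
    [ -r "$cert" ] || { echo "not readable by the current user: $cert" >&2; return 3; }

    # Extra check added by this example: a trust file that other accounts can
    # rewrite lets them change which server certificates are accepted.
    mode=$(stat -c '%a' "$cert")
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "mode $mode is group- or world-writable" >&2
        return 4
    fi

    grep -q -e '-----BEGIN CERTIFICATE-----' "$cert" ||
        { echo "no PEM certificate block in $cert" >&2; return 5; }

    return 0
}

# Only run the check when a path is given on the command line.
if [ $# -gt 0 ]; then
    check_cert_file "$@"
fi
```

A zero exit status means the file meets the ownership and access requirements; any other status is explained on standard error.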