# Enricher - CrowdStrike Enricher

Note: This article describes how to configure a particular enrichment source. To see how to configure enrichers in general, see Configure enrichers.
| Specifications | |
|---|---|
| Enricher name | CrowdStrike Enricher |
| Supported observable types | |
| Output | Enriches supported observable types. |
| API endpoint | |
| Description | This enricher retrieves observables that are associated with the enriched observable. For more information, see Data mapping. |
## Requirements

- CrowdStrike OAuth2 API ID
- CrowdStrike OAuth2 API key
- At least Read permissions for the Indicators (Falcon Intelligence) API scope
## Automatic enrichment

Avoid setting up enrichment rules for the CrowdStrike enricher. Enrichment rules let this enricher run automatically on every matching observable, which can rapidly consume your API request quota. Instead, run the enricher manually.
## Set up the enricher

Before using the enricher, configure it to add your CrowdStrike credentials:

1. Select the enricher from the displayed list.
2. Edit the enricher by selecting More > Edit from the top right.
3. In the Edit enricher task view, fill out these fields:

   Note: Required fields are marked with an asterisk (*).

   | Field | Description |
   |---|---|
   | API URL* | By default, this is set to https://api.crowdstrike.com/. Check that this is set to the correct endpoint for your CrowdStrike cloud environment. For example, if you access your CrowdStrike cloud environment at falcon.us-2.crowdstrike.com, set this to api.us-2.crowdstrike.com. For more information, see CrowdStrike OAuth2 auth token API documentation. |
   | API ID* | Set this to your CrowdStrike OAuth2 API ID. |
   | API key* | Set this to your CrowdStrike OAuth2 API key. |

4. Click Save to store your changes.
## Default configuration

These are the default configuration parameters for the CrowdStrike enricher:

Note: Required fields are marked with an asterisk (*).

| Field | Description |
|---|---|
| Name | Leave this as "CrowdStrike Enricher". Set by default. |
| Override TLP | Forces all entities and observables produced by this extension to inherit this TLP value. |
| Description* | Enter a description for this enricher. |
| Cache validity (sec)* | Set to |
| Rate limit (per sec)* | Set to |
| Monthly execution cap (runs)* | Set to |
| Source reliability* | Assign a reliability level to entities and observables produced by this extension. The values here are based on the Admiralty System. |
| Observable types* | Observable types to enrich. By default, this is set to the observables supported by the CrowdStrike enricher: |
| Enabled | Select to enable this enricher. |
| API URL* | By default, this is set to https://api.crowdstrike.com/. Check that this is set to the correct endpoint for your CrowdStrike cloud environment. For example, if you access your CrowdStrike cloud environment at falcon.us-2.crowdstrike.com, set this to api.us-2.crowdstrike.com. For more information, see CrowdStrike OAuth2 auth token API documentation. |
| API ID* | Set this to your CrowdStrike OAuth2 API ID. |
| API key* | Set this to your CrowdStrike OAuth2 API key. |
| SSL verification | Selected by default. Select to enable SSL verification. |
| Path to SSL certificate file | Used when connecting to a feed source that uses a custom CA. Set this as the path to the SSL certificate to use when authenticating the feed source. |
## Data mapping

When the CrowdStrike Enricher runs, it enriches observables by:

1. Searching for indicators on CrowdStrike that contain information related to the enriched observable.
2. Retrieving the name and type of these indicators, and ingesting them as observables connected to the enriched observable.

The following table shows how CrowdStrike indicator types are mapped to resulting observable types.
| CrowdStrike indicator type | Creates EclecticIQ observable with type |
|---|---|
| binary_string | |
| compile_time | |
| device_name | |
| domain | domain |
| email_address | |
| email_subject | |
| event_name | |
| file_mapping | |
| file_name | |
| file_path | |
| hash_ion | |
| hash_md5 | hash-md5 |
| hash_sha1 | hash-sha1 |
| hash_sha256 | hash-sha256 |
| ip_address | ipv4 |
| ip_address_block | |
| mutex_name | |
| password | |
| persona_name | |
| phone_number | |
| port | |
| registry | |
| semaphore_name | |
| service_name | |
| url | uri |
| user_agent | |
| username | |
| x509_serial | |
| x509_subject | |
| campaign_id | |
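The following is an added illustration, not EclecticIQ's or CrowdStrike's own code, of two things this page describes: the indicator-type mapping from the table above (only the pairs the table lists) and the quota controls from the default configuration (cache validity, rate limit per second, monthly execution cap) that keep an enricher from spending the API request quota. The fetch callable, the "type"/"indicator" field names and the sample values are assumptions.

```python
import time
from collections import deque

# Pairs from the data-mapping table above; other CrowdStrike types are dropped.
INDICATOR_TYPE_MAP = {
    "domain": "domain", "hash_md5": "hash-md5", "hash_sha1": "hash-sha1",
    "hash_sha256": "hash-sha256", "ip_address": "ipv4", "url": "uri",
}
# Constructed sample indicators (hypothetical values; the "type"/"indicator"
# field names are an assumption, not taken from this page).
SAMPLE_INDICATORS = [
    {"type": "domain", "indicator": "bad.example"},
    {"type": "ip_address", "indicator": "192.0.2.10"},
    {"type": "mutex_name", "indicator": "Global\\demo"},  # unmapped: dropped
]

def map_indicators(indicators):
    """Convert CrowdStrike indicators to (EclecticIQ type, value) pairs."""
    result = []
    for ind in indicators:
        eiq_type = INDICATOR_TYPE_MAP.get(ind.get("type"))
        if eiq_type and ind.get("indicator"):
            result.append((eiq_type, ind["indicator"]))
    return result

class QuotaGuardedEnricher:
    """Applies cache validity, per-second rate limit and monthly cap to a fetch."""
    def __init__(self, fetch, cache_validity_sec, rate_limit_per_sec,
                 monthly_cap, clock=time.monotonic):
        self.fetch, self.clock = fetch, clock
        self.cache_validity = cache_validity_sec
        self.rate_limit, self.monthly_cap = rate_limit_per_sec, monthly_cap
        self.cache = {}                       # value -> (fetched_at, observables)
        self.window, self.runs = deque(), 0   # recent fetch times; monthly count

    def enrich(self, value):
        now = self.clock()
        hit = self.cache.get(value)
        if hit and now - hit[0] < self.cache_validity:
            return hit[1]            # served from cache: no API request spent
        while self.window and now - self.window[0] >= 1.0:
            self.window.popleft()    # drop fetches older than one second
        if len(self.window) >= self.rate_limit:
            raise RuntimeError("rate limit reached; retry later")
        if self.runs >= self.monthly_cap:
            raise RuntimeError("monthly execution cap reached")
        observables = map_indicators(self.fetch(value))
        self.window.append(now)
        self.runs += 1
        self.cache[value] = (now, observables)
        return observables
```

Wiring the enricher to an enrichment rule would call enrich() for every matching observable; with a low monthly cap the guard above refuses further fetches once the cap is spent instead of letting the quota drain silently.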