Incoming feed - Crowdstrike Falcon Intelligence Indicator Feed#

Note

This article describes how to configure incoming feeds for a particular feed source. To see how to configure incoming feeds in general, see Create and configure incoming feeds.

Specifications

Transport types

Crowdstrike Falcon Intelligence Indicator Feed

Content type

Crowdstrike Falcon Intelligence JSON

Ingested data

Ingests Indicators from your Crowdstrike Falcon Intelligence environment.

Endpoint(s)

https://api.crowdstrike.com

Processed data

See Data mapping.

Requirements#

  • Crowdstrike Falcon Intelligence OAuth2 API ID

  • Crowdstrike Falcon Intelligence OAuth2 API key

  • At least Read permissions for the Indicators (Falcon Intelligence) API scope

Configure the incoming feed#

  1. Create or edit an incoming feed.

  2. Under Transport and content, fill out these fields:

    Note

    Required fields are marked with an asterisk (*).

    Field

    Description

    Transport type*

    Select Crowdstrike Falcon Intelligence Indicator Feed from the drop-down menu.

    Content type*

    Select Crowdstrike Falcon Intelligence JSON from the drop-down menu.

    API URL*

    By default, this is set to https://api.crowdstrike.com.

    Check that this is set to the correct endpoint for your Crowdstrike Falcon Intelligence cloud environment.

    For example, if you access your Crowdstrike Falcon Intelligence cloud environment at falcon.us-2.crowdstrike.com, set this to api.us-2.crowdstrike.com.

    For more information, see CrowdStrike OAuth2 auth token API documentation.

    API ID*

    Set this to your Crowdstrike Falcon Intelligence OAuth2 API ID.

    API key*

    Set this to your Crowdstrike Falcon Intelligence OAuth2 API key.

    SSL verification

    Selected by default. Select this option to enable SSL for this feed.

    Path to SSL certificate file.

    Used when connecting to a feed source that uses a custom CA. Set this as the path to the SSL certificate to use when authenticating the feed source.

    For more information, see SSL certificates.

    Start ingesting from*

    Ingest data from the feed source starting from this date and time. Use the drop-down calendar to select the date and time you want to start ingesting feed data from.

  3. Store your changes by selecting Save.

SSL certificates#

To use an SSL certificate, it must be:

  • Accessible on the EclecticIQ Intelligence Center host.

  • Placed in a location that can be accessed by the eclecticiq user.

  • Owned by eclecticiq:eclecticiq.

To make sure that EclecticIQ Intelligence Center can access the SSL certificate:

  1. Upload the SSL certificate to a location on the EclecticIQ Intelligence Center host.

  2. On the EclecticIQ Intelligence Center host, open the terminal.

  3. Change ownership of the SSL certificate by running as root in the terminal:

    chown eclecticiq:eclecticiq /path/to/cert.pem

    Where /path/to/cert.pem is the location of the SSL certificate EclecticIQ Intelligence Center needs to access.

Data mapping#

Map indicators#

This table shows how each record from the Crowdstrike Falcon Intelligence Indicator Feed is mapped to Indicator on the platform:

Indicator field name

Mapped from feed source

Example value

Description

Title

Name

391196688aa55d3321deffa736f8d103b4813470952b748e9c2c9deb17fa60f5

Indicator found in your Crowdstrike Falcon Intelligence cloud environment.

Analysis

Various

  • It is believed the malicious actor is still in control of this Domain.

  • This indicator has been linked to the following MITRE ATT&CK techniques:

    • Input Capture

Crowdstrike Falcon Intelligence indicator labels are mapped to this section as specified in CrowdStrike documentation.

Types

type

File Hash Watchlist

See Supported CrowdStrike indicator types.

Confidence

malicious_confidence

Medium

Indicator Confidence is mapped directly from the malicious_confidence field in CrowdStrike JSON.

Estimated time

Various

Various

See Map indicator timestamps.

Map indicator timestamps#

The following table describes how Crowdstrike Falcon Intelligence Indicator timestamps are mapped to Indicator timestamps on the platform.

Indicator estimated time field

CrowdStrike JSON field

Start time

published_date

End time

N/A

Observed

published_date

Half-life

30 days

Ingested

Date and time ingested.

Map kill chain phases#

Crowdstrike Falcon Intelligence describes the kill chain phase that a given Indicator is involved by setting its kill_chains field. The following table shows how the value of an Indicator’s kill_chains field is mapped to an EclecticIQ Indicator tag.

CrowdStrike Indicator kill_chains value

EclecticIQ Indicator Tags

reconnaissance

Kill chain phase - Reconnaissance

weaponization

Kill chain phase - Weaponization

delivery

Kill chain phase - Delivery

exploitation

Kill chain phase - Exploitation

installation

Kill chain phase - Installation

c2

Kill chain phase – Command and Control

actionOnObjectives

Kill chain phase – Actions on Objectives

Map malware families#

When a Crowdstrike Falcon Intelligence Indicator is associated with a malware family, it has the name of the malware family set in the malware_families field. This is mapped to the following fields in the corresponding EclecticIQ Indicator:

  • Malware Artifact is added to the Indicator Types* field.

  • Malware Family - <malware_name> is added to the Indicator Tags field.

Supported CrowdStrike indicator types#

CrowdStrike indicator types

Creates EclecticIQ Indicator

Creates EclecticIQ Observable with type

binary_string

compile_time

device_name

domain

Yes

domain

email_address

Yes

email

email_subject

event_name

file_mapping

file_name

file_path

hash_ion

hash_md5

Yes

hash-md5

hash_sha1

Yes

hash-sha1

hash_sha256

Yes

hash-sha256

ip_address

Yes

Ipv4

ip_address_block

mutex_name

password

persona_name

phone_number

port

registry

semaphore_name

service_name

url

Yes

uri

user_agent

username

x509_serial

x509_subject

campaign_id