Enricher - CrowdStrike Falcon Intelligence Indicator enricher
This article describes how to configure a particular enrichment source. To see how to configure enrichers in general, see Configure enrichers.
| Specifications | |
| --- | --- |
| Enricher name | CrowdStrike Enricher |
| Supported observable types | |
| Output | Enriches supported observable types. |
| API endpoint | |
| Description | This enricher retrieves observables that are associated with the enriched observable. For more information, see Data mapping. |
Requirements
CrowdStrike OAuth2 API ID
CrowdStrike OAuth2 API key
At least Read permissions for the Indicators (Falcon X) API scope
Automatic enrichment
Avoid setting up enrichment rules for the CrowdStrike enricher.
Enrichment rules let this enricher run automatically, which can rapidly consume your API request quota.
Instead, run the enricher manually.
Set up the enricher
Before using the enricher, configure it to add your CrowdStrike credentials:
Go to Data configuration > Enrichers.
Select the enricher from the displayed list.
Edit the enricher by selecting More > Edit from the top right.
In the Edit enricher task view, fill out these fields:
Required fields are marked with an asterisk (*).

| Field | Description |
| --- | --- |
| API URL* | By default, this is set to https://api.crowdstrike.com/. Check that this is set to the correct endpoint for your CrowdStrike cloud environment. For example, if you access your CrowdStrike cloud environment at falcon.us-2.crowdstrike.com, set this to api.us-2.crowdstrike.com. For more information, see the CrowdStrike OAuth2 auth token API documentation. |
| API ID* | Set this to your CrowdStrike OAuth2 API ID. |
| API key* | Set this to your CrowdStrike OAuth2 API key. |
Click Save to store your changes.
Default configuration
These are the default configuration parameters for the CrowdStrike enricher:
Required fields are marked with an asterisk (*).
| Field | Description |
| --- | --- |
| Name | Leave this as "CrowdStrike Enricher". Set by default. |
| Override TLP | Forces all entities and observables produced by this extension to inherit this TLP value. |
| Description* | Enter a description for this enricher. |
| Cache validity (sec)* | Set to 2592000 seconds (30 days) by default. |
| Rate limit (per sec)* | Set to 1000 seconds by default. |
| Monthly execution cap (runs)* | Set to 1000000 runs by default. |
| Source reliability* | Assign a reliability level to entities and observables produced by this extension. The values here are based on the Admiralty System. |
| Observable types* | Observable types to enrich. By default, this is set to the observables supported by the CrowdStrike enricher: |
| Enabled | Select to enable this enricher. |
| API URL* | By default, this is set to https://api.crowdstrike.com/. Check that this is set to the correct endpoint for your CrowdStrike cloud environment. For example, if you access your CrowdStrike cloud environment at falcon.us-2.crowdstrike.com, set this to api.us-2.crowdstrike.com. For more information, see the CrowdStrike OAuth2 auth token API documentation. |
| API ID* | Set this to your CrowdStrike OAuth2 API ID. |
| API key* | Set this to your CrowdStrike OAuth2 API key. |
| SSL verification | Selected by default. Select to enable SSL verification. |
| Path to SSL certificate file | Used when connecting to a feed source that uses a custom CA. Set this to the path of the SSL certificate to use when authenticating the feed source. |
Data mapping
When the CrowdStrike Enricher runs, it enriches observables by:
Searching for indicators on CrowdStrike that contain information related to the enriched observable.
Retrieving the name and type of these indicators, and ingesting them as observables connected to the enriched observable.
The following table shows how CrowdStrike indicator types are mapped to resulting observable types.
| CrowdStrike indicator type | Creates EclecticIQ observable with type |
| --- | --- |
| binary_string | |
| compile_time | |
| device_name | |
| domain | domain |
| email_address | |
| email_subject | |
| event_name | |
| file_mapping | |
| file_name | |
| file_path | |
| hash_ion | |
| hash_md5 | hash-md5 |
| hash_sha1 | hash-sha1 |
| hash_sha256 | hash-sha256 |
| ip_address | Ipv4 |
| ip_address_block | |
| mutex_name | |
| password | |
| persona_name | |
| phone_number | |
| port | |
| registry | |
| semaphore_name | |
| service_name | |
| url | uri |
| user_agent | |
| username | |
| x509_serial | |
| x509_subject | |
| campaign_id | |
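As an added illustration of the mapping above (not code from the EclecticIQ enricher or from CrowdStrike), this Python snippet applies the table to constructed indicator records shaped as `{'type', 'indicator'}` dicts, an assumed shape rather than the Falcon API's, and shows why a shape check belongs next to the type lookup: `ip_address` maps only to `Ipv4`, so an IPv6 value must be dropped rather than ingested under the wrong observable type.

```python
import ipaddress
import re

# From the Data mapping table above; CrowdStrike types with no target type in the table are left out.
CS_TO_EIQ_TYPE = {
    "domain": "domain",
    "hash_md5": "hash-md5",
    "hash_sha1": "hash-sha1",
    "hash_sha256": "hash-sha256",
    "ip_address": "Ipv4",
    "url": "uri",
}
HASH_HEX_LEN = {"hash-md5": 32, "hash-sha1": 40, "hash-sha256": 64}

def is_valid_for_type(eiq_type, value):
    """Shape check so a mis-typed record (e.g. IPv6 under ip_address, mapped only to Ipv4) is skipped."""
    if eiq_type in HASH_HEX_LEN:
        return re.fullmatch(r"[0-9a-f]{%d}" % HASH_HEX_LEN[eiq_type], value) is not None
    if eiq_type == "Ipv4":
        try:
            return isinstance(ipaddress.ip_address(value), ipaddress.IPv4Address)
        except ValueError:
            return False
    return eiq_type in ("domain", "uri")  # no shape check applied to these here

def map_indicators(records):
    """Constructed {'type', 'indicator'} records -> unique (eiq_type, value) pairs."""
    seen, out = set(), []
    for rec in records:
        eiq_type = CS_TO_EIQ_TYPE.get(rec.get("type", ""))
        value = rec.get("indicator", "").strip()
        if eiq_type in HASH_HEX_LEN:
            value = value.lower()  # hashes compare case-insensitively
        if eiq_type is None or not is_valid_for_type(eiq_type, value):
            continue  # unmapped type or malformed value: nothing to ingest
        if (eiq_type, value) not in seen:
            seen.add((eiq_type, value))
            out.append((eiq_type, value))
    return out

SAMPLE = [  # constructed records, not real CrowdStrike output
    {"type": "hash_sha256", "indicator": "A" * 64},
    {"type": "hash_sha256", "indicator": "a" * 64},      # same hash, other case
    {"type": "ip_address", "indicator": "2001:db8::1"},  # IPv6: no Ipv4 target
    {"type": "ip_address", "indicator": "203.0.113.10"},
    {"type": "mutex_name", "indicator": "Global\\example"},  # unmapped type
    {"type": "url", "indicator": "http://example.test/path"},
]
```

Running `map_indicators(SAMPLE)` yields one `hash-sha256`, one `Ipv4` and one `uri` pair; the IPv6 address, the duplicate hash and the mutex name are all dropped.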