Enricher - Crowdstrike Falcon Intelligence Indicator enricher

This article describes how to configure a particular enrichment source. To see how to configure enrichers in general, see Configure enrichers.


Specifications

Enricher name

CrowdStrike Enricher

Supported observable types

  • domain

  • email

  • hash-md5

  • hash-sha1

  • hash-sha256

  • ipv4

  • uri

Output

Enriches supported observable types.

API endpoint

  • https://api.crowdstrike.com/intel/queries/indicators/v1

Description

This enricher retrieves observables that are associated with the enriched observable. For more information, see Data mapping.

Requirements

  • CrowdStrike OAuth2 API ID

  • CrowdStrike OAuth2 API key

  • At least Read permissions for the Indicators (Falcon X) API scope

Automatic enrichment

Avoid setting up enrichment rules for the CrowdStrike enricher.

Setting up enrichment rules for this enricher allows it to automatically run and rapidly consume your API request quota.

Instead, run the enricher manually.

Set up the enricher

Before using the enricher, configure it to add your CrowdStrike credentials:

  1. Go to Data configuration images/download/attachments/86441157/robot.svg-x24.png > Enrichers.

  2. Select the enricher from the displayed list.

  3. Edit the enricher by selecting from the top right More images/download/attachments/86441157/ellipsis-v.svg-x24.png > Edit.

  4. In the Edit enricher task view, fill out these fields:

    Required fields are marked with an asterisk (*).

    Field

    Description

    API URL*

    By default, this is set to https://api.crowdstrike.com/.

    Check that this is set to the correct endpoint for your CrowdStrike cloud environment.

    For example, if you access your CrowdStrike cloud environment at falcon.us-2.crowdstrike.com, set this to api.us-2.crowdstrike.com.

    For more information, see CrowdStrike OAuth2 auth token API documentation.

    API ID*

    Set this to your CrowdStrike OAuth2 API ID.

    API key*

    Set this to your CrowdStrike OAuth2 API key.

  5. Click Save to store your changes.

Default configuration

These are the default configuration parameters for the CrowdStrike enricher:

Required fields are marked with an asterisk (*).

Field

Description

Name

Leave this as “CrowdStrike Enricher”. Set by default.

Override TLP

Forces all entities and observables produced by this extension to inherit this TLP value.

Description*

Enter a description for this enricher.

Cache validity (sec)*

Set to 2592000 seconds (30 days) by default.

Rate limit (per sec)*

Set to 1000 seconds by default.

Monthly execution cap (runs)*

Set to 1000000 runs by default.

Source reliability*

Assign a reliability level to entities and observables produced by this extension. The values here are based on the Admiralty System.

Observable types*

Observable types to enrich. By default, this is set to the observables supported by the CrowdStrike enricher:

  • domain

  • email

  • hash-md5

  • hash-sha1

  • hash-sha256

  • ipv4

  • uri

Enabled

Select to enable this enricher.

API URL*

By default, this is set to https://api.crowdstrike.com/.

Check that this is set to the correct endpoint for your CrowdStrike cloud environment.

For example, if you access your CrowdStrike cloud environment at falcon.us-2.crowdstrike.com, set this to api.us-2.crowdstrike.com.

For more information, see CrowdStrike OAuth2 auth token API documentation.

API ID*

Set this to your CrowdStrike OAuth2 API ID.

API key*

Set this to your CrowdStrike OAuth2 API key.

SSL verification

Selected by default. Select to enable SSL verification.

Path to SSL certificate file

Used when connecting to a feed source that uses a custom CA. Set this as the path to the SSL certificate to use when authenticating the feed source.

Data mapping

When the CrowdStrike Enricher runs, it enriches observables by:

  1. Searching for indicators on Crowdstrike that contain information related to the enriched observable.

  2. Retrieves the name and type of these indicators, and ingests them as observables connected to the enriched observable.

The following table shows how CrowdStrike indicator types are mapped to resulting observable types.

CrowdStrike indicator types

Creates EclecticIQ Observable with type

binary_string


compile_time


device_name


domain

domain

email_address

email

email_subject


event_name


file_mapping


file_name


file_path


hash_ion


hash_md5

hash-md5

hash_sha1

hash-sha1

hash_sha256

hash-sha256

ip_address

Ipv4

ip_address_block


mutex_name


password


persona_name


phone_number


port


registry


semaphore_name


service_name


url

uri

user_agent


username


x509_serial


x509_subject


campaign_id