Incoming feed - Crowdstrike Falcon X Threat Actor Feed

This article describes how to configure incoming feeds for a particular feed source. To see how to configure incoming feeds in general, see Configure incoming feeds general options.

Specifications

Transport types

Crowdstrike Falcon X Threat Actor Feed

Content type

Crowdstrike Falcon X JSON

Ingested data

Ingests data about threat actors that Crowdstrike Falcon X tracks.

Endpoint(s)

https://api.crowdstrike.com

Processed data

Retrieves and processes threat actors.

Requirements

  • Crowdstrike Falcon X OAuth2 API ID

  • Crowdstrike Falcon X OAuth2 API key

  • At least Read permissions for the Actors (Falcon X) API scope

Configure the incoming feed

  1. Create or edit an incoming feed.

  2. Under Transport and content, fill out these fields:

    Required fields are marked with an asterisk (*).

    Field

    Description

    Transport type*

    Select Crowdstrike Falcon X Threat Actor Feed from the drop-down menu.

    Content type*

    Select Crowdstrike Falcon X JSON from the drop-down menu.

    API URL*

    By default, this is set to https://api.crowdstrike.com.

    Check that this is set to the correct endpoint for your Crowdstrike Falcon X cloud environment.

    For example, if you access your Crowdstrike Falcon X cloud environment at falcon.us-2.crowdstrike.com, set this to api.us-2.crowdstrike.com.

    For more information, see CrowdStrike OAuth2 auth token API documentation.

    API ID*

    Set this to your Crowdstrike Falcon X OAuth2 API ID.

    API key*

    Set this to your Crowdstrike Falcon X OAuth2 API key.

    SSL verification

    Selected by default. Select this option to enable SSL for this feed.

    Path to SSL certificate file.

    Used when connecting to a feed source that uses a custom CA. Set this as the path to the SSL certificate to use when authenticating the feed source.

    For more information, see SSL certificates.

    Start ingesting from*

    Ingest data from the feed source starting from this date and time. Use the drop-down calendar to select the date and time you want to start ingesting feed data from.

  3. Store your changes by selecting Save.

SSL certificates

To use an SSL certificate with the platform, it must be:

  • Accessible on the EclecticIQ Platform host.

  • Placed in a location that can be accessed by the eclecticiq user.

  • Owned by eclecticiq:eclecticiq.

To make sure that the platform can access the SSL certificate:

  1. Upload the SSL certificate to a location on the platform host.

  2. On the platform host, open the terminal.

  3. Change ownership of the SSL certificate by running as root in the terminal:

    chown eclecticiq:eclecticiq /path/to/cert.pem

    Where /path/to/cert.pem is the location of the SSL certificate the platform needs to access.