Outgoing feed - Crowdstrike EDR


This article describes the specific configuration options to set up the feed.

To configure the general options for the feed, see Configure outgoing feeds general options.

Specifications

Transport type

CrowdStrike Falcon: Custom IOC upload

Content type

CrowdStrike JSON model

Ingested data

Hashes (md5, sha1, sha256), IP addresses (ipv4 and ipv6), and domains.

Published data

CrowdStrike indicators created by the Crowdstrike Falcon: Custom IOC upload outgoing feed are pushed using CrowdStrike Falcon Query API.

Description

CrowdStrike Falcon: Custom IOC upload is the latest addition to the CrowdStrike extension.
It introduces the ability to use the CrowdStrike EDR Query API to push indicators from EclecticIQ Platform to CrowdStrike.

Configure the outgoing feed

  1. Create or edit an outgoing feed.

  2. From the Transport type drop-down menu, select CrowdStrike Falcon: Custom IOC upload.

  3. From the Content type drop-down menu, select CrowdStrike JSON model.

  4. From the Datasets drop-down menu, select one or more existing datasets to use as sources to populate the outgoing feed content.
    For the feed not to be empty, at least one selected dataset should contain entities and observables in the same format as the configured content type for the feed.

  5. The Update strategy field is automatically set to Replace.
    Every time the outgoing feed task runs, it fetches new and existing data to generate the content for publication.
    The published packages contain     new and existing entities and observables included also in the previous execution of the outgoing feed.

  6. The API URL field is automatically filled in with the default location on the CrowdStrike EDR server to upload the outgoing feed content to, so as to make it available for retrieval.

  7. In the Username field, enter your CrowdStrike EDR username.

  8. In the Password field, enter your CrowdStrike EDR password.

  9. To store your changes, click Save; to discard them, click Cancel.

View and retrieve outgoing feed content

  1. In the top navigation bar click Data configuration > Outgoing feeds.

  2. In the Outgoing feeds view, click anywhere in the row corresponding to the outgoing feed whose content you want to view or retrieve.

  3. In the selected outgoing feed detail pane, click the Created packages tab.

  4. In the Created packages tab, under the Download column header, click the name of a package to download it, and to save it to a target location.