Cyware Threat Intelligence eXchange

CrowdStrike

Connector Category: API Feed Source

About CrowdStrike

CTIX integrates with CrowdStrike Threat Intelligence to ingest intel feeds related to IP addresses, domains, URLs, email addresses, threat actors, hashes, and finished intel reports with the associated contextual information.

Use Cases

  • Correlate with other sources to get better intelligence.

  • Get contextual information against incidents or intrusions detected on the network and make an informed decision on the offensive and defensive mechanisms.

  • Utilize the finished intel reports to get a comprehensive understanding of the latest trending cyber events.

Benefits

Take proactive action on intel with high confidence, such as blocking IOCs on the firewall.

Configure CrowdStrike as an API Feed Source

Configure CrowdStrike as an API feed source in CTIX to retrieve IP address, domain, URL, hash, finished intel report, email, and threat actor data feeds from CrowdStrike.

Before you Start

  • You must have the View API Feed, View Feed Source, Create Feed Source, and Update Feed Source permissions in CTIX.

  • You must have the base URL, client ID, and client secret key of your CrowdStrike account.

    Important

    Ensure that the client ID includes the permissions to retrieve the IP address, domain, URL, hash, finished intel report, email, and threat actor data feeds. If the client ID does not have permission to retrieve a threat data feed, then the respective feed channel is disabled automatically and displays a connection error.

Steps

To configure CrowdStrike as an API feed source in CTIX, do the following:

  1. Go to Administration > Integration Management > FEED SOURCES > APIs.

  2. Click Add API Source.

  3. Search and select the CrowdStrike app.

  4. Click Add Instance.

  5. Enter a unique name to identify the instance. For example, Prod-Crowdstrike.

  6. Enter the base URL of your CrowdStrike instance. The default base URL is https://api.crowdstrike.com/.

  7. Enter the client ID and secret key to authenticate communication between the CTIX and CrowdStrike servers.

  8. Select Verify SSL to verify the SSL certificate and secure the connection between the CTIX and CrowdStrike servers. By default, Verify SSL is selected.

    Note

    Cyware recommends that you select Verify SSL. If you disable this option, CTIX may configure an instance against an endpoint whose SSL certificate has expired. The connection may then not be established properly, and CTIX will not be able to notify you of a broken or improper connection.

  9. Click Save.

After the CrowdStrike instance is configured successfully, you can view the CrowdStrike feed channels. You can configure multiple instances by clicking Manage > Add More.

Configure CrowdStrike Feed Channels

Configure the feed channels to retrieve threat data feeds from CrowdStrike and store the feeds in a collection in the platform.

Steps

To configure a feed channel, do the following:

  1. Go to Administration > Integration Management > FEED SOURCES > APIs.

  2. Search and select the CrowdStrike app.

  3. Click the ellipsis on the top right corner and select Manage.

  4. Click Manage Feed Channels.

  5. Select a feed channel, and turn on the toggle.

  6. Enter the date and time to start polling feeds. Select a date within 15 days from the current date.

  7. Enter the name of the collection to group the feed data. For example, CS Feeds. CTIX creates the collection and stores all the feeds from the feed channel.

  8. Select from one of the following Polling Cron Schedule types to define when to poll the data:

    • Manual: Allows you to manually poll from the source collection.

    • Auto: Allows you to automatically poll for threat intel from sources at specific time intervals. The default polling cron schedule is Auto.

      • Enter the polling frequency in Polling Time, between 60 and 10080 minutes. The default polling time is 240 minutes.

  9. Set a default TLP and confidence score to assign to feeds that do not already have a TLP and confidence score. By default, these are set to Amber and 100 respectively.

  10. Select Retain Source Provided Confidence Score to keep the confidence score reported by CrowdStrike without undergoing recalculation using the CTIX confidence score engine. Cyware recommends you retain the source-provided confidence score for faster ingestion of feeds.

    Note

    If you choose to retain the source-provided confidence score, the default confidence score will not be applied.

  11. Select the tags to identify and categorize the feeds.

  12. Click Save.

The feed channel is configured and you can poll feeds from the channel. You can enable the other feed channels, poll feeds, and view the feeds. For more information, see API Integrations.

Note

The relationship details of the IP addresses, domains, URLs, and email addresses retrieved from CrowdStrike do not include MD5, SHA1, and SHA256 data. To include one of the MD5, SHA1, or SHA256 relationship details, enable the Retrieve Hash Feed channel and select the hash type to include in the relationship details of the indicators. To retrieve the complete hash relations, enrich hashes using the CrowdStrike enrichment tool.

How is the CrowdStrike confidence mapped with the CTIX confidence scores?

If you choose to retain the source confidence score, the confidence score received from CrowdStrike is normalized to the CTIX scoring scale as per the following mapping.

CrowdStrike Score    CTIX Score
HIGH                 85
MEDIUM               50
LOW                  15
UNVERIFIED           5

Note

If the confidence score is unverified, a new tag is created as MaliciousConfidence/Unverified and added to the threat data object.

Test CrowdStrike Feed Channel Connectivity

Test the connectivity of the CrowdStrike API feed channels to ensure that the connection with the correct API endpoint is established and you have permission to poll feeds.

Before you Start

  • Ensure that the CrowdStrike API integration is enabled.

  • Ensure that the feed channel for which you want to test connectivity is enabled.

Steps

To test the connectivity of a feed channel, do the following:

  1. Go to Administration > Integration Management > FEED SOURCES > APIs.

  2. Search and select the CrowdStrike app.

  3. On a feed channel, click the vertical ellipses and select View Details.

  4. In the Working Status section, click Test Connectivity.

If the connection is established, then the working status shows Running. If the connectivity testing results in an error, then the working status shows Connection Error. Hover over the tooltip next to Connection Error to view the error code.

Note

When the connectivity of a feed channel breaks, CTIX disables the channel and re-attempts to restore the connectivity three times every hour. After a successful re-attempt to restore the connectivity, CTIX enables the feed channel automatically.

To understand the error code and troubleshoot broken connectivity, see Troubleshoot Integrations.

CrowdStrike Feed Channels

The following table lists all the feed channels and the CrowdStrike API endpoints used for each feed channel.

Feed Channel                    API URL
Retrieve Threat Actors Feeds    {{base_url}}intel/combined/actors/v1
Retrieve IP Feeds               {{base_url}}intel/combined/indicators/v1?filter=type:'ip_address'
Retrieve Domain Feeds           {{base_url}}intel/combined/indicators/v1?filter=type:'domain'
Retrieve URL Feeds              {{base_url}}intel/combined/indicators/v1?filter=type:'url'
Retrieve Hash Feeds (SHA1)      {{base_url}}intel/combined/indicators/v1?filter=type:'hash_sha1'
Retrieve Hash Feeds (MD5)       {{base_url}}intel/combined/indicators/v1?filter=type:'hash_md5'
Retrieve Hash Feeds (SHA256)    {{base_url}}intel/combined/indicators/v1?filter=type:'hash_sha256'
Retrieve E-mail Feeds           {{base_url}}intel/combined/indicators/v1?filter=type:'email_address'
Retrieve Report Feeds           {{base_url}}intel/combined/reports/v1
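The following is an added example, not Cyware's or CrowdStrike's code, that puts the feed channel table and the confidence mapping section together: it builds the channel URLs from a base URL and normalizes a constructed CrowdStrike indicator record into a CTIX-style object, applying the score mapping, the MaliciousConfidence/Unverified tag, and the rule that hash relationships are only kept for enabled Retrieve Hash Feed types. The record layout (indicator, type, malicious_confidence, relations) and the function names are assumptions, not CTIX or CrowdStrike internals.

```python
# Added example. Record field names below are assumptions about the
# CrowdStrike indicator response, not documented CTIX behaviour.

# Indicator types used in the filter= parameter of the feed channel URLs.
FEED_TYPES = {
    "ip": "ip_address", "domain": "domain", "url": "url",
    "email": "email_address", "sha1": "hash_sha1",
    "md5": "hash_md5", "sha256": "hash_sha256",
}
# CrowdStrike confidence -> CTIX score, as mapped on this page.
CONFIDENCE_MAP = {"high": 85, "medium": 50, "low": 15, "unverified": 5}
HASH_TYPES = {"hash_md5", "hash_sha1", "hash_sha256"}


def feed_url(base_url: str, channel: str) -> str:
    """Endpoint for a feed channel. The base URL is normalized to end in '/'
    so 'https://api.crowdstrike.com' and '.../' give the same result."""
    base = base_url.rstrip("/") + "/"
    if channel == "actors":
        return base + "intel/combined/actors/v1"
    if channel == "reports":
        return base + "intel/combined/reports/v1"
    return f"{base}intel/combined/indicators/v1?filter=type:'{FEED_TYPES[channel]}'"


def normalize_with_retained_score(record: dict, enabled_hash_types=(),
                                  default_tlp="AMBER") -> dict:
    """Retain Source Provided Confidence Score path: the CrowdStrike
    confidence is normalized with CONFIDENCE_MAP and no default score is
    applied (None when the record carries no recognised confidence, which
    the page does not specify). Hash relations are kept only for hash types
    whose Retrieve Hash Feed channel is enabled; the default TLP still
    applies to records without one."""
    conf = (record.get("malicious_confidence") or "").lower()
    tags = ["MaliciousConfidence/Unverified"] if conf == "unverified" else []
    relations = [r for r in record.get("relations", [])
                 if r["type"] not in HASH_TYPES or r["type"] in enabled_hash_types]
    return {"value": record["indicator"], "type": record["type"],
            "tlp": record.get("tlp") or default_tlp,
            "confidence": CONFIDENCE_MAP.get(conf), "tags": tags,
            "relations": relations}


# Constructed sample record (not real CrowdStrike data).
SAMPLE = {"indicator": "198.51.100.7", "type": "ip_address",
          "malicious_confidence": "unverified",
          "relations": [{"indicator": "bad.example", "type": "domain"},
                        {"indicator": "d41d8cd98f00b204e9800998ecf8427e", "type": "hash_md5"},
                        {"indicator": "a" * 64, "type": "hash_sha256"}]}
```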