Cyware Threat Intelligence eXchange

CrowdStrike

Connector Category: Enrichment Tool

About Integration

Intel Exchange (CTIX) integrates with CrowdStrike to enrich hashes, such as SHA1, SHA256, and MD5. This integration enables analysts to retrieve the complete threat data relationship details of the hashes. 

The CrowdStrike enrichment tool ingests the relationship objects that do not exist in the Intel Exchange platform with the source as CrowdStrike (APIs). If the CrowdStrike API feed source is disabled, then the relationship objects are ingested with the source as CrowdStrike (ENRICHMENT FEEDS).

Configure CrowdStrike as Enrichment Tool

Configure CrowdStrike to retrieve hash relationship details of threat data objects.

Before you Start 

  • You must have the view, create, and update permissions for Enrichment Management in CTIX.

  • You must have the base URL, API ID, and API key of your CrowdStrike account.

    Note

    Ensure that the API ID includes the permissions to retrieve hash relationship details of threat data objects.

Steps 

To configure CrowdStrike as an enrichment tool in CTIX, do the following:

  1. Sign in to CTIX and go to Administration > Enrichment Management > Enrichment Tools.

  2. Search for and select the CrowdStrike enrichment tool.

  3. Click Add Account.

  4. Enter a unique account name to identify the instance. For example, Prod_CrowdStrike.

  5. Enter the base URL of your CrowdStrike instance. The default base URL is https://api.crowdstrike.com/.

  6. Enter the API ID and API key of your CrowdStrike account to authenticate communication between the CTIX and CrowdStrike servers.

  7. Select Verify SSL to verify the SSL certificate and secure the connection between the CTIX and CrowdStrike servers. By default, Verify SSL is selected.

    Note

    Cyware recommends that you select Verify SSL. If you disable this option, CTIX may configure an instance for an expired SSL certificate. The connection may then not be established properly, and CTIX will not be able to notify you of a broken or improper connection.

  8. Click Save.

After successfully adding an account, you can view and enable the CrowdStrike feed enrichment types. You can also configure a quota to limit the number of enrichment requests a CrowdStrike account makes. After the quota expires, you cannot make enrichment requests until the quota resets for the next quota duration. For more information, see Define Quota in Configure Enrichment Tools.

To understand the number of API calls and quota units consumed by the CrowdStrike enrichment tool per polling, refer to the following table.

| Enrichment Tool | Feed Enrichment Type | No. of API calls | Quota Consumed |
|-----------------|----------------------|------------------|----------------|
| CrowdStrike     | Retrieve Hash Detail | 1                | 1              |
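
Because each Retrieve Hash Detail poll costs one API call and one quota unit, malformed or duplicate hashes spend quota without returning new data. The following Python is an added example, not Cyware or CrowdStrike code: it screens a batch for the three hash types named above and splits it against the remaining quota. The names classify_hash, plan_enrichment, Plan and QUOTA_PER_REQUEST are hypothetical, and it assumes one hash per enrichment request.

```python
import re
from dataclasses import dataclass, field

# Hex-digest lengths of the hash types the page lists.
HASH_LENGTHS = {32: "MD5", 40: "SHA1", 64: "SHA256"}
HEX_RE = re.compile(r"[0-9a-f]+")
# From the page's table: Retrieve Hash Detail = 1 API call, 1 quota unit.
# Assumption: one hash per enrichment request.
QUOTA_PER_REQUEST = 1

def classify_hash(value):
    """Return 'MD5', 'SHA1' or 'SHA256', or None for anything else."""
    v = value.strip().lower()
    return HASH_LENGTHS.get(len(v)) if HEX_RE.fullmatch(v) else None

@dataclass
class Plan:
    send: list = field(default_factory=list)      # fits in remaining quota
    deferred: list = field(default_factory=list)  # valid, quota exhausted
    rejected: list = field(default_factory=list)  # malformed, never sent

def plan_enrichment(candidates, quota_remaining):
    """Split candidate hashes into send now / defer / reject."""
    plan, seen = Plan(), set()
    for raw in candidates:
        kind = classify_hash(raw)
        if kind is None:
            plan.rejected.append(raw)
            continue
        norm = raw.strip().lower()
        if norm in seen:  # a duplicate would spend quota for no new data
            continue
        seen.add(norm)
        cost_if_sent = (len(plan.send) + 1) * QUOTA_PER_REQUEST
        target = plan.send if cost_if_sent <= quota_remaining else plan.deferred
        target.append((norm, kind))
    return plan

# Constructed sample: digests of the empty string, a duplicate, and noise.
SAMPLE = [
    "d41d8cd98f00b204e9800998ecf8427e",
    "D41D8CD98F00B204E9800998ECF8427E",          # same MD5, upper case
    "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "not-a-hash",
    "d41d8cd98f00b204e9800998ecf8427",           # 31 hex chars, truncated
]

if __name__ == "__main__":
    p = plan_enrichment(SAMPLE, quota_remaining=2)
    print("send:", p.send, "\ndeferred:", p.deferred, "\nrejected:", p.rejected)
```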