Skip to main content

CrowdStrike Falcon Intelligence

crowdstrike-falcon-intelligence

Version: 1.7
Updated: Mar 4, 2024

CrowdStrike® Falcon Intelligence™ is an automated threat intelligence service built on the CrowdStrike Falcon Platform. It automates incident investigations and streamlines breach response so you can make faster, more confident cyber security decisions. Organizations, regardless of size or sophistication, learn from the attacks in their environment applying that knowledge to proactively prevent future attacks. Falcon Intelligence provides insight into global threats, tracked by CrowdStrike’s elite team of intelligence experts.

  • Intelligence Automation
  • Custom IOCs
  • Threat Intelligence reports
  • CrowdStrike Indicator

Actions

  • Get Artifact (Enrichment) - Get IOC packs, PCAP files, and other analysis artifacts.
  • Get Full Report (Enrichment) - Get a full sandbox report.
  • Get Report Summary (Enrichment) - Get a short summary version of a sandbox report.
  • Intelligence Indicators Falcon Intelligence Daemon (Daemon) - Daemon to pull Intelligence Indicators.
  • Reports Falcon Intelligence Daemon*(Daemon)* - Daemon to pull sandbox reports.
  • Search Intelligence Indicators (Enrichment) - Get indicators that match provided FQL filter and query.
  • Search Reports (Enrichment) - Find sandbox reports by providing an FQL filter and paging details. Returns a set of a report that match your criteria.
  • Submission Status Polling (Enrichment) - Return the state of submission, this action will poll until the File/URL analysis are finished, Once this action is completed, you will be able to get a Report or Get Summary of the Submission.
  • Submit File (Enrichment) - Submit a file for sandbox analysis. The time required for analysis varies but is usually less than 15 minutes, by using the Submission Status Polling action.
  • Submit URL (Enrichment) - Submit a URL for sandbox analysis. The time required for analysis varies but is usually less than 15 minutes, by using the Submission Status Polling action.

CrowdStrike Falcon Intelligence configuration

Create API clients to grant various levels of API access for Falcon Intelligence.

  1. From the API Clients and Keys page, click Add new API client on the right of the OAuth2 API Clients table.
    crowdstrike-falcon-intelligence
  2. Provide details to define your API client:
    • Client Name (required)
    • Description (optional)
    • API Scopes (required):
      • Select the Read and/or Write boxes next to a scope to enable access to its endpoints.
      • A "–" displays in place of a checkbox when a Read/Write.
      • The scope already checked must be assigned.
        crowdstrike-falcon-intelligence
  3. Click Add to save the API client and generate the client ID and secret.
tip

Record your API client secret somewhere safe. After the credential window is closed, the secret is no longer visible.

Configure CrowdStrike Falcon Intelligence in Automation Service and Cloud SOAR

Before you can use this automation integration, you must configure its authentication settings so that the product you're integrating with can communicate with Sumo Logic. For general guidance, see Configure Authentication for Automation Integrations.

How to open the integration's configuration dialog
  1. Access App Central and install the integration. (You can configure at installation, or after installation with the following steps.)
  2. Go to the Integrations page.
    Classic UI. In the main Sumo Logic menu, select Automation and then select Integrations in the left nav bar.
    New UI. In the main Sumo Logic menu, select Automation > Integrations. You can also click the Go To... menu at the top of the screen and select Integrations.
  3. Select the installed integration.
  4. Hover over the resource name and click the Edit button that appears.
    Edit a resource

In the configuration dialog, enter information from the product you're integrating with. When done, click TEST to test the configuration, and click SAVE to save the configuration.

  • Label. The resource name.
  • API URL. The default Crowdstrike API URL is https://api.crowdstrike.com.
  • Client ID. The unique identifier of the API client. The client ID is visible from the API clients table in the Falcon console.
  • Client Secret. A secret code for an API client, equivalent to a password. The secret is only visible to you at the time the API client is created. After that, it is not retrievable. If your client secret is ever lost, you can reset it to generate a new one.
  • Member CID. For MSSP Master CIDs, optionally lock the token to act on behalf of this member CID.
    CrowdStrike Falcon Intelligence configuration

For information about CrowdStrike Falcon Intelligence, see CrowdStrike documentation.

Change Log

  • July 26, 2022 - First upload
  • February 23, 2023
    • Integration re-named from CrowdStrike Falcon X to CrowdStrike Falcon Intelligence
    • Updated integration: (Updated the integration Fields with Environmental Variables)
  • March 21, 2023 - Logo updated
  • June 30, 2023 (v1.5) - Updated the integration with Environmental Variables
  • March 4, 2024 (v1.7) - Updated code for compatibility with Python 3.12
Edit this page
Last updated on by John Pipkin (Sumo Logic)
Status
Legal
Privacy Statement
Terms of Use

Copyright © 2025 by Sumo Logic, Inc.