CrowdStrike Falcon Intelligence

Version: 1.7
Updated: Mar 4, 2024

CrowdStrike® Falcon Intelligence™ is an automated threat intelligence service built on the CrowdStrike Falcon Platform. It automates incident investigations and streamlines breach response so you can make faster, more confident cyber security decisions. Organizations, regardless of size or sophistication, learn from the attacks in their environment applying that knowledge to proactively prevent future attacks. Falcon Intelligence provides insight into global threats, tracked by CrowdStrike’s elite team of intelligence experts.

• Intelligence Automation
• Custom IOCs
• Threat Intelligence reports
• CrowdStrike Indicator

Actions

• Get Artifact (Enrichment) - Get IOC packs, PCAP files, and other analysis artifacts.
• Get Full Report (Enrichment) - Get a full sandbox report.
• Get Report Summary (Enrichment) - Get a short summary version of a sandbox report.
• Intelligence Indicators Falcon Intelligence Daemon (Daemon) - Daemon to pull Intelligence Indicators.
• Reports Falcon Intelligence Daemon*(Daemon)* - Daemon to pull sandbox reports.
• Search Intelligence Indicators (Enrichment) - Get indicators that match provided FQL filter and query.
• Search Reports (Enrichment) - Find sandbox reports by providing an FQL filter and paging details. Returns a set of a report that match your criteria.
• Submission Status Polling (Enrichment) - Return the state of submission, this action will poll until the File/URL analysis are finished, Once this action is completed, you will be able to get a Report or Get Summary of the Submission.
• Submit File (Enrichment) - Submit a file for sandbox analysis. The time required for analysis varies but is usually less than 15 minutes, by using the Submission Status Polling action.
• Submit URL (Enrichment) - Submit a URL for sandbox analysis. The time required for analysis varies but is usually less than 15 minutes, by using the Submission Status Polling action.

CrowdStrike Falcon Intelligence configuration

Create API clients to grant various levels of API access for Falcon Intelligence.

1. From the API Clients and Keys page, click Add new API client on the right of the OAuth2 API Clients table.
   
2. Provide details to define your API client:
   • Client Name (required)
   • Description (optional)
   • API Scopes (required):
     • Select the Read and/or Write boxes next to a scope to enable access to its endpoints.
     • A "–" displays in place of a checkbox when a Read/Write.
     • The scope already checked must be assigned.
       
3. Click Add to save the API client and generate the client ID and secret.

tip

Record your API client secret somewhere safe. After the credential window is closed, the secret is no longer visible.

Configure CrowdStrike Falcon Intelligence in Automation Service and Cloud SOAR

Before you can use this automation integration, you must configure its authentication settings so that the product you're integrating with can communicate with Sumo Logic. For general guidance, see Configure Authentication for Automation Integrations.

How to open the integration's configuration dialog

1. Access App Central and install the integration. (You can configure at installation, or after installation with the following steps.)
2. Go to the Integrations page.
   Classic UI. In the main Sumo Logic menu, select Automation and then select Integrations in the left nav bar.
   New UI. In the main Sumo Logic menu, select Automation > Integrations. You can also click the Go To... menu at the top of the screen and select Integrations.
3. Select the installed integration.
4. Hover over the resource name and click the Edit button that appears.
   

In the configuration dialog, enter information from the product you're integrating with. When done, click TEST to test the configuration, and click SAVE to save the configuration:

• Label. Enter the name you want to use for the resource.

• API URL. Enter your CrowdStrike API URL. The default value is https://api.crowdstrike.com

• Client ID. Enter the unique identifier of the API client. The client ID is visible from the API clients table in the Falcon console.

• Client Secret. Enter the secret code for the API client, equivalent to a password. The secret is only visible to you at the time the API client is created. After that, it is not retrievable. If your client secret is ever lost, you can reset it to generate a new one.

• Member CID. Enter the member CIS. For MSSP Master CIDs, optionally lock the token to act on behalf of this member CID.

• Connection Timeout (s). Set the maximum amount of time the integration will wait for a server's response before terminating the connection. Enter the connection timeout time in seconds (for example, 180).

• Verify Server Certificate. Select to validate the server’s SSL certificate.

• Automation Engine. Select Cloud execution for this certified integration. Select a bridge option only for a custom integration. See Cloud or Bridge execution.

• Proxy Options. Select whether to use a proxy. (Applies only if the automation engine uses a bridge instead of cloud execution.)

  • Use no proxy. Communication runs on the bridge and does not use a proxy.
  • Use default proxy. Use the default proxy for the bridge set up as described in Using a proxy.
  • Use different proxy. Use your own proxy service. Provide the proxy URL and port number.

For information about CrowdStrike Falcon Intelligence, see CrowdStrike documentation.

Change Log

• July 26, 2022 - First upload
• February 23, 2023
  • Integration re-named from CrowdStrike Falcon X to CrowdStrike Falcon Intelligence
  • Updated integration: (Updated the integration Fields with Environmental Variables)
• March 21, 2023 - Logo updated
• June 30, 2023 (v1.5) - Updated the integration with Environmental Variables
• March 4, 2024 (v1.7) - Updated code for compatibility with Python 3.12