View Premium Threat Feed for CrowdStrike
The CrowdStrike feed enables users to ingest indicators, actors, reports, and their associated context from the CrowdStrike Falcon Intelligence feed into TISC.
Before you begin
Role required: sn_sec_tisc.admin
Procedure
- Navigate to Workspaces > Threat Intelligence Security Center > Integrations.
- Select Custom.
- On the CrowdStrike Feed form page, select Edit.
Note: By default, the CrowdStrike feed is disabled. Edit the configuration to enable the feed.
- Navigate to the Configuration Details section.
- Enter the Client ID and Client Secret.
Note:
- You must generate your Client ID and Client Secret if you don't have them. For more information, see the Defining your first API Client section.
- Obtain the Client ID and Client Secret from CrowdStrike with the required scopes. The following scopes are required for the Client ID and Client Secret:
- Indicators (Falcon Intelligence)
- Actors (Falcon Intelligence)
- Reports (Falcon Intelligence)
- Malware Families (Falcon Intelligence)
- Navigate to Additional Settings to configure the filters that will be applied while ingesting indicators from CrowdStrike.
The Additional Settings tab is primarily used to configure the filters that control how data is ingested into the application. These filters let you tailor the data integration process to your requirements, so that only the most relevant information is included.
- Select Edit Settings.
- Select the required filters.
Note: The following table explains each available option and how the filters optimize data ingestion. All configured filters are applied together while ingesting indicators from CrowdStrike.
- Select the required values from the available filters.
Table 1. Edit Additional Settings
Record types to ingest
- Select record types to ingest: Select the record types that you want to ingest. The available record types are Indicators, Reports, Actors, and Malware.
  Note: If you don't select a record type, all the record types are ingested.
Filters on indicator attributes
- Include deleted indicators for ingestion: Select this check box to allow the ingestion of indicators that have been deleted.
  Note: Deleted indicators are created as observables only if they were previously ingested. A Deleted in CrowdStrike tag is added to indicators removed from CrowdStrike.
- Indicator types to ingest: Select the specific CrowdStrike indicator types you want to ingest. If none are selected, all available indicators are retrieved by default.
- Malicious confidence of indicators to ingest: Select the malicious confidence level of CrowdStrike indicators to ingest. If left blank, all indicators are fetched from CrowdStrike regardless of malicious confidence.
- Targeted industries of indicators to ingest: Select the targeted industries associated with CrowdStrike indicators to ingest. If none are selected, all indicators are fetched from CrowdStrike regardless of targeted industry.
Filters on associated actors
- Fetch indicators only if actors associated to it: Select this check box to fetch indicators only if they are associated with actors.
- Ingest indicators only associated to these actors: Specify comma-separated actor names related to the indicators for ingestion. If not provided, all indicators are fetched from CrowdStrike regardless of associated actors.
Filters on associated reports
- Fetch indicators only if reports associated to it: Select this check box to fetch indicators only if they are associated with reports.
- Ingest indicators only associated to these reports: Enter comma-separated report names associated with the indicators for ingestion. If left blank, all indicators are fetched from CrowdStrike regardless of associated reports.
Filters on associated malware families
- Fetch indicators only if malware families associated to it: Select this check box to fetch indicators only if they are associated with malware families.
- Ingest indicators only associated to these malware families: Enter comma-separated malware family names associated with the indicators for ingestion. If left empty, all indicators are fetched from CrowdStrike regardless of malware families.
Mapping of Indicator Malicious confidence to TISC confidence
Note: The High, Medium, and Low values are the source values, that is, the malicious confidence received from CrowdStrike.
- High: Enter a confidence value (0–100) for indicators with high malicious confidence.
  Note: If a matching malicious confidence mapping is found in the Additional Settings, it overrides the value provided in the Details section even if a confidence value is manually entered.
- Medium: Enter a confidence value (0–100) for indicators with medium malicious confidence.
- Low: Enter a confidence value (0–100) for indicators with low malicious confidence.
- Unverified: Enter a confidence value (0–100) for indicators with unverified malicious confidence.
Note: With the same additional settings you have defined, you can duplicate the feed when creating a new one.
- Select Update on the Additional Settings dialog box to save the modified additional settings.
- Select Enable to enable the CrowdStrike Feed for ingestion.
Note: The premium feed works the same way as other feeds except for the response that is parsed during configuration; the CrowdStrike-specific response is parsed once the Client ID and Client Secret have been added. The following types of data are fetched from CrowdStrike:
- Indicators from CrowdStrike that are updated after the configured ingestion time and match the filters configured in additional settings. These indicators from CrowdStrike are then mapped to observables in TISC. The following indicator types are ingested in TISC:
- SHA256 Hash
- MD5 Hash
- SHA1 Hash
- URL
- Domain
- IP Address
- Mutex Name
- File Name
- Email Address
- Username
- IP Address Block
- Threat Actors from CrowdStrike that are updated after the configured ingestion time are mapped to Threat Actors in TISC.
- Reports from CrowdStrike that are updated after the configured ingestion time are mapped to threat reports in TISC based on matching attributes.
- Malware from CrowdStrike that is updated after the configured ingestion time is mapped to malware in TISC based on matching attributes.
- Additionally, the following related data is also fetched:
- Threat actors, reports, and indicators related to the previously ingested indicators.
- Threat actors and indicators associated with all reports ingested during the current ingestion process.
Note: Filters configured in Additional Settings are also applied when ingesting indicators associated with previously ingested indicators, reports, or actors.
- Optional: Select Duplicate to duplicate the feed. For more information, see Duplicate threat intelligence feeds.
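The filter semantics described in the Additional Settings table, as an added JavaScript illustration that is not ServiceNow or CrowdStrike code: every configured filter must pass (AND), an empty selection means no restriction, a deleted indicator is kept only when it was previously ingested, and a matching malicious confidence mapping overrides the Details-section confidence. The record fields (indicator, type, malicious_confidence, deleted, actors, reports, malware_families, targets, last_updated) follow the shape of CrowdStrike Intel indicator records, but the records, settings and helper names are constructed for this example.

```javascript
// Added illustration, not ServiceNow or CrowdStrike code. Record fields mirror the shape of
// CrowdStrike Intel indicator records; the settings and sample values are constructed.
const settings = {
  indicatorTypes: ["domain", "hash_sha256"], // empty list = ingest all indicator types
  maliciousConfidence: ["high", "medium"],   // empty list = any malicious confidence
  targetedIndustries: [],                    // empty list = any targeted industry
  includeDeleted: true,                      // "Include deleted indicators for ingestion"
  requireActors: true, actorNames: [],       // "Fetch indicators only if actors associated to it"
  requireReports: false, reportNames: [], requireMalwareFamilies: false, malwareFamilyNames: [],
  confidenceMap: { high: 90, medium: 60, low: 30, unverified: 10 }, // CrowdStrike confidence -> TISC (0-100)
};
// One association filter pair: "fetch only if X associated" and "only associated to these X".
function associationOk(values, required, names) {
  if (required && values.length === 0) return false;
  return names.length === 0 || values.some((v) => names.includes(v));
}
// All configured filters are applied together: an indicator must pass every one.
function passesFilters(ind, s, previouslyIngested) {
  if (ind.deleted && !(s.includeDeleted && previouslyIngested.has(ind.indicator))) return false;
  if (s.indicatorTypes.length && !s.indicatorTypes.includes(ind.type)) return false;
  if (s.maliciousConfidence.length && !s.maliciousConfidence.includes(ind.malicious_confidence)) return false;
  if (s.targetedIndustries.length && !ind.targets.some((t) => s.targetedIndustries.includes(t))) return false;
  return associationOk(ind.actors, s.requireActors, s.actorNames)
    && associationOk(ind.reports, s.requireReports, s.reportNames)
    && associationOk(ind.malware_families, s.requireMalwareFamilies, s.malwareFamilyNames);
}
// Map a passing indicator to a TISC-style observable. A matching confidence mapping
// overrides the confidence entered in the feed's Details section (detailsConfidence).
function toObservable(ind, s, detailsConfidence) {
  const mapped = s.confidenceMap[ind.malicious_confidence];
  return { value: ind.indicator, type: ind.type, confidence: mapped === undefined ? detailsConfidence : mapped,
           tags: ind.deleted ? ["Deleted in CrowdStrike"] : [] };
}
// Ingest only indicators updated after `since` (epoch seconds) that pass every filter.
function ingest(indicators, s, since, previouslyIngested, detailsConfidence) {
  return indicators
    .filter((i) => i.last_updated > since && passesFilters(i, s, previouslyIngested))
    .map((i) => toObservable(i, s, detailsConfidence));
}
// Constructed sample records (not real indicators); rec() fills in empty associations.
const rec = (indicator, type, malicious_confidence, last_updated, extra) => ({ indicator, type,
  malicious_confidence, last_updated, deleted: false, actors: [], reports: [], malware_families: [], targets: [], ...extra });
const sample = [
  rec("bad.example", "domain", "high", 1700000600, { actors: ["ACTOR-A"], targets: ["Financial"] }),
  rec("old.example", "domain", "high", 1600000000, { actors: ["ACTOR-A"] }),             // before ingestion time
  rec("gone.example", "domain", "medium", 1700000700, { deleted: true, actors: ["ACTOR-B"] }), // deleted, previously ingested
  rec("noactor.example", "domain", "high", 1700000800, { reports: ["R1"] }),             // no associated actor
  rec("203.0.113.7", "ip_address", "high", 1700000900, { actors: ["ACTOR-A"] }),         // type not selected
];
const observables = ingest(sample, settings, 1700000000, new Set(["gone.example"]), 50); // -> bad.example, gone.example
```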