Configure custom CrowdStrike feed
The CrowdStrike feed enables users to ingest indicators, actors, reports, and their associated context from the CrowdStrike Falcon Intelligence feed into TISC.
Before you begin
Role required: sn_sec_tisc.admin
Procedure
- Navigate to Workspaces > Threat Intelligence Security Center > Integrations.
- Select Custom.
- Click the Edit button on the CrowdStrike Feed form page.
Note: By default, the CrowdStrike feed is disabled; you must edit the configuration to enable the feed.
- Drill down to the Configuration Details section.
- Enter the Client ID and Client Secret.
Note:
- If you don't have a Client ID and Client Secret, you must generate them. For more information on the Client ID and Client Secret, see the Defining your first API Client section.
- Obtain the Client ID and Client Secret from CrowdStrike with the required scopes. The following scopes are required for the Client ID and Client Secret from CrowdStrike:
  - Indicators (Falcon Intelligence)
  - Actors (Falcon Intelligence)
  - Reports (Falcon Intelligence)
- Navigate to Additional Settings to configure the filters that are applied while ingesting indicators from CrowdStrike.
- Click Edit Settings.
- Select the required filters.
Note: All configured filters are applied in conjunction while ingesting indicators from CrowdStrike.
- Select the required values from the available filters below.
Table 1. Filters on indicator attributes

| Field | Description |
|---|---|
| Include deleted indicators for ingestion | Select this check box to allow the ingestion of indicators that have been deleted. Note: Deleted indicators are created as observables only if they were previously ingested. A "Deleted in CrowdStrike" tag is added to indicators that are removed from CrowdStrike. |
| Indicator types to ingest | Select the specific CrowdStrike indicator types you want to ingest. If none are selected, all available indicators are retrieved by default. |
| Malicious confidence of indicators to ingest | Select the malicious confidence level of CrowdStrike indicators to ingest. If left blank, all indicators are fetched from CrowdStrike regardless of their malicious confidence. |
| Targeted industries of indicators to ingest | Select the targeted industries associated with CrowdStrike indicators to ingest. If none is selected, all indicators are fetched from CrowdStrike regardless of targeted industry. |
| Filters on associated actors | |
| Fetch indicators only if actors associated to it | Select this check box to fetch indicators only if they are associated with actors. |
| Ingest indicators only associated to these actors | Specify comma-separated actor names related to the indicators for ingestion. If not provided, all indicators are fetched from CrowdStrike regardless of associated actors. |
| Filters on associated reports | |
| Fetch indicators only if reports associated to it | Select this check box to fetch indicators only if they are associated with reports. |
| Ingest indicators only associated to these reports | Enter comma-separated report names associated with the indicators for ingestion. If left blank, all reports are included in the ingestion process and all indicators are fetched from CrowdStrike regardless of associated reports. |
| Filters on associated malware families | |
| Fetch indicators only if malware families associated to it | Select this check box to fetch indicators only if they are associated with malware families. |
| Ingest indicators only associated to these malware families | Enter comma-separated malware family names associated with the indicators for ingestion. If left blank, all malware families are included in the ingestion process and all indicators are fetched from CrowdStrike regardless of malware families. |
| Mapping of Indicator Malicious confidence to TISC confidence | Note: The High, Medium, and Low values are the source values (malicious confidence) received from CrowdStrike. |
| High | Enter a confidence value (0–100) for indicators with high malicious confidence. Note: If a matching malicious confidence mapping is found in the Additional Settings, it overrides the value provided in the Details section, even if a confidence value was entered there manually. |
| Medium | Enter a confidence value (0–100) for indicators with medium malicious confidence. |
| Low | Enter a confidence value (0–100) for indicators with low malicious confidence. |
| Unverified | Enter a confidence value (0–100) for indicators with unverified malicious confidence. |

- Click Update on the Additional Settings dialog box to save the modified additional settings.
- Click Enable to enable the CrowdStrike Feed for ingestion.
Note: The premium feed is the same as other feeds except for the response that is parsed during configuration. A CrowdStrike-specific response is parsed once the Client ID and Client Secret are added.
What type of data is fetched from CrowdStrike:
- Indicators from CrowdStrike that were updated after the configured ingestion time and that match the filters configured in Additional Settings. These indicators are mapped to observables in TISC. The following indicator types are ingested in TISC:
  - SHA256 Hash
  - MD5 Hash
  - SHA1 Hash
  - URL
  - Domain
  - IP Address
  - Mutex Name
  - File Name
  - Email Address
  - Username
  - IP Address Block
- Threat actors from CrowdStrike that were updated after the configured ingestion time are mapped to threat actors in TISC.
- Reports from CrowdStrike that were updated after the configured ingestion time are mapped to threat reports in TISC based on the matching attributes.
- In addition to the entities mentioned above, the following related data is also fetched:
  - Threat actors, reports, and indicators related to the previously ingested indicators.
  - Threat actors and indicators associated with all reports ingested during the current ingestion process.
Note: Filters configured in Additional Settings are also applied when ingesting the indicators associated with previously ingested indicators, reports, or actors.
- Optional: Click Duplicate to duplicate the feed. For more information, see Duplicate threat intelligence feeds.
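To make the filter semantics of Table 1 concrete, the following added example (not ServiceNow or CrowdStrike code) models how the conjunctive filters, the deleted-indicator rule, and the malicious confidence mapping decide which observables TISC would create. The record keys, the settings class, the sample records, and the assumption that the attribute and association filters also apply to deleted indicators are all assumptions of this example.

```python
from dataclasses import dataclass, field

SAMPLE_INDICATORS = [  # constructed records, not real CrowdStrike data; key names are assumptions
    {"type": "domain", "value": "bad.example", "malicious_confidence": "high",
     "targeted_industries": ["financial"], "actors": ["ACTOR-A"]},
    {"type": "hash_sha256", "value": "<sha256 placeholder>", "malicious_confidence": "medium", "reports": ["R-1"]},
    {"type": "url", "value": "http://bad.example/x", "malicious_confidence": "low", "deleted": True,
     "targeted_industries": ["financial"], "actors": ["ACTOR-A"]},
]

@dataclass
class AdditionalSettings:
    include_deleted: bool = False
    indicator_types: set = field(default_factory=set)      # empty selection = no restriction
    malicious_confidence: set = field(default_factory=set)
    targeted_industries: set = field(default_factory=set)
    require: dict = field(default_factory=dict)  # "Fetch indicators only if <x> associated" boxes, e.g. {"actors": True}
    only: dict = field(default_factory=dict)     # "Ingest indicators only associated to these <x>", e.g. {"actors": {"ACTOR-A"}}
    confidence_map: dict = field(default_factory=dict)  # CrowdStrike level -> TISC confidence (0-100)

def passes_filters(ind, s):
    """All configured filters are applied in conjunction: every one must hold."""
    if s.indicator_types and ind["type"] not in s.indicator_types:
        return False
    if s.malicious_confidence and ind["malicious_confidence"] not in s.malicious_confidence:
        return False
    if s.targeted_industries and not s.targeted_industries & set(ind.get("targeted_industries", [])):
        return False
    for assoc in ("actors", "reports", "malware_families"):
        linked = set(ind.get(assoc, []))
        if s.require.get(assoc) and not linked:
            return False
        if s.only.get(assoc) and not s.only[assoc] & linked:
            return False
    return True

def select_observables(indicators, s, previously_ingested, details_confidence=50):
    """Return (value, confidence, tags) for each indicator TISC would create as an observable."""
    out = []
    for ind in indicators:
        tags = []
        if ind.get("deleted"):
            # Deleted indicators are created only if the check box is set AND they were ingested before.
            if not s.include_deleted or ind["value"] not in previously_ingested:
                continue
            tags.append("Deleted in CrowdStrike")
        if not passes_filters(ind, s):
            continue
        confidence = s.confidence_map.get(ind["malicious_confidence"], details_confidence)  # mapping overrides Details
        out.append((ind["value"], confidence, tags))
    return out
```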