Crowdstrike Falcon Intel Feed

The CrowdStrike intelligence team tracks the activities of threat actor groups and advanced persistent threats (APTs) to understand as much as possible about their known aliases, targets, methods, and more.

Configure Crowdstrike Falcon Intel Feed on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Crowdstrike Falcon Intel Feed.
  3. Click Add instance to create and configure a new integration instance.
ParameterDescriptionRequired
feedFetch indicatorsFalse
client_idThe Crowdstrike API client IDTrue
feedReputationIndicator reputationFalse
feedReliabilitySource reliabilityTrue
feedExpirationPolicyFalse
feedExpirationIntervalFalse
feedIncrementalIncremental feedFalse
feedFetchIntervalFeed fetch intervalFalse
feedBypassExclusionListBypass exclusion listFalse
insecureTrust any certificate (not secure)False
proxyUse system proxy settingsFalse
feedTagsTagsFalse
client_secretCrowdstrike API client secretTrue
target_industriesFilter by threat actor's target industries.False
target_countriesFilter by threat actor's target countries.False
custom_filterA custom filter by which to filter the indicators. If you pass the custom_filter argument it will override the custom_filter parameter from the integration instance configuration.False
  1. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

crowdstrike-falcon-intel-get-indicators


Gets indicators from Crowdstrike Falcon Intel Feed.

Base Command

crowdstrike-falcon-intel-get-indicators

Input

Argument NameDescriptionRequired
limitThe maximum number of indicators to return. Default is 10.Optional
offsetThe index of the first indicator to fetch.Optional
target_industriesA comma-separated list of the threat actor's target industries by which to filter the indicators.Optional
target_countriesA comma-separated list of the threat actor's target countries by which to filter the indicators.Optional
custom_filterA custom filter by which to filter the indicators. If you pass the custom_filter argument it will override the custom_filter parameter from the integration instance configuration. For more information about custom filters and their structure, see the Crowdstrike Falcon documentation (https://falcon.crowdstrike.com/login/?next=%2Fsupport%2Fdocumentation%2F45%2Ffalcon-query-language-fql%3F).Optional

Context Output

There is no context output for this command.

Command Example

Human Readable Output