CrowdStrike Falcon Intel

Use the CrowdStrike Falcon Intelligence v2 integration to identify threats.

This integration was integrated and tested with CrowdStrike Falcon Intel v2.

Use Cases

  • Search files, URLs, domains, and IP addresses, for malware.
  • Create indicator based reports.

Configure CrowdStrike Falcon Intelligence v2 on Demisto

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Falcon Intel v2.
  3. Click Add instance to create and configure a new integration instance.
    • Name : A textual name for the integration instance.
    • Server URL : URL of Falcon Intel server.
    • API ID
    • API Key
    • Threshold : Minimum malicious confidence from Falcon Intel to consider the indicator malicious (low, medium, or high). Default is high.
    • Use system proxy settings
    • Allow self-signed SSL certificates
    • Indicator API V2
  4. Click Test to validate the URLs and token.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. Check file for malware: file
  2. Check URL for malware: url
  3. Check domain for malware: domain
  4. Check IP address for malware: ip
  5. Search for actors: cs-actors
  6. Indicator based report: cs-indicators
  7. Search summary and ID of Intelligence Reports: cs-reports
  8. Get report in PDF format: cs-report-pdf

1. Check file for malware

Returns a malware report for the specified file.

Base Command

file

Input
Argument Name Description
file MD5, SHA-1, or SHA-256 hash of the file to check

Context Output
Path Description
File.MD5 MD5 hash of the malicious file
File.SHA1 SHA-1 hash of the malicious file
File.SHA256 SHA-256 hash of the malicious file
File.Malicious.Vendor For malicious files, the vendor that made the decision
File.Malicious.Description For malicious files, the reason that the vendor made the decision
DBotScore.Indicator The indicator tested
DBotScore.Type Type of indicator tested
DBotScore.Vendor Vendor used to calculate the score
DBotScore.Score The actual score

Command Example

!file file=369c8fc6532ba547d7ef5985bb5e880a using-brand="FalconIntel V2"

Raw Output
DBotScore
{
   "Indicator": "369c8fc6532ba547d7ef5985bb5e880a",
   "Score": 3,
   "Type": "hash",
   "Vendor": "CrowdStrike"
}

File
{
   "MD5": "369c8fc6532ba547d7ef5985bb5e880a",
   "Malicious": {
      "Description": "High confidence",
      "Vendor": "CrowdStrike"
   }
}

Context Example
DBotScore (list of 2 items; item 1 shown):
{
   "Indicator": "369c8fc6532ba547d7ef5985bb5e880a",
   "Score": 3,
   "Type": "hash",
   "Vendor": "CrowdStrike"
}
File:
{
   "MD5": "369c8fc6532ba547d7ef5985bb5e880a",
   "Malicious": {
      "Description": "High confidence",
      "Vendor": "CrowdStrike"
   }
}

2. Check URL for malware

Returns a malware report for the specified URL.

Base Command

url

Input
Argument Name Description
url URL to check

Context Output
Path Description
URL.Data Malicious URL
URL.Malicious.Vendor For malicious URLs, the vendor that made the decision
URL.Malicious.Description For malicious URLs, the reason that the vendor made that decision
DBotScore.Indicator The indicator tested
DBotScore.Type Type of indicator tested
DBotScore.Vendor Vendor used to calculate the score
DBotScore.Score The actual score

Command Example

!url url="http://8.8.8.8/google.doc" using="FalconIntel V2_instance_1"

Raw Output
DBotScore
{
   "Indicator": "http://8.8.8.8/google.doc",
   "Score": 3,
   "Type": "url",
   "Vendor": "CrowdStrike"
}

URL
{
   "Data": "http://8.8.8.8/google.doc",
   "Malicious": {
      "Description": "High confidence",
      "Vendor": "CrowdStrike"
   }
}

Context Example
DBotScore (list of 3 items; item 2 shown):
{
   "Indicator": "http://8.8.8.8/google.doc",
   "Score": 3,
   "Type": "url",
   "Vendor": "CrowdStrike"
}
URL:
{
   "Data": "http://8.8.8.8/google.doc",
   "Malicious": {
      "Description": "High confidence",
      "Vendor": "CrowdStrike"
   }
}

3. Check Domain for malware

Returns a malware report for the specified domain.

Base Command

domain

Input
Argument Name Description
domain Domain to check

Context Output
Path Description
Domain.Name Malicious domain
Domain.Malicious.Vendor For malicious domains, the vendor that made the decision
Domain.Malicious.Description For malicious domains, the reason that the vendor made that decision
DBotScore.Indicator The indicator tested
DBotScore.Type Type of indicator tested
DBotScore.Vendor Vendor used to calculate the score
DBotScore.Score The actual score

Command Example

!domain domain="dns02.hpupdat.net" using="FalconIntel V2_instance_1"

Raw Output
DBotScore
{
   "Indicator": "dns02.hpupdat.net",
   "Score": 3,
   "Type": "domain",
   "Vendor": "CrowdStrike"
}

Domain
{
   "Malicious": {
      "Description": "High confidence",
      "Vendor": "CrowdStrike"
   },
   "Name": "dns02.hpupdat.net"
}

Context Example
DBotScore (list of 4 items; item 3 shown):
{
   "Indicator": "dns02.hpupdat.net",
   "Score": 3,
   "Type": "domain",
   "Vendor": "CrowdStrike"
}
Domain:
{
   "Malicious": {
      "Description": "High confidence",
      "Vendor": "CrowdStrike"
   },
   "Name": "dns02.hpupdat.net"
}

4. Check IP address for malware

Returns a malware report for the specified IP address.

Base Command

ip

Input
Argument Name Description
ip IP address to check

Context Output
Path Description
IP.Address Malicious IP address
IP.Malicious.Vendor For malicious IP addresses, the vendor that made the decision
IP.Malicious.Description For malicious IP addresses, the reason that the vendor made that decision
DBotScore.Indicator The indicator tested
DBotScore.Type Type of indicator tested
DBotScore.Vendor Vendor used to calculate the score
DBotScore.Score The actual score

Command Example

!ip ip="4.4.4.4" using="FalconIntel V2_instance_1"

Raw Output
DBotScore
{
   "Indicator": "4.4.4.4",
   "Score": 1,
   "Type": "ip",
   "Vendor": "CrowdStrike"
}

Context Example
DBotScore:
{
   "Indicator": "4.4.4.4",
   "Score": 1,
   "Type": "ip",
   "Vendor": "CrowdStrike"
}

5. Search for actors

Searches for actors.

Base Command

cs-actors

Input
Argument Name Description
q Search all fields for the specified data.
name Search based on actor name.
desc Search based on description.
minLastModifiedDate Search range starts at modified date. Dates are formatted as YYYY-MM-DD.
maxLastModifiedDate Search range ends at modified date. Dates are formatted as YYYY-MM-DD.
minLastActivityDate Search range starts at activity date. Dates are formatted as YYYY-MM-DD.
maxLastActivityDate Search range ends at activity date. Dates are formatted as YYYY-MM-DD.
origins Search by comma-separated list of origins.
targetCountries Search by comma-separated list of target countries.
targetIndustries Search by comma-separated list of target industries.
motivations Search by comma-separated list of motivations.
offset Which page of the results to retrieve (0-based).
limit Number of results displayed in the page.
sort Sort in the format field_name.order, field_name.order, where order is either asc or desc.
slug Search by 'slug' or short descriptive name. Example: "anchor-panda"

Context Output

There is no context output for this command.

Command Example

!cs-actors q="google" limit="2"

Raw Output

There is no raw output for this command.

Context Example

There is no context example for this command.


6. Indicator based report

Generates a report according to specified indicators.

Base Command

cs-indicators

Input
Argument Name Description
parameter What parameter to search. See CrowdStrike documentation for details. Valid values are:
  • indicator
  • type
  • report
  • actor
  • malicious_confidence
  • published_date
  • last_updated
  • malware_family
  • kill_chain
  • labels
  • DomainType
  • EmailAddressType
  • IntelNews
  • IPAddressType
  • Malware
  • Status
  • Target
  • ThreatType
  • Vulnerability
filter Valid values are:
  • match
  • equal
  • gt(e)
  • lt(e)
value The value for the given parameter
sort Sort by a field in the format field_name.order, where order is either asc or desc. Valid values for the field are:
  • indicator
  • type
  • report
  • actor
  • malicious_confidence
  • published_date
  • last_updated
page The page to retrieve (1-based)
pageSize The size of the page to retrieve

Context Output
Path Description
File.MD5 MD5 hash of the malicious file
File.SHA1 SHA-1 hash of the malicious file
File.SHA256 SHA-256 hash of the malicious file
File.Malicious.Vendor For malicious files, the vendor that made the decision
File.Malicious.Description For malicious files, the reason that the vendor made that decision
File.Reports For malicious files, the associated reports describing the hash
File.Actors For malicious files, the associated actors
File.MalwareFamilies For malicious files, the associated malware family
File.KillChains For malicious files, the associated kill chain
URL.Data Malicious URL
URL.Malicious.Vendor For malicious URLs, the vendor that made the decision
URL.Malicious.Description For malicious URLs, the reason that the vendor made that decision
URL.Reports For malicious URLs, the associated reports describing the URL
URL.Actors For malicious URLs, the associated actors
URL.MalwareFamilies For malicious URLs, the associated malware family
URL.KillChains For malicious URLs, the associated kill chain
Domain.Name Malicious domain
Domain.Malicious.Vendor For malicious domains, the vendor that made the decision
Domain.Malicious.Description For malicious domains, the reason that the vendor made that decision
Domain.Reports For malicious domains, the associated reports describing the domain
Domain.Actors For malicious domains, the associated actors
Domain.MalwareFamilies For malicious domains, the associated malware family
Domain.KillChains For malicious domains, the associated kill chain
IP.Address Malicious IP address
IP.Malicious.Vendor For malicious IP addresses, the vendor that made the decision
IP.Malicious.Description For malicious IP addresses, the reason that the vendor made that decision
IP.Reports For malicious IP addresses, the associated reports describing the IP
IP.Actors For malicious IP addresses, the associated actors
IP.MalwareFamilies For malicious IP addresses, the associated malware family
IP.KillChains For malicious IP addresses, the associated kill chain
DBotScore.Indicator The indicator tested
DBotScore.Type Type of indicator tested
DBotScore.Vendor Vendor used to calculate the score
DBotScore.Score The actual score

Command Example

!cs-indicators filter=match parameter=indicator value="panda"

Raw Output
DBotScore
[  
   {  
      "Indicator":"nadazpanda.publicvm.com",
      "Score":3,
      "Type":"domain",
      "Vendor":"CrowdStrike"
   },
   {  
      "Indicator":"pandadefender.com",
      "Score":3,
      "Type":"domain",
      "Vendor":"CrowdStrike"
   },
   {  
      "Indicator":"http://panda.tech/tw.com/panda.rtf",
      "Score":3,
      "Type":"url",
      "Vendor":"CrowdStrike"
   },
   {  
      "Indicator":"panda1.hopto.org",
      "Score":3,
      "Type":"domain",
      "Vendor":"CrowdStrike"
   },
   {  
      "Indicator":"http://suliparwarda.com/includes/panda.php?c=",
      "Score":3,
      "Type":"url",
      "Vendor":"CrowdStrike"
   },
   {  
      "Indicator":"http://azmwn.suliparwarda.com/wp-content/plugins/wpdatatables/panda.php?c=",
      "Score":3,
      "Type":"url",
      "Vendor":"CrowdStrike"
   },
   {  
      "Indicator":"balvinnew.pandabearsunited.xyz",
      "Score":3,
      "Type":"domain",
      "Vendor":"CrowdStrike"
   },
   {  
      "Indicator":"panda3.ddns.net",
      "Score":3,
      "Type":"domain",
      "Vendor":"CrowdStrike"
   },
   {  
      "Indicator":"panda.tech-tw.com",
      "Score":2,
      "Type":"domain",
      "Vendor":"CrowdStrike"
   },
   {  
      "Indicator":"http://panda.tech-tw.com/panda.rtf",
      "Score":3,
      "Type":"url",
      "Vendor":"CrowdStrike"
   }
]

Domain
[  
   {  
      "KillChains":[  
         "C2"
      ],
      "Malicious":{  
         "Description":"High confidence",
         "Vendor":"CrowdStrike"
      },
      "MalwareFamilies":[  
         "njRAT"
      ],
      "Name":"nadazpanda.publicvm.com"
   },
   {  
      "Actors":[  
         "FANCYBEAR"
      ],
      "KillChains":[  
         "C2"
      ],
      "Malicious":{  
         "Description":"High confidence",
         "Vendor":"CrowdStrike"
      },
      "MalwareFamilies":[  
         "X-Agent"
      ],
      "Name":"pandadefender.com",
      "Reports":[  
         "CSIR-17010"
      ]
   },
   {  
      "KillChains":[  
         "C2"
      ],
      "Malicious":{  
         "Description":"High confidence",
         "Vendor":"CrowdStrike"
      },
      "MalwareFamilies":[  
         "CybergateRAT"
      ],
      "Name":"panda1.hopto.org"
   },
   {  
      "KillChains":[  
         "C2"
      ],
      "Malicious":{  
         "Description":"High confidence",
         "Vendor":"CrowdStrike"
      },
      "MalwareFamilies":[  
         "XtremeRAT"
      ],
      "Name":"balvinnew.pandabearsunited.xyz"
   },
   {  
      "KillChains":[  
         "C2"
      ],
      "Malicious":{  
         "Description":"High confidence",
         "Vendor":"CrowdStrike"
      },
      "MalwareFamilies":[  
         "njRAT"
      ],
      "Name":"panda3.ddns.net"
   },
   {  
      "KillChains":[  
         "Delivery"
      ],
      "Name":"panda.tech-tw.com"
   }
]

URL
[  
   {  
      "Data":"http://panda.tech/tw.com/panda.rtf",
      "KillChains":[  
         "Delivery"
      ],
      "Malicious":{  
         "Description":"High confidence",
         "Vendor":"CrowdStrike"
      }
   },
   {  
      "Actors":[  
         "STATICKITTEN"
      ],
      "Data":"http://suliparwarda.com/includes/panda.php?c=",
      "KillChains":[  
         "C2"
      ],
      "Malicious":{  
         "Description":"High confidence",
         "Vendor":"CrowdStrike"
      },
      "MalwareFamilies":[  
         "NTSTATS"
      ],
      "Reports":[  
         "CSIR-18002"
      ]
   },
   {  
      "Actors":[  
         "STATICKITTEN"
      ],
      "Data":"http://azmwn.suliparwarda.com/wp-content/plugins/wpdatatables/panda.php?c=",
      "KillChains":[  
         "C2"
      ],
      "Malicious":{  
         "Description":"High confidence",
         "Vendor":"CrowdStrike"
      },
      "MalwareFamilies":[  
         "NTSTATS"
      ],
      "Reports":[  
         "CSIR-18002"
      ]
   },
   {  
      "Data":"http://panda.tech-tw.com/panda.rtf",
      "KillChains":[  
         "Delivery"
      ],
      "Malicious":{  
         "Description":"High confidence",
         "Vendor":"CrowdStrike"
      }
   }
]
Context Example
DBotScore (10 items):
[
   {"Indicator": "nadazpanda.publicvm.com", "Score": 3, "Type": "domain", "Vendor": "CrowdStrike"},
   {"Indicator": "pandadefender.com", "Score": 3, "Type": "domain", "Vendor": "CrowdStrike"},
   {"Indicator": "http://panda.tech/tw.com/panda.rtf", "Score": 3, "Type": "url", "Vendor": "CrowdStrike"},
   {"Indicator": "panda1.hopto.org", "Score": 3, "Type": "domain", "Vendor": "CrowdStrike"},
   {"Indicator": "http://suliparwarda.com/includes/panda.php?c=", "Score": 3, "Type": "url", "Vendor": "CrowdStrike"},
   {"Indicator": "http://azmwn.suliparwarda.com/wp-content/plugins/wpdatatables/panda.php?c=", "Score": 3, "Type": "url", "Vendor": "CrowdStrike"},
   {"Indicator": "balvinnew.pandabearsunited.xyz", "Score": 3, "Type": "domain", "Vendor": "CrowdStrike"},
   {"Indicator": "panda3.ddns.net", "Score": 3, "Type": "domain", "Vendor": "CrowdStrike"},
   {"Indicator": "panda.tech-tw.com", "Score": 2, "Type": "domain", "Vendor": "CrowdStrike"},
   {"Indicator": "http://panda.tech-tw.com/panda.rtf", "Score": 3, "Type": "url", "Vendor": "CrowdStrike"}
]
Domain (6 items):
[
   {"Name": "nadazpanda.publicvm.com", "KillChains": ["C2"], "MalwareFamilies": ["njRAT"],
    "Malicious": {"Description": "High confidence", "Vendor": "CrowdStrike"}},
   {"Name": "pandadefender.com", "Actors": ["FANCYBEAR"], "KillChains": ["C2"], "MalwareFamilies": ["X-Agent"],
    "Reports": ["CSIR-17010"], "Malicious": {"Description": "High confidence", "Vendor": "CrowdStrike"}},
   {"Name": "panda1.hopto.org", "KillChains": ["C2"], "MalwareFamilies": ["CybergateRAT"],
    "Malicious": {"Description": "High confidence", "Vendor": "CrowdStrike"}},
   {"Name": "balvinnew.pandabearsunited.xyz", "KillChains": ["C2"], "MalwareFamilies": ["XtremeRAT"],
    "Malicious": {"Description": "High confidence", "Vendor": "CrowdStrike"}},
   {"Name": "panda3.ddns.net", "KillChains": ["C2"], "MalwareFamilies": ["njRAT"],
    "Malicious": {"Description": "High confidence", "Vendor": "CrowdStrike"}},
   {"Name": "panda.tech-tw.com", "KillChains": ["Delivery"]}
]
URL (4 items):
[
   {"Data": "http://panda.tech/tw.com/panda.rtf", "KillChains": ["Delivery"],
    "Malicious": {"Description": "High confidence", "Vendor": "CrowdStrike"}},
   {"Data": "http://suliparwarda.com/includes/panda.php?c=", "Actors": ["STATICKITTEN"], "KillChains": ["C2"],
    "MalwareFamilies": ["NTSTATS"], "Reports": ["CSIR-18002"],
    "Malicious": {"Description": "High confidence", "Vendor": "CrowdStrike"}},
   {"Data": "http://azmwn.suliparwarda.com/wp-content/plugins/wpdatatables/panda.php?c=", "Actors": ["STATICKITTEN"],
    "KillChains": ["C2"], "MalwareFamilies": ["NTSTATS"], "Reports": ["CSIR-18002"],
    "Malicious": {"Description": "High confidence", "Vendor": "CrowdStrike"}},
   {"Data": "http://panda.tech-tw.com/panda.rtf", "KillChains": ["Delivery"],
    "Malicious": {"Description": "High confidence", "Vendor": "CrowdStrike"}}
]
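As an added example (not the integration's own code), the following Python shows how the instance Threshold turns a Falcon Intel malicious confidence into the DBotScore values seen in the examples above, and how one cs-indicators result is shaped into the File/URL/Domain/IP context listed in the table. The record keys (indicator, malicious_confidence, reports, actors, malware_families, kill_chains), the scoring rule for confidences below the threshold and for missing records, and the sample records are assumptions modelled on this page's examples.

```python
import re

# DBotScore values in Demisto: 0 = unknown, 1 = good, 2 = suspicious, 3 = bad.
RANK = {"low": 1, "medium": 2, "high": 3}   # the confidence levels named by the Threshold parameter

def dbot_score(confidence, threshold="high"):
    """Map a Falcon Intel malicious confidence to a DBotScore under the instance Threshold.
    Assumed rule (the page states only the threshold semantics): no record -> 1 (good),
    at or above Threshold -> 3 (bad), known but below it -> 2 (suspicious), else 0 (unknown)."""
    if confidence is None:
        return 1
    rank = RANK.get(str(confidence).lower())
    if rank is None:
        return 0
    return 3 if rank >= RANK[threshold.lower()] else 2

def indicator_kind(value):
    """Classify a raw indicator the way the file/url/domain/ip commands do and name the
    context field that carries it (File.MD5/SHA1/SHA256, URL.Data, IP.Address, Domain.Name)."""
    for length, name in ((32, "MD5"), (40, "SHA1"), (64, "SHA256")):
        if re.fullmatch(r"[0-9a-fA-F]{%d}" % length, value):
            return "hash", name
    if re.match(r"[a-zA-Z][a-zA-Z0-9+.-]*://", value):
        return "url", "Data"
    if re.fullmatch(r"(?:\d{1,3}\.){3}\d{1,3}", value):
        return "ip", "Address"
    return "domain", "Name"

CONTEXT_KEY = {"hash": "File", "url": "URL", "ip": "IP", "domain": "Domain"}
# Assumed record keys for the enrichment lists -> the context field names used on this page.
ENRICH = {"reports": "Reports", "actors": "Actors",
          "malware_families": "MalwareFamilies", "kill_chains": "KillChains"}

def build_context(record, threshold="high"):
    """Turn one indicator record into the DBotScore plus File/URL/Domain/IP context entry.
    A Malicious block is attached only when the score is 3, matching the examples above."""
    value = record["indicator"]
    kind, field = indicator_kind(value)
    confidence = record.get("malicious_confidence")
    score = dbot_score(confidence, threshold)
    ctx = {"DBotScore": {"Indicator": value, "Type": kind, "Vendor": "CrowdStrike", "Score": score}}
    if confidence is None:
        return ctx           # no record: score only, as in the 4.4.4.4 example
    entry = {field: value}
    if score == 3:
        entry["Malicious"] = {"Vendor": "CrowdStrike",
                              "Description": "%s confidence" % str(confidence).capitalize()}
    for src, dst in ENRICH.items():
        if record.get(src):
            entry[dst] = list(record[src])
    ctx[CONTEXT_KEY[kind]] = entry
    return ctx

# Constructed sample records modelled on the cs-indicators and ip examples on this page.
SAMPLE_RECORDS = [
    {"indicator": "pandadefender.com", "malicious_confidence": "high", "actors": ["FANCYBEAR"],
     "kill_chains": ["C2"], "malware_families": ["X-Agent"], "reports": ["CSIR-17010"]},
    {"indicator": "panda.tech-tw.com", "malicious_confidence": "medium", "kill_chains": ["Delivery"]},
    {"indicator": "4.4.4.4", "malicious_confidence": None},
]
```

Lowering the Threshold to medium promotes the second sample record to score 3 and attaches a "Medium confidence" Malicious block, which is the trade-off the parameter controls.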

7. Search summary and ID of Intelligence Reports

Searches for summary and ID of Intelligence Reports.

Base Command

cs-reports

Input
Argument Name Description
q Performs a generic substring search across all fields in a report.
name Search for keywords across report names (for example, the report’s title).
actor Search for a report related to a specified actor. For a list of actors, refer to the Intel Actors API.
targetCountries Search reports by targeted country or countries.
targetIndustries Search reports by targeted industry or industries.
motivations Search reports by motivation.
slug Search reports by report 'slug' or short descriptive name.
description Search the body of the report.
type The type of object to search for.
subType The sub-type of object to search for.
tags Tags associated with a report (managed internally by CrowdStrike).
minLastModifiedDate Search range starts at modified date. Dates are formatted as YYYY-MM-DD.
maxLastModifiedDate Search range ends at modified date. Dates are formatted as YYYY-MM-DD.
offset Used to number the responses. You can then use limit to set the number of results for the next page.
limit Limits the number of results to return.
sort The field and direction to sort results on, in the format field_name.order or field_name.order,field_name.order, where order is either asc or desc. Valid values for the field are:
  • name
  • target_countries
  • target_industries
  • type
  • created_date
  • last_modified_date

Context Output

There is no context output.

Command Example

!cs-reports actor=panda limit=10

Raw Output

There is no raw output.

Context Example

There is no context example.


8. Get report in PDF format

Returns a full summary of a specified report in PDF format.

Base Command

cs-report-pdf

Input
Argument Name Description
id The ID of the report to return

Context Output

There is no context output for this command.

Command Example

!cs-report-pdf id=588

Raw Output

There is no raw output for this command.

Context Example

There is no context example for this command.