
CrowdStrike Falcon Intelligence

CrowdStrike Falcon Intelligence v1.0.0


About the connector

CrowdStrike Falcon Intelligence service helps organizations by delivering relevant, timely, and actionable threat intelligence to defend from bad actors.

This document provides information about the CrowdStrike Falcon Intelligence connector, which facilitates automated interactions with a CrowdStrike Falcon Intelligence server using FortiSOAR™ playbooks. Add the CrowdStrike Falcon Intelligence Connector as a step in FortiSOAR™ playbooks and perform automated operations with CrowdStrike Falcon Intelligence, such as retrieving the reputation of IP addresses, domains, URLs, etc., and retrieving CrowdStrike (CS) actors, reports, etc.

Version information

Connector Version: 1.0.0

Authored By: Community

Certified: No

Installing the connector

Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-crowdstrike-falcon-intelligence

Prerequisites to configuring the connector

  • You must have the URL of the CrowdStrike Falcon Intelligence server to which you will connect and perform automated operations and the client ID and client secret used to access the CrowdStrike Falcon Intelligence server.
  • The FortiSOAR™ server should have outbound connectivity to port 443 on the CrowdStrike Falcon Intelligence server.

Minimum Permissions Required

  • Not Applicable

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the CrowdStrike Falcon Intelligence connector card. On the connector popup, click the Configurations tab to enter the required configuration details:

Parameter | Description
Server URL | Specify the URL of the CrowdStrike Falcon Intelligence server to which you will connect and perform automated operations.
Client ID | Specify the Client ID used to access the CrowdStrike Falcon Intelligence APIs to which you will connect and perform automated operations.
Client Secret | Specify the Client Secret used to access the CrowdStrike Falcon Intelligence APIs to which you will connect and perform automated operations.
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not.

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations:

Function | Description | Annotation and Category
Get IP Reputation | Retrieves reputation information of the specified IP addresses from CrowdStrike Falcon Intelligence. | get_ip_reputation, Investigation
Get File Reputation | Retrieves reputation information of the specified file hashes from CrowdStrike Falcon Intelligence. | get_file_reputation, Investigation
Get Domain or URL Reputation | Retrieves reputation information of the specified domain or URL from CrowdStrike Falcon Intelligence. | get_domain_reputation, Investigation
Get CS Actors | Retrieves the list of all known actors or specific known actors from CrowdStrike Falcon Intelligence, based on the input parameters you have specified. | get_cs_actors, Investigation
Get CS Indicators | Retrieves the list of all known indicators or specific known indicators from CrowdStrike Falcon Intelligence, based on the input parameters you have specified. | get_cs_indicators, Investigation
Get CS Reports | Retrieves the list of all reports or specific reports from CrowdStrike Falcon Intelligence, based on the input parameters you have specified. | get_cs_reports, Investigation

operation: Get IP Reputation

Input parameters

Parameter | Description
IP Address | Specify the IP addresses whose reputation information you want to retrieve from CrowdStrike Falcon Intelligence.

Output

The output contains the following populated JSON schema:
{
  "errors": [
    {
      "code": "",
      "id": "",
      "message": ""
    }
  ],
  "meta": {
    "pagination": {
      "limit": "",
      "offset": "",
      "total": ""
    },
    "powered_by": "",
    "query_time": "",
    "trace_id": "",
    "writes": {
      "resources_affected": ""
    }
  },
  "resources": [
    {
      "_marker": "",
      "actors": [],
      "deleted": "",
      "domain_types": [],
      "id": "",
      "indicator": "",
      "ip_address_types": [],
      "kill_chains": [],
      "labels": [
        {
          "created_on": "",
          "last_valid_on": "",
          "name": ""
        }
      ],
      "last_updated": "",
      "malicious_confidence": "",
      "malware_families": [],
      "published_date": "",
      "relations": [
        {
          "created_date": "",
          "id": "",
          "indicator": "",
          "last_valid_date": "",
          "type": ""
        }
      ],
      "reports": [],
      "targets": [],
      "threat_types": [],
      "type": "",
      "vulnerabilities": []
    }
  ]
}

operation: Get File Reputation

Input parameters

Parameter | Description
File Hash | Specify the hash value (MD5/SHA1/SHA256) of the files whose reputation information you want to retrieve from CrowdStrike Falcon Intelligence.

Output

The output contains the following populated JSON schema:
{
  "errors": [
    {
      "code": "",
      "id": "",
      "message": ""
    }
  ],
  "meta": {
    "pagination": {
      "limit": "",
      "offset": "",
      "total": ""
    },
    "powered_by": "",
    "query_time": "",
    "trace_id": "",
    "writes": {
      "resources_affected": ""
    }
  },
  "resources": [
    {
      "_marker": "",
      "actors": [],
      "deleted": "",
      "domain_types": [],
      "id": "",
      "indicator": "",
      "ip_address_types": [],
      "kill_chains": [],
      "labels": [
        {
          "created_on": "",
          "last_valid_on": "",
          "name": ""
        }
      ],
      "last_updated": "",
      "malicious_confidence": "",
      "malware_families": [],
      "published_date": "",
      "relations": [
        {
          "created_date": "",
          "id": "",
          "indicator": "",
          "last_valid_date": "",
          "type": ""
        }
      ],
      "reports": [],
      "targets": [],
      "threat_types": [],
      "type": "",
      "vulnerabilities": []
    }
  ]
}

operation: Get Domain or URL Reputation

Input parameters

Parameter | Description
Domain/URL | Specify the domain name or URL address whose reputation information you want to retrieve from CrowdStrike Falcon Intelligence.

Output

The output contains the following populated JSON schema:
{
  "errors": [
    {
      "code": "",
      "id": "",
      "message": ""
    }
  ],
  "meta": {
    "pagination": {
      "limit": "",
      "offset": "",
      "total": ""
    },
    "powered_by": "",
    "query_time": "",
    "trace_id": "",
    "writes": {
      "resources_affected": ""
    }
  },
  "resources": [
    {
      "_marker": "",
      "actors": [],
      "deleted": "",
      "domain_types": [],
      "id": "",
      "indicator": "",
      "ip_address_types": [],
      "kill_chains": [],
      "labels": [
        {
          "created_on": "",
          "last_valid_on": "",
          "name": ""
        }
      ],
      "last_updated": "",
      "malicious_confidence": "",
      "malware_families": [],
      "published_date": "",
      "relations": [
        {
          "created_date": "",
          "id": "",
          "indicator": "",
          "last_valid_date": "",
          "type": ""
        }
      ],
      "reports": [],
      "targets": [],
      "threat_types": [],
      "type": "",
      "vulnerabilities": []
    }
  ]
}

operation: Get CS Actors

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of actors) is returned.

Parameter | Description
Filter Query | Specify the FQL query using which you want to filter CS Actors retrieved from CrowdStrike Falcon Intelligence. You can specify the following filter parameters: target_countries.slug, motivations.value, sub_type.id, sub_type.slug, tags.value, url, name.raw, short_description, sub_type, target_industries, actors.slug, name, target_countries.id, description, motivations, tags.slug, target_industries.id, actors, actors.url, created_date, sub_type.name, type, motivations.slug, target_countries, type.slug, target_industries.slug, target_industries.value, actors.id, id, last_modified_date, target_countries.value, type.id, type.name, actors.name, motivations.id, tags, slug, or tags.id. For more information about FQL, see https://falcon.crowdstrike.com/support/documentation/45/falcon-query-language-fql
Generic Search | Specify the search keywords using which you want to perform a generic substring search across all fields in CrowdStrike Falcon Intelligence and based on which you want to retrieve CS Actors from CrowdStrike Falcon Intelligence.
Response Fields | Specify a comma-separated list of fields that you want to include in the response.
Sort | Specify the fields based on which you want to sort the results retrieved from CrowdStrike Falcon Intelligence, in ascending or descending order. For example, if you specify created_date|asc, the results are sorted in ascending order by the created_date field.
Limit | The maximum number of results that this operation should return. You must specify a value between 1 and 5000.
Offset | The offset value retrieves a subset of records that starts from the offset value. The offset works with the 'Limit' parameter, which determines how many records to retrieve starting from the offset. By default, this is set to 0.

Output

The output contains the following populated JSON schema:
{
  "errors": [
    {
      "code": "",
      "id": "",
      "message": ""
    }
  ],
  "meta": {
    "pagination": {
      "limit": "",
      "offset": "",
      "total": ""
    },
    "powered_by": "",
    "query_time": "",
    "trace_id": "",
    "writes": {
      "resources_affected": ""
    }
  },
  "resources": [
    {
      "active": "",
      "actor_type": "",
      "capability": {
        "id": "",
        "name": "",
        "slug": "",
        "value": ""
      },
      "created_date": "",
      "description": "",
      "ecrime_kill_chain": {
        "attribution": "",
        "crimes": "",
        "customers": "",
        "marketing": "",
        "monetization": "",
        "rich_text_attribution": "",
        "rich_text_crimes": "",
        "rich_text_customers": "",
        "rich_text_marketing": "",
        "rich_text_monetization": "",
        "rich_text_services_offered": "",
        "rich_text_services_used": "",
        "rich_text_technical_tradecraft": "",
        "rich_text_victims": "",
        "services_offered": "",
        "services_used": "",
        "technical_tradecraft": "",
        "victims": ""
      },
      "entitlements": [
        {
          "id": "",
          "name": "",
          "slug": "",
          "value": ""
        }
      ],
      "first_activity_date": "",
      "group": {
        "id": "",
        "name": "",
        "slug": "",
        "value": ""
      },
      "id": "",
      "image": {
        "height": "",
        "url": "",
        "width": ""
      },
      "kill_chain": {
        "actions_and_objectives": "",
        "command_and_control": "",
        "delivery": "",
        "exploitation": "",
        "installation": "",
        "objectives": "",
        "reconnaissance": "",
        "rich_text_actions_and_objectives": "",
        "rich_text_command_and_control": "",
        "rich_text_delivery": "",
        "rich_text_exploitation": "",
        "rich_text_installation": "",
        "rich_text_objectives": "",
        "rich_text_reconnaissance": "",
        "rich_text_weaponization": "",
        "weaponization": ""
      },
      "known_as": "",
      "last_activity_date": "",
      "last_modified_date": "",
      "motivations": [
        {
          "id": "",
          "name": "",
          "slug": "",
          "value": ""
        }
      ],
      "name": "",
      "notify_users": "",
      "origins": [
        {
          "id": "",
          "name": "",
          "slug": "",
          "value": ""
        }
      ],
      "region": {
        "id": "",
        "name": "",
        "slug": "",
        "value": ""
      },
      "rich_text_description": "",
      "short_description": "",
      "slug": "",
      "target_countries": [
        {
          "id": "",
          "name": "",
          "slug": "",
          "value": ""
        }
      ],
      "target_industries": [
        {
          "id": "",
          "name": "",
          "slug": "",
          "value": ""
        }
      ],
      "thumbnail": {
        "height": "",
        "url": "",
        "width": ""
      },
      "url": ""
    }
  ]
}

operation: Get CS Indicators

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of indicators) is returned.

Parameter | Description
Filter Query | Specify the FQL query using which you want to filter CS Indicators retrieved from CrowdStrike Falcon Intelligence. You can specify the following filter parameters: _marker, indicator, type, published_date, kill_chains, labels, created_on, labels.last_valid_on, targets, deleted, malicious_confidence, ip_address_types, last_updated, malware_families, vulnerabilities, labels.name, threat_types, id, reports, actors, or domain_types. For more information about FQL, see https://falcon.crowdstrike.com/support/documentation/45/falcon-query-language-fql
Generic Search | Specify the search keywords using which you want to perform a generic substring search across all fields in CrowdStrike Falcon Intelligence and based on which you want to retrieve CS Indicators from CrowdStrike Falcon Intelligence.
Sort | Specify the fields based on which you want to sort the results retrieved from CrowdStrike Falcon Intelligence, in ascending or descending order. For example, if you specify created_date|asc, the results are sorted in ascending order by the created_date field.
Limit | The maximum number of results that this operation should return. You must specify a value between 1 and 5000.
Offset | The offset value retrieves a subset of records that starts from the offset value. The offset works with the 'Limit' parameter, which determines how many records to retrieve starting from the offset. By default, this is set to 0.
Include Deleted | Select this option to include both published and deleted indicators in the response.

Output

The output contains the following populated JSON schema:
{
  "errors": [
    {
      "code": "",
      "id": "",
      "message": ""
    }
  ],
  "meta": {
    "pagination": {
      "limit": "",
      "offset": "",
      "total": ""
    },
    "powered_by": "",
    "query_time": "",
    "trace_id": "",
    "writes": {
      "resources_affected": ""
    }
  },
  "resources": [
    {
      "_marker": "",
      "actors": [],
      "deleted": "",
      "domain_types": [],
      "id": "",
      "indicator": "",
      "ip_address_types": [],
      "kill_chains": [],
      "labels": [
        {
          "created_on": "",
          "last_valid_on": "",
          "name": ""
        }
      ],
      "last_updated": "",
      "malicious_confidence": "",
      "malware_families": [],
      "published_date": "",
      "relations": [
        {
          "created_date": "",
          "id": "",
          "indicator": "",
          "last_valid_date": "",
          "type": ""
        }
      ],
      "reports": [],
      "targets": [],
      "threat_types": [],
      "type": "",
      "vulnerabilities": []
    }
  ]
}

operation: Get CS Reports

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of reports) is returned.

Parameter | Description
Filter Query | Specify the FQL query using which you want to filter CS Reports retrieved from CrowdStrike Falcon Intelligence. You can specify the following filter parameters: target_countries.value, type.id, type.name, actors.name, motivations.id, tags, slug, tags.id, target_countries.slug, motivations.value, sub_type.id, sub_type.slug, tags.value, url, name.raw, short_description, sub_type, target_industries, actors.slug, name, target_countries.id, description, motivations, tags.slug, target_industries.id, actors, actors.url, created_date, sub_type.name, type, motivations.slug, target_countries, type.slug, target_industries.slug, target_industries.value, actors.id, id, or last_modified_date. For more information about FQL, see https://falcon.crowdstrike.com/support/documentation/45/falcon-query-language-fql
Generic Search | Specify the search keywords using which you want to perform a generic substring search across all fields in CrowdStrike Falcon Intelligence and based on which you want to retrieve CS Reports from CrowdStrike Falcon Intelligence.
Response Fields | Specify a comma-separated list of fields that you want to include in the response.
Sort | Specify the fields based on which you want to sort the results retrieved from CrowdStrike Falcon Intelligence, in ascending or descending order. For example, if you specify created_date|asc, the results are sorted in ascending order by the created_date field.
Limit | The maximum number of results that this operation should return. You must specify a value between 1 and 5000.
Offset | The offset value retrieves a subset of records that starts from the offset value. The offset works with the 'Limit' parameter, which determines how many records to retrieve starting from the offset. By default, this is set to 0.

Output

The output contains the following populated JSON schema:
{
  "errors": [
    {
      "code": "",
      "id": "",
      "message": ""
    }
  ],
  "meta": {
    "pagination": {
      "limit": "",
      "offset": "",
      "total": ""
    },
    "powered_by": "",
    "query_time": "",
    "trace_id": "",
    "writes": {
      "resources_affected": ""
    }
  },
  "resources": [
    {
      "active": "",
      "actors": [
        {
          "id": "",
          "name": "",
          "slug": "",
          "thumbnail": {
            "height": "",
            "url": "",
            "width": ""
          },
          "url": ""
        }
      ],
      "attachments": [
        {
          "id": "",
          "url": ""
        }
      ],
      "created_date": "",
      "description": "",
      "entitlements": [
        {
          "id": "",
          "name": "",
          "slug": "",
          "value": ""
        }
      ],
      "id": "",
      "image": {
        "height": "",
        "url": "",
        "width": ""
      },
      "last_modified_date": "",
      "motivations": [
        {
          "id": "",
          "name": "",
          "slug": "",
          "value": ""
        }
      ],
      "name": "",
      "notify_users": "",
      "rich_text_description": "",
      "short_description": "",
      "slug": "",
      "sub_type": {
        "id": "",
        "name": "",
        "slug": "",
        "value": ""
      },
      "tags": [
        {
          "id": "",
          "name": "",
          "slug": "",
          "value": ""
        }
      ],
      "target_countries": [
        {
          "id": "",
          "name": "",
          "slug": "",
          "value": ""
        }
      ],
      "target_industries": [
        {
          "id": "",
          "name": "",
          "slug": "",
          "value": ""
        }
      ],
      "thumbnail": {
        "height": "",
        "url": "",
        "width": ""
      },
      "topic": {
        "id": "",
        "name": "",
        "slug": "",
        "value": ""
      },
      "type": {
        "id": "",
        "name": "",
        "slug": "",
        "value": ""
      },
      "url": ""
    }
  ]
}
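The Get CS Actors, Get CS Indicators and Get CS Reports operations share the same Filter Query, Sort, Limit and Offset inputs and the same errors / meta.pagination / resources output envelope. The following added example (not the connector's own code) validates those inputs as the page constrains them, pages through results using meta.pagination, and triages indicator resources in the documented schema by malicious_confidence. The wire parameter names (filter, q, fields, sort, limit, offset, include_deleted), the confidence values, the sample data and the fetch stub are assumptions.

```python
"""Added example, not the connector's own code: validate list-operation inputs,
page through results via meta.pagination, and triage indicator resources."""
import re
from typing import Callable, Dict, Iterator, List, Optional

MAX_LIMIT = 5000  # the page states Limit must be between 1 and 5000
SORT_RE = re.compile(r"^[A-Za-z0-9_.]+\|(asc|desc)$")  # e.g. created_date|asc
# Assumed ordering of malicious_confidence values; the page lists the field only.
CONFIDENCE_ORDER = {"unverified": 0, "low": 1, "medium": 2, "high": 3}


def build_query_params(filter_query: Optional[str] = None,
                       generic_search: Optional[str] = None,
                       fields: Optional[List[str]] = None,
                       sort: Optional[str] = None,
                       limit: int = 100, offset: int = 0,
                       include_deleted: bool = False) -> Dict[str, object]:
    """Build request parameters for Get CS Actors/Indicators/Reports.
    Wire names are assumed; the value checks come straight from the page."""
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError(f"limit must be between 1 and {MAX_LIMIT}")
    if offset < 0:
        raise ValueError("offset must be 0 or greater")
    if sort is not None and not SORT_RE.match(sort):
        raise ValueError("sort must look like '<field>|asc' or '<field>|desc'")
    params: Dict[str, object] = {"limit": limit, "offset": offset}
    if filter_query:
        params["filter"] = filter_query
    if generic_search:
        params["q"] = generic_search
    if fields:
        params["fields"] = ",".join(fields)
    if sort:
        params["sort"] = sort
    if include_deleted:
        params["include_deleted"] = True
    return params


def iter_resources(fetch: Callable[[Dict[str, object]], Dict],
                   params: Dict[str, object]) -> Iterator[Dict]:
    """Yield every resource across pages. fetch(params) must return a response
    in the documented schema (errors / meta.pagination / resources)."""
    offset = int(params["offset"])
    while True:
        page = fetch({**params, "offset": offset})
        errors = page.get("errors") or []
        if errors:  # surface API errors rather than returning partial data
            raise RuntimeError("; ".join(
                f"{e.get('code')}: {e.get('message')}" for e in errors))
        resources = page.get("resources") or []
        yield from resources
        total = int(page.get("meta", {}).get("pagination", {}).get("total") or 0)
        offset += len(resources)
        if not resources or offset >= total:
            return


def triage_indicators(resources: List[Dict],
                      min_confidence: str = "medium") -> List[Dict]:
    """Drop deleted indicators and those below the confidence threshold,
    keeping the fields an analyst acts on."""
    threshold = CONFIDENCE_ORDER[min_confidence]
    kept = []
    for r in resources:
        if r.get("deleted"):
            continue
        conf = str(r.get("malicious_confidence", "unverified")).lower()
        if CONFIDENCE_ORDER.get(conf, 0) < threshold:
            continue
        kept.append({"indicator": r.get("indicator"), "type": r.get("type"),
                     "confidence": conf,
                     "labels": [lbl.get("name") for lbl in r.get("labels", [])],
                     "malware_families": list(r.get("malware_families", []))})
    return kept


def _indicator(ind, typ, conf, deleted=False, families=()):
    """Constructed resource in the documented Get CS Indicators shape."""
    return {"_marker": "m", "actors": [], "deleted": deleted, "domain_types": [],
            "id": f"{typ}_{ind}", "indicator": ind, "ip_address_types": [],
            "kill_chains": [], "labels": [{"created_on": 0, "last_valid_on": 0,
            "name": f"MaliciousConfidence/{conf.title()}"}], "last_updated": 0,
            "malicious_confidence": conf, "malware_families": list(families),
            "published_date": 0, "relations": [], "reports": [], "targets": [],
            "threat_types": [], "type": typ, "vulnerabilities": []}


# Constructed sample data (not real CrowdStrike data): three indicators, of which
# one is deleted, served two per page so that paging is exercised.
SAMPLE_RESOURCES = [
    _indicator("198.51.100.23", "ip_address", "high", families=["ExampleRAT"]),
    _indicator("bad.example.test", "domain", "high", deleted=True),
    _indicator("0123456789abcdef0123456789abcdef", "hash_md5", "medium"),
]


def sample_fetch(params: Dict[str, object]) -> Dict:
    """Stand-in for the connector's HTTP call: slices the constructed data."""
    off, lim = int(params["offset"]), int(params["limit"])
    return {"errors": [],
            "meta": {"pagination": {"limit": lim, "offset": off,
                                    "total": len(SAMPLE_RESOURCES)},
                     "powered_by": "example", "query_time": 0.0,
                     "trace_id": "constructed", "writes": {"resources_affected": 0}},
            "resources": SAMPLE_RESOURCES[off:off + lim]}


def run_sample(min_confidence: str = "medium") -> List[Dict]:
    """Page through the sample with Limit=2 and keep actionable indicators."""
    params = build_query_params(sort="last_updated|desc", limit=2)
    return triage_indicators(list(iter_resources(sample_fetch, params)),
                             min_confidence)


if __name__ == "__main__":
    for row in run_sample():
        print(row)
```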

Included playbooks

The Sample - CrowdStrike Falcon Intelligence - 1.0.0 playbook collection comes bundled with the CrowdStrike Falcon Intelligence connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the CrowdStrike Falcon Intelligence connector.

  • Get CS Actors
  • Get CS Indicators
  • Get CS Reports
  • Get Domain or URL Reputation
  • Get File Reputation
  • Get IP Reputation

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.
