The CrowdStrike Falcon Intelligence service helps organizations by delivering relevant, timely, and actionable threat intelligence to defend against bad actors.
This document provides information about the CrowdStrike Falcon Intelligence connector, which facilitates automated interactions with a CrowdStrike Falcon Intelligence server using FortiSOAR™ playbooks. Add the CrowdStrike Falcon Intelligence Connector as a step in FortiSOAR™ playbooks and perform automated operations with CrowdStrike Falcon Intelligence, such as retrieving the reputation of IP addresses, domains, URLs, etc., and retrieving CrowdStrike (CS) actors, reports, etc.
Connector Version: 1.0.0
Authored By: Community
Certified: No
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-crowdstrike-falcon-intelligence
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the CrowdStrike Falcon Intelligence connector card. On the connector popup, click the Configurations tab to enter the required configuration details:
Parameter | Description |
---|---|
Server URL | Specify the URL of the CrowdStrike Falcon Intelligence server to which you will connect and perform automated operations. |
Client ID | Specify the Client ID used to access the CrowdStrike Falcon Intelligence APIs to which you will connect and perform automated operations. |
Client Secret | Specify the Client Secret used to access the CrowdStrike Falcon Intelligence APIs to which you will connect and perform automated operations. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. |
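As an added example (not the connector's own code), the block below shows how the four configuration parameters above would be turned into an OAuth2 client-credentials token request in Python. The `POST /oauth2/token` endpoint with `client_id` and `client_secret` form fields is CrowdStrike's documented token flow; the function names, the sample values, and the way Verify SSL is applied are assumptions made for this example.

```python
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request

# CrowdStrike's OAuth2 client-credentials endpoint (documented by CrowdStrike).
TOKEN_PATH = "/oauth2/token"


def normalise_server_url(server_url: str) -> str:
    """Accept 'api.crowdstrike.com' or 'https://api.crowdstrike.com/' and
    return 'https://host' with no path or trailing slash.  Plain http is
    refused because the Client Secret would cross the network in clear text."""
    url = server_url.strip()
    if "://" not in url:
        url = "https://" + url
    parsed = urllib.parse.urlparse(url)
    if parsed.scheme != "https":
        raise ValueError("Server URL must use https")
    if not parsed.netloc:
        raise ValueError("Server URL has no host name")
    return f"https://{parsed.netloc}"


def build_token_request(config: dict) -> dict:
    """Map the connector configuration (Server URL, Client ID, Client Secret,
    Verify SSL) onto the pieces of the token request.  The credentials go in
    the form body, never in the URL, so they stay out of access logs."""
    base = normalise_server_url(config["server_url"])
    body = urllib.parse.urlencode(
        {"client_id": config["client_id"], "client_secret": config["client_secret"]}
    ).encode()
    return {
        "url": base + TOKEN_PATH,
        "body": body,
        "headers": {
            "Accept": "application/json",
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "verify_ssl": bool(config.get("verify_ssl", True)),
    }


def ssl_context(verify_ssl: bool) -> ssl.SSLContext:
    """Verify SSL off means anyone on the network path can read the secret;
    only an explicit False relaxes certificate verification."""
    ctx = ssl.create_default_context()
    if not verify_ssl:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def parse_token_response(status: int, body: dict) -> str:
    """Return the bearer token, or raise with a message that is safe to show
    in a playbook log (it never echoes the Client Secret)."""
    if status in (401, 403):
        raise PermissionError("CrowdStrike rejected the Client ID / Client Secret")
    if status not in (200, 201):
        raise RuntimeError(f"token request failed with HTTP {status}")
    token = body.get("access_token")
    if not token:
        raise RuntimeError("token response carried no access_token")
    return token


def get_bearer_token(config: dict) -> str:
    """Perform the token request (needs network access to the Server URL)."""
    info = build_token_request(config)
    req = urllib.request.Request(info["url"], data=info["body"],
                                 headers=info["headers"], method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30,
                                    context=ssl_context(info["verify_ssl"])) as resp:
            return parse_token_response(resp.status, json.load(resp))
    except urllib.error.HTTPError as err:
        return parse_token_response(err.code, {})
```

The secret travels only in the POST body, and an unverified TLS context is built only when Verify SSL is explicitly off, so the default configuration keeps the Client Secret away from an on-path observer and out of URL logs.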
The following automated operations can be included in playbooks; you can also use the annotations to access these operations:
Function | Description | Annotation and Category |
---|---|---|
Get IP Reputation | Retrieves reputation information of the specified IP addresses from CrowdStrike Falcon Intelligence. | get_ip_reputation Investigation |
Get File Reputation | Retrieves reputation information of the specified file hashes from CrowdStrike Falcon Intelligence. | get_file_reputation Investigation |
Get Domain or URL Reputation | Retrieves reputation information of the specified domain or URL from CrowdStrike Falcon Intelligence. | get_domain_reputation Investigation |
Get CS Actors | Retrieves the list of all known actors or specific known actors from CrowdStrike Falcon Intelligence, based on the input parameters you have specified. | get_cs_actors Investigation |
Get CS Indicators | Retrieves the list of all known indicators or specific known indicators from CrowdStrike Falcon Intelligence, based on the input parameters you have specified. | get_cs_indicators Investigation |
Get CS Reports | Retrieves the list of all reports or specific reports from CrowdStrike Falcon Intelligence, based on the input parameters you have specified. | get_cs_reports Investigation |
Operation: Get IP Reputation
Parameter | Description |
---|---|
IP Address | Specify the IP addresses whose reputation information you want to retrieve from CrowdStrike Falcon Intelligence. |
The output contains the following populated JSON schema:
```json
{
  "errors": [
    {
      "code": "",
      "id": "",
      "message": ""
    }
  ],
  "meta": {
    "pagination": {
      "limit": "",
      "offset": "",
      "total": ""
    },
    "powered_by": "",
    "query_time": "",
    "trace_id": "",
    "writes": {
      "resources_affected": ""
    }
  },
  "resources": [
    {
      "_marker": "",
      "actors": [],
      "deleted": "",
      "domain_types": [],
      "id": "",
      "indicator": "",
      "ip_address_types": [],
      "kill_chains": [],
      "labels": [
        {
          "created_on": "",
          "last_valid_on": "",
          "name": ""
        }
      ],
      "last_updated": "",
      "malicious_confidence": "",
      "malware_families": [],
      "published_date": "",
      "relations": [
        {
          "created_date": "",
          "id": "",
          "indicator": "",
          "last_valid_date": "",
          "type": ""
        }
      ],
      "reports": [],
      "targets": [],
      "threat_types": [],
      "type": "",
      "vulnerabilities": []
    }
  ]
}
```
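The Get IP Reputation, Get File Reputation and Get Domain or URL Reputation operations all return the indicator schema shown above. As an added example (not the connector's or the sample playbooks' own code), the block below shows how a playbook step might consume that output: it checks the `errors` array, collapses `malicious_confidence` and `deleted` into a verdict, and treats an IOC that is missing from `resources` as "no intelligence" rather than as clean. The sample response is constructed (RFC 5737 documentation addresses, an invented actor and malware family); the confidence tiers `unverified`/`low`/`medium`/`high` are the values CrowdStrike uses in that field, and the verdict names are assumptions for this example.

```python
import json

# Constructed sample in the shape of the schema above: one high-confidence
# indicator and one that CrowdStrike has retired.  Nothing here is real intelligence.
SAMPLE_RESPONSE = json.loads("""
{
  "errors": [],
  "meta": {"pagination": {"limit": 100, "offset": 0, "total": 2},
           "powered_by": "example", "query_time": 0.01, "trace_id": "constructed-trace"},
  "resources": [
    {"id": "ip_address_192.0.2.10", "indicator": "192.0.2.10", "type": "ip_address",
     "malicious_confidence": "high", "deleted": false,
     "labels": [{"name": "ThreatType/Criminal", "created_on": 1, "last_valid_on": 2}],
     "actors": ["EXAMPLEACTOR"], "malware_families": ["ExampleFamily"],
     "kill_chains": ["c2"], "reports": [], "targets": [], "threat_types": []},
    {"id": "ip_address_192.0.2.20", "indicator": "192.0.2.20", "type": "ip_address",
     "malicious_confidence": "low", "deleted": true, "labels": [], "actors": [],
     "malware_families": [], "kill_chains": [], "reports": [], "targets": [], "threat_types": []}
  ]
}
""")

# Tiers CrowdStrike uses in malicious_confidence, ranked for comparison.
CONFIDENCE_RANK = {"unverified": 0, "low": 1, "medium": 2, "high": 3}
# Verdict names are this example's own, ordered from least to most severe.
SEVERITY_ORDER = ["no_intel", "unverified", "retired", "suspicious", "malicious"]


def check_errors(response: dict) -> None:
    """The errors array is populated on failure; surface it instead of
    silently treating an empty resources list as 'nothing known'."""
    errors = response.get("errors") or []
    if errors:
        raise RuntimeError("; ".join(f"{e.get('code')}: {e.get('message')}" for e in errors))


def verdict(resource: dict) -> str:
    """Collapse malicious_confidence and deleted into a playbook-friendly verdict."""
    if resource.get("deleted"):
        return "retired"
    rank = CONFIDENCE_RANK.get(str(resource.get("malicious_confidence", "")).lower(), 0)
    if rank >= CONFIDENCE_RANK["medium"]:
        return "malicious"
    if rank == CONFIDENCE_RANK["low"]:
        return "suspicious"
    return "unverified"


def summarise(resource: dict) -> dict:
    """Keep only the fields an analyst needs to act on the enrichment."""
    return {
        "indicator": resource.get("indicator"),
        "type": resource.get("type"),
        "verdict": verdict(resource),
        "confidence": resource.get("malicious_confidence"),
        "labels": [label.get("name") for label in resource.get("labels") or []],
        "actors": list(resource.get("actors") or []),
        "malware_families": list(resource.get("malware_families") or []),
        "kill_chains": list(resource.get("kill_chains") or []),
    }


def triage(response: dict, requested: list) -> dict:
    """Map each requested IOC to a summary.  An IOC absent from resources gets
    'no_intel', which is not the same as clean."""
    check_errors(response)
    known = {r.get("indicator"): summarise(r) for r in response.get("resources") or []}
    return {ioc: known.get(ioc, {"indicator": ioc, "verdict": "no_intel"}) for ioc in requested}


def most_severe(results: dict) -> str:
    """Overall verdict for a batch, e.g. to decide whether to escalate an alert."""
    return max((r["verdict"] for r in results.values()),
               key=SEVERITY_ORDER.index, default="no_intel")
```

Because the three reputation operations share one schema, the same `triage` function works on the output of Get File Reputation (hash IOCs) and Get Domain or URL Reputation; only the `requested` list changes.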
Operation: Get File Reputation
Parameter | Description |
---|---|
File Hash | Specify the hash value (MD5/SHA1/SHA256) of the files whose reputation information you want to retrieve from CrowdStrike Falcon Intelligence. |
The output contains the following populated JSON schema:
```json
{
  "errors": [
    {
      "code": "",
      "id": "",
      "message": ""
    }
  ],
  "meta": {
    "pagination": {
      "limit": "",
      "offset": "",
      "total": ""
    },
    "powered_by": "",
    "query_time": "",
    "trace_id": "",
    "writes": {
      "resources_affected": ""
    }
  },
  "resources": [
    {
      "_marker": "",
      "actors": [],
      "deleted": "",
      "domain_types": [],
      "id": "",
      "indicator": "",
      "ip_address_types": [],
      "kill_chains": [],
      "labels": [
        {
          "created_on": "",
          "last_valid_on": "",
          "name": ""
        }
      ],
      "last_updated": "",
      "malicious_confidence": "",
      "malware_families": [],
      "published_date": "",
      "relations": [
        {
          "created_date": "",
          "id": "",
          "indicator": "",
          "last_valid_date": "",
          "type": ""
        }
      ],
      "reports": [],
      "targets": [],
      "threat_types": [],
      "type": "",
      "vulnerabilities": []
    }
  ]
}
```
Operation: Get Domain or URL Reputation
Parameter | Description |
---|---|
Domain/URL | Specify the domain name or URL address whose reputation information you want to retrieve from CrowdStrike Falcon Intelligence. |
The output contains the following populated JSON schema:
```json
{
  "errors": [
    {
      "code": "",
      "id": "",
      "message": ""
    }
  ],
  "meta": {
    "pagination": {
      "limit": "",
      "offset": "",
      "total": ""
    },
    "powered_by": "",
    "query_time": "",
    "trace_id": "",
    "writes": {
      "resources_affected": ""
    }
  },
  "resources": [
    {
      "_marker": "",
      "actors": [],
      "deleted": "",
      "domain_types": [],
      "id": "",
      "indicator": "",
      "ip_address_types": [],
      "kill_chains": [],
      "labels": [
        {
          "created_on": "",
          "last_valid_on": "",
          "name": ""
        }
      ],
      "last_updated": "",
      "malicious_confidence": "",
      "malware_families": [],
      "published_date": "",
      "relations": [
        {
          "created_date": "",
          "id": "",
          "indicator": "",
          "last_valid_date": "",
          "type": ""
        }
      ],
      "reports": [],
      "targets": [],
      "threat_types": [],
      "type": "",
      "vulnerabilities": []
    }
  ]
}
```
Operation: Get CS Actors
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of actors) is returned.
Parameter | Description |
---|---|
Filter Query | Specify the FQL query using which you want to filter CS Actors retrieved from CrowdStrike Falcon Intelligence. You can specify the following filter parameters: target_countries.slug, motivations.value, sub_type.id, sub_type.slug, tags.value, url, name.raw, short_description, sub_type, target_industries, actors.slug, name, target_countries.id, description, motivations, tags.slug, target_industries.id, actors, actors.url, created_date, sub_type.name, type, motivations.slug, target_countries, type.slug, target_industries.slug, target_industries.value, actors.id, id, last_modified_date, target_countries.value, type.id, type.name, actors.name, motivations.id, tags, slug, or tags.id. For more information about FQL, see https://falcon.crowdstrike.com/support/documentation/45/falcon-query-language-fql |
Generic Search | Specify the search keywords using which you want to perform a generic substring search across all fields in CrowdStrike Falcon Intelligence and based on which you want to retrieve CS Actors from CrowdStrike Falcon Intelligence. |
Response Fields | Specify a comma-separated list of fields that you want to include in the response. |
Sort | Specify the fields based on which you want to sort the results retrieved from CrowdStrike Falcon Intelligence, in ascending or descending order. For example, if you specify created_date|asc, the results are sorted in ascending order by the created_date field. |
Limit | The maximum number of results that this operation should return. You must specify a value between 1 and 5000. |
Offset | Specify the position from which to start retrieving records. Offset works together with the 'Limit' parameter, which determines how many records are retrieved starting from the offset. By default, this is set to 0. |
Output
The output contains the following populated JSON schema:
```json
{
  "errors": [
    {
      "code": "",
      "id": "",
      "message": ""
    }
  ],
  "meta": {
    "pagination": {
      "limit": "",
      "offset": "",
      "total": ""
    },
    "powered_by": "",
    "query_time": "",
    "trace_id": "",
    "writes": {
      "resources_affected": ""
    }
  },
  "resources": [
    {
      "active": "",
      "actor_type": "",
      "capability": {
        "id": "",
        "name": "",
        "slug": "",
        "value": ""
      },
      "created_date": "",
      "description": "",
      "ecrime_kill_chain": {
        "attribution": "",
        "crimes": "",
        "customers": "",
        "marketing": "",
        "monetization": "",
        "rich_text_attribution": "",
        "rich_text_crimes": "",
        "rich_text_customers": "",
        "rich_text_marketing": "",
        "rich_text_monetization": "",
        "rich_text_services_offered": "",
        "rich_text_services_used": "",
        "rich_text_technical_tradecraft": "",
        "rich_text_victims": "",
        "services_offered": "",
        "services_used": "",
        "technical_tradecraft": "",
        "victims": ""
      },
      "entitlements": [
        {
          "id": "",
          "name": "",
          "slug": "",
          "value": ""
        }
      ],
      "first_activity_date": "",
      "group": {
        "id": "",
        "name": "",
        "slug": "",
        "value": ""
      },
      "id": "",
      "image": {
        "height": "",
        "url": "",
        "width": ""
      },
      "kill_chain": {
        "actions_and_objectives": "",
        "command_and_control": "",
        "delivery": "",
        "exploitation": "",
        "installation": "",
        "objectives": "",
        "reconnaissance": "",
        "rich_text_actions_and_objectives": "",
        "rich_text_command_and_control": "",
        "rich_text_delivery": "",
        "rich_text_exploitation": "",
        "rich_text_installation": "",
        "rich_text_objectives": "",
        "rich_text_reconnaissance": "",
        "rich_text_weaponization": "",
        "weaponization": ""
      },
      "known_as": "",
      "last_activity_date": "",
      "last_modified_date": "",
      "motivations": [
        {
          "id": "",
          "name": "",
          "slug": "",
          "value": ""
        }
      ],
      "name": "",
      "notify_users": "",
      "origins": [
        {
          "id": "",
          "name": "",
          "slug": "",
          "value": ""
        }
      ],
      "region": {
        "id": "",
        "name": "",
        "slug": "",
        "value": ""
      },
      "rich_text_description": "",
      "short_description": "",
      "slug": "",
      "target_countries": [
        {
          "id": "",
          "name": "",
          "slug": "",
          "value": ""
        }
      ],
      "target_industries": [
        {
          "id": "",
          "name": "",
          "slug": "",
          "value": ""
        }
      ],
      "thumbnail": {
        "height": "",
        "url": "",
        "width": ""
      },
      "url": ""
    }
  ]
}
```
Operation: Get CS Indicators
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of indicators) is returned.
Parameter | Description |
---|---|
Filter Query | Specify the FQL query using which you want to filter CS Indicators retrieved from CrowdStrike Falcon Intelligence. You can specify the following filter parameters: _marker, indicator, type, published_date, kill_chains, labels, created_on, labels.last_valid_on, targets, deleted, malicious_confidence, ip_address_types, last_updated, malware_families, vulnerabilities, labels.name, threat_types, id, reports, actors, or domain_types. For more information about FQL, see https://falcon.crowdstrike.com/support/documentation/45/falcon-query-language-fql |
Generic Search | Specify the search keywords using which you want to perform a generic substring search across all fields in CrowdStrike Falcon Intelligence and based on which you want to retrieve CS Indicators from CrowdStrike Falcon Intelligence. |
Sort | Specify the fields based on which you want to sort the results retrieved from CrowdStrike Falcon Intelligence, in ascending or descending order. For example, if you specify created_date|asc, the results are sorted in ascending order by the created_date field. |
Limit | The maximum number of results that this operation should return. You must specify a value between 1 and 5000. |
Offset | Specify the position from which to start retrieving records. Offset works together with the 'Limit' parameter, which determines how many records are retrieved starting from the offset. By default, this is set to 0. |
Include Deleted | Select this option to include both published and deleted indicators in the response. |
The output contains the following populated JSON schema:
```json
{
  "errors": [
    {
      "code": "",
      "id": "",
      "message": ""
    }
  ],
  "meta": {
    "pagination": {
      "limit": "",
      "offset": "",
      "total": ""
    },
    "powered_by": "",
    "query_time": "",
    "trace_id": "",
    "writes": {
      "resources_affected": ""
    }
  },
  "resources": [
    {
      "_marker": "",
      "actors": [],
      "deleted": "",
      "domain_types": [],
      "id": "",
      "indicator": "",
      "ip_address_types": [],
      "kill_chains": [],
      "labels": [
        {
          "created_on": "",
          "last_valid_on": "",
          "name": ""
        }
      ],
      "last_updated": "",
      "malicious_confidence": "",
      "malware_families": [],
      "published_date": "",
      "relations": [
        {
          "created_date": "",
          "id": "",
          "indicator": "",
          "last_valid_date": "",
          "type": ""
        }
      ],
      "reports": [],
      "targets": [],
      "threat_types": [],
      "type": "",
      "vulnerabilities": []
    }
  ]
}
```
Operation: Get CS Reports
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of reports) is returned.
Parameter | Description |
---|---|
Filter Query | Specify the FQL query using which you want to filter CS Reports retrieved from CrowdStrike Falcon Intelligence. You can specify the following filter parameters: target_countries.value, type.id, type.name, actors.name, motivations.id, tags, slug, tags.id, target_countries.slug, motivations.value, sub_type.id, sub_type.slug, tags.value, url, name.raw, short_description, sub_type, target_industries, actors.slug, name, target_countries.id, description, motivations, tags.slug, target_industries.id, actors, actors.url, created_date, sub_type.name, type, motivations.slug, target_countries, type.slug, target_industries.slug, target_industries.value, actors.id, id, or last_modified_date. For more information about FQL, see https://falcon.crowdstrike.com/support/documentation/45/falcon-query-language-fql |
Generic Search | Specify the search keywords using which you want to perform a generic substring search across all fields in CrowdStrike Falcon Intelligence and based on which you want to retrieve CS Reports from CrowdStrike Falcon Intelligence. |
Response Fields | Specify a comma-separated list of fields that you want to include in the response. |
Sort | Specify the fields based on which you want to sort the results retrieved from CrowdStrike Falcon Intelligence, in ascending or descending order. For example, if you specify created_date|asc, the results are sorted in ascending order by the created_date field. |
Limit | The maximum number of results that this operation should return. You must specify a value between 1 and 5000. |
Offset | Specify the position from which to start retrieving records. Offset works together with the 'Limit' parameter, which determines how many records are retrieved starting from the offset. By default, this is set to 0. |
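The Get CS Actors, Get CS Indicators and Get CS Reports operations share the same Filter Query, Generic Search, Response Fields, Sort, Limit and Offset inputs. As an added example (not the connector's own code), the block below shows how those inputs can be validated and mapped onto the query string, how an FQL filter can be assembled from playbook input using the documented field names as an allowlist, and how the limit/offset pair walks a full result set using `meta.pagination.total`. The query-parameter names `filter`, `q`, `fields`, `sort`, `limit`, `offset` and `include_deleted`, and the `field:'value'` / `+` FQL syntax, are the ones CrowdStrike documents; the in-memory `fake_actor_fetch` stand-in, its constructed records and the function names are assumptions for this example.

```python
import re
from typing import Callable

# Filter fields the Get CS Actors table lists; used as an allowlist so only
# documented field names are interpolated into an FQL expression.
ACTOR_FILTER_FIELDS = {
    "target_countries.slug", "motivations.value", "sub_type.id", "sub_type.slug",
    "tags.value", "url", "name.raw", "short_description", "sub_type",
    "target_industries", "actors.slug", "name", "target_countries.id",
    "description", "motivations", "tags.slug", "target_industries.id", "actors",
    "actors.url", "created_date", "sub_type.name", "type", "motivations.slug",
    "target_countries", "type.slug", "target_industries.slug",
    "target_industries.value", "actors.id", "id", "last_modified_date",
    "target_countries.value", "type.id", "type.name", "actors.name",
    "motivations.id", "tags", "slug", "tags.id",
}
# Sort takes the form field|asc or field|desc, as in the table above.
SORT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_.]*\|(asc|desc)$")


def fql_and(conditions: dict, allowed: set = ACTOR_FILTER_FIELDS) -> str:
    """Join field:'value' terms with '+' (FQL's AND).  Unknown fields and values
    containing a quote are rejected rather than escaped, so untrusted playbook
    input cannot reshape the query."""
    terms = []
    for field, value in conditions.items():
        if field not in allowed:
            raise ValueError(f"unsupported filter field: {field}")
        value = str(value)
        if "'" in value:
            raise ValueError("filter values may not contain a single quote")
        terms.append(f"{field}:'{value}'")
    return "+".join(terms)


def build_query(filter_query=None, generic_search=None, response_fields=None,
                sort=None, limit=None, offset=0, include_deleted=None) -> dict:
    """Validate the connector's input parameters and map them onto the query
    parameters (filter, q, fields, sort, limit, offset, include_deleted)."""
    params = {}
    if filter_query:
        params["filter"] = filter_query
    if generic_search:
        params["q"] = generic_search
    if response_fields:
        params["fields"] = ",".join(f.strip() for f in response_fields.split(",") if f.strip())
    if sort:
        if not SORT_RE.match(sort):
            raise ValueError("sort must look like created_date|asc or created_date|desc")
        params["sort"] = sort
    if limit is not None:
        if not 1 <= int(limit) <= 5000:
            raise ValueError("limit must be between 1 and 5000")
        params["limit"] = int(limit)
    if int(offset) < 0:
        raise ValueError("offset must be 0 or greater")
    params["offset"] = int(offset)
    if include_deleted is not None:
        params["include_deleted"] = "true" if include_deleted else "false"
    return params


def paginate(fetch: Callable[[dict], dict], params: dict, max_pages: int = 1000) -> list:
    """Walk limit/offset pages until meta.pagination.total is reached.  The
    page cap keeps a misbehaving total from turning into an endless loop."""
    results = []
    offset = params.get("offset", 0)
    for _ in range(max_pages):
        page = fetch({**params, "offset": offset})
        if page.get("errors"):
            raise RuntimeError(f"API errors: {page['errors']}")
        resources = page.get("resources") or []
        results.extend(resources)
        offset += len(resources)
        if not resources or offset >= page["meta"]["pagination"]["total"]:
            return results
    raise RuntimeError("pagination did not terminate within max_pages")


# Constructed in-memory stand-in for the actors endpoint so the example runs offline.
SAMPLE_ACTORS = [{"id": n, "slug": f"example-actor-{n}", "active": n % 2 == 0}
                 for n in range(1, 8)]


def fake_actor_fetch(params: dict) -> dict:
    """Honours limit and offset the way the real endpoint's pagination does."""
    limit, offset = params.get("limit", 100), params["offset"]
    return {
        "errors": [],
        "meta": {"pagination": {"limit": limit, "offset": offset, "total": len(SAMPLE_ACTORS)},
                 "powered_by": "example", "query_time": 0.0, "trace_id": "constructed"},
        "resources": SAMPLE_ACTORS[offset:offset + limit],
    }
```

For the Indicators and Reports operations, pass the corresponding field list from their tables as `allowed` to `fql_and`; everything else, including `paginate`, is unchanged.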
The output contains the following populated JSON schema:
```json
{
  "errors": [
    {
      "code": "",
      "id": "",
      "message": ""
    }
  ],
  "meta": {
    "pagination": {
      "limit": "",
      "offset": "",
      "total": ""
    },
    "powered_by": "",
    "query_time": "",
    "trace_id": "",
    "writes": {
      "resources_affected": ""
    }
  },
  "resources": [
    {
      "active": "",
      "actors": [
        {
          "id": "",
          "name": "",
          "slug": "",
          "thumbnail": {
            "height": "",
            "url": "",
            "width": ""
          },
          "url": ""
        }
      ],
      "attachments": [
        {
          "id": "",
          "url": ""
        }
      ],
      "created_date": "",
      "description": "",
      "entitlements": [
        {
          "id": "",
          "name": "",
          "slug": "",
          "value": ""
        }
      ],
      "id": "",
      "image": {
        "height": "",
        "url": "",
        "width": ""
      },
      "last_modified_date": "",
      "motivations": [
        {
          "id": "",
          "name": "",
          "slug": "",
          "value": ""
        }
      ],
      "name": "",
      "notify_users": "",
      "rich_text_description": "",
      "short_description": "",
      "slug": "",
      "sub_type": {
        "id": "",
        "name": "",
        "slug": "",
        "value": ""
      },
      "tags": [
        {
          "id": "",
          "name": "",
          "slug": "",
          "value": ""
        }
      ],
      "target_countries": [
        {
          "id": "",
          "name": "",
          "slug": "",
          "value": ""
        }
      ],
      "target_industries": [
        {
          "id": "",
          "name": "",
          "slug": "",
          "value": ""
        }
      ],
      "thumbnail": {
        "height": "",
        "url": "",
        "width": ""
      },
      "topic": {
        "id": "",
        "name": "",
        "slug": "",
        "value": ""
      },
      "type": {
        "id": "",
        "name": "",
        "slug": "",
        "value": ""
      },
      "url": ""
    }
  ]
}
```
The Sample - CrowdStrike Falcon Intelligence - 1.0.0 playbook collection comes bundled with the CrowdStrike Falcon Intelligence connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the CrowdStrike Falcon Intelligence connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted when the connector is upgraded or deleted.