Integration Details

ThreatQuotient provides the following details for this integration:

Introduction

CrowdStrike is a cybersecurity technology firm pioneering cloud-delivered next-generation endpoint protection and services. The CrowdStrike Falcon platform stops breaches by preventing, detecting, and responding to all attack types, at every stage – even malware-free intrusions.

The CrowdStrike Falcon Intelligence integration includes the following feeds:

• CrowdStrike Actors
• CrowdStrike Indicators
• CrowdStrike MITRE
• CrowdStrike Reports
• CrowdStrike Signatures

The integration ingests the following system objects:

• Adversaries
• Attack Patterns
• Indicators
• Malware
• Reports
• Signatures
• Vulnerabilities

Prerequisites

The following is required for this integration:

• CrowdStrike Client ID
• CrowdStrike Secret
• CrowdStrike API Client permissions configured

CrowdStrike API Client Configuration

To use the CrowdStrike Falcon Intelligence Feeds, users are required to create a properly scoped API Client within CrowdStrike's Falcon platform. API Clients can be created and configured via the API Clients and Keys page under Support. An API Client must be created for these Feeds and given the following API Read Scopes by clicking the Add new API Client button:

• Actors (Falcon X)
• Indicators (Falcon X)
• Reports (Falcon X)
• Rules (Falcon x)
• Signatures (Falcon X)

It highly recommended to give the API Client an identifiable name in case of future editing.

Installation

Perform the following steps to install the integration:

The same steps can be used to upgrade the integration to a new version.

1. Log into https://marketplace.threatq.com/.
2. Locate and download the integration yaml file.
3. Navigate to the integrations management page on your ThreatQ instance.
4. Click on the Add New Integration button.
5. Upload the integration yaml file using one of the following methods:
   • Drag and drop the file into the dialog box
   • Select Click to Browse to locate the file on your local machine
6. Select the individual feeds to install, when prompted, and click on Install.

   ThreatQ will inform you if the feed already exists on the platform and will require user confirmation before proceeding. ThreatQ will also inform you if the new version of the feed contains changes to the user configuration. The new user configurations will overwrite the existing ones for the feed and will require user confirmation before proceeding.

7. The feed(s) will be added to the integrations page.   You will still need to configure and then enable the feed(s).

Configuration

ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.

To configure the integration:

1. Navigate to your integrations management page in ThreatQ.
2. Select the Commercial option from the Category dropdown (optional).

   If you are installing the integration for the first time, it will be located under the Disabled tab.

3. Click on the integration entry to open its details page.
4. Enter the following parameters under the Configuration tab:

   CrowdStrike Actors Parameters

   Parameter	Description
   API Host	Select the appropriate CrowdStrike host.  Options include: US-1: api.crowdstrike.com US-2: api.us-2.crowdstrike.com (Default) EU-1: api.eu-1.crowdstrike.com US-GOV-1: api.laggar.gcw.crowdstrike.com
   Client ID	Enter your CrowdStrike Client ID.
   Secret	Enter your CrowdStrike Secret key.
   Save CVE Data as	This is a required multi-select field and can be configured to have the Feed ingest CVE data as CVE Indicators, Vulnerabilities, or both.
   Enable SSL Certificate Verification	Enable or disable verification of the server's SSL certificate.
   Disable Proxies	Enable this option if the feed should not honor proxies set in the ThreatQ UI.

   
   

   CrowdStrike Indicators Parameters

   Parameter	Description
   API Host	Select the appropriate CrowdStrike host.  Options include: US-1: api.crowdstrike.com US-2: api.us-2.crowdstrike.com (Default) EU-1: api.eu-1.crowdstrike.com US-GOV-1: api.laggar.gcw.crowdstrike.com
   Client ID	Enter your CrowdStrike Client ID.
   Secret	Enter your CrowdStrike Secret key.
   Save CVE Data as	This is a required multi-select field and can be configured to have the Feed ingest CVE data as CVE Indicators, Vulnerabilities, or both.   The default setting is Vulnerabilities.
   *CrowdStrike Types	This optional parameter is a multi-select field that allows you to filter CrowdStrike's data based on indicator type.  You can request all objects by leaving the options unchecked.   The default setting is all indicator types.   Options include: Binary String CIDR Block Email Address Email Subject File Mapping Filename File Path FQDN Hash ION IP address MD5 Mutex Password Registry Key Service Name SHA-1 SHA-256 URL User-agent Username x509 Serial x509 Subject
   Ingested Relationships	Select which objects to relate to the indicators. CrowdStrike may report millions of relationships to polymorphic malware and relevant actors, which can cause a massive amount of relationships to be added to your ThreatQ instance. At that volume, the value of the relationship data is minimized, and it is why none are enabled by default. Use with caution.
   Link Malware to Adversaries	When enabled, the feed will create a relationship between malware and adversaries that are related to a given indicator. This will not create a relationship from the malware/adversary to the indicator. This will allow you to see which adversaries utilize a given malware.
   *Ingest Indirect Related Indicators	This checkbox controls the ingestion of related indirect indicators from CrowdStrike.  Unchecking this option will override any setting for CrowdStrike Indirect Related Indicators and all indirect indicators will be dropped. This option is disabled by default.
   *CrowdStrike Indirect Related Indicator Types	This optional parameter is a multi-select field that allows you to filter Indirect Related Indicators based on their type. The default setting is all indicator types. Options include: Binary String CIDR Block Email Address Email Subject File Mapping Filename File Path FQDN Hash ION IP address MD5 Mutex Password Registry Key Service Name SHA-1 SHA-256 URL User-agent Username x509 Serial x509 Subject
   *CrowdStrike Malicious Confidence Levels	This optional parameter is a multi-select field that allows you to filter CrowdStrike's data based on CrowdStrike's malicious confidence rating for IoCs. Options include: High (default) Medium Low Unverified
   *CrowdStrike Kill Chain Phases	This optional parameter is a multi-select field that allows you to filter CrowdStrike's data based on the kill chain phase associated with IoCs.  You can request all by leaving the options unchecked. Options include: Reconnaissance Weaponization Delivery Exploitation Installation Command and Control Action On Objectives The default setting is all kill chains.
   Enable SSL Certificate Verification	Enable or disable verification of the server's SSL certificate.
   Disable Proxies	Enable this option if the feed should not honor proxies set in the ThreatQ UI.
   * When using these filtering parameters with CrowdStrike Indicators, the specified filters will be joined together in the following manner: Individual options within a filtering parameter will be joined with OR statements Filtering parameters will be joined together with AND statements Thus, if you were to configure CrowdStrike to filter as the following: Filtering Parameters Value CrowdStrike Types email_address, ip_address CrowdStrike Malicious Confidence Level high CrowdStrike Kill Chain Phases c2 CrowdStrike would only return indicators that: are Email or IP Addresses are of High Malicious Confidence and are associated with the C2 Kill Chain Phase This filtering is ultimately sent to CrowdStrike as FQL formatted: +(type: 'Target/Aerospace', type: 'Target/Agricultural') +(malicious_confidence: 'high',) +(kill_chains: 'c2',) Due to the AND association between the filtering parameters, checking all the provided filter options will not result in CrowdStrike returning a full data set. In fact, a significantly smaller data set will be returned as CrowdStrike rarely supplies all filterable fields with each object. In order to pull a full, unfiltered data set from CrowdStrike, you must leave the filtering parameters unchecked.

   
   

   CrowdStrike MITRE Parameters

   Parameter	Description
   API Host	Select the appropriate CrowdStrike host.  Options include: US-1: api.crowdstrike.com US-2: api.us-2.crowdstrike.com (Default) EU-1: api.eu-1.crowdstrike.com US-GOV-1: api.laggar.gcw.crowdstrike.com
   Client ID	Enter your CrowdStrike Client ID.
   Secret	Enter your CrowdStrike Secret key.
   Actor ID	Enter the actor ID (derived from the actor name) for which to retrieve a list of attacks. Example: fancy-bear. Only one value is allowed.
   Enable SSL Certificate Verification	Enable or disable verification of the server's SSL certificate.
   Disable Proxies	Enable this option if the feed should not honor proxies set in the ThreatQ UI.

   
   

   CrowdStrike Reports Parameters

   Parameter	Description
   API Host	Select the appropriate CrowdStrike host.  Options include: US-1: api.crowdstrike.com US-2: api.us-2.crowdstrike.com (Default) EU-1: api.eu-1.crowdstrike.com US-GOV-1: api.laggar.gcw.crowdstrike.com
   Client ID	Enter your CrowdStrike Client ID.
   Secret	Enter your CrowdStrike Secret key.
   Parsed IOC Types	Select the IOC types you would like to automatically parse from the content. Options include: CVE IP Address IPv6 Address CIDR Block FQDN File Path Filename URL MD5 SHA-1 SHA-256 SHA-384 SHA-512 Email Address Registry Key Normalization and derivation is controlled by the global platform settings. URLs and FQDNs will automatically receive a status of Review due to higher false positive rates.
   Ingest CVEs As	Select the entity type you'd like CVEs ingested as.  Options include: Indicators (CVEs) Vulnerabilities (default)
   Apply IOCs to Related Actors	If enabled, IOCs will be related to the related actors of the report.
   Apply Selected Attributes to Parsed IOCs	If selected, the selected attributes will be applied to the IOCs parsed from the report.  Options include: Target Country Target Industry
   Ingest Full Report	If selected, the full PDF report will be downloaded and attached to the report.
   Enable SSL Certificate Verification	Enable or disable verification of the server's SSL certificate.
   Disable Proxies	Enable this option if the feed should not honor proxies set in the ThreatQ UI.

   
   

   CrowdStrike Signatures Parameters

   Parameter	Description
   API Host	Select the appropriate CrowdStrike host.  Options include: US-1: api.crowdstrike.com US-2: api.us-2.crowdstrike.com (Default) EU-1: api.eu-1.crowdstrike.com US-GOV-1: api.laggar.gcw.crowdstrike.com
   Client ID	Enter your CrowdStrike Client ID.
   Secret	Enter your CrowdStrike Secret key.
   Signature Types	Select the types of rules/signatures to ingest into ThreatQ.  Option include: Snort / Suricata (default) YARA (default)
   Enable SSL Certificate Verification	Enable or disable verification of the server's SSL certificate.
   Disable Proxies	Enable this option if the feed should not honor proxies set in the ThreatQ UI.

   
   
5. Review any additional settings, make any changes if needed, and click on Save.
6. Click on the toggle switch, located above the Additional Information section, to enable it.

ThreatQ Mapping

{
    "meta": {
        "query_time": 0.096869734,
        "pagination": {
            "offset": 0,
            "limit": 50,
            "total": 142
        },
        "powered_by": "msa-api",
        "trace_id": "0c587865-296e-4502-a39a-10febd0a3006"
    },
    "resources": [
        {
            "id": 10006,
            "name": "HELIX KITTEN",
            "slug": "helix-kitten",
            "url": "https://falcon.crowdstrike.com/intelligence/actors/helix-kitten/",
            "thumbnail": {
                "url": "https://cf-s.falcon.crowdstrike.com/2017/02/24181334/HELIX-KITTEN.jpg"
            },
            "image": {
                "url": "https://cf-s.falcon.crowdstrike.com/2017/02/24181334/HELIX-KITTEN.jpg"
            },
            "description": "HELIX KITTEN is an Iran-nexus adversary active since...",
            "short_description": "HELIX KITTEN is an Iran-nexus adversary active since...",
            "rich_text_description": "<p><span style=\"font-weight: 400;\">HELIX KITTEN is an Iran-nexus adversary active since...",
            "created_date": 1487960014,
            "last_modified_date": 1595568692,
            "first_activity_date": 1462060800,
            "last_activity_date": 1580860800,
            "active": false,
            "actor_type": "targeted",
            "capability": {
                "id": 246,
                "slug": "average",
                "value": "Average"
            },
            "kill_chain": {
                "actions_and_objectives": "Theft of sensitive data",
                "command_and_control": "Use of DNS for communication...",
                "delivery": "Spear Phishing (including from compromised accounts)\r\nSocial Media",
                "exploitation": "CVE-2017-0199\r\nCVE-2017-11882\r\nCVE-2018-15982",
                "installation": "Helminth PowerShell Tool\r\nAgentDrable RAT\r\nEarthquakeRAT...",
                "reconnaissance": "Suspected social media engagement",
                "weaponization": "Microsoft Office Documents",
                "rich_text_actions_and_objectives": "<p>Theft of sensitive data</p>",
                "rich_text_command_and_control": "<p><span style=\"font-weight: 400;\">Use of DNS for communication...",
                "rich_text_delivery": "<p><span style=\"font-weight: 400;\">Spear Phishing (including from...",
                "rich_text_exploitation": "<p>CVE-2017-0199</p>\r\n<p>CVE-2017-11882</p>\r\n<p>CVE-2018-15982</p>",
                "rich_text_installation": "<p><span style=\"font-weight: 400;\">Helminth PowerShell Tool</span></p>\r\n...",
                "rich_text_reconnaissance": "<p>Suspected social media engagement</p>",
                "rich_text_weaponization": "<p>Microsoft Office Documents</p>"
            },
            "known_as": "OilRig, Helminth, Clayslide, APT34, IRN2, COBALT GYPSY, ITG13, CHRYSENE, HEXANE, LYCEUM",
            "motivations": [
                {
                    "id": 352,
                    "slug": "espionage",
                    "value": "Espionage"
                }
            ],
            "notify_users": false,
            "origins": [
                {
                    "id": 101,
                    "slug": "ir",
                    "value": "Iran"
                }
            ],
            "region": {
                "id": 252,
                "slug": "iran",
                "value": "Iran"
            },
            "target_countries": [
                {
                    "id": 18,
                    "slug": "az",
                    "value": "Azerbaijan"
                }
            ],
            "target_industries": [
                {
                    "id": 457,
                    "slug": "academic",
                    "value": "Academic"
                },
                ...
            ]
        },
        {
            "name": "GENIE SPIDER",
            "ecrime_kill_chain": {
                "attribution": "Unknown",
                "crimes": "\r\n\tAccessing a computer without authorization...",
                "customers": "CrowdStrike Intelligence assesses...",
                "marketing": "Not openly advertised",
                "services_offered": "Unknown",
                "services_used": "Unknown",
                "technical_tradecraft": "\r\n\tConducts phishing campaigns using links...",
                "victims": "GENIE SPIDER primarily targets companies...",
                "rich_text_attribution": "<p>Unknown</p>",
                "rich_text_crimes": "<ul>\r\n\t<li>Accessing a computer without authorization...",
                "rich_text_customers": "<p><span style=\"font-weight: 400;\">CrowdStrike Intelligence assesses...",
                "rich_text_marketing": "<p>Not openly advertised</p>",
                "rich_text_monetization": "<p>Unknown</p>",
                "rich_text_services_offered": "<p>Unknown</p>",
                "rich_text_services_used": "<p>Unknown</p>",
                "rich_text_technical_tradecraft": "<ul>\r\n\t<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Conducts phishing...",
                "rich_text_victims": "<p>GENIE SPIDER primarily targets..."
            }
        }
    ]
}

{
    "meta": {
        "query_time": 1.077970568,
        "pagination": {
            "offset": 0,
            "limit": 100,
            "total": 12046205
        },
        "powered_by": "msa-api",
        "trace_id": "d934e4be-5172-4365-adff-2073044236cb"
    },
    "resources": [
        {
            "id": "hash_sha256_994bf4a94c154fb3e7566e469aadee2f157d95fc4d5b1107e2fdf631da8b4532",
            "indicator": "994bf4a94c154fb3e7566e469aadee2f157d95fc4d5b1107e2fdf631da8b4532",
            "type": "hash_sha256",
            "deleted": false,
            "published_date": 1577708859,
            "last_updated": 1597327932,
            "reports": [
                "CSA-18538"
            ],
            "actors": [
                "FANCYBEAR"
            ],
            "malware_families": [
                "DarkComet"
            ],
            "kill_chains": [
                "CommandAndControl"
            ],
            "ip_address_types": [
                "TorProxy"
            ],
            "domain_types": [
                "ActorControlled"
            ],
            "malicious_confidence": "high",
            "_marker": "1597327932d724b22d350df2eb489d7e0c0a69ea79",
            "labels": [
                {
                    "name": "ThreatType/Downloader",
                    "created_on": 1588277899,
                    "last_valid_on": 1592567532
                },
                ...
            ],
            "relations": [
                {
                    "id": "url_https://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",
                    "indicator": "https://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",
                    "type": "url",
                    "created_date": 1592344896,
                    "last_valid_date": 1592344896
                }
            ],
            "targets": [
                "Finance"
            ],
            "threat_types": [
                "Downloader",
                "Ransomware",
                "CredentialHarvesting"
            ],
            "vulnerabilities": [
                "CVE-2020-1234"
            ]
        }
    ]
}

{
    "meta": {
        "query_time": 0.055441907,
        "powered_by": "msa-api",
        "trace_id": "a3a0f49d-928d-4c52-81d7-25a1f86af876"
    },
    "resources": [
        "fancy-bear_TA0001_T1078",
        "fancy-bear_TA0042_T1588.006",
        "fancy-bear_TA0043_T1589",
        "fancy-bear_TA0043_T1589.001",
        "fancy-bear_TA0043_T1589.002",
        "fancy-bear_TA0043_T1591",
        "fancy-bear_TA0043_T1595",
        "fancy-bear_TA0043_T1598",
        "fancy-bear_TA0043_T1598.003"
    ],
    "errors": []
}

{
    "meta": {
        "query_time": 0.050410539,
        "pagination": {
            "offset": 0,
            "limit": 50,
            "total": 7
        },
        "powered_by": "msa-api",
        "trace_id": "420fa3f4-f5f2-48c1-a9cf-f3da4fb96fb7"
    },
    "resources": [
        {
            "id": 72478,
            "name": "Situational Awareness: Activity in Middle East",
            "slug": "situational-awareness-activity-in-middle-east",
            "type": {
                "id": 2883,
                "slug": "overwatch",
                "name": "OverWatch"
            },
            "sub_type": {
                "id": 391,
                "slug": "snort-suricata",
                "name": "Snort/Suricata"
            },
            "url": "https://falcon.crowdstrike.com/intelligence/reports/situational-awareness-activity-in-middle-east/",
            "short_description": "                         Situational Awareness    Â  Published on 06...",
            "description": "[vc_row][vc_column] CVE-2021-44228 [vc_page][vc_column_text]\r\n 05c43a9166a79bc793c1ef0707642df0f605ae9a0bf9937610015f1b3853f0f3d079cb458b9283c12ea4dd8457d7682b96ecd6b96e6705c8a1cf499972f88900 \r\n\r\n\r\n\r\n\r\nSituational Awareness\r\n\r\n\r\n\r\n \r55a9f4f8994b1bbf2058ea38c8efb6c459000814d5f39c087002571639e6230e\n 127.0.0.1, 2fe04e524ba40505a82e03a2819429cc, 793f970c52ded1276b9264c742f19d1888cbaf73,   Published on... ",
            "rich_text_description": "<p><div class=\"vc_row wpb_row vc_row-fluid\"><div class=\"wpb_column vc_column_container vc_col-sm-12\">...",
            "created_date": 1578332574,
            "last_modified_date": 1579880737,
            "image": {
                "url": "https://cf-s.falcon.crowdstrike.com/2016/10/04222253/product_release_banner.png"
            },
            "thumbnail": {
                "url": "https://cf-s.falcon.crowdstrike.com/2019/07/15200051/overwatch_thumb-1.png"
            },
            "actors": [
                {
                    "id": 82425,
                    "name": "TRACER KITTEN",
                    "slug": "tracer-kitten",
                    "url": "https://falcon.crowdstrike.com/intelligence/actors/tracer-kitten",
                    "thumbnail": {
                        "url": "https://assets-public.falcon.crowdstrike.com/2017/02/24181136/kitten.png"
                    }
                }
            ],
            "tags": [
                {
                    "id": 394,
                    "slug": "all-news",
                    "value": "All News"
                },
                {
                    "id": 793,
                    "slug": "intel",
                    "value": "Intel"
                },
                {
                    "id": 2852,
                    "slug": "overwatch",
                    "value": "Overwatch"
                }
            ],
            "target_industries": [
                {
                    "id": 328,
                    "slug": "technology",
                    "value": "Technology"
                }
            ],
            "target_countries": [
                {
                    "id": 1,
                    "slug": "us",
                    "value": "United States"
                }
            ],
            "motivations": [
                {
                    "id": 352,
                    "slug": "espionage",
                    "value": "Espionage"
                }
            ]
        }
    ]
}

// CrowdStrike YARA Rules
// Copyright: (c) 2023 CrowdStrike Inc.
// Generated: 2023-10-27T08:53:27+00:00 - Last change: 2023-10-27T08:44:34+00:00 - Exported: 3950 rules
rule CrowdStrike_CSIT_17176_01 : azorult stealer
{
    meta:
        copyright = "(c) 2023 CrowdStrike Inc."
        description = "Generic rule to detect Azorult samples"
        reports = "CSIT-17176"
        version = "202002251654"
        last_modified = "2020-02-25"
        malware_family = "Azorult"
    strings:
        $ = "IS_G_PWDS" wide
        $ = "IS_G_BROWSERS" wide
        $ = "IS_G_COINS" wide
        $ = "IS_G_SKYPE" wide
        $ = "IS_G_STEAM" wide
        $ = "IS_G_DESKTOP" wide
        $ = "G_DESKTOP_EXTS" wide
        $ = "G_DESKTOP_MAXSIZE" wide
        $ = "SELECT origin_url, username_value, password_value FROM logins"
        $ = "SELECT host, path, isSecure, expiry, name, value FROM moz_cookies"
        $ = "SELECT host_key, name, encrypted_value, value, path, secure, expires_utc FROM cookies"
        $ = "NSSBase64_DecodeBuffer"
        $ = "TSwdPwd"
        $ = "TPwdArray"
    condition:
        10 of them
}

# CrowdStrike Snort Rules
# Copyright: (c) 2023 CrowdStrike Inc.
# Generated: 2023-10-27T08:53:32+00:00 - Last change: 2023-10-27T08:51:58+00:00 - Exported: 1830 rules
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "CrowdStrike Derusbi GET /Photos/Query.cgi [CSIR-12000]"; content: "GET"; http_method; content: "/Photos/Query.cgi?loginid="; http_uri; classtype: trojan-activity; metadata: tag trojan; sid:8000135; rev:20111227; reference:url,falcon.crowdstrike.com/intelligence/reports/CSIR-12000;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "CrowdStrike Putter Panda Beacon Message [CSIR-12007]"; content: "GET"; http_method; content: "/search5"; http_raw_uri; content: "?h1="; http_uri; content: "&h2="; http_uri; content: "&h3="; http_uri; content: "&h4="; http_uri; classtype: trojan-activity; metadata: service http; sid:8000144; rev:20120424; reference:url,falcon.crowdstrike.com/intelligence/reports/CSIR-12007;)

Average Feed Run

Object counts and Feed runtime are supplied as generalities only - objects returned by a provider can differ based on credential configurations and Feed runtime may vary based on system resources and load.

CrowdStrike Actors (24h)

Scheduled Run with a 24 hour period

CrowdStrike Actors (manual)

Manual Run for all CrowdStrike Actors (January 01, 1997 - September 03, 2020)

CrowdStrike Indicators (hourly)

Hourly Run

CrowdStrike MITRE

CrowdStrike Reports

CrowdStrike Reports (manual)

Manual Run for CrowdStrike Reports (January 01, 1997 - September 08, 2020)

CrowdStrike Signatures (manual)

Manual Run for CrowdStrike Signatures (December 08, 2023 3:02 pm)

CrowdStrike Signatures

Known Issues / Limitations

General

• Occasionally, CrowdStrike may respond with a 403 Forbidden error even if the provided access token is still valid. CrowdStrike has attributed this to possible load balancing issues with their servers. In the event of receiving one of these errors, ThreatQ will attempt to re-authenticate on the first 403 Forbidden received, and usually proceed without incident. If it occurs a consecutive time however, the feed run will complete with errors.

CrowdStrike Indicators

• There could be cases where indicators ingested from CrowdStrike Indicators are not related to the reports ingested by CrowdStrike Reports.  This is due to CrowdStrike Reports not creating relationships between these threat objects. CrowdStrike Indicators must be ran in order to relate the objects.
• Due to the enormous size of CrowdStrike's data throughput on their Indicators endpoint, ThreatQ strongly recommends an hourly run frequency and applying a number of filters via UI configuration parameters to pare down the amount of data CrowdStrike returns.
• MITRE ATT&CK Attack Patterns must have already been ingested by a previous run of the MITRE ATT&CK feeds in order for MITRE ATT&CK Attack Patterns extracted from an indicator's MitreATTCK labels to be related to the indicator. The following feeds ingest MITRE ATT&CK Attack Patterns:
  • MITRE ATT&CK CAPEC
  • MITRE ATT&CK ICS
  • MITRE Enterprise ATT&CK
  • MITRE Mobile ATT&CK
  • MITRE PRE-ATT&CK

• Sometimes, CrowdStrike may respond with a 500 Internal Server Error even if the provided access token is still valid and the request query is properly formed. In the event of receiving one of these errors, ThreatQ will attempt to re-authenticate on the first 500 Internal Server Error received, and usually proceed without incident. If it occurs a consecutive time however, the feed run will complete with errors.

CrowdStrike Reports

• MITRE ATT&CK Attack Patterns must have already been ingested by a previous run of the MITRE ATT&CK feeds in order for MITRE ATT&CK Attack Patterns extracted from a report's description or rich_text_description fields to be related to the report. The following feeds ingest MITRE ATT&CK Attack Patterns:

  • MITRE ATT&CK CAPEC
  • MITRE ATT&CK ICS
  • MITRE Enterprise ATT&CK
  • MITRE Mobile ATT&CK
  • MITRE PRE-ATT&CK
• The PDF ingestion process is currently impacted by a ThreatQ Pynoceros limitation as of ThreatQ v5.29.1.  This limitation can result in not all files being attached as intended.  This issue will be addressed in future ThreatQ platform updates.      

CrowdStrike MITRE

• The new MITRE filter uses cache memory to load all MITRE ATT&CK data. This cache is refreshed every 24 hours.

Change Log

• Version 3.5.3
  • Resolved an issue where the CrowdStrike Reports feed would relate indicators/vulnerabilities to adversaries despite the Apply IOCs to Related Actors parameter being disabled.   
• Version 3.5.2
  • Added a new feed: CrowdStrike MITRE.
  • Added two new configuration parameters for all feeds:
    • Enable SSL Certificate Verification - enable or disable verification of the server's SSL certificate. 
    • Disable Proxies - determines if the feed should honor proxy settings set in the ThreatQ UI.
  • Added a new known limitation entry for the CrowdStrike MITRE Feed - the new MITRE filter uses cache memory to load all MITRE ATT&CK data. This cache is refreshed every 24 hours.
  • Updated minimum ThreatQ version to 6.5.0.  
• Version 3.5.1
  • Made the following updates to the CrowdStrike Indicators feed:
    • Added a new configuration option: Ingested Relationships. This makes relating Malware and Adversaries to Indicators optional. This option is disabled by default. See this field's entry in the Configuration section for additional details.
    • Added a new configuration option: Link Malware to Adversaries. This adds a user field to link adversaries to malware, so you'll have tactical information about which adversaries use which malware.
    • Removed ingestion of MITRE ATT&CK Techniques (Attack Patterns) from the feed as it caused performance issues due to creating millions of relationships.
• Version 3.5.0
  • Resolved an issue with the CrowdStrike Reports feed that prevented the ingestion of related objects (File/PDF).
  • Added a new entry to the Known Issues chapter for the CrowdStrike Reports feed.  A known ThreatQ Pynoceros limitation may result in not all files being attached as intended.  
• Version 3.4.0
  • Updated the default user fields for the CrowdStrike Indicators feed.
  • Resolved an issue with the CrowdStrike Actors feed where CVE values were ingested as attributes.
  • Added the ability to bring in a full report as a related object (as a PDF File).   You can use the new Ingest Full Report configuration parameter to set this feature.  
  • Resolved an issue with the CrowdStrike Reports feed regarding relationships objects parsed from report and the report itself.
  • Updated the minimum ThreatQ version to 5.20.0
• Version 3.3.1
  • Removed the parsing of FQDN and URLS to prevent false positives.
  • Removed the Vendor Link attribute for reports as it is provided in the Report Description.
  • Resolved an issue where signatures would have attributes for the related hashes.  
• Version 3.3.0
  • Resolved a FQL query issue that would result in 400 errors.
  • Added a new feed: CrowdStrike Signatures.
  • CrowdStrike Reports - added the following configuration parameters:
    • Parsed IOC Types
    • Parsing Options
    • Ingest CVEs As
    • Apply Selected Attributes to Parsed IOCs
  • The Attack Phase attribute has been renamed to Kill Chain Phase to align with the other feeds.
  • CrowdStrike Indicators - updated the follow configuration parameters:
    • Save CVE Data As field now defaults to Vulnerabilities.
    • CrowdStrike Malicious Confidence Levels field is now set to High by default.  
  • The minimum ThreatQ version has been updated to version 5.9.0.
• Version 3.2.7
  • Resolved an issue where IOCs from reports were not ingested.  
• Version 3.2.6
  • Resolved an issue where CrowdStrike reports did not contain a sub_type key.  
• Version 3.2.5
  • Removed the CrowdStrike Target Vertical Sectors configuration filter as this option is no longer supported by the provider.  
• Version 3.2.4
  • Fixed an error that would occur when the received JSON data contained keys that had None as their value.
• Version 3.2.3
  • Updated CrowdStrike Target Vertical Sectors configuration options for the CrowdStrike Indicators feed.  
  • Removed the relationships between the related alias adversaries.  
  • Updated all filter options to be enabled by default.
• Version 3.2.2
  • Fixed the following issues:
    • where the response from CrowdStrike contains objects in an array that is missing an expected attribute.
    • a potential issue where response from CrowdStrike contains a region object with no value attribute.
    • Added a new known Issue regarding ingested indicators are not related to the reports ingested by CrowdStrike Reports.   See the CrowdStrike Indicators heading in the Known Issues/Limitations chapter for more details. 
• Version 3.2.1
  • Fixed an issue where the response from CrowdStrike occasionally did not contain the expected attribute arrays.
  • The Ingest Indirect Related Indicators configuration option for the CrowdStrike Indicators feed is now disabled by default.    See the Configuration chapter for more information on configuring the integration.  
• Version 3.1.2
  • Added a new API Host configuration parameter that will allow you to select a CrowdStrike host.  See step 4 in the Configuration chapter for more information.  
  • Increased the API call limit for CrowdStrike Indicators to 10,000.  
• Version 3.1.1
  • Added a new configuration option, Ingest Indirect Related Indicators, to CrowdStrike Indicators
  • Added a new configuration option, CrowdStrike Indirect Related Indicator Types, to CrowdStrike Indicators
• Version 3.1.0
  • Added the following new configuration options to CrowdStrike Indicators:
    • CrowdStrike Target Vertical Sectors
    • CrowdStrike Types
    • CrowdStrike Malicious Confidence Levels
    • CrowdStrike Kill Chain Phases
• Version 3.0.3
  • Fixed a bug which caused a Filter error to be raised by CrowdStrike Actors when parsing data for Solar Spider.
• Version 3.0.2
  • Fixed a bug which caused the Threat Type Attribute value of DDoS to be spaced as D Do S
  • Updated user fields to more accurately reflect CrowdStrike's naming conventions
  • Added CrowdStrike API Client Configuration section to documentation
• Version 3.0.1
  • Fixed bug in the CrowdStrike Indicators filter chain to account for CrowdStrike report codes that are not accounted for by the CrowdStrike Reports API
• Version 3.0.0
  • Rewritten for CrowdStrike's v3 API:
    • Added support for OAuth2 Authentication
    • Split single CrowdStrike Feed into three feeds:
      • CrowdStrike Actors
      • CrowdStrike Indicators
      • CrowdStrike Reports
• Version 1.0.0
  • Initial release