
CrowdStrike Threat Intelligence

CrowdStrike™ is a leading provider of next-generation endpoint protection, threat intelligence, and services. CrowdStrike Falcon enables customers to prevent damage from targeted attacks, detect and attribute advanced malware and adversary activity in real time, and effortlessly search all endpoints, reducing overall incident response time. CrowdStrike customers include some of the largest blue-chip companies in the financial services, energy, oil & gas, telecommunications, retail, and technology sectors, along with some of the largest and most sophisticated government agencies worldwide.

Integrations

CrowdStrike Falcon Insights

The integration between CrowdStrike Falcon Insights and ThreatConnect allows users to discover and investigate both current and historic endpoint activity within seconds of ThreatConnect sending an indicator to CrowdStrike Falcon Insights. This integration:

  • Lets ThreatConnect users send all indicators, including third-party IOCs, to CrowdStrike Falcon Insights for alerting.
  • Supports indicator filtering, giving users full control of which ThreatConnect indicators are sent to CrowdStrike.
  • Ensures users are working with the most relevant data for their organization.
  • Grants full visibility into current and historic endpoint activity, so you can identify exactly which endpoints have observed a specific indicator.
  • Lets users take the following automated actions with these Playbook Apps:
      • CrowdStrike Falcon Insights Delete - deletes the associated IOC from CrowdStrike Falcon Insights
      • Deploy to CrowdStrike Falcon Insights - deploys an IOC to CrowdStrike Falcon Insights

Main Features and Benefits:

  • Sends indicators from ThreatConnect to CrowdStrike Falcon Insights for alerting
  • Instantly shows endpoint activity, both current and historic
  • Users have full control of which ThreatConnect indicators are sent to CrowdStrike Falcon Insights

This listing can be found in the ThreatConnect App Catalog under the name: CrowdStrike Falcon Insight.


CrowdStrike Falcon Intelligence Engine

The ThreatConnect integration with CrowdStrike Falcon Intelligence allows ThreatConnect customers to import Reports, Indicators, and Actors, along with all of their context, from the CrowdStrike Falcon Intelligence feed into ThreatConnect. There are both a Playbook app and a Job app for this integration.

The integration supports address, email address, file, host, URL, email subject, mutex and registry key indicator types. Indicators are associated with Reports and Adversaries in ThreatConnect. Reports are also associated with Adversaries in ThreatConnect.

ThreatConnect can also tag indicators from CrowdStrike with the relevant MITRE ATT&CK tactics and techniques. Not only does this make it easy to operationalize CrowdStrike Falcon Intelligence indicators based on specific tactics and techniques, it also opens up a whole new web of relationships across intel feeds for research and analysis.

This app interacts with CrowdStrike Falcon Intelligence to retrieve intelligence related to a submitted indicator. Submitting an indicator (an address, URL, host, etc.) returns the Indicator ID and enrichment data, including related indicators, type, labels, and relations.

The following actions are available within the Playbook App:

  • Enrich Indicator - Retrieves the Indicator ID and enrichment data, including relations, for one Indicator, based on the indicator type and an exact match to a unique value.
  • Query Indicator - Retrieves data for possibly multiple Indicators based on a fuzzy search.
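Both the exact-match lookup in Enrich Indicator above and the indicator filtering the Falcon Insights integration describes depend on knowing an indicator's type and canonical value before anything is sent. The following is an added example, not ThreatConnect, Polarity or CrowdStrike code: it classifies a raw indicator into the eight types the Falcon Intelligence integration lists and canonicalises it so that two spellings of the same value (mixed case, defanged) do not miss an exact match or get deployed twice. The canonical forms, the regexes and the sample indicators are this example's own assumptions, and the email subject type is deliberately left out because it cannot be inferred from the value alone.

```python
"""Classify and canonicalise indicators before an exact-match lookup.

Added example, not ThreatConnect or CrowdStrike code. The indicator types
are the ones the Falcon Intelligence integration lists; the canonical forms
(lower-case hosts, lower-case hex hashes, refanged URLs) are this example's
own assumptions about what "exact match to a unique value" should mean.
"""
import ipaddress
import re
from typing import Dict, Iterable, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample indicators, including defanged and mixed-case variants.
SAMPLE_INDICATORS = [
    "198.51.100.23",
    "hxxp://Example[.]test/payload.exe",
    "EXAMPLE[.]test",
    "D41D8CD98F00B204E9800998ECF8427E",
    "bad-actor@example.test",
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
    "Global\\MutexName123",
    "not an indicator at all",
]

_HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)
_EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+)$")
_REGISTRY_RE = re.compile(r"^(HKLM|HKCU|HKCR|HKU|HKCC|HKEY_[A-Z_]+)\\", re.IGNORECASE)
_MUTEX_RE = re.compile(r"^(Global|Local)\\")


def refang(value: str) -> str:
    """Undo common defanging: hxxp(s) -> http(s), [.] / (.) -> ., [:] -> :."""
    v = value.strip()
    v = re.sub(r"^hxxps?://", lambda m: "http" + m.group(0)[4:], v, flags=re.IGNORECASE)
    return v.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def classify(value: str) -> Optional[Tuple[str, str]]:
    """Return (indicator_type, canonical_value), or None when unrecognised.

    "email subject" is not attempted: a subject line has no shape of its own
    and must be supplied with an explicit type by the caller.
    """
    v = refang(value)
    try:  # address: IPv4 or IPv6, normalised by the ipaddress module
        return ("address", str(ipaddress.ip_address(v)))
    except ValueError:
        pass
    lower = v.lower()
    # file: hex digest of a supported length, lower-cased so case never breaks a match
    if re.fullmatch(r"[0-9a-f]+", lower) and len(lower) in _HASH_LENGTHS:
        return ("file", lower)
    # url: lower-case the host part only; path and query are case-sensitive
    if lower.startswith(("http://", "https://")):
        parts = urlsplit(v)
        if parts.hostname:
            return ("url", parts._replace(netloc=parts.netloc.lower()).geturl())
    # email address: lower-case the domain, keep the local part as given
    m = _EMAIL_RE.match(v)
    if m and _HOST_RE.match(m.group(1).lower()):
        local, domain = v.rsplit("@", 1)
        return ("email address", f"{local}@{domain.lower()}")
    # registry key and mutex: keep the value verbatim, both are case-sensitive in practice
    if _REGISTRY_RE.match(v):
        return ("registry key", v)
    if _MUTEX_RE.match(v):
        return ("mutex", v)
    # host: a dotted DNS name, lower-cased
    if _HOST_RE.match(lower):
        return ("host", lower)
    return None


def canonical_set(values: Iterable[str]) -> Dict[Tuple[str, str], str]:
    """Classify a batch, dropping unrecognised values and duplicates that
    differ only in case or defanging. Maps (type, canonical) -> first raw value."""
    seen: Dict[Tuple[str, str], str] = {}
    for raw in values:
        hit = classify(raw)
        if hit and hit not in seen:
            seen[hit] = raw
    return seen


if __name__ == "__main__":
    for key, raw in canonical_set(SAMPLE_INDICATORS).items():
        print(f"{key[0]:14s} {key[1]:45s} (from {raw!r})")
```

The filtering step a ThreatConnect user applies before deploying IOCs can be layered on top of `canonical_set` by keeping only the types the destination accepts; the dictionary keys already give the type to filter on.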

These apps can be found in the ThreatConnect App Catalog under the names: CrowdStrike Falcon Intelligence (Playbook) and CrowdStrike Falcon Intelligence Engine (API Service).


CrowdStrike Falcon LogScale with Polarity

The Polarity - Falcon LogScale integration enables analysts to quickly run pre-defined searches against the Falcon LogScale SIEM platform. This gives analysts quick access to indicator searches within LogScale, so they can build a complete understanding of the indicators in their environment.

Examples

Falcon LogScale Data Overview

  • Summary Tags: When running a pre-defined search with the Falcon LogScale integration, analysts can quickly see the number of associated logs (capped at a value set by the admin so as not to saturate the LogScale API).
  • LogScale Link: When drilling into the search results, analysts can quickly pivot out to LogScale to view more information.
  • Search Results: When looking at the details of the LogScale integration, users can see the results of the pre-defined search in fields, table or JSON format, whichever best suits the analyst.


Built By Polarity

CrowdStrike with Polarity

The Polarity - CrowdStrike integration enables analysts to get a complete picture of detections, IOCs and devices. The integration queries file names, IPs and hashes and tells the user whether any detections match those indicators, so the analyst can quickly see what could be affecting their environment. It also returns IOC information, including the severity CrowdStrike assigns to the indicator. New capabilities allow analysts to run RTR commands and custom Falcon scripts right from the overlay window. Finally, the integration lets users see devices on their network and run containment on those devices, so the analyst can act quickly if something might be compromised.

Examples

Detections

  • Summary Tags: Quickly understand the number of detections caught on your network and the number of IOCs related to the indicator.
  • Detection Information: When drilling into the details of the detection, analysts can get more details on the detection, from when it was first and last seen to the confidence and severity of the detection.
  • Device Information: Analysts can also see which devices might be affected by the detection, so they understand its scope and know which machines it might be running on. They can also pivot to look up the device for more in-depth details.
  • Behavior Information: Quickly drill into the behavior of the detection to get a complete picture of what the detection is doing, from the techniques used to the filenames that were run.

IOCs

  • IOC Information: Quickly understand the indicator, from its history to its severity, and know whether it is currently affecting your business or has expired, so analysts can complete the picture on indicators in your environment.

Devices

  • Summary Tags: Quickly get information on the number of detections and devices that share a particular host name.
  • Host Management: Analysts can quickly get information on the hosts: what the host is, its associated IP address, serial numbers, the policies on the host, and when it was first and last seen.
  • Network Contain: If something malicious is happening on the host, analysts can quickly contain it so that nothing else can affect the rest of the network.

Built By Polarity

CrowdStrike-Intel with Polarity

The Polarity CrowdStrike-Intel integration enables analysts to search CrowdStrike's threat intelligence service, providing threat actor, threat type and indicator intelligence for IPs, hashes, emails and domains.

Examples

CrowdStrike-Intel Data Overview

  • Summary Tags: When analysts search for information in CrowdStrike-Intel, they can quickly get insights into the number of associated indicators and the confidence CrowdStrike has that the indicator is malicious.
  • Intel Details: When drilling in for more information on the indicator, analysts can see when CrowdStrike published the content.
  • Threat Actors: Quickly see all threat actors associated with the indicator.
  • Malware and Threat Types: Gather the information needed on threat types and malware families to see how, and whether, this indicator is affecting an analyst's network.
  • Related Indicators: Check whether there are any related indicators associated with the indicator that was searched.

Built By Polarity
