
CrowdStrike Threat Intelligence

CrowdStrike™ is a leading provider of next-generation endpoint protection, threat intelligence, and services. CrowdStrike Falcon enables customers to prevent damage from targeted attacks, detect and attribute advanced malware and adversary activity in real-time, and effortlessly search all endpoints reducing overall incident response time. CrowdStrike customers include some of the largest blue chip companies in the financial services, energy, oil & gas, telecommunications, retail, and technology sectors, along with some of the largest and most sophisticated government agencies worldwide.

Integrations

CrowdStrike Falcon Insights

The integration between CrowdStrike Falcon Insights and ThreatConnect lets users discover and investigate both current and historic endpoint activity within seconds of ThreatConnect sending an indicator to CrowdStrike Falcon Insights. This integration:

  • Lets ThreatConnect users send any indicator, including third-party IOCs, to CrowdStrike Falcon Insights for alerting.
  • Supports indicator filtering, giving users full control over which ThreatConnect indicators are sent to CrowdStrike.
  • Keeps users working with the data most relevant to their organization.
  • Gives full visibility into current and historic endpoint activity, so you can identify exactly which endpoints have been exposed to a specific indicator.
  • Lets users take the following automated actions with these Playbook Apps:
    • CrowdStrike Falcon Insights Delete - deletes the associated IOC from CrowdStrike Falcon Insights
    • Deploy to CrowdStrike Falcon Insights - deploys an IOC to CrowdStrike Falcon Insights

Main Features and Benefits:

  • Sends indicators from ThreatConnect to CrowdStrike Falcon Insights for alerting
  • Instantly shows endpoint activity, both current and historic
  • Users have full control of which ThreatConnect indicators are sent to CrowdStrike Falcon Insights
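The filtering and deploy/delete actions described above amount to keeping an EDR IOC list in sync with a filtered view of what the TIP holds. The following is an added Python example, not ThreatConnect or CrowdStrike code: it applies a hypothetical filtering policy (type allowlist, minimum rating and confidence, analyst-blocked tags, inactive indicators) and computes which IOCs to deploy and which previously deployed ones to delete. The field names, policy values, and sample indicators are assumptions constructed for the example, not real intel.

```python
"""Added example, not ThreatConnect or CrowdStrike code: plan which indicators to
deploy to, and delete from, an EDR IOC list so it mirrors a filtered TIP view.
Policy values, field names and the sample data below are constructed assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    type: str              # assumed TIP type name: "Address", "Host", "File", "URL", ...
    value: str
    rating: float          # threat rating, assumed scale 0-5
    confidence: int        # assumed scale 0-100
    active: bool = True
    tags: frozenset = frozenset()


@dataclass(frozen=True)
class Policy:
    allowed_types: frozenset   # only types the EDR can actually alert on
    min_rating: float
    min_confidence: int
    blocked_tags: frozenset    # e.g. indicators an analyst marked as false positives


def ioc_key(ind: Indicator) -> str:
    """Canonical key so 'EVIL.example' and 'evil.example' count as one IOC."""
    value = ind.value.strip()
    if ind.type in ("Host", "File"):      # hostnames and hashes are case-insensitive
        value = value.lower()
    return f"{ind.type}:{value}"


def passes_filter(ind: Indicator, policy: Policy) -> bool:
    return (
        ind.active
        and ind.type in policy.allowed_types
        and ind.rating >= policy.min_rating
        and ind.confidence >= policy.min_confidence
        and not (ind.tags & policy.blocked_tags)
    )


def plan_sync(indicators, policy: Policy, deployed: set):
    """Return (to_deploy, to_delete). Anything deployed earlier that no longer passes
    the filter is deleted, so retracted or downgraded IOCs leave the endpoint
    without manual clean-up, and re-running the plan is idempotent."""
    wanted = {ioc_key(i) for i in indicators if passes_filter(i, policy)}
    return sorted(wanted - deployed), sorted(deployed - wanted)


# Constructed sample data (not real intel): what the TIP currently holds ...
SAMPLE_INDICATORS = [
    Indicator("Address", "203.0.113.7", rating=4.0, confidence=90),
    Indicator("Host", "EVIL.example", rating=5.0, confidence=80),
    Indicator("File", "d0" * 32, rating=3.0, confidence=40),                # confidence too low
    Indicator("URL", "http://evil.example/a", rating=5.0, confidence=95),  # type not allowed
    Indicator("Address", "198.51.100.9", rating=5.0, confidence=95,
              tags=frozenset({"False Positive"})),                       # analyst-blocked
    Indicator("Host", "old.example", rating=5.0, confidence=99, active=False),
]
SAMPLE_POLICY = Policy(
    allowed_types=frozenset({"Address", "Host", "File"}),
    min_rating=3.0,
    min_confidence=50,
    blocked_tags=frozenset({"False Positive"}),
)
# ... and what was pushed to the EDR on the previous run.
ALREADY_DEPLOYED = {"Host:evil.example", "Address:192.0.2.1"}


def example_plan():
    return plan_sync(SAMPLE_INDICATORS, SAMPLE_POLICY, ALREADY_DEPLOYED)


if __name__ == "__main__":
    deploy, delete = example_plan()
    print("deploy:", deploy)   # ['Address:203.0.113.7']
    print("delete:", delete)   # ['Address:192.0.2.1']
```

The point of computing a delete set alongside the deploy set is that an IOC list on the endpoint is only as trustworthy as its clean-up: an indicator an analyst later tags as a false positive, or that the TIP deactivates, must be removed on the next run rather than left alerting forever.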

This listing can be found in the ThreatConnect App Catalog under the name: CrowdStrike Falcon Insight.


CrowdStrike Falcon Intelligence Engine

The ThreatConnect integration with CrowdStrike Falcon Intelligence lets ThreatConnect customers import Reports, Indicators, and Actors, along with all of their context, from the CrowdStrike Falcon Intelligence feed into ThreatConnect. There is both a Playbook app and a Job app for this integration.

The integration supports address, email address, file, host, URL, email subject, mutex and registry key indicator types. Indicators are associated with Reports and Adversaries in ThreatConnect. Reports are also associated with Adversaries in ThreatConnect.

ThreatConnect can also tag indicators imported from CrowdStrike with the relevant MITRE ATT&CK tactics and techniques. Not only does this make it easy to operationalize CrowdStrike Falcon Intel indicators by specific tactic or technique, but it also opens up a whole new web of relationships across intel feeds for research and analysis.

The Playbook App interacts with CrowdStrike Falcon Intelligence to retrieve intelligence related to a submitted indicator. Submitting an indicator, such as an address, URL, or host, returns its Indicator ID and enrichment data, including related indicators, type, labels, and relations.

The following actions are available within the Playbook App:

  • Enrich Indicator - Retrieves the Indicator ID and enrichment data, including relations, for one Indicator, matched exactly on indicator type and unique value.
  • Query Indicator - Retrieves data for possibly multiple Indicators based on a fuzzy search.

These apps can be found in the ThreatConnect App Catalog under the names: CrowdStrike Falcon Intelligence (Playbook) and CrowdStrike Falcon Intelligence Engine (API Service).


CrowdStrike Falcon Logscale with Polarity

The Polarity - Falcon Logscale integration enables analysts to quickly run pre-defined searches against the Falcon Logscale SIEM platform. Quick access to indicator searches within Logscale gives analysts a complete picture of how an indicator appears in their environment.

Examples

Falcon Logscale Data Overview

  • Summary Tags: When running a pre-defined search with the Falcon Logscale integration, analysts can quickly see the number of associated logs (capped at a value set by the admin so that lookups do not oversaturate the Logscale API).
  • Logscale Link: When drilling into the search results, analysts can quickly pivot out to Logscale to view more information.
  • Search Results: When looking at the details of the Logscale integration, users can see the results of the pre-defined search in fields, table, or JSON format, whichever best suits the analyst.
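The cap in the first bullet is one of two controls a practitioner wants around a pre-defined search that embeds an analyst-supplied indicator; the other is making sure the indicator text cannot rewrite the query. The following added Python example (not Polarity's code) builds the count query behind a summary tag and the capped event query behind the search results. The repository and field names, the search templates, and the LogScale query syntax used here (`count()`, `head(limit=N)`, double-quoted string literals, `#repo` tag filters) are assumptions for illustration.

```python
"""Added example, not Polarity's code: build a pre-defined LogScale search for an
indicator with (1) the admin cap on returned events and (2) validation plus quoting
so the indicator text cannot alter the query. Repo/field names, templates and the
query syntax assumed here are illustrative."""
import re

MAX_EVENTS = 200  # assumed admin-set ceiling so one lookup cannot flood the API

# Accept only well-formed values; anything else is rejected before it reaches a query.
VALIDATORS = {
    "ip": re.compile(r"(?:\d{1,3}\.){3}\d{1,3}"),
    "domain": re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+", re.IGNORECASE),
    "sha256": re.compile(r"[0-9a-f]{64}", re.IGNORECASE),
}

# Hypothetical pre-defined searches; {v} is replaced by the quoted indicator.
SEARCHES = {
    "ip": "#repo=edr (src_ip={v} OR dest_ip={v})",
    "domain": "#repo=dns query.name={v}",
    "sha256": "#repo=edr file.sha256={v}",
}


def quote(value: str) -> str:
    """Double-quoted string literal with backslash and quote escaped (defence in depth;
    the validators above already exclude both characters)."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_queries(kind: str, value: str, cap: int = MAX_EVENTS) -> dict:
    """Return the count query (summary tag) and capped event query (result view)."""
    if kind not in SEARCHES:
        raise ValueError(f"no pre-defined search for indicator kind {kind!r}")
    value = value.strip()
    if not VALIDATORS[kind].fullmatch(value):
        raise ValueError(f"{value!r} is not a well-formed {kind}")
    base = SEARCHES[kind].format(v=quote(value.lower()))
    cap = max(1, min(cap, MAX_EVENTS))            # never exceed the admin ceiling
    return {
        "count": f"{base} | count()",             # drives the summary tag
        "events": f"{base} | head(limit={cap})",  # drives the search-result view
    }


if __name__ == "__main__":
    for query in build_queries("domain", "Evil.Example").values():
        print(query)
    try:
        build_queries("domain", 'x" OR true')     # an attempted query rewrite
    except ValueError as err:
        print("rejected:", err)
```

Validating the indicator against a strict per-type pattern is the primary control; the quoting is there so that a future indicator type with a looser pattern still cannot break out of the string literal, and the clamp on `cap` means a caller cannot request more events than the admin allowed.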

