CrowdStrike Falcon
Indicator context from the CrowdStrike Falcon threat intelligence database. Also provides information on corporate hosts running the Falcon agent.
Requires a paid Falcon Insight and Falcon X license.
Supported indicator types: ipv4, domain, sha256, hostname.
Example output for a matched indicator:

```
Found Falcon X indicator for 127.0.0.1:
Malicious confidence: 'High'.
Added: 2022-01-01 00:00:00 +0000 UTC
Updated: 2022-01-01 00:00:10 +0000 UTC
Labels: Killchain/C2,Malware/CobaltStrike
Kill Chains: C2
Malware Families: CobaltStrike
Vulnerabilities:
Threat Types: Commodity,Criminal,RAT
Targets:
More information at: https://falcon.crowdstrike.com/search/?term=_all:~'127.0.0.1'
```
- Create a Falcon API key.
- In AWS, create a new Secrets Manager secret called `CrowdstrikeAPI` in the same account/region as Squyre is deployed. Use the following content, substituting your key and email. The secret should be of type "Other type of secret".

```json
{
  "ClientID": "<the Client ID of the API key you just created>",
  "ClientSecret": "<the Client Secret of the key>",
  "FalconCloud": "<the Falcon Cloud region your account uses e.g. us-1, us-2, eu-1, us-gov-1>"
}
```
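An added example (not Squyre's own code) that validates the `CrowdstrikeAPI` secret value at load time: it checks the three required keys, rejects placeholders left unsubstituted from the template above, and resolves `FalconCloud` to the matching Falcon API base URL so a misconfigured secret fails clearly instead of producing opaque authentication errors later. The sample secret string is constructed for the demonstration.

```python
import json

# Falcon Cloud short names from the secret template and the API base URL each maps to.
FALCON_CLOUD_URLS = {
    "us-1": "https://api.crowdstrike.com",
    "us-2": "https://api.us-2.crowdstrike.com",
    "eu-1": "https://api.eu-1.crowdstrike.com",
    "us-gov-1": "https://api.laggar.gcw.crowdstrike.com",
}

REQUIRED_KEYS = ("ClientID", "ClientSecret", "FalconCloud")


def validate_crowdstrike_secret(secret_string: str) -> dict:
    """Parse the CrowdstrikeAPI secret JSON and return client_id, client_secret, base_url.

    Raises ValueError naming the first problem found so deployment fails loudly.
    """
    try:
        data = json.loads(secret_string)
    except json.JSONDecodeError as exc:
        raise ValueError(f"CrowdstrikeAPI secret is not valid JSON: {exc}") from None
    if not isinstance(data, dict):
        raise ValueError("CrowdstrikeAPI secret must be a JSON object")
    missing = [key for key in REQUIRED_KEYS if key not in data]
    if missing:
        raise ValueError(f"CrowdstrikeAPI secret missing keys: {', '.join(missing)}")
    for key in REQUIRED_KEYS:
        value = data[key]
        if not isinstance(value, str) or not value.strip():
            raise ValueError(f"{key} must be a non-empty string")
        # A value still wrapped in <...> means the template placeholder was never replaced.
        if value.startswith("<") and value.endswith(">"):
            raise ValueError(f"{key} still contains a placeholder value")
    cloud = data["FalconCloud"].strip().lower()
    if cloud not in FALCON_CLOUD_URLS:
        raise ValueError(f"Unknown FalconCloud '{cloud}'; expected one of {sorted(FALCON_CLOUD_URLS)}")
    return {
        "client_id": data["ClientID"],
        "client_secret": data["ClientSecret"],
        "base_url": FALCON_CLOUD_URLS[cloud],
    }


if __name__ == "__main__":
    # Constructed sample secret value; the credentials are not real.
    sample = '{"ClientID": "abc123", "ClientSecret": "s3cr3t", "FalconCloud": "eu-1"}'
    print(validate_crowdstrike_secret(sample)["base_url"])
```

In a deployment the `secret_string` argument would be the `SecretString` returned by Secrets Manager for `CrowdstrikeAPI`.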
- `ONLY_LOG_MATCHES`: Set to `true` (in template.yaml) to only decorate an alert if the indicator was found in Falcon. Default: `false`.