Skip to content

FalconCustomIOC#

Crowdstrike_Falcon_Custom_IOC#

Author: Nicolas Criton
License: AGPL-v3
Version: 2.0
Supported data types:
- thehive:alert
- thehive:case_artifact
Registration required: N/A
Subscription required: N/A
Free subscription: N/A
Third party service: N/A

Description#

Submit observables to the Crowdstrike Falcon Custom IOC API

Configuration#

falconapi_endpoint CrowdStrike API endpoints: US-1 | US-2 | US-GOV-1 | EU-1
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
falconapi_clientid Crowdstrike Falcon Client ID Oauth2 API client
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
falconapi_key Crowdstrike Falcon Oauth2 API Key
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
domain_block_expiration_days How many days should we block the domain IOCs sent? Default: 30
Default value if not configured 30
Type of the configuration item number
The configuration item can contain multiple values False
Is required False
ip_block_expiration_days How many days should we block the ip IOCs sent? Default: 30
Default value if not configured 30
Type of the configuration item number
The configuration item can contain multiple values False
Is required False
hash_block_expiration_days How many days should we block the hash IOCs sent? Default: 30
Default value if not configured 30
Type of the configuration item number
The configuration item can contain multiple values False
Is required False
action_to_take How the IOCs should be handled by Falcon ? Choose between 'no_action' or 'detect' -> no_action: Save the indicator for future use, but take no action / detect: Enable detections for the indicator at the selected severity (Default: detect)
Default value if not configured detect
Type of the configuration item string
The configuration item can contain multiple values False
Is required False
severity_level Severity level when IOCs are ingested by Falcon CustomIOC: informational / low / medium / high / critical - Default: high
Default value if not configured high
Type of the configuration item string
The configuration item can contain multiple values False
Is required False
tag_added_to_cs Tag added to the IOC in Falcon platform - Default: Cortex Incident - FalconCustomIOC
Default value if not configured Cortex Incident - FalconCustomIOC
Type of the configuration item string
The configuration item can contain multiple values False
Is required False
tag_added_to_thehive Tag added to the IOC in TheHive platform - Default: Falcon:Custom IOC Uploaded
Default value if not configured Falcon:Custom IOC Uploaded
Type of the configuration item string
The configuration item can contain multiple values False
Is required False

Crowdstrike_Falcon_Custom_IOC_API#

Author: Michael
License: MIT
Version: 1.0
Supported data types:
- thehive:alert
- thehive:case_artifact
Registration required: N/A
Subscription required: N/A
Free subscription: N/A
Third party service: N/A

Description#

Submit observables to the Crowdstrike Falcon Custom IOC api

Configuration#

falconapi_url Crowdstrike Falcon host url
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
falconapi_user Crowdstrike Falcon query api user
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
falconapi_key Crowdstrike Falcon query api key
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True