CrowdStrike API endpoints: US-1 | US-2 | US-GOV-1 | EU-1
Default value if not configured: N/A
Type of the configuration item: string
The configuration item can contain multiple values: False
Is required: True

falconapi_clientid
Client ID of the CrowdStrike Falcon OAuth2 API client
Default value if not configured: N/A
Type of the configuration item: string
The configuration item can contain multiple values: False
Is required: True

falconapi_key
CrowdStrike Falcon OAuth2 API key
Default value if not configured: N/A
Type of the configuration item: string
The configuration item can contain multiple values: False
Is required: True

domain_block_expiration_days
Number of days to block the domain IOCs sent. Default: 30
Default value if not configured: 30
Type of the configuration item: number
The configuration item can contain multiple values: False
Is required: False

ip_block_expiration_days
Number of days to block the IP IOCs sent. Default: 30
Default value if not configured: 30
Type of the configuration item: number
The configuration item can contain multiple values: False
Is required: False

hash_block_expiration_days
Number of days to block the hash IOCs sent. Default: 30
Default value if not configured: 30
Type of the configuration item: number
The configuration item can contain multiple values: False
Is required: False

action_to_take
How Falcon should handle the IOCs. Choose between 'no_action' and 'detect'. no_action: save the indicator for future use, but take no action. detect: enable detections for the indicator at the selected severity. Default: detect
Default value if not configured: detect
Type of the configuration item: string
The configuration item can contain multiple values: False
Is required: False

severity_level
Severity level assigned when IOCs are ingested by Falcon CustomIOC: informational / low / medium / high / critical. Default: high
Default value if not configured: high
Type of the configuration item: string
The configuration item can contain multiple values: False
Is required: False

tag_added_to_cs
Tag added to the IOC in the Falcon platform. Default: Cortex Incident - FalconCustomIOC
Default value if not configured: Cortex Incident - FalconCustomIOC
Type of the configuration item: string
The configuration item can contain multiple values: False
Is required: False

tag_added_to_thehive
Tag added to the IOC in the TheHive platform. Default: Falcon:Custom IOC Uploaded
Default value if not configured: Falcon:Custom IOC Uploaded
Type of the configuration item: string
The configuration item can contain multiple values