Falcon is CrowdStrike's purpose-built platform to stop breaches via a unified set of cloud-delivered technologies. It prevents all types of sophisticated attacks including malware and ransomware. Falcon gives a comprehensive view of the attack cycle of a threat for faster investigations with deep context.
SIRP integrates with CrowdStrike Falcon for the enrichment of the collected data, visibility into threat patterns, and extended automation for removing or containing threats.
The comprehensive detection capabilities of CrowdStrike Falcon, combined together with SIRP’s risk-based SOAR platform provide SOC teams with an unparalleled defense posture. The SOC teams have access to active threats, accelerated visibility and detection, and complete information on artifacts to provide context and threat validation.
SIRP’s CrowdStrike integration app allows you to execute the following actions:
Get Threat Intelligence
Pulls Threat Intelligence feeds from Crowdstrike
Enable and Configure the CrowdStrike App
Create CrowdStrike API Credentials
Follow these steps to generate the CrowdStrike API credentials (which will be later used in SIRP to enable the CrowdStrike Threat Intelligence App):
Log in to your Falcon Insight instance.
Access the Settings on the dashboard.
Click on the Support dropdown then select API Clients and Keys.
Within the API Clients and Keys section, click on the Add new API Client option.
Select the API scopes you want to read and write.
Click on Add.
Once the API client is created, the client ID, Secret key, and Base URL will be generated and displayed in a popup dialogue box. Copy this information for the next step.
Configure The SIRP App
Next, log in to SIRP, then go to Apps from the left navigation bar
Locate the CrowdStrike Threat Intelligemce App.
Click on the Toggle button to enable the app.
As soon as you enable the App, you will get an option to add the configuration details.
Add the URL, Client ID, and Client Secret copied earlier and click Save to enable the app
Create Ingestion Source
In order to start ingesting threat feeds from Crowdstrike through API, you need to create a new ingestion source and enable it.
1. Go to Administration section from the left-hand navigation bar
2. Go to Automation > Ingestion Sources
3. Click on Add Source
4 . Fill the fields in the popup form as shown in the image above:
Ingestion Method: API
Name: Falcon Threat Intel (This can be any name to distinguish this ingestion source)
Ingestion Type: Threat Intel
Applications: Crowndstrike Threat Intelligence
Actions: GET THREAT INTELLIGENCE
9. Click Create button to create the new ingestion source
10. The last step after creating an ingestion source is mapping the data fields ingested from Crowdstrike with the fields available in SIRP. After you create the ingestion source, you will get a new configuration icon under the Actions column. Click on the icon to configure the fields.
11. Configure the field mapping as shown in the following screenshot and click Save.
After enabling the ingestion source, SIRP will start to call Crowdstrike Falcon Threat Intelligence’s API every 5 minutes to check for any new threat feeds. If SIRP finds any offenses, it will start ingesting the records within its database.
The results will be visible in the Threat Intelligence module. The Pending tab will list all the ingested feeds.