Recorded Future Collective Insights for CrowdStrike Falcon

Introduction

Recorded Future's Collective Insights is a new type of Recorded Future analytics that gives clients a complete view of which threats matter to their organization. Collective Insights lets Recorded Future’s clients analyze detected incidents to build an intelligence resource that is used in two ways:

  • Collective Insights gives clients a comprehensive view of detections across their infrastructure and security controls.
  • Anonymized data can be used to build visualizations and analytics that compare the threat vectors and overall threat landscape of your enterprise against specific industries and geographies.

For more information on Recorded Future’s Collective Insights, see the Getting Started with Collective Insights page.

The fields Recorded Future collects from each CrowdStrike detection are the following:
  • `id` - The ID of a detection
  • `description` - The description of a behavior
  • `timestamp` - The timestamp of a behavior associated with a detection
  • `type` - The behavior IOC type
  • `value` - The behavior IOC value

Install via the Integration Center

Fully guided setup walkthrough demonstration

To enable the Recorded Future integration for CrowdStrike Falcon, navigate to the Integration Center in the left-hand menu. 

Click the CrowdStrike Falcon tile. 

You will see additional details and resources for the integration. Click the blue Set up button.

Note: You must be an administrator to see the Set up button. 

Enter the requested information in the modal that displays.

[Screenshot: connector setup modal]

  • Connector Name: Collective Insights Connector For CrowdStrike Falcon
  • CrowdStrike Falcon Authentication
    • Client ID: Located in CrowdStrike, under Account Settings > API Keys
    • Client Secret: Located in CrowdStrike, under Account Settings > API Keys
    • Instance Region: The CrowdStrike instance API URL contains the region. For example, ' ' has region 'us-2'

Click 'Save', then enable the Collective Insights capability by providing the required information.

[Screenshot: Collective Insights capability settings]

  • Name: Name of the capability
  • Detection Parameters 
    • Minimum Severity: Severity threshold 
    • Minimum Confidence: Confidence threshold
    • Connector Update Frequency: The update frequency is the length of time Recorded Future pauses between updates. It can be set in minutes, hours, or days. Recorded Future polls at this frequency and, on each poll, retrieves all new events since the last query. The default (suggested) frequency is every 30 minutes.
  • Custom Parameters (This section is not enabled by default. See the FAQ section for the steps to request that it be enabled.)
    • Custom Filter String: The filters to apply in CrowdStrike before events are ingested into Collective Insights. The filter string must be written in FQL (Falcon Query Language). Some common filters, expressed in FQL:
      • Exclude events from a specific device: `device_name != "<name of the device>"`
      • Exclude events from a specific region: `region != "<name of the region>"`
  • Initial Import
    • Detections Created Last: How far back in time Recorded Future pulls historical detections during the initial setup. The default range is 1 day; ranges longer than the previous 24 hours may delay the setup process

Click Activate.


Migration from Detects API to Alerts API

The Collective Insights Connector for CrowdStrike has been updated to use the Alerts API in place of the legacy Detects API, in line with CrowdStrike’s announced migration (Detects API end-of-life: September 30, 2025). Existing API tokens already have the required Alerts: Read/Write scope. No additional permissions are needed. The connector continues to operate as before.

FAQ

1. How do I generate a Client ID and Secret in CrowdStrike for Collective Insights?

Fully guided setup walkthrough demonstration

2. What API scopes must be granted to the API client generated for Collective Insights?

The API Client should have Alerts:Read access within CrowdStrike.

3. Where can I get the instance region for CrowdStrike?

The instance region field is only required if the region is not us-1. The region can be read from the API URL of the CrowdStrike instance (e.g. api.eu-1.crowdstrike.com for the eu-1 region).

4. Why don't I see any detections, or why does the number of detections in CrowdStrike not match the Detection Trends dashboard?

Not all detections from CrowdStrike make it into Collective Insights. Both of the following criteria must be met for a behaviour in CrowdStrike to be sent to Collective Insights:

a. IOC Type must be one of hash_sha256, hash_md5, sha256, md5, ipv4, ipv6 or domain

b. IOC Value must not be null
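To make these two criteria concrete, here is an added Python example (not Recorded Future's or CrowdStrike's code) that applies them, together with the Minimum Severity and Minimum Confidence thresholds from the capability settings, to constructed detection records and produces the five fields listed in the Introduction. The record layout (`detection_id`, `behaviors`, `ioc_type`, `ioc_value`, `severity`, `confidence`) and the 0-100 scale for severity and confidence are assumptions made for the example, not a description of the Alerts API response.

```python
from typing import Dict, List

# IOC types that Collective Insights accepts (criterion a in FAQ 4).
ELIGIBLE_IOC_TYPES = {"hash_sha256", "hash_md5", "sha256", "md5", "ipv4", "ipv6", "domain"}

# Constructed sample detections. The key names and the 0-100 severity/confidence
# scale are assumptions for this example, not the real API schema.
SAMPLE_DETECTIONS: List[Dict] = [
    {
        "detection_id": "ldt:constructed:0001",
        "behaviors": [
            {   # eligible: hash IOC with a value
                "description": "Known-bad file hash observed",
                "timestamp": "2025-10-06T00:43:48Z",
                "ioc_type": "hash_sha256",
                "ioc_value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
                "severity": 70, "confidence": 90,
            },
            {   # dropped: 'process' is not an eligible IOC type
                "description": "Suspicious process launch",
                "timestamp": "2025-10-06T00:43:49Z",
                "ioc_type": "process",
                "ioc_value": "cmd.exe",
                "severity": 70, "confidence": 90,
            },
        ],
    },
    {
        "detection_id": "ldt:constructed:0002",
        "behaviors": [
            {   # dropped: eligible type but null value (criterion b)
                "description": "Domain lookup",
                "timestamp": "2025-10-06T01:10:00Z",
                "ioc_type": "domain",
                "ioc_value": None,
                "severity": 50, "confidence": 60,
            },
        ],
    },
    {
        "detection_id": "ldt:constructed:0003",
        "behaviors": [
            {   # eligible at default thresholds, dropped once Minimum Severity exceeds 20
                "description": "Outbound connection",
                "timestamp": "2025-10-06T02:00:00Z",
                "ioc_type": "ipv4",
                "ioc_value": "203.0.113.10",
                "severity": 20, "confidence": 80,
            },
        ],
    },
]


def is_eligible(behavior: Dict, min_severity: int = 0, min_confidence: int = 0) -> bool:
    """True when a behavior satisfies FAQ 4 (type in the allowed set, non-null value)
    and meets the configured severity/confidence thresholds."""
    if behavior.get("ioc_type") not in ELIGIBLE_IOC_TYPES:
        return False
    if behavior.get("ioc_value") in (None, ""):
        return False
    if behavior.get("severity", 0) < min_severity:
        return False
    if behavior.get("confidence", 0) < min_confidence:
        return False
    return True


def extract_fields(detection: Dict, min_severity: int = 0, min_confidence: int = 0) -> List[Dict]:
    """Flatten one detection into the five collected fields, one row per eligible behavior."""
    rows = []
    for behavior in detection.get("behaviors", []):
        if not is_eligible(behavior, min_severity, min_confidence):
            continue
        rows.append({
            "id": detection["detection_id"],
            "description": behavior.get("description", ""),
            "timestamp": behavior.get("timestamp"),
            "type": behavior["ioc_type"],
            "value": behavior["ioc_value"],
        })
    return rows


def summarize(detections: List[Dict], min_severity: int = 0, min_confidence: int = 0) -> Dict[str, int]:
    """Compare the CrowdStrike detection count with what reaches Collective Insights,
    which is the mismatch FAQ 4 describes."""
    rows = [row for d in detections for row in extract_fields(d, min_severity, min_confidence)]
    return {
        "crowdstrike_detections": len(detections),
        "collective_insights_rows": len(rows),
        "detections_represented": len({row["id"] for row in rows}),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_DETECTIONS))                   # 3 detections in CrowdStrike, 2 rows reach Collective Insights
    print(summarize(SAMPLE_DETECTIONS, min_severity=50))  # raising the threshold also drops the ipv4 row
```

Running the block shows why the dashboard count can be lower than the CrowdStrike console: of three constructed detections, one has no eligible IOC type, one has a null IOC value, and a higher Minimum Severity removes a third, so only a subset is ever sent.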

5. Why don't I see any MITRE codes for my CrowdStrike detections in the Detection Activity dashboard?

Currently, the connector is being updated to include the new MITRE ATT&CK codes available from the CrowdStrike detections.

6. Which IP addresses need to be whitelisted to allow communication from the hosted service to CrowdStrike?

Traffic from the following AWS IP addresses, which are dedicated to Recorded Future, needs to be whitelisted to allow communication from the hosted service:

7. How do I set up a connector under a suborg in a multi-org environment?

To set up a connector under a specific suborg, switch as Enterprise admin to that suborg and create a connector following the same process described here.

8. Can we enable custom filters using FQL in CrowdStrike before fetching Collective Insights?

Yes, you can provide an FQL query to filter events at the source. Recorded Future Support can enable the field in your instance of the CrowdStrike connector on request (see below).

9. How do I enable the custom filters field in the CrowdStrike connector?

Create a support ticket as follows:

a. Client Issue Category - Integrations

b. Subject - Enable custom parameters section in CrowdStrike Connector

c. Description - Provide a brief summary of the filters you want to apply in CrowdStrike before ingesting events into Collective Insights

10. Does Recorded Future provide any support for writing new or debugging existing FQL queries?

Recorded Future only facilitates adding an FQL query to be applied in CrowdStrike; the query itself must be validated by the customer in their own CrowdStrike instance before it is applied within the connector. For any questions about FQL, contact your CrowdStrike point of contact or refer to CrowdStrike's official Falcon API documentation for writing queries that match your requirements.

Happy Hunting!!
