Recorded Future Collective Insights for CrowdStrike Falcon

Introduction

Recorded Future's Collective Insights is a Recorded Future analytics capability that gives clients a consolidated view of which threats matter to their organization. Collective Insights lets clients analyze the detections raised by their own security controls and turn them into an intelligence resource that is used in two ways:

  • Collective Insights gives clients a comprehensive view of detections across their infrastructure and controls.
  • Anonymized detection data feeds visualizations and analytics that compare your enterprise's threat vectors and overall threat landscape against specific industries and geographies, without identifying your organization.

For more information on Recorded Future's Collective Insights, see the Getting Started with Collective Insights page.

Recorded Future collects the following fields from each CrowdStrike detection:
  • `id` - The ID of the detection
  • `description` - The description of the behavior
  • `timestamp` - The timestamp of the behavior associated with the detection
  • `type` - The IOC type of the behavior
  • `value` - The IOC value of the behavior

Getting Started

There are two deployment modes for setting up Collective Insights for CrowdStrike:

Hosted service [Preferred] - In this mode, the connector that ingests detections is hosted by Recorded Future and pulls detections from the CrowdStrike API.

Scripted solution [Legacy] - In this mode, the connector that ingests detections is deployed as a script in the customer's environment and pushes detections from CrowdStrike to Recorded Future.

Install via the Integration Center (Preferred)

To enable the Recorded Future integration for CrowdStrike Falcon, navigate to the Integration Center in the left-hand menu. 

Click the CrowdStrike Falcon tile. 

You will see additional details and resources for the integration. Click the blue Set up button.

Note: You must be an administrator to see the Set up button. 

Enter the requested information in the modal that displays.

  • Connector Name: Collective Insights Connector For CrowdStrike Falcon
  • CrowdStrike Falcon Authentication 
    • Client ID: Located in CrowdStrike, under Account Settings > API Keys (see FAQ 1 below for how to create an API client)
    • Client Secret: Located in CrowdStrike, under Account Settings > API Keys; it is shown only once, when the API client is created
    • Instance Region: The CrowdStrike instance API URL contains the region. For example, 'api.us-2.crowdstrike.com' has region 'us-2'. The field is only required when the region is not us-1 (see FAQ 3)
  • Detection Parameters 
    • Minimum Severity: Severity threshold; behaviors with a lower severity are not sent to Collective Insights
    • Minimum Confidence: Confidence threshold; behaviors with a lower confidence are not sent to Collective Insights
    • Connector Update Frequency: How long Recorded Future waits between polls of CrowdStrike. This can be set in minutes, hours, or days. Each poll retrieves all new events since the previous query, so a longer interval delays events but does not skip them. The default (suggested) frequency is every 30 minutes.
  • Initial Import
    • Detections Created Last: How far back Recorded Future pulls historical detections during the initial setup. The default range is 1 day; ranges longer than the previous 24 hours may delay the setup process

Click Activate.

Steps to deploy the Scripted solution (Legacy)

The following must be available before you proceed:

  • Recorded Future API token with access to Collective Insights 
  • CrowdStrike Client ID
  • CrowdStrike Client Secret
  • The Python script and requirements.txt for Recorded Future Collective Insights for CrowdStrike, attached to this support article
  • A machine to run the script, with the following prerequisites:
    • Python 3.8 or later
    • Outbound connectivity to the Recorded Future API and the CrowdStrike Falcon API
    • Permission to write log files in the script directory and to schedule the script (for example, with cron)

Installation

  1. Set up a new Python virtual environment to install the dependencies and run the script from: `virtualenv venv --python=python3.8`
  2. Activate the virtual environment: `. venv/bin/activate`
  3. Install the module dependencies from requirements.txt: `pip3 install -r requirements.txt`
  4. You may store the client credentials/secrets as environment variables instead of passing them as parameters to the script. This is the safer option: arguments on the command line are visible to other local users in the process list and are stored in clear text in the crontab, whereas environment variables set for the job are not. If you choose environment variables, set the following:
    • `RF_API_KEY`: Recorded Future API Key
    • `CS_CLIENT_ID`: CrowdStrike Client ID
    • `CS_CLIENT_SECRET`: CrowdStrike Client Secret
  5. Run the script manually to confirm the deployment works: `python CS-Collective_Insights.py -k RF_API_KEY -ccid CROWDSTRIKE_CLIENT_ID -ccs CROWDSTRIKE_CLIENT_SECRET` (omit the flags if the environment variables above are set)
  6. Schedule the script to run daily so that events are ingested and sent to Collective Insights (example cron entry running at 00:15: `15 0 * * * <FILE_DIR>/venv/bin/python3 <FILE_DIR>/CS-Collective_Insights.py -k RF_API_KEY -ccid CROWDSTRIKE_CLIENT_ID -ccs CROWDSTRIKE_CLIENT_SECRET`). Keep the script directory and its log files readable only by the account that runs the job.
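An added Python example of the configuration handling a scripted connector needs: resolving the `-k`/`-ccid`/`-ccs` flags against the `RF_API_KEY`, `CS_CLIENT_ID` and `CS_CLIENT_SECRET` variables, keeping the secrets out of anything that is printed or logged, and deriving the region label from a Falcon API hostname the way the Instance Region field above describes. This is not the Recorded Future script: the function names, the `--region` flag and the `CS_REGION` variable are assumptions, and treating the bare `api.crowdstrike.com` hostname as us-1 follows FAQ 3 below, which says a region is only needed when it is not us-1.

```python
"""Configuration handling for a scripted CrowdStrike -> Collective Insights
connector. Added example, not the Recorded Future script; the function names,
the --region flag and the CS_REGION variable are assumptions. Only -k, -ccid,
-ccs and RF_API_KEY / CS_CLIENT_ID / CS_CLIENT_SECRET come from the article."""
import argparse
import re
from dataclasses import dataclass
from typing import List, Mapping, Sequence
from urllib.parse import urlsplit

# api.<region>.crowdstrike.com, or the bare api.crowdstrike.com for us-1 (assumed).
_HOST_RE = re.compile(r"^api(?:\.([a-z]{2}-\d))?\.crowdstrike\.com$")


@dataclass(frozen=True)
class ConnectorConfig:
    rf_api_key: str
    cs_client_id: str
    cs_client_secret: str
    cs_api_host: str

    def __repr__(self) -> str:
        # Keep the secrets out of logs and tracebacks that print the config.
        return (f"ConnectorConfig(cs_client_id={self.cs_client_id!r}, "
                f"cs_api_host={self.cs_api_host!r}, secrets='<redacted>')")


def region_from_api_host(host_or_url: str) -> str:
    """'api.us-2.crowdstrike.com' -> 'us-2'; 'api.crowdstrike.com' -> 'us-1'."""
    host = host_or_url.strip().lower()
    if "://" in host:                      # tolerate a pasted URL
        host = urlsplit(host).hostname or ""
    m = _HOST_RE.match(host)
    if not m:
        raise ValueError(f"not a Falcon API hostname: {host_or_url!r}")
    return m.group(1) or "us-1"


def api_host_for_region(region: str) -> str:
    """Inverse of region_from_api_host."""
    region = region.strip().lower()
    if region == "us-1":
        return "api.crowdstrike.com"
    if not re.fullmatch(r"[a-z]{2}-\d", region):
        raise ValueError(f"unexpected region label: {region!r}")
    return f"api.{region}.crowdstrike.com"


def resolve_config(argv: Sequence[str], env: Mapping[str, str]) -> ConnectorConfig:
    """Merge command-line flags with environment variables (a flag wins).

    Prefer the environment in production: a secret passed as an argument is
    visible to every local user in `ps` output and sits in clear text in the
    crontab line, while a variable exported for the cron job (for example
    from a file with mode 0600) is not.
    """
    p = argparse.ArgumentParser(prog="CS-Collective_Insights.py")
    p.add_argument("-k", dest="rf_api_key", default=env.get("RF_API_KEY"))
    p.add_argument("-ccid", dest="cs_client_id", default=env.get("CS_CLIENT_ID"))
    p.add_argument("-ccs", dest="cs_client_secret", default=env.get("CS_CLIENT_SECRET"))
    p.add_argument("--region", default=env.get("CS_REGION", "us-1"))  # assumed flag
    a = p.parse_args(list(argv))
    missing: List[str] = [name for name, val in (("RF_API_KEY", a.rf_api_key),
                                                 ("CS_CLIENT_ID", a.cs_client_id),
                                                 ("CS_CLIENT_SECRET", a.cs_client_secret))
                          if not val]
    if missing:
        # Name what is missing, never echo what was supplied.
        raise ValueError("missing credentials: " + ", ".join(missing))
    return ConnectorConfig(a.rf_api_key, a.cs_client_id, a.cs_client_secret,
                           api_host_for_region(a.region))


if __name__ == "__main__":
    import os
    import sys
    print(resolve_config(sys.argv[1:], os.environ))   # repr hides the secrets
```

The `__repr__` override matters more than it looks: the first thing most people do when a cron job fails is print the config or let the exception propagate with locals in the traceback, and that is how an API secret ends up in a log that is readable by more people than the crontab.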

The script ingests detections from CrowdStrike Falcon whose behaviors occurred within the previous 24 hours; this timeframe can be adjusted to backfill older detections. The behaviors from those detections are then filtered by the user-set severity and confidence thresholds to decide what is sent to Recorded Future's Collective Insights API.

Troubleshooting

This section helps with troubleshooting when the script fails to run.

  • The script fails because modules are not installed.
    • Confirm that requirements.txt was installed with pip3, and run `pip freeze` to list the installed modules.
    • Confirm that the virtual environment in which the packages were installed is activated.
  • Not authorized to submit to the Recorded Future Collective Insights API.
    • Confirm that the Recorded Future API token has the Collective Insights API permission enabled.
  • Not authorized to collect events from CrowdStrike Falcon.
    • Confirm that the correct Access Levels & Permissions are enabled for the Client ID & Client Secret: [CrowdStrike Falcon API](https://www.crowdstrike.com/blog/tech-center/get-access-falcon-apis/)
    • Confirm that the RF API Key, CS Client ID, & CS Client Secret are passed in the correct parameter positions (`-k`, `-ccid`, `-ccs`) or in the corresponding environment variables.
  • Why am I ingesting 800 events from CrowdStrike when the log says I've only submitted 200 indicators?
    • Collective Insights keeps only unique indicators when submitting via the API; the submitted count is the number of distinct indicators, not the number of events or behaviors.

FAQ

1. How do I generate a Client ID and Secret in CrowdStrike for Collective Insights?

When logged into the Falcon UI, navigate to Support > API Clients and Keys. From there you can view existing clients, add new API clients, or view the audit log. When you click "Add new API Client" you are prompted to give a descriptive name and select the appropriate API scopes. After you click Save, you are shown the Client ID and Client Secret. The secret is shown only once and must be stored in a secure place. If the Client Secret is lost, it must be reset, and any application relying on it must be updated with the new credentials.

2. What API scopes does the API client generated for Collective Insights need?

The API client only needs READ access to detections/alerts in CrowdStrike. Do not grant write scopes: the connector only reads detections, and a read-only credential limits the damage if it is ever exposed.

3. Where can I get the instance region for CrowdStrike?

The Instance Region field is only required if the region is not us-1. Take the region from the API URL of your CrowdStrike instance (e.g. api.eu-1.crowdstrike.com is region eu-1).

4. Why don't I see any detections, or why does the number of detections in CrowdStrike differ from the Detection Trends dashboard?

Not all CrowdStrike detections reach Collective Insights. A behavior from a CrowdStrike detection is sent only when both of the following criteria are met:

a. The IOC type is one of hash_sha256, hash_md5, sha256, md5, ipv4, ipv6 or domain 

b. The IOC value is not null

Behaviors below the configured minimum severity or confidence are also dropped, and duplicate indicators are counted once, so the dashboard count is normally lower than the raw detection count in CrowdStrike.
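The selection rules above, together with the severity and confidence thresholds and the 24-hour look-back from the scripted-solution section and the unique-indicator filtering from Troubleshooting, as one added Python example. This is not the connector's own code: the detection records are constructed, and their field names (`detection_id`, `behaviors[].ioc_type`, `ioc_value`, `severity`, `confidence`, `timestamp`, `description`) are assumptions about the shape of a Falcon detection summary, not a documented contract.

```python
"""Select which Falcon detection behaviors become Collective Insights
indicators. Added example, not the connector's code; the sample detections
are constructed and their field names are assumptions."""
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, List, Tuple

# IOC types accepted by Collective Insights (FAQ 4).
ACCEPTED_IOC_TYPES = {"hash_sha256", "hash_md5", "sha256", "md5", "ipv4", "ipv6", "domain"}
# The two spellings of each hash type name the same indicator kind (assumed).
_CANONICAL_TYPE = {"hash_sha256": "sha256", "hash_md5": "md5"}


def parse_timestamp(ts: str) -> datetime:
    """ISO 8601 with a trailing 'Z' -> tz-aware UTC datetime (works on 3.8)."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def extract_indicators(detections: List[Dict[str, Any]], min_severity: int,
                       min_confidence: int, now: datetime,
                       window_hours: int = 24) -> Tuple[List[Dict[str, Any]], Counter]:
    """Return (indicators, stats): one record with the five article fields per
    unique (type, value) pair, and a Counter saying why behaviors were dropped."""
    cutoff = now - timedelta(hours=window_hours)
    stats: Counter = Counter()
    seen = set()
    indicators: List[Dict[str, Any]] = []
    for det in detections:
        for b in det.get("behaviors", []):
            stats["behaviors"] += 1
            if parse_timestamp(b["timestamp"]) < cutoff:       # outside look-back window
                stats["outside_window"] += 1
                continue
            if b.get("severity", 0) < min_severity or b.get("confidence", 0) < min_confidence:
                stats["below_threshold"] += 1
                continue
            ioc_type = (b.get("ioc_type") or "").lower()
            if ioc_type not in ACCEPTED_IOC_TYPES:              # criterion (a)
                stats["unsupported_type"] += 1
                continue
            value = b.get("ioc_value")
            if not value:                                       # criterion (b)
                stats["null_value"] += 1
                continue
            ioc_type = _CANONICAL_TYPE.get(ioc_type, ioc_type)
            value = value.strip()
            if ioc_type in ("sha256", "md5", "domain"):
                value = value.lower()   # hex digests and DNS names are case-insensitive
            if (ioc_type, value) in seen:                       # unique-indicator filtering
                stats["duplicate"] += 1
                continue
            seen.add((ioc_type, value))
            indicators.append({"id": det["detection_id"], "description": b.get("description", ""),
                               "timestamp": b["timestamp"], "type": ioc_type, "value": value})
    stats["submitted"] = len(indicators)
    return indicators, stats


# Constructed sample: two detections, eight behaviors, evaluated at NOW.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_DETECTIONS = [
    {"detection_id": "ldt:aaa:1", "behaviors": [
        {"ioc_type": "hash_sha256", "ioc_value": "ABCD" * 16, "severity": 70, "confidence": 90,
         "timestamp": "2024-05-01T10:15:00Z", "description": "Known malicious file hash"},
        {"ioc_type": "domain", "ioc_value": "Evil.Example.COM", "severity": 50, "confidence": 80,
         "timestamp": "2024-05-01T10:15:01Z", "description": "DNS lookup of a known C2 domain"},
        {"ioc_type": "ipv4", "ioc_value": "203.0.113.10", "severity": 30, "confidence": 95,
         "timestamp": "2024-05-01T10:15:02Z", "description": "Low-severity beacon"},
    ]},
    {"detection_id": "ldt:bbb:2", "behaviors": [
        {"ioc_type": "sha256", "ioc_value": "abcd" * 16, "severity": 90, "confidence": 100,
         "timestamp": "2024-05-01T11:00:00Z", "description": "Same hash on a second host"},
        {"ioc_type": "file_name", "ioc_value": "dropper.exe", "severity": 90, "confidence": 100,
         "timestamp": "2024-05-01T11:00:01Z", "description": "Unsupported IOC type"},
        {"ioc_type": "domain", "ioc_value": None, "severity": 90, "confidence": 100,
         "timestamp": "2024-05-01T11:00:02Z", "description": "Behavior without an IOC value"},
        {"ioc_type": "ipv6", "ioc_value": "2001:db8::1", "severity": 90, "confidence": 100,
         "timestamp": "2024-04-29T09:00:00Z", "description": "Older than the 24-hour window"},
        {"ioc_type": "hash_md5", "ioc_value": "D41D8CD98F00B204E9800998ECF8427E", "severity": 60,
         "confidence": 70, "timestamp": "2024-05-01T11:30:00Z", "description": "MD5 in upper case"},
    ]},
]

if __name__ == "__main__":
    found, counts = extract_indicators(SAMPLE_DETECTIONS, 50, 50, NOW)
    for ind in found:
        print(ind["type"], ind["value"], ind["id"])
    print(dict(counts))
```

Collective Insights performs the unique-indicator filtering itself when it receives a submission; doing it client-side as well is what makes the "events ingested" and "indicators submitted" numbers in a log explainable, and the `stats` counter tells you which rule dropped each behavior instead of leaving a silent gap. Lower-casing hex digests and domains before comparison is the example's own choice.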

5. Why don't I see any MITRE codes for my CrowdStrike detections in the Detection Activity dashboard?

Currently, no MITRE ATT&CK codes are available from the CrowdStrike detections, so they are not reflected in the Detection Activity dashboard.

6. Which IP addresses need to be allowlisted for communication from the hosted service to CrowdStrike?

Traffic from the following AWS IP addresses, which are dedicated to Recorded Future, must be allowed so that the hosted service can reach your CrowdStrike instance:

  • 52.204.27.85
  • 54.198.55.229
  • 54.156.251.192
  • 34.235.48.77

7. How do I set up a connector under a suborg in a Multiorg environment?

To set up a connector under a specific suborg, switch as Enterprise admin to that suborg and create the connector following the same process described above.

Happy Hunting !!

This content is confidential. Do not distribute or download content in a manner that violates your Recorded Future license agreement. Sharing this content outside of licensed Recorded Future users constitutes a breach of the terms and/or agreement and shall be considered a breach by your organization.