CrowdStrike Intelligence collector

Purpose

Use this collector to get intelligence about attacks from CrowdStrike. It should be used together with the CrowdStrike Falcon Data Replicator SQS collector, which replicates endpoint logs to Devo. In addition to these collectors, custom data can be sent from CrowdStrike Falcon to Devo using a webhook and Devo’s HTTP endpoint.

An analyst wants to create an alert that triggers when there is a brute force attack on Active Directory. Using this collector, the “Password brute force attack (Active Directory)” event in CrowdStrike will trigger the alert so the analyst can determine if the attack was successful using a separate log of successful logins. The analyst will disable compromised accounts, preventing the brute force attacker from exfiltrating data.

An analyst wants to create an alert that triggers when an endpoint is infected by a rootkit. Using this collector, the “Attempt to tamper with Falcon sensor” event in CrowdStrike will trigger an alert, indicating that Windows Remote Management was used to stop the Falcon sensor from observing subsequent actions. The analyst will isolate the endpoint to prevent it from gathering users' passwords.

Example tables

Table                                                            Description
edr.crowdstrike.falconstreaming.*                                Data from different CrowdStrike APIs
edr.crowdstrike.falconstreaming.detection_summary                Threat intelligence relating to processes and users.
edr.crowdstrike.falconstreaming.alert                            Threat intelligence relating to files.
edr.crowdstrike.falconstreaming.customer_ioc                     Indicators of compromise identified by CrowdStrike, such as domain names, IP addresses, and file names. Includes the ID of the compromised endpoint.
edr.crowdstrike.falconstreaming.incidents                        Identify the objective of an attack.
edr.crowdstrike.falconstreaming.scheduled_report_notification    Monitor scheduled reports of vulnerabilities to ensure report SLA compliance.
edr.crowdstrike.falcon_filevantage.change                        Relate file operations to users, machines, and programs to identify ransomware and exfiltration. Includes prevalence intelligence.
edr.all.threats                                                  Endpoint threats, including edr.crowdstrike.falconstreaming.detection_summary.
firewall.all.traffic                                             Firewall activity, including edr.crowdstrike.falconstreaming.firewall_match.

Authorize It

  1. Log in to the CrowdStrike web app.

  2. Open API clients and keys.

  3. Create an API client.

  4. Add a name and description.

  5. According to CrowdStrike, “The scopes you see when creating an API client are determined by your subscribed products and the cloud where your account is hosted.” Enable “Read” for these scopes, if available:

    1. Alerts

    2. Event streams

    3. FileVantage

    4. Hosts

    5. Incidents

    6. Indicators

    7. Vulnerabilities

  6. Copy the Client ID, Secret, and Base URL. These values are shown only once, so store them in a secrets manager rather than in a shared document.


Run It

A base URL, client ID, and secret are required. The base URL CrowdStrike provides is typically one of these:

  • https://api.crowdstrike.com

  • https://api.eu-1.crowdstrike.com

  • https://api.us-2.crowdstrike.com

  • https://api.laggar.gcw.crowdstrike.com

  • https://api.us-gov-2.crowdstrike.mil

The client ID is a hexadecimal string. The secret is a 40-character string of letters and digits.

In the Cloud Collector App, create a CrowdStrike API Resources instance using the following parameters template, replacing the values enclosed in < >. The start_timestamp_in_epoch_seconds value of each service is the Unix time from which that service begins collecting.

{
  "inputs": {
    "crowdstrike": {
      "id": "<UNIQUE ID>",
      "credentials": {
        "client_id": "<CLIENT ID>",
        "secret_key": "<SECRET>"
      },
      "enabled": true,
      "override_api_base_url": "<URL>",
      "services": {
        "estream": {},
        "vulnerabilities": { "start_timestamp_in_epoch_seconds": 1740000000 },
        "filevantage": { "start_timestamp_in_epoch_seconds": 1740000000 },
        "alerts": { "start_timestamp_in_epoch_seconds": 1740000000 },
        "indicators": { "start_timestamp_in_epoch_seconds": 1740000000 },
        "behaviors": { "start_timestamp_in_epoch_seconds": 1740000000 },
        "hosts": { "start_timestamp_in_epoch_seconds": 1740000000 },
        "incidents": { "start_timestamp_in_epoch_seconds": 1740000000 }
      }
    }
  }
}
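As an added example (not Devo's or CrowdStrike's code), the following Python check verifies that a filled-in template still satisfies the constraints stated above before it is pasted into the Cloud Collector App: no < > placeholder left behind, a hexadecimal client ID, a 40-character alphanumeric secret, a documented base URL, and start timestamps in the past. The sample template and its dummy credential values are constructed for illustration.

```python
"""Check a filled-in CrowdStrike API Resources parameters template before it is
pasted into the Cloud Collector App. Added example, not Devo/CrowdStrike code."""
import json
import re
import time

# Base URLs listed on this page; client ID is hex, secret is 40 letters/digits.
KNOWN_BASE_URLS = {
    "https://api.crowdstrike.com",
    "https://api.eu-1.crowdstrike.com",
    "https://api.us-2.crowdstrike.com",
    "https://api.laggar.gcw.crowdstrike.com",
    "https://api.us-gov-2.crowdstrike.mil",
}
PLACEHOLDER = re.compile(r"^<.*>$")  # an unreplaced "<CLIENT ID>"-style value

# Constructed sample: the page's template filled with dummy values of the right shape.
SAMPLE_FILLED = """{"inputs": {"crowdstrike": {"id": "crowdstrike-prod",
  "credentials": {"client_id": "0123456789abcdef0123456789abcdef", "secret_key": "%s"},
  "enabled": true, "override_api_base_url": "https://api.eu-1.crowdstrike.com",
  "services": {"estream": {}, "alerts": {"start_timestamp_in_epoch_seconds": 1740000000}}}}}
""" % ("A1" * 20)

def unfilled(value):
    return not value or PLACEHOLDER.match(value) is not None

def validate_params(text, now=None):
    """Return the problems found in the template text; an empty list means OK."""
    try:
        cs = json.loads(text)["inputs"]["crowdstrike"]
    except (ValueError, KeyError, TypeError) as exc:
        return [f"template is not the expected JSON shape: {exc}"]
    creds = cs.get("credentials", {})
    fields = {"id": str(cs.get("id", "")), "client_id": str(creds.get("client_id", "")),
              "secret_key": str(creds.get("secret_key", "")),
              "override_api_base_url": str(cs.get("override_api_base_url", ""))}
    problems = [f"{k} still holds a placeholder or is empty" for k, v in fields.items() if unfilled(v)]
    if not unfilled(fields["client_id"]) and not re.fullmatch(r"[0-9a-fA-F]+", fields["client_id"]):
        problems.append("client_id is not hexadecimal")
    if not unfilled(fields["secret_key"]) and not re.fullmatch(r"[A-Za-z0-9]{40}", fields["secret_key"]):
        problems.append("secret_key is not 40 letters and digits")
    url = fields["override_api_base_url"]
    if not unfilled(url) and url not in KNOWN_BASE_URLS:
        problems.append(f"override_api_base_url {url!r} is not a documented CrowdStrike API host")
    now = time.time() if now is None else now  # start timestamps must already be in the past
    for svc, cfg in cs.get("services", {}).items():
        ts = cfg.get("start_timestamp_in_epoch_seconds")
        if ts is not None and not 0 < ts <= now:
            problems.append(f"services.{svc}: start timestamp {ts} is not in the past")
    return problems
```

Run validate_params on the template text read from a file kept outside version control and fix every reported problem before creating the instance.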

Secure It

Using the Devo Exchange

Devo provides alert packs for endpoint detection, file discovery, and firewalls that work with the CrowdStrike Intelligence collector. The queries below are examples of the detections those packs support.

Blocked Exploit

An analyst wants to identify users associated with exploit attempts. These users should be evaluated to determine if they are compromised service accounts, users who need to be trained to resist social engineering attacks, or malicious individuals.

from edr.crowdstrike.falconstreaming.detection_summary where eq(DetectName,"Blocked Exploit") group by DetectDescription,UserName select collectdistinct(ComputerName)

Theft

An analyst wants to identify user accounts that are stealing sensitive information. If hashed passwords are stolen, it may be appropriate to rotate those passwords. If permissions information such as the registry hive has been stolen, check privileged accounts for signs of attempted lateral movement by the attacker.

from edr.crowdstrike.falconstreaming.detection_summary where eq(DetectName,"Credential Theft") or eq(DetectName,"Data Theft") group by DetectDescription,UserName

Ransomware

An analyst wants to identify computers infected with ransomware. This list can be used to speed restoration of backups, reducing downtime.

from edr.crowdstrike.falconstreaming.detection_summary where eq(DetectName,"Ransomware") group by DetectDescription,ComputerName

Firewall

An analyst wants to check whether a compromised host is attempting connections that the firewall does not allow. Generate a list of the commands on that host and the firewall rules they trigger. The commands should be evaluated to determine if they are malicious.

from edr.crowdstrike.falconstreaming.firewall_match where eq(hostName,"example") group by hostName, policyName, ruleName, commandLine

Rootkit

An analyst wants to identify machines infected with rootkits. Attempts to tamper with Falcon may indicate a rootkit infection.

from edr.crowdstrike.falconstreaming.detection_summary where weakhas(DetectDescription,"tamper"), has(DetectDescription,"Falcon") group by DetectDescription, ComputerName, CommandLine

Brute force attack

An analyst wants to identify accounts that have experienced brute force attacks. Successful logins recorded in auth.all after a brute force attack may indicate that the attack has succeeded.

from edr.crowdstrike.falconstreaming.identity_protection where toktains(incidentType,"brute force") group by incidentType, userName

Devo Collector Features

Feature                                  Details
Allow parallel downloading (multipod)    Not allowed
Running environments                     Collector Server
Populated Devo events                    Table