Overview #
Maltiverse integrates with CrowdStrike so that you can seamlessly export Indicators of Compromise (IoCs) from Maltiverse feeds into CrowdStrike’s threat intelligence platform. Once configured, you can push selected Maltiverse IoCs (such as file hashes, IP addresses or domains) automatically into CrowdStrike, applying the desired action to each indicator.
This article walks you through the configuration steps and details the available action types depending on the nature of your IoC.
Prerequisites #
- CrowdStrike Account: Ensure you have valid CrowdStrike API credentials (Client ID and Client Secret) and the correct API permissions to upload custom IoCs.
- Maltiverse Account: You must have the right permissions within Maltiverse to configure connectors and manage feeds.
- CrowdStrike API Key and connection data: You need the CrowdStrike API connection details, basically the connection URL (e.g., https://api.crowdstrike.com or a region-specific variant) and an API key.
Generating an API Key in CrowdStrike #
Before you can configure the Maltiverse connector for CrowdStrike, you need valid CrowdStrike API credentials with the correct permissions to manage and upload IoCs. Follow these steps to create a new API Client in the CrowdStrike console:
- Log into CrowdStrike
  - Open your web browser and navigate to your CrowdStrike cloud URL (e.g., https://falcon.crowdstrike.com/ or the region-specific URL provided by your organization).
  - Enter your Username and Password, then click Log In.
- Open Support & Resources
  - Once you are logged in, look for the Support & Resources (or similarly named) section in the left-hand menu of the CrowdStrike dashboard.
  - Select API Clients and Keys.
- Create a New API Client
  - On the API Clients and Keys page, click Add new API client or a similarly labeled button.
  - In the Client name field, enter a descriptive name for this integration, such as Maltiverse_Integration.
  - (Optional) Provide a short Description that references Maltiverse.
- Set Required Permissions
  - In the list of available scopes, ensure you grant the following permissions:
    - IOC Management: Check both Read and Write.
    - IOCs (Indicators of Compromise): Check both Read and Write.
  - If there are other optional permissions that your organization’s policies or workflows require, you can enable those as well.
- Save the API Client
  - Click Update client details (or the equivalent button) to create the API client.
  - CrowdStrike will generate a Client ID and Client Secret. Copy these credentials immediately, as the secret may be hidden afterward.
- Verify Your Setup
  - Return to the API Clients and Keys page to confirm that your new client is listed with the correct permissions.
  - You can now use the Client ID and Client Secret to configure the Maltiverse CrowdStrike connector (as described in the Connector Configuration Steps section below).
Note: If you do not see the API Clients and Keys option in your CrowdStrike console, you may need additional permissions or roles within your organization’s CrowdStrike environment. Contact your administrator for further assistance.
Connector Configuration Steps #
- Open Connector Configuration
  In the Maltiverse platform, navigate to Connectors and select CrowdStrike. Then click the ADD + button and complete the following form:
- Integration Name
  Provide a descriptive name for this integration, such as “CrowdStrike US Region” or “CS Connector – Production”. This name will help you identify the connector later.
- Description
  (Optional) Enter a short description of the integration. For instance: “Connector for pushing IP, domain, and file hash IoCs from Maltiverse to CrowdStrike.”
- CrowdStrike URL
  Specify the base URL for your CrowdStrike instance. For most users, this will be the default CrowdStrike API endpoint, but it can vary by region or account.
- CrowdStrike Client ID
  Enter your CrowdStrike Client ID. This is provided by your CrowdStrike administrator.
- CrowdStrike Client Secret
  Enter the secret key associated with the above Client ID.
- Delete Expired (Toggle)
  If enabled, Maltiverse will remove or mark expired IoCs in CrowdStrike. If you prefer to retain them in CrowdStrike even after they expire in Maltiverse, leave this toggle off.
- Action
  Choose the default action that will be applied in CrowdStrike for IoCs sent by this connector. (More details on actions below.)
- Feed
  Select the Maltiverse feed(s) that contain the IoCs you want to push to CrowdStrike. You can add multiple feeds if needed.
- Schedule
  Define how often this connector will push updated IoCs to CrowdStrike. Typical schedules include daily or hourly updates. Adjust as needed based on your organization’s policies.
- Enabled (Toggle)
  Switch to ON if you want the connector to be active immediately. Otherwise, leave it off if you are not ready to start sending IoCs.
- Test Connection
  Click Test Connection to validate your CrowdStrike credentials and URL. If the test is successful, you can proceed to save the connector.
- Save
  Once all fields are configured, click Save to finalize the setup. Within a few minutes you will start seeing the IoCs loaded in the CrowdStrike console under IoC Management.
Understanding IoC Actions #
CrowdStrike supports different action values depending on the IoC type. When you configure the CrowdStrike connector in Maltiverse, you specify an action that indicates how CrowdStrike will handle the indicator. However, not all actions are compatible with all IoC types:
- File Hashes (MD5, SHA256, etc.)
  - no_action
  - allow
  - prevent
  - detect
  - prevent_no_ui
- IP Addresses
  - no_action
  - allow
  - detect
- Domains/URLs
  - no_action
  - allow
  - detect
- Registry Keys/Values
  - no_action
  - allow
  - prevent
  - detect
  - prevent_no_ui
- Processes
  - no_action
  - allow
  - prevent
  - detect
  - prevent_no_ui
When Maltiverse pushes an IoC to CrowdStrike, it will use the specified action. If the chosen action is not supported by that particular IoC type in CrowdStrike, the IoC update may fail or default to a supported action (depending on your CrowdStrike configuration).
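A pre-flight check for the compatibility rules above, added here as an illustration (it is not Maltiverse or CrowdStrike code): it classifies each indicator in a feed by syntax, drops duplicates, and flags indicators whose type does not support the chosen default action, downgrading them to a fallback action that every type supports, so you know before the push which IoCs would fail or be defaulted. It covers only the hash, IP and domain types that Maltiverse feeds carry; the feed values are constructed.

```python
import ipaddress
import re

# Action compatibility per IoC type, taken from the table on this page (hash, IP, domain only).
SUPPORTED_ACTIONS = {
    "hash": {"no_action", "allow", "prevent", "detect", "prevent_no_ui"},
    "ipv4": {"no_action", "allow", "detect"},
    "ipv6": {"no_action", "allow", "detect"},
    "domain": {"no_action", "allow", "detect"},
}
HEX_RE = re.compile(r"^[0-9a-f]+$", re.IGNORECASE)
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.IGNORECASE)


def classify(indicator):
    """Infer the IoC type from its syntax; return None if it is not recognised."""
    value = indicator.strip()
    if HEX_RE.match(value) and len(value) in (32, 40, 64):  # MD5 / SHA-1 / SHA-256
        return "hash"
    try:
        return "ipv4" if ipaddress.ip_address(value).version == 4 else "ipv6"
    except ValueError:
        pass
    return "domain" if DOMAIN_RE.match(value) else None


def preflight(indicators, default_action, fallback="detect"):
    """Sort a feed into ready / adjusted (downgraded to fallback) / duplicates / rejected."""
    report = {"ready": [], "adjusted": [], "duplicates": [], "rejected": []}
    seen = set()
    for raw in indicators:
        ioc = raw.strip()
        if ioc.lower() in seen:
            report["duplicates"].append(ioc)
            continue
        seen.add(ioc.lower())
        kind = classify(ioc)
        if kind is None:
            report["rejected"].append(ioc)
        elif default_action in SUPPORTED_ACTIONS[kind]:
            report["ready"].append((ioc, kind, default_action))
        elif fallback in SUPPORTED_ACTIONS[kind]:
            report["adjusted"].append((ioc, kind, fallback))
        else:  # neither the default nor the fallback is valid for this type
            report["rejected"].append(ioc)
    return report


# Constructed sample feed (placeholder hash, TEST-NET-2 address, reserved .example name).
SAMPLE_FEED = ["0123456789abcdef0123456789abcdef", "198.51.100.23",
               "ioc-sample.example", "198.51.100.23", "not an indicator"]
```

Running `preflight(SAMPLE_FEED, "prevent")` keeps prevent only for the hash, downgrades the IP and domain to detect, and reports the repeated IP and the malformed entry separately.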
Best Practices and Recommendations #
- Validate Your Feeds: Before pushing IoCs to CrowdStrike, ensure your Maltiverse feeds contain valid indicators. Remove duplicates or stale indicators to maintain a clean threat intelligence posture.
- Choose Actions Wisely: When selecting the default action, consider the risk category of your IoCs and the potential operational impact. For example, using prevent on file hashes might cause false positives if you are not certain about the threat context.
- Review Logs: Monitor Maltiverse logs and the CrowdStrike console to verify that IoCs are arriving with the intended action. Adjust as necessary.
- Periodic Testing: Use the Test Connection button whenever you modify credentials or CrowdStrike URLs to ensure continued communication.
- Check Scheduling: If your organization faces rapidly evolving threats, consider shorter push intervals (e.g., hourly). If changes are less frequent, daily or weekly intervals may suffice.
Conclusion #
With the CrowdStrike connector for Maltiverse, you can automatically push IoCs into CrowdStrike and apply nuanced actions for detection, prevention, or allowing specific indicators. Properly configuring this connector ensures that your organization’s threat intelligence in Maltiverse aligns seamlessly with CrowdStrike’s endpoint security measures.
For further troubleshooting or advanced configuration options, consult Maltiverse Support or your CrowdStrike technical documentation.