CrowdStrike Falcon Intelligence Engine: Service
CrowdStrike Falcon Intelligence Engine
Minimum ThreatConnect Version
7.12.2
Release Notes
1.0.14 (2026-05-06)
- APP-5156 Add Hunting Guide (Document) and Intelligence Query (Signature) ingestion from CrowdStrike CAO Hunting API.
1.0.12 (2026-04-21)
- APP-5176 Add 429/rate limit handling
1.0.11 (2026-03-29)
- APP-4994 Add alert ingestion.
- APP-5117 Update core framework to TIE template v2 with notification support, pipeline health monitoring via supervisor, per-job retry with exponential backoff, Angular memory leak fixes, and UI enhancements for notifications and attachment status pages.
1.0.10 (2025-10-23)
- APP-5008 Update vulnerability description to include description from source above table.
1.0.9 (2025-09-26)
- APP-4961 Update to ensure forked processes are killed during shutdown.
1.0.8 (2025-07-25)
- Fix issue with download page not working for some CS objects.
1.0.7 (2025-07-24)
- APP-4774 Add new pipeline to pull in report to indicator associations.
- APP-4774 Add associations between Malware and Vulnerability objects that are associated with the same indicator.
- Update transforms to not recur on associations of associations.
1.0.6 (2025-05-29)
- APP-4843 Update heartbeat more frequently during convert task.
- Fix Malware last update comparison in download task.
1.0.5 (2025-04-02)
- APP-4573 Update to include Malware, Vulnerabilities.
- APP-4623 Update Reports to use rich_text_description for the Description attribute.
1.0.4 (2024-03-27)
- APP- Updated to TcEx 4 and Python 3.11
- APP- Updated handling of Mitre Tags
1.0.3 (2023-08-14)
- ESUP-1628 Update call to retrieve ad-hoc actors and reports to include more fields.
- APP-4080 Pass through "motivation" to "Adversary Motivation Type"
1.0.2 (2023-07-10)
- Add user-agent to requests to CrowdStrike.
- APP-4041 Update to TcEx 3.0.9.
1.0.1 (2023-02-01)
- Lowered the document storage limit to 50GB for cloud deployments of TC < 7.x.
1.0.0 (2023-01-31)
- Initial Release
Category
- Threat Intelligence
Description
The CrowdStrike Falcon Intelligence Engine Service App downloads intelligence data from the CrowdStrike Falcon Intelligence API, processes the data, and ingests it into the ThreatConnect Platform. This App is designed to be used with the ThreatConnect Platform. For more information, please visit https://knowledge.threatconnect.com/docs/crowdstrike-falcon-intelligence-engine-integration-user-guide.
Service Configuration
CrowdStrike API Endpoint (Choice)
Valid Values: US-1 (api.crowdstrike.com), US-Gov-1 (api.laggar.gcw.crowdstrike.com), EU-1 (api.eu-1.crowdstrike.com), US-2 (api.us-2.crowdstrike.com)
Crowdstrike API Client ID (TypeEnum.String)
Crowdstrike API Client Secret (TypeEnum.String)
Group Types (MultiChoice, Default: actor, report)
Valid Values: actor, alert, exposed data record, hunting guide, intelligence query, malware, report, vulnerability
Indicator Types (MultiChoice, Optional, Default: domain, email_address, email_subject, ip_address, ip_address_block, mutex_name, registry, url, user_agent, hash_sha256)
Valid Values: domain, email_address, email_subject, ip_address, ip_address_block, mutex_name, registry, url, user_agent, hash_md5, hash_sha1, hash_sha256
Notification Digest Interval (Choice, Optional, Default: 2 Hours)
How often pipeline health digest notifications are sent.
Valid Values: 1 Hour, 2 Hours, 3 Hours, 4 Hours
Notification Types (MultiChoice, Optional, Default: App Startup, Job Retrying, Job Failed, Job Recovered)
Which notification types are sent via TC Notification API. Shutdown notifications are always sent regardless of this setting.
Valid Values: App Startup, Job Retrying, Job Failed, Job Recovered
Inputs
Show Passwords in Exposed Credentials alerts (Boolean, Default: Unselected)
Labels
- alerts, indicators, intel, malware, reports, threat, vulnerabilities