How to Navigate the Falcon Intelligence App
Intelligence App Walkthrough
Hi there. In this video, we're going to walk you through the Intelligence App found in the updated Falcon Host UI.
Now, first thing to note, the features and content that you'll find in the Intelligence App will vary based on whether or not you're currently a Falcon Intel subscriber. The content will also vary based on your level of subscription: whether it's Intel Standard, Intel eCrime, or Intel Targeted. So, keep that in mind - and let's get started.
As you can see here, I'm already logged into the new Falcon Host UI, and by default, your placed into the Activity App. If you mouse-over the Intelligence App, you'll see that there are a number of choices that you have - including Actors, Reports and Feeds, Subscriptions, and Submit Malware. We're going to look into each one of these features in greater detail throughout this video.
So, let's take a look at the Actors page. On the Actors page, you'll find a list of actors that CrowdStrike tracks. Each actor is given a name- an animal designation. The name typically is selected by CrowdStrike and the animal is associated with a country of origin or organization. Each actor has a number of data points attributed to them. This includes origin- which is their country of origin, target industries, target countries, and motivation. Using the filter bar above, you can narrow down the list of actors that are shown on this page. On the right side of the page, you can also sort the actors page by either recent activity, recent profile updates, or alphabetically by actors name. Each actor card shown on this page will have their name, their country of origin, last-known active activity, target nations, and targeted industries.
If you're a Falcon Host subscriber, you may see a red bar and a detection count shown on the actors card. This signifies that there is a detection in your environment associated to that actor. You can get more details on each actor by clicking on the actor card. Once you've done this, you'll be brought to the actors detail page. This page contains the additional details on the actor- such as related terms and intelligence reports that are grouped by the facet of the kill chain with which the actor is associated. The center part of the page will display a summary report about the actor. Below this you'll see a series of Intel reports, alerts, and tippers that also have been associated with this particular actor. On the right side of the page, you'll see the kill chain and the known attributes of this actor.
Now, let's take a look at the Reports and Feed section. When you first log into the Reports and Feed section, you're provided with a list of the most recent intelligence items. You can search through this list via the search reports bar at the top. On the right side, you have a number of Intel specific categories. First, you have feeds. When you click on the feeds link, you'll be provided with a list of exportable files in a number of common formats- including common event format, netwitness, raw, snort, or yarra. To download any of these feed files, simply click on the specific file format and then click on the download zip icon. You can also forward this via email.
Now, let's look at the Intelligence Reports section. Intelligence Reports or CSIR's are the largest reports in terms of scope and length and can often involve multiple actors. Again, you can utilize the search bar above to help you narrow down the reports list, or you can click on various tags. When you click on a specific report, you'll see the ability to either download or forward this report via email. A summary will be provided along with a list of associated tags on the right side. You can click on any of these tags to quickly pivot to other Intel that is related to the respective tag.
Now, let's look at Alerts. Alerts are brief 3 to 5 paragraph news items. These will typically include geopolitical and technical information. When you click on an alert, you'll see the full content for that alert and you'll also be given the ability to forward this via email.
Next, we have periodic reports. These reports include weekly, monthly reports, CSMR's, and quarterly reports- CSQR's, which combine a summary of activity observed in the reporting period, and assessments of cases that may not have been reported elsewhere. Each report can also be downloaded or forwarded via email.
Next, we have our Tipper section. A Tipper is a comprehensive three to six-page intelligence report that provides an assessment of a concrete case, development, or actor. Again, tippers can be downloaded or forwarded via email.
Now, let's take a look at the Subscription section of the Intelligence App. The Subscription section will allow you to manage the notifications that you receive via email. To set up a subscription, you'll first click on the Edit icon in the My Subscription section. You first must decide whether you want to be updated on new posts- and then you want to decide how often you would like to be updated: every post, daily, or weekly. Once you've decided on the frequency of your update notification, you can choose which areas you wish to be updated on. This can include any of the reports and feed items, targeted countries, targeted sectors, tags, and specific actors. Now, once you've made your selection, you can save this by clicking on the Save icon at the top and now you will start to receive respective updates via email.
Now, finally, you can submit samples of malware to our CrowdStrike Intelligence team. You do so by clicking on submit malware- and once you've done so, the samples we fed into our typical analysis workflow- and it can be developed into a future CrowdStrike report which will then be made available to the general CrowdStrike intelligence subscriber.
Well, this concludes our Intelligence App walkthrough.
Thanks for watching.