Skip to main content

Crowdstrike Falcon Intel Feed

Details
Content
Dependencies
Version History

Download With Dependencies

Tracks the activities of threat actor groups and advanced persistent threats (APTs) to understand as much as possible about their known aliases, targets, methods, and more.

Use this pack to receive information and indicators on adversaries tracked by CrowdStrike, their target nations and industries, and research on their activities.

What does this pack do?

This pack contains 2 feed integrations.

The CrowdStrike Falcon Intel Feed Actors integration retrieves indicators of type STIX Threat Actor from the CrowdStrike Falcon Intel Feed.
The CrowdStrike Falcon Indicator Feed integration retrieves indicators of the following types from the CrowdStrike Falcon Intel Feed.
- Account
- Domain
- Email
- File MD5
- File SHA-256
- IP
- Registry Key
- URL

Creating the integration instance

To create the integration instance for either feed, you need a CrowdStrike API client and a CrowdStrike API client secret. To define a CrowdStrike API client, you must have the role of a Falcon Administrator. This will allow you to view, create, or modify API clients or keys. Secrets are only shown when a new API client is created or when it is reset.

Integrations

Name	Description
CrowdStrike Falcon Intel Feed Actors	The CrowdStrike intelligence team tracks the activities of threat actor groups and advanced persistent threats (APTs) to understand as much as possible about their known aliases, targets, methods, and more. This integration retrieves indicators from the CrowdStrike Falcon Intel Feed.
CrowdStrike Indicator Feed	Retrieves indicators from the CrowdStrike Falcon Intel Feed.

Required Content Packs (1)

Pack Name	Pack By
Base	By: Cortex XSOAR

Optional Content Packs (0)

Pack Name	Pack By

All level dependencies (2)

Pack Name	Pack By
Aggregated Scripts	By: Cortex XSOAR
Base	By: Cortex XSOAR

2.1.22 - R5469292 (October 20, 2025)

Integrations

CrowdStrike Falcon Intel Feed Actors

Updated the Docker image to: demisto/python3:3.12.8.3296088.

CrowdStrike Indicator Feed

Updated the Docker image to: demisto/python3:3.12.8.3296088.

Related pull requests:
- 40498

Download

2.1.21 - R3474673 (May 20, 2025)

Integrations

CrowdStrike Indicator Feed

Fixed an issue where a 401 error code (invalid bearer token) was returned infrequently.
Updated the Docker image to: demisto/python3:3.12.8.1983910.

Related pull requests:
- 39728

Download

2.1.20 - R3247809 (April 27, 2025)

Integrations

CrowdStrike Indicator Feed

Metadata and documentation improvements.

CrowdStrike Falcon Intel Feed Actors

Metadata and documentation improvements.

Related pull requests:
- 39095

Download

2.1.19 - R2040490 (January 22, 2025)

Integrations

CrowdStrike Falcon Intel Feed Actors

Updated the Docker image to: demisto/python3:3.11.10.115186.

CrowdStrike Indicator Feed

Updated the Docker image to: demisto/python3:3.11.10.115186.

Related pull requests:
- 37407
- 37402
- 37403
- 37405
- 37406
- 37404

Download

2.1.18 - 1304994 (August 25, 2024)

Integrations

CrowdStrike Indicator Feed

Removed When removed from the feed option from Indicator Expiration Method
Updated the Docker image to: demisto/python3:3.11.9.107902.

Related pull requests:
- 35873

Download

2.1.17 - 1269433 (August 13, 2024)

Integrations

CrowdStrike Falcon Intel Feed Actors

Removed the When removed from the feed option from the Indicator Expiration Method parameter.
Updated the Docker image to: demisto/python3:3.11.9.106403.

Related pull requests:
- 35353

Download

2.1.16 - R1265696 (August 12, 2024)

Integrations

CrowdStrike Indicator Feed

Fixed an issue with the threat actor names coming back with nospaces causing XSOAR to create incorrect relationships.

Related pull requests:
- 33607

Download

2.1.15 - 765039 (January 16, 2024)

Integrations

CrowdStrike Indicator Feed

Updated the Docker image to: demisto/python3:3.10.13.84405.

Related pull requests:
- 32212

Download

2.1.14 - 733853 (January 2, 2024)

Integrations

CrowdStrike Indicator Feed

Updated the Docker image to: demisto/python3:3.10.13.83255.

Related pull requests:
- 31878

Download

2.1.13 - 7066068 (December 4, 2023)

Integrations

CrowdStrike Falcon Intel Feed Actors

Fixed an issue where the fetch-indicators command didn't retrieve all the information in some cases.
Updated the Docker image to: demisto/python3:3.10.13.82076.

Related pull requests:
- 31272

Download

2.1.12 - 6389447 (September 21, 2023)

Integrations

CrowdStrike Indicator Feed

Breaking changes - updated the stixkillchainphases indicator field to be in accordance with XSOAR standards.

Related pull requests:
- 29785

Download

2.1.11 - R6303396 (September 12, 2023)

Integrations

CrowdStrike Indicator Feed

Updated the Docker image to: demisto/python3:3.10.13.72123.

Related pull requests:
- 29445

Download

2.1.10 - 5925411 (August 1, 2023)

Integrations

CrowdStrike Indicator Feed

Updated the Docker image to: demisto/python3:3.10.12.66339.

Related pull requests:
- 28643

Download

2.1.9 - R5866730 (July 25, 2023)

Integrations

CrowdStrike Falcon Intel Feed Actors

Added the CrowdStrike API client ID and CrowdStrike API client secret integration parameters to support credentials fetching object.
Updated the Docker image to: demisto/python3:3.10.12.63474.

Related pull requests:
- 27756

Download

2.1.8 - 5636258 (June 28, 2023)

Integrations

CrowdStrike Indicator Feed

Updated the Docker image to: demisto/python3:3.10.12.63474.

Related pull requests:
- 27779

Download

2.1.7 - R5450895 (June 5, 2023)

Integrations

CrowdStrike Indicator Feed

Updated the Docker image to: demisto/python3:3.10.11.61265.
Updated the First Fetch Time parameter to mandatory.
Fixed an issue where already fetched indicators were immediately marked as Removed from feed during a subsequent fetch.

Related pull requests:
- 27050

Download

2.1.6 - 5318720 (May 21, 2023)

Integrations

CrowdStrike Indicator Feed

Updated the Docker image to: demisto/python3:3.10.11.59581.
Documentation and metadata improvements.

Related pull requests:
- 26503

Download

2.1.5 - 5176833 (May 3, 2023)

Integrations

CrowdStrike Falcon Intel Feed Actors

Fixed an issue where the fetch-indicators fetched the same indicators.
Updated the Docker image to: demisto/python3:3.10.11.56082.

Related pull requests:
- 26243

Download

2.1.4 - R5170573 (May 2, 2023)

Integrations

CrowdStrike Indicator Feed

Updated the Docker image to: demisto/python3:3.10.11.54132.

CrowdStrike Falcon Intel Feed Actors

Updated the Docker image to: demisto/python3:3.10.11.54132.

Related pull requests:
- 25971

Download

2.1.3 - 4906551 (March 27, 2023)

Integrations

CrowdStrike Indicator Feed

Updated the Docker image to: demisto/python3:3.10.10.50695.

Related pull requests:
- 25528

Download

2.1.2 - 4771215 (March 8, 2023)

Integrations

CrowdStrike Indicator Feed

Fixed an issue where parsing the indicator type did not differentiate between IP and IPv6.

Related pull requests:
- 25064

Download

2.1.1 - 4718798 (March 1, 2023)

Integrations

CrowdStrike Indicator Feed

Updated the Docker image to: demisto/python3:3.10.10.48392.

Related pull requests:
- 24934

Download

2.1.0 - R4646022 (February 19, 2023)

Integrations

CrowdStrike Indicator Feed

Improved implementation the fetch-indicators command.
Updated the Docker image to: demisto/python3:3.10.10.47713.

Related pull requests:
- 24547

Download

2.0.21 - 4527513 (February 3, 2023)

Integrations

CrowdStrike Indicator Feed

Fixed an issue where fetch-indicators failed when creating relationships with some indicator types, which are not supported.
Updated the Docker image to: demisto/python3:3.10.9.46807.

Related pull requests:
- 24296

Download

PUBLISHER

Cortex

PLATFORMS

Cortex XSOAR

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	September 15, 2020
Last Release	October 20, 2025

WORKS WITH THE FOLLOWING INTEGRATIONS:

CrowdStrike Falcon Intel Feed Actors

CrowdStrike Indicator Feed

DISCLAIMER

By downloading or using Marketplace content, you agree to the applicable Terms of Use and End User License Agreement. Third-party content is provided by its publisher, and Palo Alto Networks does not warrant, endorse, support, or assume responsibility for content not expressly identified as owned by Palo Alto Networks.