Skip to content

Releases: CrowdStrike/foundry-sample-anomali-threatstream

v1.1.0

03 Apr 16:47
@mraible mraible
v1.1.0
710e550
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v1.1.0 Latest
Latest

What's New

Go Implementation for High-Performance CSV Processing

Added an alternative Go-based function implementation that processes CSV files with significantly better performance characteristics. The Go function uses the CrowdStrike gofalcon SDK for direct API integration. (#27)

Streaming CSV Processing

The Python function now uses streaming CSV writes instead of building files in memory, reducing memory usage when processing large IOC datasets. (#26)

Python Function as Default

The manifest now defaults to the Python function implementation. (#48)

E2E Testing Improvements

  • Fixed install button selector after UI rename to "Save and install" (#47)
  • Added API credential prompt validation to fail fast on missing credentials (#49)
  • URL filter parameter for App Catalog search (#35)
  • Optimized CI workers and disabled video recording (#40, #41)
  • Updated e2e dependencies for Artifactory compatibility (#36)

Dependency Updates

  • crowdstrike-foundry-function 1.1.3 -> 1.1.4 (#45)
  • github.com/go-openapi/runtime updated (#31, #46)
  • actions/setup-node 6.1.0 -> 6.2.0 (#34)

CI/CD

  • Removed step-security/harden-runner from workflows (#29, #30)
  • Added dependabot ignore rules for unapproved GitHub Actions (#39, #42)
Assets 2
Loading

v1.0.0

14 Jan 14:46
@mraible mraible
v1.0.0
657f105
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v1.0.0

Initial release of the Anomali ThreatStream connector for CrowdStrike Falcon Foundry.

Features

Core Functionality

  • Automated IOC Ingestion: Hourly scheduled workflow fetches threat intelligence from Anomali ThreatStream and creates CSV lookup files for Falcon Next-Gen SIEM
  • Comprehensive IOC Support: IP addresses, domains, URLs, email addresses, and file hashes (MD5, SHA1, SHA256)
  • ECS-Compliant Field Mapping: Lookup files use Elastic Common Schema field names for seamless integration with Next-Gen SIEM queries
  • Incremental Sync: Tracks update_id to fetch only new/updated IOCs, avoiding redundant data processing

Filtering Options

  • Feed ID Filtering: Limit ingestion to specific Anomali ThreatStream feeds using feed_id parameter
  • Confidence Score Filtering: Filter IOCs by confidence threshold (confidence_gt, confidence_gte, confidence_lt, confidence_lte)
  • IOC Type Filtering: Selectively ingest specific IOC types (ip, domain, url, email, hash)
  • Status Filtering: Filter by IOC status (default: active)

Data Integrity

  • Temporal Precedence Deduplication: When duplicate IOCs exist, preserves the most recent data (newer confidence scores, threat classifications, and tags)

Monitoring & Observability

  • Job Tracking: Each ingestion run creates a job record in Falcon Foundry collections for audit trails
  • Progress Tracking: Saves sync state to resume from last successful position

Implementation

  • Language: Python with Pandas
  • Workflow Integration: Pagination handled via Falcon Fusion SOAR workflow loops with next token

Documentation

  • Setup guide with step-by-step installation instructions
  • Feed ID and confidence score filtering configuration
  • Example Next-Gen SIEM queries for threat hunting
  • Lookup file verification queries

Requirements

  • Falcon Foundry subscription
  • Falcon Next-Gen SIEM subscription
  • Anomali ThreatStream API credentials
Loading