Create indicators
Create and manage threat indicators that synchronize directly with CrowdStrike Falcon Insight, enabling consistent, up‑to‑date threat intelligence across your security environment.
Before you begin
Role required: sn_si.analyst
Procedure
- Navigate to Security Incidents > Show All Incidents.
- Select the security incident that contains the observables for which you want to create indicators in CrowdStrike Falcon Insight.
- Select the Associated Observables related list.
- Select the observables.
- From the Actions on selected rows list, select Create Indicator in CrowdStrike.
- On the form, fill in the fields.

  Selected Observables: The observables to create indicators for. One action can create indicators for multiple observables.
    Note: Indicators are not created in CrowdStrike for observables whose type is not one of the supported, mapped types. Supported observable types:
    - Domain
    - MD5
    - SHA-256
    - IPv4
    - IPv6
  Source: The integration profile configuration used to create the indicator.
  Description: The purpose of the indicator.
  Platforms: The platforms where this indicator applies. Options include:
    - Windows
    - Mac
    - Linux
    - Android
    - iOS
  Action: The action to perform when the indicator is discovered in the organization. Options include:
    - Detect
    - Prevent (hash only)
    - Prevent (hidden UI) (hash only)
    - Allow (hash only)
    - No Action
  Mobile Action: The action applied on supported mobile platforms. Options include:
    - Detect
    - Prevent (hash only)
    - Allow (hash only)
    - No Action
  Severity: The severity assigned to the indicator. Options include:
    - Low
    - Medium
    - High
    - Critical
  Expiration: The date and time when the indicator automatically expires.
  Tags: Custom labels used to categorize or group indicators.
  Apply Globally: Applies the indicator to all hosts. When cleared, the indicator applies only to the selected host groups.
  Host Groups: The CrowdStrike host groups that receive this indicator.
- Select Create Indicator.
- Check the activity and UI messages to confirm that the indicators were created.
- Select the CrowdStrike Indicator tab to view the created indicators.
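The form rules above (only five observable types are mapped, the "(hash only)" actions are invalid for domains and IP addresses, Host Groups are mandatory when Apply Globally is cleared, and a past Expiration expires the indicator at once) are easy to violate when many observables are selected at once, and a rejected request leaves some observables without coverage. The following Python helper is an added example and is not ServiceNow or CrowdStrike code: it classifies observable values into the supported types, reports the ones that cannot become indicators with a reason, enforces the hash-only rule per observable, and assembles one indicator payload per observable. The JSON key names and the lower-case action, platform and severity values are assumptions modelled on the Falcon IOC API; the observable values in the demo are constructed.

```python
"""Pre-flight the Create Indicator form for a set of ServiceNow observables.

Added example, not ServiceNow or CrowdStrike code. It applies the rules on the
form above: only Domain, MD5, SHA-256, IPv4 and IPv6 observables become
indicators, the "(hash only)" actions are refused for other types, and Host
Groups are required when Apply Globally is cleared. JSON key names and the
lower-case option values are ASSUMPTIONS modelled on the Falcon IOC API.
"""
import ipaddress
import re
from datetime import datetime, timezone

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# Simplified hostname check (labels without leading/trailing hyphen, alphabetic
# TLD); enough to reject URLs, e-mail addresses and bare words.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$")
HASH_TYPES = {"md5", "sha256"}

# Form labels (from the documentation) -> assumed API values.
ACTIONS = {"Detect": "detect", "Prevent (hash only)": "prevent",
           "Prevent (hidden UI) (hash only)": "prevent_no_ui",
           "Allow (hash only)": "allow", "No Action": "no_action"}
MOBILE_ACTIONS = {k: v for k, v in ACTIONS.items() if "hidden UI" not in k}
HASH_ONLY = {"prevent", "prevent_no_ui", "allow"}
PLATFORMS = {"Windows": "windows", "Mac": "mac", "Linux": "linux",
             "Android": "android", "iOS": "ios"}
SEVERITIES = {"Low": "low", "Medium": "medium", "High": "high", "Critical": "critical"}


def classify(value):
    """Map an observable value to a supported indicator type, or None."""
    v = value.strip()
    if HEX_RE.match(v) and len(v) in (32, 64):
        return "md5" if len(v) == 32 else "sha256"  # SHA-1 (40 hex) falls through
    try:
        return "ipv4" if ipaddress.ip_address(v).version == 4 else "ipv6"
    except ValueError:
        pass
    return "domain" if DOMAIN_RE.match(v) else None


def build_indicators(observables, *, source, description, platforms, action,
                     mobile_action="No Action", severity="Medium", expiration=None,
                     tags=(), apply_globally=True, host_groups=()):
    """Return (payloads, skipped): one payload per usable observable, plus
    (value, reason) pairs for observables CrowdStrike would not accept."""
    for label, choices in ((action, ACTIONS), (mobile_action, MOBILE_ACTIONS),
                           (severity, SEVERITIES)):
        if label not in choices:
            raise ValueError(f"Unknown option {label!r}; expected one of {sorted(choices)}")
    if not platforms or any(p not in PLATFORMS for p in platforms):
        raise ValueError(f"Platforms must be a non-empty subset of {sorted(PLATFORMS)}")
    if not apply_globally and not host_groups:
        raise ValueError("Host Groups are required when Apply Globally is cleared")
    if expiration is not None:
        # ISO 8601 with timezone; a past value would expire the indicator at once.
        exp = datetime.fromisoformat(expiration.replace("Z", "+00:00"))
        if exp.tzinfo is None or exp <= datetime.now(timezone.utc):
            raise ValueError("Expiration must be a timezone-aware timestamp in the future")

    payloads, skipped = [], []
    for value in observables:
        itype = classify(value)
        if itype is None:
            skipped.append((value, "unsupported observable type; no indicator created"))
            continue
        # Both action fields carry the "(hash only)" qualifier on the form.
        for field, api_value in (("Action", ACTIONS[action]),
                                 ("Mobile Action", MOBILE_ACTIONS[mobile_action])):
            if api_value in HASH_ONLY and itype not in HASH_TYPES:
                skipped.append((value, f"{field} {api_value!r} is hash only, not valid for {itype}"))
                break
        else:
            payload = {"type": itype, "value": value.strip(), "source": source,
                       "description": description,
                       "platforms": [PLATFORMS[p] for p in platforms],
                       "action": ACTIONS[action],
                       "mobile_action": MOBILE_ACTIONS[mobile_action],
                       "severity": SEVERITIES[severity],
                       "applied_globally": apply_globally, "tags": list(tags)}
            if expiration is not None:
                payload["expiration"] = expiration
            if not apply_globally:
                payload["host_groups"] = list(host_groups)
            payloads.append(payload)
    return payloads, skipped


if __name__ == "__main__":
    # Constructed sample: one of each supported type, plus a SHA-1 and a URL.
    created, dropped = build_indicators(
        ["evil.example.com", "44d88612fea8a8f36de82e1278abb02f", "198.51.100.7", "2001:db8::1",
         "da39a3ee5e6b4b0d3255bfef95601890afd80709", "http://evil.example.com/x"],
        source="crowdstrike_prod", description="SIR phishing wave", platforms=["Windows", "Linux"],
        action="Detect", severity="High", expiration="2099-01-01T00:00:00Z", tags=["SIR"])
    print(f"{len(created)} indicators to create, {len(dropped)} observables skipped: {dropped}")
```

Run it before submitting a large batch: the skipped list tells you which observables will silently get no indicator (the SHA-1 and the URL in the sample), and the hash-only check prevents a Prevent or Allow action from being applied to a batch that mixes hashes with domains or IP addresses. The payload dicts show what the integration is expected to send; compare the key names with your integration profile before relying on them.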