CrowdStrike Falcon Intelligence Lookup.
/lookup-crowdstrike
The CrowdStrike Falcon Intelligence API skill brings vendor-authoritative intel into your AI coding agent. Look up an indicator and it returns CrowdStrike's malicious-confidence verdict along with linked actors, malware families and related reports. Look up an adversary and it returns a profile covering origin, targeting and the MITRE ATT&CK TTPs that actor is known for. This skill needs a Falcon Intelligence subscription.
What it does.
It calls the CrowdStrike Falcon Intelligence API in two modes. On an indicator (an IP, domain, hash or URL) it returns the malicious-confidence rating, the actors and malware families CrowdStrike associates with it, and links to the relevant finished reports. On an adversary it returns the actor profile: known origin, targeted sectors and regions, and the MITRE ATT&CK techniques attributed to that group.
When to use it.
Use it when you want a tracked vendor's view alongside community sources, especially for attribution and actor context. Run the indicator mode to see whether CrowdStrike links a value to a known actor, and the adversary mode when profiling a group: questions like which TTPs an actor uses or which actors operate from a given region. It feeds the threat-actor profiling and indicator enrichment workflows.
What you get back.
For indicators, the malicious-confidence verdict, associated actors and malware families, and report references. For adversaries, a structured profile with origin, targeting and mapped ATT&CK TTPs, plus pointers to finished intelligence. Because it requires a Falcon Intelligence subscription, the skill checks for valid credentials and, if they are missing, notes the gap and returns rather than crashing your run.
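The credential check and the indicator summary described above, as an added sketch that is not the skill's own code. The environment variable names, the `fetch` callable and the sample record are assumptions made for illustration; the record's field names follow the Falcon Intelligence indicator resource.

```python
import os

# Assumed environment variable names; the page does not say how the skill is configured.
CRED_VARS = ("FALCON_CLIENT_ID", "FALCON_CLIENT_SECRET")

# Constructed sample record, shaped like one Falcon Intelligence indicator resource.
SAMPLE_RESOURCE = {
    "indicator": "malicious.example",
    "type": "domain",
    "malicious_confidence": "high",
    "actors": ["EXAMPLE SPIDER"],
    "malware_families": ["ExampleLoader"],
    "reports": ["CSIT-00000"],
}


def load_credentials(env=os.environ):
    """Return (client_id, client_secret), or None when either is missing or blank."""
    values = tuple(env.get(name, "").strip() for name in CRED_VARS)
    return values if all(values) else None


def summarize_indicator(resource):
    """Keep only the fields the page lists; absent list fields become empty lists."""
    return {
        "indicator": resource.get("indicator"),
        "type": resource.get("type"),
        "malicious_confidence": resource.get("malicious_confidence"),
        "actors": sorted(resource.get("actors") or []),
        "malware_families": sorted(resource.get("malware_families") or []),
        "reports": sorted(resource.get("reports") or []),
    }


def lookup_indicator(value, fetch, env=os.environ):
    """fetch(value, creds) is a hypothetical callable that performs the API call."""
    creds = load_credentials(env)
    if creds is None:
        # Note the gap and return, so later enrichment steps still run.
        return {"source": "crowdstrike", "status": "skipped",
                "reason": "missing " + " or ".join(CRED_VARS), "indicator": value}
    resources = fetch(value, creds)
    if not resources:
        return {"source": "crowdstrike", "status": "not_found", "indicator": value}
    return {"source": "crowdstrike", "status": "ok", **summarize_indicator(resources[0])}
```

A `skipped` result keeps the vendor gap visible in the enrichment record, so a missing verdict is not mistaken for a clean one.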
How it fits your workflow.
Community sources are broad; a subscription source like Falcon Intelligence adds tracked attribution and finished analysis. Run a community reputation check first, then use this skill to add CrowdStrike's actor linkage and ATT&CK mapping. The adversary profile pairs well with the threat-entities model so you can attach actors, TTPs and malware to the indicators you are tracking.