Liberty91

CrowdStrike Intelligence module.

Last updated 14 Jun 20262 min read

The CrowdStrike module connects Falcon Intelligence to Liberty91. Once it is on, the platform imports CrowdStrike intelligence reports, data-exposure notifications, and Recon alerts as events, enriches the indicators of compromise that come in with every event, and pulls CrowdStrike's threat-actor profiles into your Threat Library. You need an active CrowdStrike licence for this module to work.

Before you start

You need an active Falcon Intelligence licence, and permission in the CrowdStrike Falcon portal to create an API client.

What the CrowdStrike module does

The module works in three ways:

  • Report collection. It imports CrowdStrike intelligence reports, data-exposure notifications, and Recon notifications as events in your Recent Threats dashboard.
  • Entity profile enrichment. When you create a threat card for an actor, Liberty91 reaches out to CrowdStrike, finds their profile for that actor, and uses it in the enrichment and associations.
  • IOC enrichment. For every event, if an IOC matches something CrowdStrike associates with a malware family or threat actor, the platform surfaces that association and offers to create a follow-up threat card.

How to connect CrowdStrike

Turning the module on takes two steps: create an API client in the CrowdStrike Falcon portal, then provide the credentials in Liberty91.

Step 1: Create an API client in Falcon

  1. Go to the CrowdStrike Falcon portal and open the sidebar from the hamburger menu in the top left.
  2. Choose Support and Resources, then API clients and keys.
  3. Click Create API client.
  4. Give the client a name and description, for example name Liberty91 and description Liberty91 Client.
  5. Under Scopes, tick Read for: Actors (Falcon Intelligence), Malware Families (Falcon Intelligence), Reports (Falcon Intelligence), Vulnerabilities (Falcon Intelligence), Monitoring rules (Falcon Intelligence Recon), and Scheduled Reports.
  6. Click Update client details. A dialog shows the base URL, client ID, and client secret. Note all three down now, because the secret is not shown again.
CrowdStrike Falcon portal: the Create API client dialog with the required Falcon Intelligence read scopes ticked

Step 2: Provide the credentials in Liberty91

  1. In Liberty91, go to Modules and open the CrowdStrike Intelligence module under Collection modules.
  2. Paste the base URL, client ID, and client secret into the matching fields.
  3. Set the module to Active and click Update.
Liberty91 CrowdStrike module configuration screen with base URL, client ID, and client secret fields

Once it is active, CrowdStrike reports begin importing and IOC enrichment runs on new events automatically.

Was this page helpful?
← PreviousHow Modules workNext →FalconFeeds module