[ti_crowdstrike] Errors due to incorrect API path

[chrisberkhout]

It appears that the following paths that are off so they are not returning data:

GET /intel/combined/indicators/v1?filter=_marker%3A%3E%221234567890%22&limit=10000&offset=0&sort=_marker.asc
GET /iocs/combined/indicator/v1?limit=10

We currently currently make requests like the following:

GET /intel/combined/indicators/v1?sort=_marker.asc&limit=xxx&offset=...&filter=_marker:>"xxx"
GET /iocs/combined/indicator/v1?sort=modified_on&limit=xxx&offset=...&filter=modified_on:>"xxx"

The ti_crowdstrike integration README says:

Both the endpoints are related to the threat intelligence.
Intel Indicators provide information about a hash, particularly related to malware and threat types, while
IOC provides information about the detection of an IPv4 address, including severity, platforms, and global application status.

---

API documentation is available to admins at https://developer.crowdstrike.com/.

Looking at the documentation for CrowdStrike's Falcon SDK for Python, https://github.com/CrowdStrike/falconpy, which is a Python library for accessing that API, I can see a few things:

• The IOC-related paths differ from ours (/iocs/combined/indicator/v1), which matches neither the
  deprecated endpoint /indicators/queries/iocs/v1 nor its replacement /iocs/queries/indicators/v1.
• There is an intel endpoint /intel/combined/indicators/v1 that does match what we're using. The Python SDK says it has a maximum limit value of 5k, whereas we use a default limit of 10k which does match CrowdStrike documentation.
• We set the sort parameter as sort=_marker.asc, but the documentation says to use a pipe to join the sort field and direction: sort=_marker|asc.
• Our use of Falcon Query Language for the filter parameter, e.g. _marker:>"1234567890", may be incorrect. Perhaps it should use single quote. More importantly, _marker may be a parameter of its own for pagination, not a field to filter on.

---

CrowdStrike documentation from 2024-04-04 for "Falcon Intelligence APIs" covers the following:
(note the absence of /iocs/ endpoints)

Section	API Paths
About CrowdStrike APIs
Using Intel APIs
Search for data about actors	GET /intel/queries/actors/v1 GET /intel/entities/actors/v1 GET /intel/combined/actors/v1
Query for various types of indicators (Relations, Filtering, Deep pagination)	GET /intel/queries/indicators/v1 POST /intel/entities/indicators/GET/v1 GET /intel/combined/indicators/v1
Query CrowdStrike intelligence publications	GET /intel/queries/reports/v1 GET /intel/entities/reports/v1 GET /intel/combined/reports/v1
Download rules to use in other tools	GET /intel/entities/rules-latest-files/v1 GET /intel/queries/rules/v1 GET /intel/entities/rules/v1 GET /intel/entities/rules-files/v1
Advanced: Conditional GET requests

It looks like the /queries/ endpoints are for listing, the /entities/ endpoints are for fetching, and the /combined/ endpoints do both together.

---

Questions:

• [ ] Do GET /iocs/combined/indicator/v1 endpoints still exist? Is there separate documentation for them?
• [ ] What are the errors in our request paths or other details of our API use?
• [ ] What do request and response logs show?

[elasticmachine]

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)