Threat Actors
Fetches actor intelligence data to enhance threat correlation and investigation workflows.
Sync Type: Full Synchronisation
Requirements
- Before you connect Monad to CrowdStrike, you need a Client ID and Client Secret. Log in to your CrowdStrike portal, and under Support & Resources, click on 'API Client and Keys' to create your credentials.
- Enter a Client Name, Description and API Scopes to define the API client. Ensure read roles for Actors (Falcon Intelligence) are enabled.
- Click Done.
- Copy the ClientID and ClientSecret key. You'll need them when you set up the Monad connector.
Details
Monad uses the cron field to run this input on specific intervals and returns all actors' details, performing a full sync of data each time.
Configuration
The following configuration defines the input parameters. Each field's specifications, such as type, requirements, and descriptions, are detailed below.
Settings
| Setting | Type | Required | Description |
|---|---|---|---|
| Cron | string | Yes | Cron string for scheduling tasks. Ex: '0 0 * * *' for daily execution at midnight. |
| Sort | string | No | Order fields in ascending or descending order. Ex: 'created_date |
| Cloud Type | string | No | Your cloud type for CrowdStrike. Ex: 'autodiscover', 'us-1', 'us-2', 'eu-1', 'us-gov-1'. |
| Actor Type | string | No | Type of actor. Ex: 'APT', 'eCrime', 'Hacktivist', 'Insider Threat', 'Nation-State', 'Unknown', 'Other', etc. |
| Target Industries | string | No | Industries targeted by the actor. Ex: 'Financial', 'Healthcare', 'Energy', 'Government', 'Manufacturing', 'Technology', etc. |
Secrets
| Secret | Type | Required | Description |
|---|---|---|---|
| Client ID | string | Yes | Client ID for the CrowdStrike API. This is required to authenticate requests. |
| Client Secret | string | Yes | Client Secret for the CrowdStrike API. This is required to authenticate requests. |
Custom Schema Handling
If the source data doesn't align with any of the OpenSecurityControlFramework (OSCF) schemas, you can create a custom transformation using our JQ transform pipeline. For example:
{
metadata: {
schema_version: "1.0.0",
custom_framework: "my_framework"
},
controls: .[]
}
For more information on JQ and how to write your own JQ transformations see the JQ docs here.
If you believe this data source should be included in the standard OSCF schema set, please reach out to our team at support@monad.com. We're always looking to expand our coverage of security control frameworks based on community needs.
Sample Record
{
"active": true,
"actor_type": "nation-state",
"capabilities": [
{
"id": 1,
"name": "Phishing"
},
{
"id": 2,
"name": "Malware"
}
],
"capability": {
"id": 3,
"name": "High"
},
"created_date": 1754955992,
"description": "adipiscing nulla et ea sit veniam adipiscing elit elit velit",
"description_length": 85,
"develops_threats": [
{
"id": 4,
"name": "Ransomware"
}
],
"develops_threats_count": 1,
"ecrime_kill_chain": {
"id": 5,
"name": "Complete"
},
"entitlements": [
{
"id": 6,
"name": "Admin"
}
],
"first_activity_date": 1754955992,
"has_subgroup": [
{
"id": 7,
"name": "Subgroup A"
}
],
"has_subgroup_actors_count": 1,
"has_successor": [
{
"id": 8,
"name": "Successor A"
}
],
"has_successor_actors_count": 1,
"id": "33026",
"image": {
"url": "http://example.com/image.png"
},
"in_reports": [
{
"id": 9,
"title": "Report B"
}
],
"in_reports_count": 1,
"is_subgroup_of": [
{
"id": 10,
"name": "Secondary Group"
}
],
"is_subgroup_of_actors_count": 1,
"is_successor_of": [
{
"id": 11,
"name": "Predecessor B"
}
],
"is_successor_of_actors_count": 1,
"is_supported_by": [
{
"id": 12,
"name": "Supporter A"
}
],
"is_supported_by_actors_count": 1,
"kill_chain": {
"id": 13,
"name": "Simple"
},
"known_as": "Tom Johnson",
"last_activity_date": 1754955992,
"last_modified_date": 1754955992,
"motivations": [
{
"id": 14,
"name": "FinancialGain"
}
],
"name": "Mysterious Actor",
"notify_users": true,
"objectives": [
{
"id": 15,
"name": "IntelligenceGathering"
}
],
"origins": [
{
"id": 16,
"name": "Russia"
}
],
"recent_alerting": 1754955992,
"rich_text_description": "<p>ut sed commodo magna sed ut cillum dolor velit anim ex anim in commodo id</p>",
"sells_threats": [
{
"id": 17,
"name": "Ransomware"
}
],
"sells_threats_count": 1,
"short_description": "Ransomware actor",
"slug": "mysterious-actor",
"status": "Active",
"supports": [
{
"id": 18,
"name": "Supporter C"
}
],
"supports_actors_count": 1,
"target_countries": [
{
"id": 19,
"name": "Germany"
}
],
"target_industries": [
{
"id": 20,
"name": "Healthcare"
}
],
"target_regions": [
{
"id": 21,
"name": "Europe"
}
],
"thumbnail": {
"url": "http://example.com/thumbnail.png"
},
"url": "http://example.com/actor-profile",
"uses_indicators_count": 5,
"uses_mitre_attacks_count": 3,
"uses_mitre_tactics_count": 2,
"uses_mitre_techniques_count": 4,
"uses_threats": [
{
"id": 22,
"name": "Ransomware"
}
],
"uses_threats_count": 2,
"uses_vulnerabilities": [
"CVE-2020-0601",
"CVE-2021-34527"
],
"vulnerabilities_count": 2
}