# Threat Actors Fetches actor intelligence data to enhance threat correlation and investigation workflows. **Sync Type: Full Synchronisation** ## Requirements - Before you connect Monad to CrowdStrike, you need a Client ID and Client Secret. Log in to your CrowdStrike portal, and under Support & Resources, click on 'API Client and Keys' to create your credentials. - Enter a Client Name, Description and API Scopes to define the API client. Ensure read roles for Actors (Falcon Intelligence) are enabled. - Click **Done**. - Copy the ClientID and ClientSecret key. You'll need them when you set up the Monad connector. ## Details Monad uses the `cron` field to run this input on specific intervals and returns all actors' details, performing a full sync of data each time. ## Configuration The following configuration defines the input parameters. Each field's specifications, such as type, requirements, and descriptions, are detailed below. #### Settings | Setting | Type | Required | Description | |---------|------|----------|-------------| | Cron | string | Yes | Cron string for scheduling tasks. Ex: '0 0 * * *' for daily execution at midnight. | | Sort | string | No | Order fields in ascending or descending order. Ex: 'created_date|asc', 'created_date|desc'. | | Cloud Type | string | No | Your cloud type for CrowdStrike. Ex: 'autodiscover', 'us-1', 'us-2', 'eu-1', 'us-gov-1'. | | Actor Type | string | No | Type of actor. Ex: 'APT', 'eCrime', 'Hacktivist', 'Insider Threat', 'Nation-State', 'Unknown', 'Other', etc. | | Target Industries | string | No | Industries targeted by the actor. Ex: 'Financial', 'Healthcare', 'Energy', 'Government', 'Manufacturing', 'Technology', etc. | #### Secrets | Secret | Type | Required | Description | |---------|------|----------|-------------| | Client ID | string | Yes | Client ID for the CrowdStrike API. This is required to authenticate requests. | | Client Secret | string | Yes | Client Secret for the CrowdStrike API. This is required to authenticate requests. | ## Custom Schema Handling If the source data doesn't align with any of the [OpenSecurityControlFramework (OSCF) schemas](https://schema.ocsf.io/), you can create a custom transformation using our JQ transform pipeline. For example: ```jq { metadata: { schema_version: "1.0.0", custom_framework: "my_framework" }, controls: .[] } ``` For more information on JQ and how to write your own JQ transformations see the JQ docs [here](https://jqlang.github.io/jq/). If you believe this data source should be included in the standard OSCF schema set, please reach out to our team at [support@monad.com](mailto:support@monad.com). We're always looking to expand our coverage of security control frameworks based on community needs. ## Sample Record ```json { "active": true, "actor_type": "nation-state", "capabilities": [ { "id": 1, "name": "Phishing" }, { "id": 2, "name": "Malware" } ], "capability": { "id": 3, "name": "High" }, "created_date": 1754955992, "description": "adipiscing nulla et ea sit veniam adipiscing elit elit velit", "description_length": 85, "develops_threats": [ { "id": 4, "name": "Ransomware" } ], "develops_threats_count": 1, "ecrime_kill_chain": { "id": 5, "name": "Complete" }, "entitlements": [ { "id": 6, "name": "Admin" } ], "first_activity_date": 1754955992, "has_subgroup": [ { "id": 7, "name": "Subgroup A" } ], "has_subgroup_actors_count": 1, "has_successor": [ { "id": 8, "name": "Successor A" } ], "has_successor_actors_count": 1, "id": "33026", "image": { "url": "http://example.com/image.png" }, "in_reports": [ { "id": 9, "title": "Report B" } ], "in_reports_count": 1, "is_subgroup_of": [ { "id": 10, "name": "Secondary Group" } ], "is_subgroup_of_actors_count": 1, "is_successor_of": [ { "id": 11, "name": "Predecessor B" } ], "is_successor_of_actors_count": 1, "is_supported_by": [ { "id": 12, "name": "Supporter A" } ], "is_supported_by_actors_count": 1, "kill_chain": { "id": 13, "name": "Simple" }, "known_as": "Tom Johnson", "last_activity_date": 1754955992, "last_modified_date": 1754955992, "motivations": [ { "id": 14, "name": "FinancialGain" } ], "name": "Mysterious Actor", "notify_users": true, "objectives": [ { "id": 15, "name": "IntelligenceGathering" } ], "origins": [ { "id": 16, "name": "Russia" } ], "recent_alerting": 1754955992, "rich_text_description": "

ut sed commodo magna sed ut cillum dolor velit anim ex anim in commodo id

", "sells_threats": [ { "id": 17, "name": "Ransomware" } ], "sells_threats_count": 1, "short_description": "Ransomware actor", "slug": "mysterious-actor", "status": "Active", "supports": [ { "id": 18, "name": "Supporter C" } ], "supports_actors_count": 1, "target_countries": [ { "id": 19, "name": "Germany" } ], "target_industries": [ { "id": 20, "name": "Healthcare" } ], "target_regions": [ { "id": 21, "name": "Europe" } ], "thumbnail": { "url": "http://example.com/thumbnail.png" }, "url": "http://example.com/actor-profile", "uses_indicators_count": 5, "uses_mitre_attacks_count": 3, "uses_mitre_tactics_count": 2, "uses_mitre_techniques_count": 4, "uses_threats": [ { "id": 22, "name": "Ransomware" } ], "uses_threats_count": 2, "uses_vulnerabilities": [ "CVE-2020-0601", "CVE-2021-34527" ], "vulnerabilities_count": 2 } ```