# Threat Actors
Fetches actor intelligence data to enhance threat correlation and investigation workflows.
**Sync Type: Full Synchronisation**
## Requirements
- Before you connect Monad to CrowdStrike, you need a Client ID and Client Secret. Log in to your CrowdStrike portal, and under Support & Resources, click on 'API Client and Keys' to create your credentials.
- Enter a Client Name, Description and API Scopes to define the API client. Ensure read roles for Actors (Falcon Intelligence) are enabled.
- Click **Done**.
- Copy the ClientID and ClientSecret key. You'll need them when you set up the Monad connector.
## Details
Monad uses the `cron` field to run this input on specific intervals and returns all actors' details, performing a full sync of data each time.
## Configuration
The following configuration defines the input parameters. Each field's specifications, such as type, requirements, and descriptions, are detailed below.
#### Settings
| Setting | Type | Required | Description |
|---------|------|----------|-------------|
| Cron | string | Yes | Cron string for scheduling tasks. Ex: '0 0 * * *' for daily execution at midnight. |
| Sort | string | No | Order fields in ascending or descending order. Ex: 'created_date|asc', 'created_date|desc'. |
| Cloud Type | string | No | Your cloud type for CrowdStrike. Ex: 'autodiscover', 'us-1', 'us-2', 'eu-1', 'us-gov-1'. |
| Actor Type | string | No | Type of actor. Ex: 'APT', 'eCrime', 'Hacktivist', 'Insider Threat', 'Nation-State', 'Unknown', 'Other', etc. |
| Target Industries | string | No | Industries targeted by the actor. Ex: 'Financial', 'Healthcare', 'Energy', 'Government', 'Manufacturing', 'Technology', etc. |
#### Secrets
| Secret | Type | Required | Description |
|---------|------|----------|-------------|
| Client ID | string | Yes | Client ID for the CrowdStrike API. This is required to authenticate requests. |
| Client Secret | string | Yes | Client Secret for the CrowdStrike API. This is required to authenticate requests. |
## Custom Schema Handling
If the source data doesn't align with any of the [OpenSecurityControlFramework (OSCF) schemas](https://schema.ocsf.io/), you can create a custom transformation using our JQ transform pipeline. For example:
```jq
{
metadata: {
schema_version: "1.0.0",
custom_framework: "my_framework"
},
controls: .[]
}
```
For more information on JQ and how to write your own JQ transformations see the JQ docs [here](https://jqlang.github.io/jq/).
If you believe this data source should be included in the standard OSCF schema set, please reach out to our team at [support@monad.com](mailto:support@monad.com). We're always looking to expand our coverage of security control frameworks based on community needs.
## Sample Record
```json
{
"active": true,
"actor_type": "nation-state",
"capabilities": [
{
"id": 1,
"name": "Phishing"
},
{
"id": 2,
"name": "Malware"
}
],
"capability": {
"id": 3,
"name": "High"
},
"created_date": 1754955992,
"description": "adipiscing nulla et ea sit veniam adipiscing elit elit velit",
"description_length": 85,
"develops_threats": [
{
"id": 4,
"name": "Ransomware"
}
],
"develops_threats_count": 1,
"ecrime_kill_chain": {
"id": 5,
"name": "Complete"
},
"entitlements": [
{
"id": 6,
"name": "Admin"
}
],
"first_activity_date": 1754955992,
"has_subgroup": [
{
"id": 7,
"name": "Subgroup A"
}
],
"has_subgroup_actors_count": 1,
"has_successor": [
{
"id": 8,
"name": "Successor A"
}
],
"has_successor_actors_count": 1,
"id": "33026",
"image": {
"url": "http://example.com/image.png"
},
"in_reports": [
{
"id": 9,
"title": "Report B"
}
],
"in_reports_count": 1,
"is_subgroup_of": [
{
"id": 10,
"name": "Secondary Group"
}
],
"is_subgroup_of_actors_count": 1,
"is_successor_of": [
{
"id": 11,
"name": "Predecessor B"
}
],
"is_successor_of_actors_count": 1,
"is_supported_by": [
{
"id": 12,
"name": "Supporter A"
}
],
"is_supported_by_actors_count": 1,
"kill_chain": {
"id": 13,
"name": "Simple"
},
"known_as": "Tom Johnson",
"last_activity_date": 1754955992,
"last_modified_date": 1754955992,
"motivations": [
{
"id": 14,
"name": "FinancialGain"
}
],
"name": "Mysterious Actor",
"notify_users": true,
"objectives": [
{
"id": 15,
"name": "IntelligenceGathering"
}
],
"origins": [
{
"id": 16,
"name": "Russia"
}
],
"recent_alerting": 1754955992,
"rich_text_description": "
ut sed commodo magna sed ut cillum dolor velit anim ex anim in commodo id
", "sells_threats": [ { "id": 17, "name": "Ransomware" } ], "sells_threats_count": 1, "short_description": "Ransomware actor", "slug": "mysterious-actor", "status": "Active", "supports": [ { "id": 18, "name": "Supporter C" } ], "supports_actors_count": 1, "target_countries": [ { "id": 19, "name": "Germany" } ], "target_industries": [ { "id": 20, "name": "Healthcare" } ], "target_regions": [ { "id": 21, "name": "Europe" } ], "thumbnail": { "url": "http://example.com/thumbnail.png" }, "url": "http://example.com/actor-profile", "uses_indicators_count": 5, "uses_mitre_attacks_count": 3, "uses_mitre_tactics_count": 2, "uses_mitre_techniques_count": 4, "uses_threats": [ { "id": 22, "name": "Ransomware" } ], "uses_threats_count": 2, "uses_vulnerabilities": [ "CVE-2020-0601", "CVE-2021-34527" ], "vulnerabilities_count": 2 } ```