foundry-sample-ngsiem-importer
Threat Intel Import to NG-SIEM sample Foundry app
https://github.com/crowdstrike/foundry-sample-ngsiem-importer
Science Score: 44.0%
This score indicates how likely this project is to be science-related based on various indicators:
-
✓CITATION.cff file
Found CITATION.cff file -
✓codemeta.json file
Found codemeta.json file -
✓.zenodo.json file
Found .zenodo.json file -
○DOI references
-
○Academic publication links
-
○Committers with academic emails
-
○Institutional organization owner
-
○JOSS paper metadata
-
○Scientific vocabulary similarity
Low similarity (15.6%) to scientific vocabulary
Keywords
Keywords from Contributors
Repository
Threat Intel Import to NG-SIEM sample Foundry app
Basic Info
Statistics
- Stars: 3
- Watchers: 4
- Forks: 1
- Open Issues: 0
- Releases: 0
Topics
Metadata Files
README.md
Threat Intel Import to NG-SIEM sample Foundry app
The Threat Intel Import to NG-SIEM sample Foundry app is a community-driven, open source project which serves as an example of an app which can be built using CrowdStrike's Foundry ecosystem. foundry-sample-ngsiem-importer is an open source project, not a CrowdStrike product. As such, it carries no formal support, expressed or implied.
This app is one of several App Templates included in Foundry that you can use to jumpstart your development. It comes complete with a set of preconfigured capabilities aligned to its business purpose. Deploy this app from the Templates page with a single click in the Foundry UI, or create an app from this template using the CLI.
[!IMPORTANT]
To view documentation and deploy this sample app, you need access to the Falcon console.
Description
The NG-SIEM Importer sample Foundry app automates the collection, processing, and ingestion of threat intelligence data into CrowdStrike's Next-Generation Security Information and Event Management (NG-SIEM) platform.
Prerequisites
- The Foundry CLI (instructions below).
- Python 3.13+ (needed if modifying the app's functions). See Python For Beginners for installation instructions.
Install the Foundry CLI
You can install the Foundry CLI with Scoop on Windows or Homebrew on Linux/macOS.
Windows:
Install Scoop. Then, add the Foundry CLI bucket and install the Foundry CLI.
shell
scoop bucket add foundry https://github.com/crowdstrike/scoop-foundry-cli.git
scoop install foundry
Or, you can download the latest Windows zip file, expand it, and add the install directory to your PATH environment variable.
Linux and macOS:
Install Homebrew. Then, add the Foundry CLI repository to the list of formulae that Homebrew uses and install the CLI:
shell
brew tap crowdstrike/foundry-cli
brew install crowdstrike/foundry-cli/foundry
Run foundry version to verify it's installed correctly.
Getting Started
Clone this sample to your local system, or download as a zip file and import it into Foundry.
shell
git clone https://github.com/CrowdStrike/foundry-sample-ngsiem-importer
cd foundry-sample-ngsiem-importer
Log in to Foundry:
shell
foundry login
Select the following permissions:
- [ ] Create and run RTR scripts
- [x] Create, execute and test workflow templates
- [ ] Create, run and view API integrations
- [ ] Create, edit, delete, and list queries
Deploy the app:
shell
foundry apps deploy
[!TIP] If you get an error that the name already exists, change the name to something unique to your CID in
manifest.yml.
Once the deployment has finished, you can release the app:
shell
foundry apps release
Next, go to Foundry > App catalog, find your app, and install it. Go to Fusion SOAR > Workflows to see the scheduled workflow from this app.
About this sample app
1. Data Collection
The extension downloads threat intelligence from multiple public sources:
- botvrij.eu: Collects malicious domains, SHA1 file hashes, and IP addresses
- Emerging Threats: Gathers compromised IP addresses
- dan.me.uk: Downloads Tor exit node IP addresses
- urlhaus.abuse.ch: Retrieves malicious URLs
2. Data Processing
- Parses various file formats and structures
- Validates entries (especially IP addresses)
- Standardizes the data into a consistent format
- Organizes data into appropriate fields for SIEM ingestion:
- IP addresses: destination.ip
- Domains: dns.domain.name
- File hashes: file.hash.sha1
- URLs: url.original
3. Data Ingestion
- Converts processed data into CSV format
- Uploads CSVs to the specified NG-SIEM repository (default: "search-all")
- Returns status information for each processed file
4. Scheduling
- Runs automatically at 3:00 AM Eastern Time (America/New_York) every day
- Can also be triggered manually through the CrowdStrike platform
Technical Implementation
- Built on CrowdStrike's Foundry Function framework
- Written in Python with dependencies including:
- crowdstrike-foundry-function and FalconPy for CrowdStrike API integration
- pandas for data processing
- requests for HTTP communication
- ipaddress for IP validation
Security Value
This extension enhances an organization's security posture by:
- Automating the collection of threat intelligence from multiple sources
- Standardizing heterogeneous data formats
- Regularly updating the SIEM with fresh threat data
- Enabling detection of malicious domains, IPs, file hashes, and URLs in security logs
Foundry resources
WE STOP BREACHES
Owner
- Name: CrowdStrike
- Login: CrowdStrike
- Kind: organization
- Email: github@crowdstrike.com
- Location: United States of America
- Website: https://www.crowdstrike.com
- Repositories: 183
- Profile: https://github.com/CrowdStrike
Citation (CITATION.cff)
cff-version: 1.2.0
title: 'CrowdStrike Foundry Sample App - NGSIEM Importer'
message: >-
If you use this software, and wish to cite the origins,
please use metadata from this file.
type: software
authors:
- given-names:
family-names: CrowdStrike
email: oss-questions@crowdstrike.com
repository-code: 'https://github.com/CrowdStrike/foundry-sample-ngsiem-importer'
url: 'https://www.crowdstrike.com'
repository-artifact: 'https://pkg.go.dev/github.com/crowdstrike/foundry-sample-ngsiem-importer'
abstract: >-
The CrowdStrike Foundry Sample App - NG-SIEM Importer
is a community-driven, open source project designed
to illustrate creating apps with CrowdStrike Foundry.
keywords:
- crowdstrike
- oauth2
- crowdstrike-foundry
- python
- windows
- linux
- mac
license: MIT
GitHub Events
Total
- Watch event: 1
- Delete event: 6
- Issue comment event: 2
- Push event: 15
- Public event: 1
- Pull request review comment event: 1
- Pull request review event: 8
- Pull request event: 17
- Fork event: 1
- Create event: 8
Last Year
- Watch event: 1
- Delete event: 6
- Issue comment event: 2
- Push event: 15
- Public event: 1
- Pull request review comment event: 1
- Pull request review event: 8
- Pull request event: 17
- Fork event: 1
- Create event: 8
Committers
Last synced: 10 months ago
Top Committers
| Name | Commits | |
|---|---|---|
| Matt Raible | m****e@c****m | 17 |
| dependabot[bot] | 4****] | 1 |
| BanuY | 5****Y | 1 |
Committer Domains (Top 20 + Academic)
Issues and Pull Requests
Last synced: 11 months ago
All Time
- Total issues: 0
- Total pull requests: 7
- Average time to close issues: N/A
- Average time to close pull requests: about 4 hours
- Total issue authors: 0
- Total pull request authors: 3
- Average comments per issue: 0
- Average comments per pull request: 0.29
- Merged pull requests: 6
- Bot issues: 0
- Bot pull requests: 1
Past Year
- Issues: 0
- Pull requests: 7
- Average time to close issues: N/A
- Average time to close pull requests: about 4 hours
- Issue authors: 0
- Pull request authors: 3
- Average comments per issue: 0
- Average comments per pull request: 0.29
- Merged pull requests: 6
- Bot issues: 0
- Bot pull requests: 1
Top Authors
Issue Authors
Pull Request Authors
- mraible (13)
- dependabot[bot] (4)
- BanuY (2)
Top Labels
Issue Labels
Pull Request Labels
Dependencies
- actions/checkout v4 composite
- actions/setup-python v5 composite
- crowdstrike-falconpy *
- crowdstrike-foundry-function ==1.1.0
- ipaddress ==1.0.23
- pandas *
- requests *