turbot/crowdstrike
steampipe plugin install crowdstrike

Table: crowdstrike_intel_actor - Query CrowdStrike Intel Actors using SQL

CrowdStrike Intel Actors are entities that represent threat actors in the cybersecurity landscape. They are characterized by their aliases, motivations, capabilities, and the specific types of targets they are known to attack. This information is crucial for understanding potential threats and implementing appropriate security measures.

Table Usage Guide

The crowdstrike_intel_actor table provides insights into threat actors tracked by CrowdStrike's intelligence service. As a cybersecurity analyst, explore actor-specific details through this table, including their aliases, motivations, and targets. Use it to uncover information about potential threats, their capabilities, and the specific types of targets they are known to attack.

Examples

Basic info

Explore the basic details of threat actors in the CrowdStrike intelligence database. This helps you understand the types of threats your organization may face and informs your cybersecurity strategy.

select
  name,
  slug,
  description,
  actor_type
from
  crowdstrike_intel_actor;

List actors that have been active in the last 3 months

Discover actors that CrowdStrike has observed to be active recently, specifically within the last three months. This query is useful for identifying currently relevant threats and understanding their nature. The first form is for PostgreSQL and the second for SQLite, which has no interval arithmetic.

PostgreSQL:

select
  name,
  slug,
  description,
  actor_type
from
  crowdstrike_intel_actor
where
  last_activity_date > current_date - interval '3 months';

SQLite:

select
  name,
  slug,
  description,
  actor_type
from
  crowdstrike_intel_actor
where
  last_activity_date > date('now', '-3 months');

List actors from a specific origin

Explore which tracked actors originate from a specific country, matched on the origin slug ('cn' in this example). This is useful for identifying threats linked to that location. The origins column is a JSON array, so it is expanded with jsonb_array_elements in PostgreSQL and json_each in SQLite.

PostgreSQL:

select
  id,
  known_as,
  name,
  url
from
  crowdstrike_intel_actor,
  jsonb_array_elements(origins) as o
where
  o ->> 'slug' = 'cn';

SQLite:

select
  id,
  known_as,
  name,
  url
from
  crowdstrike_intel_actor,
  json_each(origins) as o
where
  json_extract(o.value, '$.slug') = 'cn';
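The same array-expansion pattern extends to the other JSON columns in the schema (target_countries, target_industries, motivations), which is how an analyst builds a targeting profile. The following PostgreSQL query is an added example and not part of the Steampipe docs; it assumes those arrays hold objects with 'slug' and 'value' keys like origins does, and the country slug 'us' is a placeholder.

```sql
-- Added example (not from the Steampipe docs): active actors known to
-- target a given country, with their motivations and targeted industries
-- flattened into comma-separated lists.
-- Assumption: target_countries, target_industries and motivations are
-- jsonb arrays of objects shaped like origins ({"slug": ..., "value": ...}).
-- 'us' is a placeholder slug; substitute the country you care about.
select
  a.name,
  a.known_as,
  a.actor_type,
  a.last_activity_date,
  string_agg(distinct m ->> 'value', ', ') as motivations,
  string_agg(distinct i ->> 'value', ', ') as target_industries
from
  crowdstrike_intel_actor as a
  -- inner join: keep only actors with a matching target country
  cross join jsonb_array_elements(a.target_countries) as c
  -- left joins: keep actors even if motivations/industries are empty
  left join jsonb_array_elements(a.motivations) as m on true
  left join jsonb_array_elements(a.target_industries) as i on true
where
  c ->> 'slug' = 'us'
  and a.active
  and a.last_activity_date > current_date - interval '1 year'
group by
  a.id, a.name, a.known_as, a.actor_type, a.last_activity_date
order by
  a.last_activity_date desc;
```

The active and last_activity_date predicates use columns that the schema lists with operators, so the plugin can pass them to the CrowdStrike API instead of filtering the full actor list locally.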

Schema for crowdstrike_intel_actor

Name                   | Type                     | Operators          | Description
_ctx                   | jsonb                    |                    | Steampipe context in JSON form, e.g. connection_name.
active                 | boolean                  | =                  | If this actor is still active.
actor_type             | text                     | =                  | The type of actor.
capability             | jsonb                    |                    | The actor's capability.
created_date           | timestamp with time zone | >, >=, =, <, <=    | The creation date.
description            | text                     |                    | A description of the actor.
ecrime_kill_chain      | jsonb                    |                    | eCrime kill chain fields.
entitlements           | jsonb                    |                    | Entitlements of the actor.
first_activity_date    | timestamp with time zone | >, >=, =, <, <=    | Date when first activity was detected.
group                  | jsonb                    |                    | The actor's group.
id                     | bigint                   | =                  | The actor's ID.
image                  | jsonb                    |                    | URL to the image of the actor.
kill_chain             | jsonb                    |                    | Kill chain fields.
known_as               | text                     |                    | The actor's alias.
last_activity_date     | timestamp with time zone | >, >=, =, <, <=    | Date of last activity.
last_modified_date     | timestamp with time zone | >, >=, =, <, <=    | Date when this actor was last modified.
motivations            | jsonb                    |                    | The actor's motivations.
name                   | text                     |                    | The actor's name.
notify_users           | boolean                  |                    | True if users have been notified.
origins                | jsonb                    |                    | The actor's country of origin.
region                 | jsonb                    |                    | The actor's region.
rich_text_description  | text                     |                    | A rich text description of the actor.
short_description      | text                     |                    | A short description of the actor.
slug                   | text                     | =                  | A slug for the actor.
target_countries       | jsonb                    |                    | The actor's targeted countries.
target_industries      | jsonb                    |                    | The actor's targeted industries.
thumbnail              | jsonb                    |                    | URL to an image for this actor.
title                  | text                     |                    | Title of the resource.
url                    | text                     |                    | The URL to the Falcon portal for this actor.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install it with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- crowdstrike

You can pass the configuration to the command with the --config argument:

steampipe_export_crowdstrike --config '<your_config>' crowdstrike_intel_actor