Table: crowdstrike_intel_actor - Query CrowdStrike Intel Actors using SQL
CrowdStrike Intel Actors are entities that represent threat actors in the cybersecurity landscape. They are characterized by their aliases, motivations, capabilities, and the specific types of targets they are known to attack. This information is crucial for understanding potential threats and implementing appropriate security measures.
Table Usage Guide
The crowdstrike_intel_actor table provides insights into threat actors within CrowdStrike's cybersecurity framework. As a cybersecurity analyst, explore actor-specific details through this table, including their aliases, motivations, and targets. Utilize it to uncover information about potential threats, their capabilities, and the specific types of targets they are known to attack.
Examples
Basic info
Explore the basic details of potential threat actors in the CrowdStrike intelligence database. This can help to understand the types of threats your system may face and inform your cybersecurity strategies.
The query is the same for PostgreSQL and SQLite:

```sql
select
  name,
  slug,
  description,
  actor_type
from
  crowdstrike_intel_actor;
```
List actors which have been active in the last 3 months
Discover actors that CrowdStrike has observed as active within the last three months, based on the actor's last_activity_date. This query is useful for identifying currently active threats and understanding their nature.

PostgreSQL:

```sql
select
  name,
  slug,
  description,
  actor_type
from
  crowdstrike_intel_actor
where
  last_activity_date > current_date - interval '3 months';
```

SQLite:

```sql
select
  name,
  slug,
  description,
  actor_type
from
  crowdstrike_intel_actor
where
  last_activity_date > date('now', '-3 months');
```
List actors from a specific origin
Explore which actors have a recorded origin in a specific country. The origins column is a JSON array, so each element is expanded and matched on its slug (here 'cn'). This is useful for identifying potential threats linked to that location.

PostgreSQL:

```sql
select
  id,
  known_as,
  name,
  url
from
  crowdstrike_intel_actor,
  jsonb_array_elements(origins) as o
where
  o ->> 'slug' = 'cn';
```

SQLite:

```sql
select
  id,
  known_as,
  name,
  url
from
  crowdstrike_intel_actor,
  json_each(origins) as o
where
  json_extract(o.value, '$.slug') = 'cn';
```
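The same JSON-expansion pattern extends to the other array columns. The following is an added example, not part of the Steampipe plugin documentation: it builds a defender's watchlist of active actors that target a given industry, most recently active first, with their origins and motivations collapsed into one row per actor. It assumes that elements of target_industries, origins and motivations have the shape {"id": ..., "slug": ..., "value": ...} (the origin example above relies on the slug key) and that 'financial-services' is a valid industry slug; substitute the slugs your data returns.

```sql
-- Added example (not from the Steampipe docs). Assumed element shape for the
-- JSON array columns: {"id": ..., "slug": ..., "value": ...}; the industry slug
-- 'financial-services' is an assumed value.

-- PostgreSQL
select
  a.name,
  a.known_as,
  a.actor_type,
  a.last_activity_date,
  -- distinct is needed because expanding three arrays multiplies rows per actor
  string_agg(distinct o ->> 'value', ', ') as origins,
  string_agg(distinct m ->> 'value', ', ') as motivations
from
  crowdstrike_intel_actor as a
  -- inner expansion: actors with no target_industries drop out
  cross join jsonb_array_elements(a.target_industries) as ti
  -- left lateral expansions keep actors whose origins/motivations are empty or null
  left join lateral jsonb_array_elements(a.origins) as o on true
  left join lateral jsonb_array_elements(a.motivations) as m on true
where
  a.active
  and ti ->> 'slug' = 'financial-services'
  and a.last_activity_date > current_date - interval '6 months'
group by
  a.id, a.name, a.known_as, a.actor_type, a.last_activity_date
order by
  a.last_activity_date desc;

-- SQLite equivalent (json_each / json_extract, group_concat, date arithmetic)
select
  a.name,
  a.known_as,
  a.actor_type,
  a.last_activity_date,
  group_concat(distinct json_extract(o.value, '$.value')) as origins,
  group_concat(distinct json_extract(m.value, '$.value')) as motivations
from
  crowdstrike_intel_actor as a,
  json_each(a.target_industries) as ti
  left join json_each(a.origins) as o
  left join json_each(a.motivations) as m
where
  a.active = 1
  and json_extract(ti.value, '$.slug') = 'financial-services'
  and a.last_activity_date > date('now', '-6 months')
group by
  a.id, a.name, a.known_as, a.actor_type, a.last_activity_date
order by
  a.last_activity_date desc;
```

Because each array expansion multiplies the rows for an actor, the query groups back to one row per actor and aggregates with distinct; without that, an actor with three origins and two motivations would appear six times. Swapping target_industries for target_countries (matching on the country slug) gives the same view by geography.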
Schema for crowdstrike_intel_actor
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form. |
active | boolean | = | If this actor is still active. |
actor_type | text | = | The type of actor. |
capability | jsonb | | The actor's capability. |
created_date | timestamp with time zone | >, >=, =, <, <= | The creation date. |
description | text | | A description of the actor. |
ecrime_kill_chain | jsonb | | eCrime kill chain fields. |
entitlements | jsonb | | Entitlements of the actor. |
first_activity_date | timestamp with time zone | >, >=, =, <, <= | Date when first activity was detected. |
group | jsonb | | The actor's group. |
id | bigint | = | The actor's ID. |
image | jsonb | | URL to the image of the actor. |
kill_chain | jsonb | | Kill chain fields. |
known_as | text | | The actor's alias. |
last_activity_date | timestamp with time zone | >, >=, =, <, <= | Date of last activity. |
last_modified_date | timestamp with time zone | >, >=, =, <, <= | Date when this actor was last modified. |
motivations | jsonb | | The actor's motivations. |
name | text | | The actor's name. |
notify_users | boolean | | True if users have been notified. |
origins | jsonb | | The actor's country of origin. |
region | jsonb | | The actor's region. |
rich_text_description | text | | A rich text description of the actor. |
short_description | text | | A short description of the actor. |
slug | text | = | A slug for the actor. |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | | Steampipe context in JSON form. |
target_countries | jsonb | | The actor's targeted countries. |
target_industries | jsonb | | The actor's targeted industries. |
thumbnail | jsonb | | URL to an image for this actor. |
title | text | | Title of the resource. |
url | text | | The URL to the Falcon portal for this actor. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

```sh
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- crowdstrike
```

You can pass the configuration to the command with the --config argument:

```sh
steampipe_export_crowdstrike --config '<your_config>' crowdstrike_intel_actor
```