The Threat Intel Import to NG-SIEM sample Foundry app is a community-driven, open source project which serves as an example of an app which can be built using CrowdStrike's Foundry ecosystem. foundry-sample-ngsiem-importer is an open source project, not a CrowdStrike product. As such, it carries no formal support, expressed or implied.
This app is one of several App Templates included in Foundry that you can use to jumpstart your development. It comes complete with a set of preconfigured capabilities aligned to its business purpose. Deploy this app from the Templates page with a single click in the Foundry UI, or create an app from this template using the CLI.
Important
To view documentation and deploy this sample app, you need access to the Falcon console.
The NG-SIEM Importer sample Foundry app automates the collection, processing, and ingestion of threat intelligence data into CrowdStrike's Next-Generation Security Information and Event Management (NG-SIEM) platform.
- The Foundry CLI (instructions below).
- Python 3.13+ (needed if modifying the app's functions). See Python For Beginners for installation instructions.
You can install the Foundry CLI with Scoop on Windows or Homebrew on Linux/macOS.
Windows:
Install Scoop. Then, add the Foundry CLI bucket and install the Foundry CLI.
scoop bucket add foundry https://github.com/crowdstrike/scoop-foundry-cli.git
scoop install foundryOr, you can download the latest Windows zip file, expand it, and add the install directory to your PATH environment variable.
Linux and macOS:
Install Homebrew. Then, add the Foundry CLI repository to the list of formulae that Homebrew uses and install the CLI:
brew tap crowdstrike/foundry-cli
brew install crowdstrike/foundry-cli/foundryRun foundry version to verify it's installed correctly.
Clone this sample to your local system, or download as a zip file and import it into Foundry.
git clone https://github.com/CrowdStrike/foundry-sample-ngsiem-importer
cd foundry-sample-ngsiem-importerLog in to Foundry:
foundry loginSelect the following permissions:
- Create and run RTR scripts
- Create, execute and test workflow templates
- Create, run and view API integrations
- Create, edit, delete, and list queries
Deploy the app:
foundry apps deployTip
If you get an error that the name already exists, change the name to something unique to your CID in manifest.yml.
Once the deployment has finished, you can release the app:
foundry apps releaseNext, go to Foundry > App catalog, find your app, and install it. Go to Fusion SOAR > Workflows to see the scheduled workflow from this app.
The extension downloads threat intelligence from multiple public sources:
- botvrij.eu: Collects malicious domains, SHA1 file hashes, and IP addresses
- Emerging Threats: Gathers compromised IP addresses
- dan.me.uk: Downloads Tor exit node IP addresses
- urlhaus.abuse.ch: Retrieves malicious URLs
- Parses various file formats and structures
- Validates entries (especially IP addresses)
- Standardizes the data into a consistent format
- Organizes data into appropriate fields for SIEM ingestion:
- IP addresses: destination.ip
- Domains: dns.domain.name
- File hashes: file.hash.sha1
- URLs: url.original
- Converts processed data into CSV format
- Uploads CSVs to the specified NG-SIEM repository (default: "search-all")
- Returns status information for each processed file
- Runs automatically at 3:00 AM Eastern Time (America/New_York) every day
- Can also be triggered manually through the CrowdStrike platform
- Built on CrowdStrike's Foundry Function framework
- Written in Python with dependencies including:
- crowdstrike-foundry-function and FalconPy for CrowdStrike API integration
- pandas for data processing
- requests for HTTP communication
- ipaddress for IP validation
This extension enhances an organization's security posture by:
- Automating the collection of threat intelligence from multiple sources
- Standardizing heterogeneous data formats
- Regularly updating the SIEM with fresh threat data
- Enabling detection of malicious domains, IPs, file hashes, and URLs in security logs
