This repository contains two versions (Python and Shell) of a script designed to poll a STIX2/TAXII 2 server for Indicators of Compromise (IOCs) and ingest them into CrowdStrike Falcon. The scripts handle pagination, token management, and include error handling for interacting with both TAXII 2 and CrowdStrike Falcon APIs.
- Configurable rate limiting to control API request frequency, adjustable via the `RATE_LIMIT_DELAY` environment variable.
- Poll STIX2/TAXII 2 servers to retrieve IOCs.
- Push or update IOCs into CrowdStrike Falcon.
- Handle pagination for large datasets from both TAXII 2 and CrowdStrike Falcon APIs.
- Retry mechanism for transient failures (network issues).
- Supports setting API credentials via environment variables for secure deployment.
- Expiration management for IOCs (valid for 3 months by default).
Files:
- `taxii_to_crowdstrike.sh` — Shell version of the script.
- `taxii_to_crowdstrike.py` — Python version of the script.

Requirements for the Shell version:
- Shell (`/bin/sh`)
- `curl` for making HTTP requests.
- `jq` for parsing JSON responses.

Requirements for the Python version:
- Python 3.6+
- `requests` library for handling HTTP requests.
Install the Python dependency with:

```sh
pip install requests
```
Both versions of the script expect the following environment variables to be set:

| Variable | Description |
|---|---|
| `CLIENT_ID` | CrowdStrike Falcon API client ID |
| `CLIENT_SECRET` | CrowdStrike Falcon API client secret |
| `TAXII_SERVER_URL` | URL of the TAXII 2 server |
| `TAXII_API_ROOT` | TAXII 2 API root directory (e.g. `default`) |
| `TAXII_COLLECTION` | TAXII 2 collection ID |
| `TAXII_USERNAME` | TAXII 2 server username |
| `TAXII_PASSWORD` | TAXII 2 server password |
| `RATE_LIMIT_DELAY` | (Optional) Delay between API requests; defaults to 2 seconds |
Ensure the Shell script is executable and run:

```sh
chmod +x taxii_to_crowdstrike.sh
./taxii_to_crowdstrike.sh
```

Execute the Python version with Python 3:

```sh
python3 taxii_to_crowdstrike.py
```

Both scripts log activity to `/var/log/taxii_to_crowdstrike.log` by default. Adjust the log path in the scripts if needed.
The Shell version is a Shell-based implementation using `curl` and `jq`.

Main functions:
- `get_crowdstrike_token` — Retrieves the OAuth2 token.
- `poll_taxii_server` — Polls the TAXII 2 server for IOCs.
- `push_iocs_to_crowdstrike` — Upserts IOCs into CrowdStrike Falcon.
The Python version is a Python implementation using the `requests` library.

Main functions:
- `get_crowdstrike_token` — Retrieves the OAuth2 token.
- `poll_taxii_server` — Polls the TAXII 2 server for IOCs.
- `check_ioc_exists_paginated` — Checks if an IOC exists in CrowdStrike.
- `push_iocs_to_crowdstrike` — Upserts IOCs into CrowdStrike Falcon.
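As an added illustration (not code from this repository), the following Python sketch shows the two steps behind `poll_taxii_server` and `push_iocs_to_crowdstrike`: following TAXII 2.1 `more`/`next` pagination until a collection is exhausted, then mapping STIX indicator patterns to Falcon IOC records that expire roughly three months out. The sample TAXII pages, the STIX-path-to-IOC-type mapping and the IOC record fields (`type`, `value`, `action`, `expiration`) are assumptions made for the example; the HTTP calls the real script makes are replaced by an in-memory stand-in.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: two TAXII 2.1 envelope pages. Page 1 reports more=True
# with a 'next' cursor; the second page is the last one.
SAMPLE_PAGES = {
    None: {"more": True, "next": "cursor-2", "objects": [
        {"type": "indicator", "id": "indicator--1", "pattern": "[domain-name:value = 'bad.example']"},
        {"type": "malware", "id": "malware--1", "name": "not an indicator"},
    ]},
    "cursor-2": {"more": False, "objects": [
        {"type": "indicator", "id": "indicator--2",
         "pattern": "[file:hashes.'SHA-256' = '" + "a" * 64 + "']"},
        {"type": "indicator", "id": "indicator--3",
         "pattern": "[ipv4-addr:value = '203.0.113.9' OR ipv4-addr:value = '203.0.113.10']"},
        {"type": "indicator", "id": "indicator--4",
         "pattern": "[process:name = 'x.exe']"},  # no Falcon IOC type: skipped
    ]},
}
# STIX object path -> Falcon IOC type (assumed mapping for this example).
STIX_TO_CS = {"domain-name:value": "domain", "ipv4-addr:value": "ipv4",
              "ipv6-addr:value": "ipv6", "file:hashes.'SHA-256'": "sha256",
              "file:hashes.'MD5'": "md5"}
COMPARISON = re.compile(r"([\w-]+:[\w.'-]+)\s*=\s*'([^']*)'")  # <path> = '<value>'

def fetch_page(cursor):
    """Stand-in for GET <api-root>/collections/<id>/objects/?next=<cursor>."""
    return SAMPLE_PAGES[cursor]

def poll_all_indicators(fetch=fetch_page):
    """Follow TAXII 2.1 'more'/'next' until the collection is exhausted."""
    cursor, indicators = None, []
    while True:
        page = fetch(cursor)
        indicators += [o for o in page.get("objects", []) if o.get("type") == "indicator"]
        if not page.get("more"):
            return indicators
        cursor = page["next"]  # hand the server's cursor back on the next request

def to_crowdstrike_iocs(indicators, valid_days=90):
    """Map STIX patterns to Falcon IOC records; 90 days approximates the page's 3 months."""
    expires = (datetime.now(timezone.utc) + timedelta(days=valid_days)).strftime("%Y-%m-%dT%H:%M:%SZ")
    iocs = []
    for ind in indicators:
        for path, value in COMPARISON.findall(ind["pattern"]):
            cs_type = STIX_TO_CS.get(path)
            if cs_type:  # skip STIX object types Falcon has no IOC type for
                iocs.append({"type": cs_type, "value": value, "action": "detect",
                             "source": ind["id"], "expiration": expires})
    return iocs
```

A pattern with several `OR`-joined comparisons yields one IOC per comparison, which is why the third indicator above produces two `ipv4` records.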
| Version | Date | Notes |
|---|---|---|
| 2025.05.1 | 29-05-2025 | Converted to TAXII 2 (JSON/STIX2) polling |
| 2024.10.6 | 11-10-2024 | Added TAXII polling error handling |
| 2024.10.5 | 10-10-2024 | Added configurable rate limiting |
| 2024.10.4 | 09-10-2024 | Improved token handling and page-by-page processing |
| 2024.10.3 | 09-10-2024 | Handled pagination of large datasets |
| 2024.10.2 | 09-10-2024 | Added error handling, logging, and retries |
| 2024.10.1 | 08-10-2024 | Initial Public Release |
Released under the MIT License. See the LICENSE file for details.