CrowdStrike Falcon

About this document

This document gives you the step-by-step procedure to configure CrowdStrike Falcon in SAFE.

Pre-requisite

You need the following connection details to establish this integration.

• CrowdStrike URL
• Client ID
• Client Secret

Follow the below step-by-step procedure to get the connector details:

1. Login to your CrowdStrike instance.
2. Navigate to the Support > API Clients and Keys menu.
3. Click the Add new API Client. It opens an API scope view.
4. Enter the Client Name and Description. 
5. Select the Read checkbox for Detections and Hosts available under the API Scopes section.
   
6. Click the Add button.
7. The system displays the connection details (URL, Client ID, and Client Secret). 
8. Copy these connection details.  
   

Configure CrowdStrike

To configure CrowdStrike in SAFE:

1. Navigate to the SAFE Hooks.
2. Click theCrowdStrike Falcon card. 
3. Enter the connection details (CrowdStrikeURL, Client ID, and Client Secret) on the CrowdStrike Falcon configuration page.
4. (Optional) Enter the Tag Filters to pull selective data from CrowdStrike to SAFE.
   Tag Filter: SAFE allows users to fetch filtered data from CrowdStrike to SAFE using Tags. If a user does not add any Tag Name in this field, the system fetches all the asset's data to which the user has access.
   You can enter multiple Tag names separated by commas.
   Example: admin, location, department.
5. If needed, mark the Auto Onboard New Assets checkbox.
   Auto Onboard New Assets - By default, any assets in CrowdStrike that are not found in SAFE will be onboarded. This option can be unchecked to limit the integration to pull in findings of only the assets present in SAFE.
6. If needed, uncheck the "Update Existing Assets Metadata" checkbox.
   Update Existing Assets Metadata: If this checkbox is marked, the asset's metadata, such as asset name, IP address, etc., will get updated based on the data pulled from CrowdStrike. 
7. Enter the Auto Sync frequency in the number of days.
8. Click the Test Connection button.
9. Once the connection is validated, click the Save button.
   
10. Once the configuration is saved, click the Sync Now button to trigger the on-demand sync outside of the scheduled auto sync. The auto-sync time is 01:15 UTC.

View Result

After a successful sync, SAFE automatically pulls the CrowdStrike assets and EDR data.

To view the assets:

1. Navigate to Technology > Assets.
2. Filter the asset list for signal source equals security.safe.crowdstrike.
   

To view the findings:

1. Navigate to the Risk Scenario created for the CrowdStrike assets.
2. Scroll down to the Findings section. Here you can see the finding details of theCrowdStrike assets.

FAQs

1. How is the CrowdStrike to SAFE asset type mapping done?

The CrowdStrike asset’s Operating System (os_version field returned by CrowdStrike APIs) is used to map it to the SAFE asset type. The mapping can be viewed or updated using GET and POST /settings/os-to-safe-asset-type-mapping API.

2. What assessment data does SAFE pull from Crowdstrike, and which type of assets?

SAFE does not perform any native assessment of the CrowdStrike assets. SAFE pulls the detections from CrowdStrike and adds/updates them as EDR findings in SAFE.

3. Which CrowdStrike detections are used for scoring an asset in SAFE?

Only the detections that are in New, In Progress, True Positive, Ignored, or Re-Opened state in CrowdStrike will be used as EDR findings for scoring assets in SAFE.

4. How can I view the list of all EDR Findings of an asset in SAFE?

A list of all EDR Findings of an asset can be viewed by going to the asset details page and clicking on the number in the EDR Findings Count row. 

5. Why is there a difference between the total count of EDR Controls and the EDR Findings count of an asset in SAFE?

EDR findings count contains all individual failing instances for EDR controls, which means EDR findings can be more than the number of EDR controls as there may be multiple failing instances of an EDR control.

6. How do I know if an EDR detection has multiple failing instances on an asset?

One way to identify whether an EDR finding has multiple failing instances is to check the observation section of the assessed control. Observation contains the different detection instances as returned by CrowdStrike. Another way is to go to that failed control’s details page and check if it has multiple instances.

7. How can I check the Sync status for CrowdStrike Integration?

To view the information related to any saved configuration GET /integrations/:instance_id can be used. It will return all config fields except the fields which are encrypted using the sensitiveFields array. It will also return the information regarding the config state and the current Sync status.

{
  "id": 1,
  "type": "edrplugin",
  "subtype": "crowdstrike",
  "config": {
    "url": "https://www.test.com/",
    "clientId": "username",
    "sensitiveFields": [
      "clientSecret"
    ],
    "autoSyncFrequency": 1,
    "shouldImportAssets": true,
    "assetMatchingCriteria": [
      "asset_name",
      "ip_address",
      "mac_address"
    ]
  },
  "state": {
    "error": null,
    "stage": "COMPLETED",
    "status": 0,
    "totalAssets": 43,
    "failedAssets": 0,
    "lastScanTriggerTs": "2022-08-30T12:30:29.502Z",
    "completionPercentage": 100,
    "lastScanCompletionTs": "2022-08-30T12:34:17.173Z"
  },
  "isEnabled": true
}

8. What are the possible values of the state of CrowdStrike sync?

The following are the possible values for the sync stage:

Each stage will have its own completion Percentage for reference.

The following are the possible values for sync status:

9. What should be the type and subType of integration while adding a new CrowdStrike integration via POST /integration API?

The type of integration should be “edrplugin“ and subType should be “crowdstrike” while adding a new CrowdStrike integration using API.

10. Is it mandatory to provide tags in CrowdStrike Configuration?

No, it is not mandatory to provide the tags in CrowdStrike Configuration. Tags help users to configure a filter for the assets whose EDR data is pulled by SAFE. This is useful in case EDR findings of only a set of assets need to be pulled into SAFE.

11. Why are some of my assets showing with no score?

Assets may appear without a score in SAFE for the following reasons:

• TTP Mapping: SAFE requires a TTP mapping to be present for an incoming signal to generate a score. If no mapping is available, no score will be created for the asset.
• Crowdstrike Integration: If you have enabled the Crowdstrike integration and configured the "onboard assets" setting to "ON," any new assets identified by Crowdstrike that are not already in SAFE will be created as new assets. However, if there is no Malware Detection or other TTP signal in the Crowdstrike metadata at the time of asset creation, a score will not be generated for the asset.
  To resolve this and generate a score for the asset, one of the following actions must occur:
  • Crowdstrike provides a Malware Detection or other TTP signal for the asset.
  • A signal for the asset is provided from another source, such as a Vulnerability Assessment and Configuration Assessment.

By ensuring the presence of a TTP signal, either from Crowdstrike or another source, you can enable SAFE to generate a score for your assets.

12. What happens when an EDR control is marked as 'Accepted Failed' in SAFE?

When a control is marked as 'Accepted Failed' in SAFE, it instructs the system to ignore the control in all future assessments completely. Hence, the control's information, such as status and observation, won't be updated unless the control is manually reverted to the 'Not Assessed' status.