CrowdStrike Falcon

About this document


This document gives you the step-by-step procedure to configure CrowdStrike Falcon in SAFE.

Pre-requisite


You need the following connection details to establish this integration.

  • CrowdStrike URL

  • Client ID

  • Client Secret

Important

To create API clients and secrets, you must have a Falcon Administrator role in CrowdStrike. The API client secret value is only shown when a new API client is created or while resetting it.


Follow the step-by-step procedure below to get the connector details:

  1. Log in to your CrowdStrike instance.

  2. Navigate to the Support and resources > API Clients and Keys menu.

  3. Click Create API Client. It opens an API scope view.

  4. Enter the Client Name and Description.

  5. Select the Read checkbox for Alerts and Hosts available under the API Scopes section.

  6. Click the Create button.

  7. The system displays the connection details (URL, Client ID, and Client Secret).

  8. Copy these connection details.  

Existing SAFE customers using the CrowdStrike Falcon integration need to update their configured Client ID with the newer permissions, i.e., Alerts (Read) in addition to the existing Hosts (Read) permission.

 

Configure CrowdStrike


To configure CrowdStrike in SAFE:

  1. Log in to your SAFE account as Admin.

  2. Click Integrations in the left navigation.

  3. Hover over or click the CrowdStrike Falcon card to configure it.

  4. Enter the connection details (CrowdStrike URL, Client ID, and Client Secret).

  5. Optionally, Tag Filters can also be added to pull selective data from CrowdStrike to SAFE.
    Tag Filters allow users to fetch filtered data from CrowdStrike to SAFE using tags. If no tag name is given, the system fetches data for all assets that the user has access to. Multiple tag names can be added, separated by commas. Example: admin, location, department.

  6. If needed, mark the Auto Onboard New Assets checkbox.
    Auto Onboard New Assets - By default, any assets in CrowdStrike that are not found in SAFE will be onboarded. This option can be unchecked to limit the integration to pull in findings of only the assets present in SAFE.

  7. If needed, uncheck the "Update Existing Assets Metadata" checkbox.
    Update Existing Assets Metadata: If this checkbox is marked, the asset's metadata, such as asset name, IP address, etc., will get updated based on the data pulled from CrowdStrike. 

  8. Enter the Auto Sync frequency in the number of days.

  9. Click the Test Connection button.

  10. Once the connection is validated, click the Save button.

  11. Once the configuration is saved, click the Sync Now button to trigger the on-demand sync outside of the scheduled auto sync. The auto-sync time is 01:15 UTC.

CrowdStrike Configuration

FQDN Population


The FQDN is populated from CrowdStrike Falcon using the hostname and the machine_domain (Active Directory Domain). It is populated only when the Active Directory Domain (machine_domain) is configured in CrowdStrike.

View Result


After a successful sync, SAFE automatically pulls the CrowdStrike assets and EDR data.

  1. Go to the Integration.

  2. Scroll to find the CrowdStrike Falcon integration card or search for CrowdStrike Falcon in the search bar.

  3. Click on the CrowdStrike Falcon integration card for Finding View and Asset View.

    • Finding View: This tab displays all the findings details pulled from CrowdStrike Falcon.

    • Assets View: This tab displays all the findings details pulled from CrowdStrike Falcon.

FAQs


1. How is the CrowdStrike to SAFE asset type mapping done?

The CrowdStrike asset's operating system (the os_version field returned by CrowdStrike APIs) determines the SAFE asset type it is mapped to. The mapping can be viewed or updated using the GET and POST /settings/os-to-safe-asset-type-mapping API.

2. What assessment data does SAFE pull from CrowdStrike, and for which types of assets?

SAFE does not perform any native assessment of the CrowdStrike assets. SAFE pulls the detections from CrowdStrike and adds/updates them as EDR findings in SAFE.

3. Which CrowdStrike detections are used for scoring an asset in SAFE?

Only the detections that are in New, In Progress, True Positive, Ignored, or Re-Opened state in CrowdStrike will be used as EDR findings for scoring assets in SAFE.

4. How can I view the list of all EDR Findings of an asset in SAFE?

A list of all EDR Findings of an asset can be viewed by going to the asset details page and clicking on the number in the EDR Findings Count row. 

Note

If no EDR Findings Count row is displayed for that asset, the asset type is not supported for EDR assessments in SAFE.

5. Why is there a difference between the total count of EDR Controls and the EDR Findings count of an asset in SAFE?

EDR findings count contains all individual failing instances for EDR controls, which means EDR findings can be more than the number of EDR controls as there may be multiple failing instances of an EDR control.

6. How do I know if an EDR detection has multiple failing instances on an asset?

One way to identify whether an EDR finding has multiple failing instances is to check the observation section of the assessed control. Observation contains the different detection instances as returned by CrowdStrike. Another way is to go to that failed control’s details page and check if it has multiple instances.

7. How can I check the Sync status for CrowdStrike Integration?

To view the information for any saved configuration, use GET /integrations/:instance_id. It returns all config fields except the encrypted ones, whose names are listed in the sensitiveFields array instead. It also returns the config state and the current sync status.

{
  "id": 1,
  "type": "edrplugin",
  "subtype": "crowdstrike",
  "config": {
    "url": "https://www.test.com/",
    "clientId": "username",
    "sensitiveFields": [
      "clientSecret"
    ],
    "autoSyncFrequency": 1,
    "shouldImportAssets": true,
    "assetMatchingCriteria": [
      "asset_name",
      "ip_address",
      "mac_address"
    ]
  },
  "state": {
    "error": null,
    "stage": "COMPLETED",
    "status": 0,
    "totalAssets": 43,
    "failedAssets": 0,
    "lastScanTriggerTs": "2022-08-30T12:30:29.502Z",
    "completionPercentage": 100,
    "lastScanCompletionTs": "2022-08-30T12:34:17.173Z"
  },
  "isEnabled": true
}

8. What are the possible values of the state of CrowdStrike sync?

The following are the possible values for the sync stage:

| Stage | Meaning |
|---|---|
| QUEUED | Sync request has been received and will begin soon |
| TRANSFORMING | Sync is in progress |
| COMPLETED | Finished sync |
| ERROR | Error occurred during sync |

Each stage will have its own completion percentage for reference.

The following are the possible values for sync status:

| Status | Meaning |
|---|---|
| 0 | Success |
| 1 | In Progress |
| 2 | Error |
| 3 | Partial Success |
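
A sync health check built on the response fields from FAQ 7 and the stage and status values from FAQ 8, as an added example that is not SAFE's own code. It works on an already-fetched GET /integrations/:instance_id response; `check_sync`, `parse_ts` and the `grace_hours` allowance are names assumed here.

```python
import json
from datetime import datetime, timedelta, timezone

# Stage and status values as listed in FAQ 8.
STATUS = {0: "Success", 1: "In Progress", 2: "Error", 3: "Partial Success"}
STAGES = {"QUEUED", "TRANSFORMING", "COMPLETED", "ERROR"}

def parse_ts(value):
    # Timestamps in the sample response are UTC with fractional seconds and a "Z".
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def check_sync(integration, now, grace_hours=6):
    """Return a list of problems found in a GET /integrations/:instance_id response."""
    problems = []
    config, state = integration["config"], integration["state"]
    # Encrypted fields must only be named in sensitiveFields, never returned as values.
    for field in config.get("sensitiveFields", []):
        if field in config:
            problems.append(f"sensitive field '{field}' returned in config")
    if not integration.get("isEnabled"):
        problems.append("integration is disabled")
    stage, status = state.get("stage"), state.get("status")
    if stage not in STAGES:
        problems.append(f"unknown stage {stage!r}")
    if status not in STATUS:
        problems.append(f"unknown status {status!r}")
    elif status in (2, 3):
        problems.append(f"last sync ended with {STATUS[status]}: {state.get('error')}")
    if state.get("failedAssets", 0) > 0:
        problems.append(f"{state['failedAssets']} of {state.get('totalAssets')} assets failed")
    # Stale if nothing completed within autoSyncFrequency days plus a grace period
    # (grace_hours is an assumption of this example, not a SAFE setting).
    done = state.get("lastScanCompletionTs")
    limit = timedelta(days=config["autoSyncFrequency"], hours=grace_hours)
    if done is None or now - parse_ts(done) > limit:
        problems.append(f"no completed sync since {done}")
    return problems

# Constructed input: trimmed copy of the sample response shown in FAQ 7.
SAMPLE = json.loads("""{"id": 1, "type": "edrplugin", "subtype": "crowdstrike",
  "config": {"url": "https://www.test.com/", "clientId": "username",
             "sensitiveFields": ["clientSecret"], "autoSyncFrequency": 1},
  "state": {"error": null, "stage": "COMPLETED", "status": 0, "totalAssets": 43,
            "failedAssets": 0, "lastScanCompletionTs": "2022-08-30T12:34:17.173Z"},
  "isEnabled": true}""")

if __name__ == "__main__":
    for when in ("2022-08-31T02:00:00.000Z", "2022-09-02T02:00:00.000Z"):
        print(when, check_sync(SAMPLE, parse_ts(when)) or "healthy")
```

An empty list means the last sync succeeded, is recent enough for the configured frequency, and the response did not expose a secret value.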

9. What should be the type and subType of integration while adding a new CrowdStrike integration via POST /integration API?

The type of integration should be "edrplugin" and subType should be "crowdstrike" while adding a new CrowdStrike integration using API.

10. Is it mandatory to provide tags in CrowdStrike Configuration?

No, it is not mandatory to provide the tags in CrowdStrike Configuration. Tags help users to configure a filter for the assets whose EDR data is pulled by SAFE. This is useful in case EDR findings of only a set of assets need to be pulled into SAFE.

11. Why are some of my assets showing with no score?

Assets may appear without a score in SAFE for the following reasons:

  • TTP Mapping: SAFE requires a TTP mapping to be present for an incoming signal to generate a score. If no mapping is available, no score will be created for the asset.

  • CrowdStrike Integration: If you have enabled the CrowdStrike integration and configured the "onboard assets" setting to "ON," any new assets identified by CrowdStrike that are not already in SAFE will be created as new assets. However, if there is no Malware Detection or other TTP signal in the CrowdStrike metadata at the time of asset creation, a score will not be generated for the asset.
    To resolve this and generate a score for the asset, one of the following actions must occur:

    • CrowdStrike provides a Malware Detection or other TTP signal for the asset.

    • A signal for the asset is provided from another source, such as a Vulnerability Assessment and Configuration Assessment.

By ensuring the presence of a TTP signal, either from CrowdStrike or another source, you can enable SAFE to generate a score for your assets.

12. What happens when an EDR control is marked as 'Accepted Failed' in SAFE?

When a control is marked as 'Accepted Failed' in SAFE, the system ignores the control completely in all future assessments. Hence, the control's information, such as status and observation, won't be updated unless the control is manually reverted to the 'Not Assessed' status.

13. Why are tags not getting pulled after creating the mentioned custom field (cs-falcon-tags) and triggering the CrowdStrike sync?

There is a cache of 15 minutes or so between the creation of a new custom field and signal ingestion taking it into account to populate the tags. Trigger the CrowdStrike sync again after that interval and validate it again.

14. Why is an EDR detection that shows as closed still getting pulled into SAFE with a different status?

Check the new Endpoint Detections page in CrowdStrike and validate the findings pulled into SAFE.

15. Why is FQDN not getting populated from CrowdStrike?

FQDN is only populated when the Active Directory Domain (machine_domain) is configured in CrowdStrike.

