CrowdStrike

About this document


This document gives you the step-by-step procedure to configure CrowdStrike in SAFE.

Prerequisites


You need the following connector details to establish the SAFE - CrowdStrike connection.

  • Base URL
  • Client ID
  • Secret Key
Important
To create API clients and secrets, you must have the Falcon Administrator role in CrowdStrike. The API client secret value is shown only when a new API client is created or when the secret is reset, so copy it at that time.

Follow the below step-by-step procedure to get the connector details:

  1. Log in to your CrowdStrike instance.
  2. Navigate to the Support > API Clients and Keys menu.
  3. Click Add new API Client. The API scope view opens.
  4. Enter the Client Name and Description.
  5. Select the Read checkbox for Detections and Hosts under the API Scopes section.
  6. Click the Add button.
  7. The system displays the connector details (Base URL, Client ID, and Secret Key). Copy these details.

Configure CrowdStrike


To configure CrowdStrike in SAFE:

  1. Navigate to Administration > SAFE Hooks > Assessment Tools.
  2. Click the Configure button on the CrowdStrike Falcon card.
  3. On the CrowdStrike Falcon configuration page, enter the connector details (Base URL, Client ID, and Secret Key).
  4. Enter the Auto Sync Frequency as a number of days.
  5. Click the Test Connection button.
  6. Once the connection is validated, click the Save button.
  7. Enable the CrowdStrike Falcon toggle switch at the top-right corner of the screen. The system enables the SAFE - CrowdStrike integration.
  8. Click the SyncNow button. Once the sync completes, assets (servers and endpoints) already available in SAFE show their EDR detections (if the asset has any open detections) under the asset metadata information.

Note

It is assumed that the CrowdStrike instance is dedicated to the organization, i.e., not an MSSP version, where the API endpoints might differ.

Data Utilization


SAFE fetches the following information from CrowdStrike to identify open EDR detections and map them to assets that are already onboarded in SAFE.

  • Detection severity
  • File name flagged by the EDR
  • Detection time
  • Current status of the detection
  • Hostname/IP address
  • Operating system of the host

This information is then used to map the open detections against the corresponding host, which has already been onboarded on SAFE. The metadata of the affected host and the detection is then utilized by the SAFE Scoring API to calculate the score of that given asset, in addition to considering the current status of Configuration Assessment, Vulnerability Assessment, and Policy controls. The details of the closed detections are not stored or utilized by SAFE.

Supported Asset Types


SAFE fetches open EDR detections from CrowdStrike only for the asset types listed below. If an asset has an open EDR detection but is not available in SAFE, or its asset type is not in this list, that malware information will not be available in SAFE.

  • SUSE Linux 11.x
  • SUSE Linux 12.x
  • SUSE Linux 15.x
  • Amazon Linux 1
  • Amazon Linux 2
  • CentOS 6.x
  • CentOS 7.x
  • CentOS 8.x
  • macOS Big Sur
  • macOS Catalina
  • macOS Mojave
  • macOS Monterey
  • Red Hat Enterprise Linux 6.x
  • Red Hat Enterprise Linux 7.x
  • Red Hat Enterprise Linux 8.x
  • Ubuntu 14.x
  • Ubuntu 16.x
  • Ubuntu 18.x
  • Ubuntu 20.x
  • Windows 10
  • Windows 7
  • Windows 8
  • Windows 8.1
  • Windows Embedded Standard
  • Windows Server 2008
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019
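As an added illustration of the rules in the Data Utilization and Supported Asset Types sections (this is example code, not SAFE's or CrowdStrike's own), the Python below takes the detection fields the page lists, drops closed detections, matches each open one to an onboarded asset by hostname or IP address, and discards detections whose host OS is outside the supported list. The record layouts, the status vocabulary treated as "closed", and the sample detections are constructed assumptions; the supported OS set is copied from the list above.

```python
"""Map open CrowdStrike EDR detections onto assets already onboarded in SAFE.

Added example; not SAFE's or CrowdStrike's code. Record layouts, the closed
status vocabulary and the sample data below are assumptions for the demo.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Asset types for which SAFE keeps open detections (copied from the page).
SUPPORTED_OS = {
    "SUSE Linux 11.x", "SUSE Linux 12.x", "SUSE Linux 15.x",
    "Amazon Linux 1", "Amazon Linux 2",
    "CentOS 6.x", "CentOS 7.x", "CentOS 8.x",
    "macOS Big Sur", "macOS Catalina", "macOS Mojave", "macOS Monterey",
    "Red Hat Enterprise Linux 6.x", "Red Hat Enterprise Linux 7.x",
    "Red Hat Enterprise Linux 8.x",
    "Ubuntu 14.x", "Ubuntu 16.x", "Ubuntu 18.x", "Ubuntu 20.x",
    "Windows 10", "Windows 7", "Windows 8", "Windows 8.1",
    "Windows Embedded Standard",
    "Windows Server 2008", "Windows Server 2008 R2",
    "Windows Server 2012", "Windows Server 2012 R2",
    "Windows Server 2016", "Windows Server 2019",
}

# Assumed status vocabulary: these statuses count as closed and are dropped,
# matching the page's rule that closed detections are not stored by SAFE.
CLOSED_STATUSES = {"closed", "false_positive", "ignored"}


@dataclass(frozen=True)
class Detection:
    """The fields the page says SAFE fetches for each detection."""
    severity: str
    file_name: str
    detected_at: str
    status: str
    hostname: str
    ip_address: str
    os_version: str


@dataclass
class Asset:
    """An asset already onboarded in SAFE (hypothetical record layout)."""
    hostname: str
    ip_address: str
    edr_detections: List[dict] = field(default_factory=list)


def is_open(detection: Detection) -> bool:
    """Open means any status not in the assumed closed set."""
    return detection.status.lower() not in CLOSED_STATUSES


def map_detections(detections: List[Detection],
                   assets: List[Asset]) -> Dict[str, int]:
    """Attach each open, supported detection to its onboarded asset.

    Returns counts of what was mapped and why the rest was skipped; after a
    sync, a large 'not_onboarded' or 'unsupported_os' count explains why EDR
    data is missing for some hosts in SAFE.
    """
    by_host = {a.hostname.lower(): a for a in assets}
    by_ip = {a.ip_address: a for a in assets}
    counts = {"mapped": 0, "closed": 0, "not_onboarded": 0, "unsupported_os": 0}
    for d in detections:
        if not is_open(d):
            counts["closed"] += 1          # closed detections are discarded
            continue
        asset = by_host.get(d.hostname.lower()) or by_ip.get(d.ip_address)
        if asset is None:
            counts["not_onboarded"] += 1   # host is not an asset in SAFE
            continue
        if d.os_version not in SUPPORTED_OS:
            counts["unsupported_os"] += 1  # asset type outside the list
            continue
        asset.edr_detections.append({
            "severity": d.severity, "file_name": d.file_name,
            "detected_at": d.detected_at, "status": d.status,
        })
        counts["mapped"] += 1
    return counts


def run_demo() -> Tuple[Dict[str, int], List[Asset]]:
    """Constructed sample: two onboarded assets and four detections."""
    assets = [
        Asset("WS-FIN-01", "10.0.1.15"),
        Asset("srv-lab-02", "10.0.2.40"),
    ]
    detections = [
        Detection("High", "invoice.pdf.exe", "2023-01-10T08:15:00Z", "new",
                  "ws-fin-01", "10.0.1.15", "Windows 10"),          # mapped
        Detection("Medium", "macro.docm", "2023-01-09T12:00:00Z", "closed",
                  "WS-FIN-01", "10.0.1.15", "Windows 10"),          # closed
        Detection("Critical", "dropper.bin", "2023-01-10T09:30:00Z", "in_progress",
                  "unknown-host", "192.0.2.77", "Ubuntu 20.x"),     # not onboarded
        Detection("Low", "tool.ps1", "2023-01-10T10:00:00Z", "new",
                  "srv-lab-02", "10.0.2.40", "Windows Server 2022"),  # OS not listed
    ]
    return map_detections(detections, assets), assets


if __name__ == "__main__":
    summary, onboarded = run_demo()
    print(summary)
    for a in onboarded:
        print(a.hostname, a.edr_detections)
```

The skip counters are the practical part: when an expected detection does not appear under an asset in SAFE after SyncNow, the three reasons the page gives (closed, host not onboarded, unsupported asset type) are exactly the three buckets this function reports.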
