CrowdStrike Falcon

About this document


This document gives you the step-by-step procedure to configure CrowdStrike Falcon in SAFE.

Note

SAFE can only generate a score for an asset if the incoming signal for that asset has a TTP mapping. If CrowdStrike reports an asset with no signals mapped to one or more TTPs, no score is generated. Typically, CrowdStrike includes a TTP signal only when there is an open detection for malware. For optimal outcomes, SAFE recommends pairing EDR integration results with Vulnerability Assessment and Configuration Assessment data so that every asset generates a score.

Prerequisite


You need the following connection details to establish the SAFE - CrowdStrike Falcon connection.

  • CrowdStrike URL

  • Client ID

  • Client Secret

Important

To create API clients and secrets, you must have a Falcon Administrator role in CrowdStrike. The API client secret value is only shown when a new API client is created or while resetting it.

Follow the steps below to get the connector details:

  1. Log in to your CrowdStrike instance.

  2. Navigate to the Support > API Clients and Keys menu.

  3. Click Add new API Client. This opens the API scope view.

  4. Enter the Client Name and Description.

  5. Select the Read checkbox for Detections and Hosts under the API Scopes section.

  6. Click the Add button.

  7. The system displays the connection details (URL, Client ID, and Client Secret).

  8. Copy the connection details.

Configure CrowdStrike


To configure CrowdStrike in SAFE:

  1. Navigate to the SAFE Hooks.

  2. Click the CrowdStrike Falcon card. 

  3. Enter the connection details (CrowdStrike URL, Client ID, and Client Secret) on the CrowdStrike Falcon configuration page.

  4. (Optional) Enter the Tag Filters to pull selective data from CrowdStrike to SAFE.
    Tag Filter: SAFE lets you fetch filtered data from CrowdStrike using Tags. If no Tag Name is entered in this field, the system fetches data for all assets the user has access to.
    You can enter multiple Tag names separated by commas.
    Example: admin, location, department.

  5. If needed, uncheck the "Update Existing Assets Metadata" checkbox.
    Update Existing Assets Metadata: If this checkbox is marked, the asset's metadata, such as asset name, IP address, etc., is updated based on the data pulled from CrowdStrike.

  6. If needed, mark or unmark the Onboard Assets checkbox.
    Onboard Assets: By default, any assets in CrowdStrike that are not found in SAFE are onboarded. Uncheck this option to limit the integration to pulling findings only for assets already present in SAFE.

  7. Enter the Auto Sync frequency in the number of days.

  8. Click the Test Connection button.

  9. Once the connection is validated, click the Save button.

  10. Once the configuration is saved, click the Sync Now button to trigger the on-demand sync outside of the scheduled auto sync. The auto-sync time is 01:15 UTC.


View Result


After a successful sync, SAFE automatically pulls the CrowdStrike assets and EDR data.

To view the result:

  1. Navigate to Technology > Assets.

  2. Filter the asset list for signal source equals security.safe.crowdstrike.



  3. Click an asset from the list to view the controls and their status. 

  4. Further clicking a control redirects you to the control details page, where you can see the MITRE ATT&CK mapping.

FAQs


1. How is the CrowdStrike to SAFE asset type mapping done?

The CrowdStrike asset's Operating System (the os_version field returned by the CrowdStrike APIs) is used to map it to a SAFE asset type. The mapping can be viewed or updated using the GET and POST /settings/os-to-safe-asset-type-mapping APIs.

2. What assessment data does SAFE pull from CrowdStrike, and for which types of assets?

SAFE does not perform any native assessment of the CrowdStrike assets. SAFE pulls the detections from CrowdStrike and adds/updates them as EDR findings in SAFE.

3. Which CrowdStrike detections are used to score an asset in SAFE?

Only the detections which are in New, In Progress, True Positive, Ignored, or Re-Opened state in CrowdStrike will be used as EDR findings for scoring assets in SAFE.

4. How can I view the list of all EDR Findings of an asset in SAFE?

A list of all EDR Findings of an asset can be viewed by going to the asset details page and clicking on the number in the EDR Findings Count row. 

Note

If no EDR Findings Count row is displayed for that asset, the asset type is not supported for EDR assessments in SAFE.

5. Why is there a difference between the total count of EDR Controls and the EDR Findings count of an asset in SAFE?

The EDR Findings count includes every individual failing instance of the EDR controls, so the number of EDR findings can exceed the number of EDR controls when a control has multiple failing instances.

6. How do I know if an EDR detection has multiple failing instances on an asset?

One way to identify whether an EDR finding has multiple failing instances is to check the observation section of the assessed control. Observation contains the different detection instances as returned by CrowdStrike. Another way is to go to that failed control’s details page and check if it has multiple instances.
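To make the relationship between detection states (FAQ 3), the EDR Findings count and the EDR Controls count (FAQ 5) and multi-instance controls (FAQ 6) concrete, here is an added Python example; it is not SAFE's or CrowdStrike's code. The detection records and their field names (detection_id, status, control) are constructed for the example, as are the non-scoring states "Closed" and "False Positive"; only the five scoring states come from this page.

```python
from collections import Counter

# Detection states this page lists as counting toward an asset's EDR findings.
SCORING_STATES = {"New", "In Progress", "True Positive", "Ignored", "Re-Opened"}

# Constructed detections for one asset. The field names are assumptions;
# CrowdStrike's real detection schema is not described on this page.
SAMPLE_DETECTIONS = [
    {"detection_id": "det-1", "status": "New", "control": "Malware detection"},
    {"detection_id": "det-2", "status": "True Positive", "control": "Malware detection"},
    {"detection_id": "det-3", "status": "Re-Opened", "control": "Malware detection"},
    {"detection_id": "det-4", "status": "In Progress", "control": "Suspicious process"},
    # "Closed" and "False Positive" are constructed non-scoring states for illustration.
    {"detection_id": "det-5", "status": "Closed", "control": "Suspicious process"},
    {"detection_id": "det-6", "status": "False Positive", "control": "Credential access tooling"},
]


def scoring_detections(detections):
    """Keep only detections whose state counts as an EDR finding in SAFE."""
    return [d for d in detections if d["status"] in SCORING_STATES]


def findings_vs_controls(detections):
    """Explain why the EDR Findings count can exceed the EDR Controls count.

    Each kept detection is one finding; distinct control names are the controls;
    a control with more than one kept detection has multiple failing instances.
    """
    kept = scoring_detections(detections)
    per_control = Counter(d["control"] for d in kept)
    return {
        "edr_findings": len(kept),
        "edr_controls": len(per_control),
        "instances_per_control": dict(per_control),
        "multi_instance_controls": sorted(c for c, n in per_control.items() if n > 1),
    }


if __name__ == "__main__":
    result = findings_vs_controls(SAMPLE_DETECTIONS)
    print(f"{result['edr_findings']} findings across {result['edr_controls']} controls")
    for control, count in result["instances_per_control"].items():
        print(f"  {control}: {count} failing instance(s)")
```

On the constructed input, four of the six detections are in scoring states, they fall under two controls, and "Malware detection" is the one control with several failing instances; "Credential access tooling" has no scoring detection and therefore contributes no control at all.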

7. How can I check the Sync status for CrowdStrike Integration?

To view the information for any saved configuration, call GET /integrations/:instance_id. It returns all config fields except those listed in the sensitiveFields array, which are stored encrypted and never returned. It also returns the config state and the current sync status.

{
  "id": 1,
  "type": "edrplugin",
  "subtype": "crowdstrike",
  "config": {
    "url": "https://www.test.com/",
    "clientId": "username",
    "sensitiveFields": [
      "clientSecret"
    ],
    "autoSyncFrequency": 1,
    "shouldImportAssets": true,
    "assetMatchingCriteria": [
      "asset_name",
      "ip_address",
      "mac_address"
    ]
  },
  "state": {
    "error": null,
    "stage": "COMPLETED",
    "status": 0,
    "totalAssets": 43,
    "failedAssets": 0,
    "lastScanTriggerTs": "2022-08-30T12:30:29.502Z",
    "completionPercentage": 100,
    "lastScanCompletionTs": "2022-08-30T12:34:17.173Z"
  },
  "isEnabled": true
}

8. What are the possible values of the state of CrowdStrike sync?

The following are the possible values for the sync stage:

Stage         Meaning
QUEUED        Sync request has been received and will begin soon
TRANSFORMING  Sync is in progress
COMPLETED     Finished sync
ERROR         Error occurred during sync

Each stage has its own completion percentage for reference.

The following are the possible values for the sync status:

Status  Meaning
0       Success
1       In Progress
2       Error
3       Partial Success

9. What should be the type and subType of integration while adding a new CrowdStrike integration via POST /integration API?

When adding a new CrowdStrike integration using the API, the type of the integration should be "edrplugin" and the subType should be "crowdstrike".

10. Is it mandatory to provide tags in CrowdStrike Configuration?

No, it is not mandatory to provide the tags in CrowdStrike Configuration. Tags help users to configure a filter for the assets whose EDR data is pulled by SAFE. This is useful in case EDR findings of only a set of assets need to be pulled into SAFE.

11. Why are some of my assets showing with no score?

Assets may appear without a score in SAFE for the following reasons:

  • TTP Mapping: SAFE requires a TTP mapping to be present for an incoming signal to generate a score. If no mapping is available, no score will be created for the asset.

  • CrowdStrike Integration: If you have enabled the CrowdStrike integration and set the "Onboard Assets" option to ON, any new assets identified by CrowdStrike that are not already in SAFE are created as new assets. However, if there is no Malware Detection or other TTP signal in the CrowdStrike metadata at the time of asset creation, no score is generated for the asset.
    To resolve this and generate a score for the asset, one of the following must occur:

    • CrowdStrike provides a Malware Detection or other TTP signal for the asset.

    • A signal for the asset is provided from another source, such as a Vulnerability Assessment or Configuration Assessment.

By ensuring the presence of a TTP signal, either from CrowdStrike or another source, you enable SAFE to generate a score for your assets.

12. What happens when an EDR control is marked as 'Accepted Failed' in SAFE?

When a control is marked as 'Accepted Failed' in SAFE, the system ignores that control completely in all future assessments. As a result, the control's information, such as its status and observation, is not updated unless the control is manually reverted to the 'Not Assessed' status.

