CrowdStrike Falcon - Assign Role to User

CrowdStrike Falcon - Assign Role to User adds or removes roles to users in CrowdStrike Falcon for:

• Users that match the results of the selected saved query, and match the Enforcement Action Conditions, if defined.

General Settings

• Use stored credentials from CrowdStrike Falcon adapter - Select this option to use CrowdStrike Falcon connected adapter credentials. (add a link to adapter, only write the first when the select adapter is not there)
  • When you select this option, the Select Adapter Connection drop-down is available, and you can choose which adapter connection to use for this Enforcement Action.

📘

Note

To use this option, you must successfully configure a CrowdStrike Falcon adapter connection. Full link to adapter when relevant

Required Fields

These fields must be configured to run the Enforcement Set.

• Role IDs - A comma separated list of role IDs to assign to the users.
• Add/Remove assignment - Select the function to perform.

• Compute Node - The Axonius node to use when connecting to the specified host. For more details, see Working with Axonius Compute Nodes.

Additional Fields

These fields are optional.

• Customer ID (CID) - Your organization’s account identifier.
• Justification reason - The justification for assigning these roles to these users.

💡

Connection and Credentials

When Use stored credentials from the adapter is toggled off, some of the connection fields below are required to create the connection, while other fields are optional.

• CrowdStrike Domain - The hostname of the API server. Could be one of the following:

  • https://api.crowdstrike.com or https://api.us-2.crowdstrike.com (US region)
  • https://api.eu-1.crowdstrike.com/ (EU region)
  • https://api.laggar.gcw.crowdstrike.com/ (Government)

• User Name / Client ID and API Key / Client Secret - Enter the Client ID and Client Secret generated when you created the API client in CrowdStrike Falcon admin console.

• Admin User Name - The value you enter in the User Name field in CrowdStrike for the new user you created to allow Axonius to fetch Axonius SaaS Applications data.

• Admin Password - The password you set for the new user in CrowdStrike.

• 2FA Secret Key - The secret generated in CrowdStrike for setting up 2-factor authentication for the CrowdStrike user created for collecting Axonius SaaS Applications data.

• Member CID – Enter a CrowdStrike CID to fetch data from all tenants associated with that CID. To fetch data only from the primary tenant, leave this field blank.

• Verify SSL (optional) - Select whether to verify the SSL certificate of the server against the CA database inside of Axonius. For more details, see SSL Trust & CA Settings.

• HTTPS Proxy (optional) - Connect the adapter to a proxy instead of directly connecting it to the domain.

• Ignore devices that have not been seen by this connection in the last X hours – Select whether to avoid fetching old devices that are no longer part of your network, but that still exist in the present adapter connection.

• When enabled, the adapter fetches only device assets that have been seen by this connection within the specified number of hours (Last Seen field).

  • For example, if set to 2160 hours, any device not seen in the last 90 days will be ignored.

• When disabled, the adapter fetches devices according to the global Ignore devices that have not been seen by this connection in the last X hours option. For more information, see Adapter Advanced Settings.

• Threat Graph API Key - The API key used to access CrowdStrike Falcon's graph database.

• Gateway Name - Select the Gateway through which to connect to perform the action.

APIs

Axonius uses the CrowdStrike API.

Required Ports

Axonius must be able to communicate via the following ports:

• TCP Port 443

Required Permissions

The account used to access CrowdStrike must have user management write permissions.