CrowdStrike Falcon Discover
- Updated on 20 Sep 2024
CrowdStrike Falcon Discover is a network security monitoring tool that provides real-time visibility into devices, users, and applications.
Types of Assets Fetched
This adapter fetches the following types of assets:
- Devices
- Users
- Software
- SaaS Applications
Parameters
Host Name or IP Address (required, default api.crowdstrike.com) - The hostname or IP address of the CrowdStrike Falcon Discover server.
Client ID and Client Secret (required) - The Client ID and Client Secret. Refer to creating credentials for information about how to create the Client ID and Client Secret.
Verify SSL - Select whether to verify the SSL certificate of the server against the CA database inside of Axonius. For more details, see SSL Trust & CA Settings.
HTTPS Proxy (optional) - Connect the adapter to a proxy instead of directly connecting it to the domain.
HTTPS Proxy User Name (optional) - The user name to use when connecting to the value supplied in Host Name or IP Address via the value supplied in HTTPS Proxy.
HTTPS Proxy Password (optional) - The password to use when connecting to the server using the HTTPS Proxy.
Enhanced Device Search Settings - These settings help to ensure the greatest number of devices will be returned. For example, if many devices in a specific location have "LAPTOP-" as a prefix, you can add "LAPTOP-" to the list of prefixes to search for.
- Add support for host naming conventions - Toggle on to enable the adapter to search for devices based on host names when there are naming conventions in place.
- Host Name Prefix - Enter a comma-separated list of host name prefixes to search for.
Note:
- This could potentially bring back more devices.
- This feature does not support regex.
To learn more about common adapter connection parameters and buttons, see Adding a New Adapter Connection.
Advanced Settings
Advanced settings can either apply to all connections for this adapter, or you can set different advanced settings and/or different scheduling for a specific connection. Refer to Advanced Configuration for Adapters.
- Fetch applications - Select this option to fetch applications (installed software) on each device.
- Only fetch applications used in the last X days (leave 0 for all) - Enter a value higher than zero and select Fetch applications in order to only fetch applications used within the selected number of days. Leave 0 (default) to fetch all applications, regardless of the last used timestamp.
- Filter installed software - Toggle on this setting to filter the installed software.
- Require software name - Only populate installed software if the software has a name.
- Use file name if no software name - If the software does not have a name, use the file name.
- Filter by software name - Toggle on to filter by software name. Select either Include or Exclude to set software names that will either be included or excluded in the fetch.
- List - Enter a comma-separated list of software names to either exclude or include.
- Fetch IoT devices - Select this option to fetch the IoT devices from the discover/queries/iot-hosts/v1 endpoint.
- Fetch only latest software versions - Enable this option to choose only the device with the latest last-seen timestamp.
- Fetch only software with Update Time and Last Used On present - Enable this option to fetch only software with existing values for the following attributes: last_updated_timestamp: "string", last_used_timestamp: "string".
- Fetch users - Toggle on this option to fetch users.
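The software filters above decide which installed applications reach the inventory, so it helps to see what a given combination would drop before enabling it. The following is an added example, not Axonius or CrowdStrike code: it models the settings on constructed records, and the record layout, exact case-insensitive name matching, and the treatment of a missing last-used value as stale are all assumptions.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 9, 20, tzinfo=timezone.utc)  # fixed "today" for the sample

def app(name, file_name, updated, used):
    return {"name": name, "file_name": file_name,
            "last_updated_timestamp": updated, "last_used_timestamp": used}

# Constructed sample records. The two timestamp field names are from the page;
# "name", "file_name" and the ISO 8601 values are assumptions.
APPS = [
    app("OpenSSL", "openssl.exe", "2024-09-01T00:00:00Z", "2024-09-18T00:00:00Z"),
    app("", "legacy_vpn.exe", "2023-01-10T00:00:00Z", "2024-09-19T00:00:00Z"),
    app("Old FTP Client", "ftp.exe", "2021-05-05T00:00:00Z", "2022-02-02T00:00:00Z"),
    app("Backup Agent", "bkagent.exe", "2024-08-01T00:00:00Z", ""),
]

def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

def software_dry_run(apps, used_within_days=0, require_name=False,
                     file_name_fallback=False, require_timestamps=False,
                     mode=None, names=(), now=NOW):
    """Return (kept, dropped); dropped holds (label, reason) pairs."""
    wanted = {n.strip().lower() for n in names}
    kept, dropped = [], []
    for rec in apps:
        name = rec["name"] or (rec["file_name"] if file_name_fallback else "")
        label = name or rec["file_name"]
        used = parse_ts(rec["last_used_timestamp"])
        updated = parse_ts(rec["last_updated_timestamp"])
        if require_name and not name:
            reason = "no software name"
        elif require_timestamps and not (used and updated):
            reason = "missing timestamp"
        elif used_within_days > 0 and (
                used is None or now - used > timedelta(days=used_within_days)):
            reason = "not used recently"  # assumption: unknown last-used is stale
        elif mode == "include" and name.lower() not in wanted:
            reason = "not in include list"
        elif mode == "exclude" and name.lower() in wanted:
            reason = "in exclude list"
        else:
            kept.append(label)
            continue
        dropped.append((label, reason))
    return kept, dropped
```

With Require software name on and the file-name fallback off, the unnamed binary that was used a day before the sample date drops out of the inventory; turning on Use file name if no software name keeps it.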
Advanced device filtering
Filter devices - Toggle on this option to filter devices and configure relevant settings.
Filter by data providers - Toggle on to filter by data providers. Select either Include or Exclude to set data providers that will either be included or excluded in the fetch.
- List - In the field, enter data providers to either exclude or include.
Filter by discoverer count - Toggle on to filter devices by their discoverer count field. Select Greater than if devices need more discoverers in order to be fetched or Less than if devices need fewer discoverers in order to be fetched. Otherwise, select Equal to or Not Equal.
- Amount - Set the number of discoverers required by a device.
- Filter by confidence level - From the dropdown, select the confidence level.
Separate historical IP addresses
- Separate historical IP addresses - Toggle on to configure a pattern to apply to an interface alias in order to identify a historical IP address and record it separately from current IP addresses. Historical IP addresses will not be taken into account for device correlation but will remain queryable, if desired.
- Interface alias regex pattern - In the field, enter a regex pattern to apply to an interface alias in order to identify a historical IP address.
- Ingest devices only if type is "managed" - Select this option to only fetch devices whose type is "managed".
- Ingest devices only if Product Type exists - Select this option to only ingest devices if the Product Type field exists on the device.
- Ingest devices only if hostname exists - Select this option to only ingest devices if the hostname field exists on the device.
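For the Interface alias regex pattern setting above, a candidate pattern can be dry-run against known aliases before it is entered, since every alias it matches moves that IP out of device correlation. This is an added example, not Axonius code: the alias names and IPs are constructed, and unanchored Python `re.search` matching is an assumption about how the pattern is applied.

```python
import re

# Constructed sample: per-device interfaces as (alias, ip). The alias
# naming is an assumption; check the aliases in your own device data.
DEVICES = {
    "ws-0142": [("Ethernet0", "10.20.1.15"), ("Ethernet0_prev_1", "10.20.7.88")],
    "lt-0031": [("Wi-Fi", "192.168.50.12"), ("Wi-Fi_prev_1", "172.16.4.9")],
    "srv-preview-01": [("preview-nic", "10.30.0.5")],
}

def split_ips(interfaces, pattern):
    """Partition IPs into (current, historical) by matching the alias."""
    rx = re.compile(pattern)
    current, historical = [], []
    for alias, ip in interfaces:
        (historical if rx.search(alias) else current).append(ip)
    return current, historical

def alias_dry_run(devices, pattern):
    """Per device: resulting IP sets, plus a flag when no current IP remains."""
    report = {}
    for host, interfaces in devices.items():
        current, historical = split_ips(interfaces, pattern)
        report[host] = {"current": current, "historical": historical,
                        "no_current_ip": not current}
    return report
```

On this sample, the anchored pattern `_prev_\d+$` moves only the two `_prev_1` addresses, while the loose pattern `prev` also matches `preview-nic` and leaves `srv-preview-01` with no current IP for correlation.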
To learn more about Adapter Configuration tab advanced settings, see Adapter Advanced Settings.
APIs
Axonius uses:
CrowdStrike Falcon Discover Applications (for the Advanced setting, 'Fetch applications')
Required Permissions
The value supplied in Client ID must have Read permissions in order to fetch assets.
Supported From Version
Supported from Axonius version 4.8