CrowdStrike Alert
  • 24 Nov 2024

Axonius supports a CrowdStrike Alert as an event in a Workflow.

Workflows configured with a CrowdStrike Alert event are triggered when the Axonius Webhook URL receives an alert from CrowdStrike. The actions configured in the Workflow after the CrowdStrike Alert event are then triggered conditionally, according to the values in the relevant fields of the event.

Configuration Prerequisites

Before adding a CrowdStrike Alert event to a Workflow for the first time (or after the URL has changed in the System Settings), you must do the following:

  • In Axonius: Make sure that the URL of the Axonius CrowdStrike Webhook, and optionally the secure key, are configured in the Axonius System Settings so that Axonius can receive Webhook alerts from CrowdStrike.
  • In CrowdStrike: Configure the Axonius CrowdStrike Webhook URL, and optionally the HMAC Secret Key, in the CrowdStrike console so that CrowdStrike can send alerts to the Axonius Webhook URL.

The following sections describe how to integrate CrowdStrike with Axonius on both the Axonius and CrowdStrike sides.

CrowdStrike Webhook Settings in Axonius

Axonius provides a Webhook destination at which it receives alerts from CrowdStrike.
You can view the configuration of the CrowdStrike Webhook in System Settings > External Integrations > Workflows Events, with CrowdStrike selected in the Select Product dropdown.

[Screenshot: CrowdStrike Webhook settings in Axonius]

The Workflows Events dialog includes the following information for CrowdStrike:

  • The URL of the Axonius Webhook that receives CrowdStrike events, with an adjacent Copy icon. This URL is predefined in the system.
  • Private Secure Key (X-API-Key) (optional) - This field holds the secure key value entered in HMAC Secret Key (see Configuring an Axonius Custom Webhook in CrowdStrike below). CrowdStrike uses this key to sign the events it sends to the Axonius Webhook, and Axonius uses the same key to verify that events arriving at the Axonius Webhook are from CrowdStrike.

Configuring an Axonius Custom Webhook in CrowdStrike

This section explains how to configure an Axonius Custom Webhook in CrowdStrike, which means configuring the following in CrowdStrike:

  • The Axonius Webhook URL.
  • The HMAC Secret Key value (optional).

Note:

You need to configure the Axonius Custom Webhook URL in CrowdStrike only once, unless the Axonius Webhook URL changes.

To configure the Axonius Custom Webhook in CrowdStrike

  1. In the Falcon console, go to the CrowdStrike Store.
  2. Navigate to Webhook.
  3. Click Configure.
  4. Click Add configuration.
  5. In Name, type a meaningful name for the Webhook.
  6. In Webhook URL, paste the Axonius CrowdStrike Webhook URL - the URL that the CrowdStrike Webhook will post to.
  7. In HMAC Secret Key, add a key of at least 32 characters for use in generating an HMAC signature in requests from CrowdStrike to your webhook.
    Enter this key in Private Secure Key (X-API-Key) in the Axonius CrowdStrike Webhook Settings to use in your webhook to verify requests are from CrowdStrike.
Important:

While you must provide a value here, if you don’t want to verify that a request is from CrowdStrike, you can enter any 32 or more characters for the value.

  8. Leave the Signature Header Name value set to its default value of X-CS-Primary-Signature. The value sent in this header is based on the key specified in the HMAC Secret Key field.
  9. Click Save configuration. CrowdStrike is now set up to send events to the Axonius Webhook.

CrowdStrike Event Delivery to Axonius

CrowdStrike delivers an event to the Axonius Webhook URL when an alert is triggered in CrowdStrike.

The following describes how a CrowdStrike alert is sent to Axonius:

  1. When CrowdStrike generates an alert, an event is triggered.
  2. CrowdStrike sends an HTTP POST request to the dedicated Axonius Webhook URL. The HTTP POST request includes the event and, if the HMAC Secret Key is configured (optional), the following three headers:
    • x-cs-primary-signature - The signature of the request, computed from the key specified in the HMAC Secret Key field.
    • x-cs-delivery-timestamp
    • x-cs-signature-algorithm
  3. If the secure key is configured in Axonius System Settings > Workflow Events > CrowdStrike, the Axonius Webhook computes a signature from the secure key, reads the signature from the request headers, and compares the computed signature to the one in the request. If they match, the Axonius Webhook accepts and acknowledges CrowdStrike's HTTP POST request; otherwise the request is rejected.
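The receiver-side check in step 3, as an added illustration that is not Axonius or CrowdStrike code. It assumes (the page does not specify this) that the signature is a hex-encoded HMAC-SHA256 over the raw request body and that the delivery timestamp is in epoch seconds; the sample event, key and headers are constructed, and the replay window is an added defensive check.

```python
import hmac
import hashlib
import time
from typing import Optional, Tuple

# Assumption (not from the Axonius page): HMAC-SHA256 over the raw body, hex
# encoded, with an epoch-seconds delivery timestamp. Stale deliveries are
# rejected so a captured request cannot simply be redelivered later.
MAX_SKEW_SECONDS = 300


def sign_body(secret: str, body: bytes) -> str:
    """Sender side of the assumed scheme: hex HMAC-SHA256 of the raw body."""
    return hmac.new(secret.encode("utf-8"), body, hashlib.sha256).hexdigest()


def verify_crowdstrike_webhook(secret: str, headers: dict, body: bytes,
                               now: Optional[float] = None) -> Tuple[bool, str]:
    """Recompute the signature from the configured key and compare it to the
    one in the request. Returns (accepted, reason). Header names are matched
    case-insensitively and the comparison is constant-time."""
    h = {k.lower(): v for k, v in headers.items()}
    sig = h.get("x-cs-primary-signature")
    ts = h.get("x-cs-delivery-timestamp")
    alg = h.get("x-cs-signature-algorithm", "HMAC-SHA256")
    if not sig or not ts:
        return False, "missing signature or timestamp header"
    if alg.upper() != "HMAC-SHA256":
        return False, "unsupported algorithm " + alg
    try:
        delivered = int(ts)
    except ValueError:
        return False, "malformed timestamp"
    now = time.time() if now is None else now
    if abs(now - delivered) > MAX_SKEW_SECONDS:
        return False, "delivery timestamp outside accepted window"
    if not hmac.compare_digest(sign_body(secret, body), sig):
        return False, "signature mismatch"
    return True, "ok"


# Constructed sample delivery, not a real CrowdStrike event.
SECRET = "0123456789abcdef0123456789abcdef"  # 32+ characters, as in step 7
BODY = b'{"event_type":"DetectionSummaryEvent","severity":3}'
HEADERS = {
    "X-CS-Primary-Signature": sign_body(SECRET, BODY),
    "X-CS-Delivery-Timestamp": "1732406400",
    "X-CS-Signature-Algorithm": "HMAC-SHA256",
}

if __name__ == "__main__":
    print(verify_crowdstrike_webhook(SECRET, HEADERS, BODY, now=1732406400))
```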

Event Structure

The CrowdStrike custom Webhook delivers events to the Axonius Webhook URL.

You can view the Event Fields of each event payload sent to the URL by expanding the Event Fields in the CrowdStrike Alert pane.

[Screenshot: CrowdStrike Alert Event Fields]

You can follow up on a CrowdStrike event in a Workflow with an Enforcement Action based on these Event fields.
