CrowdStrike Falcon
- Updated on 30 May 2023
- 9 Minutes to read
This article explains how to configure the CrowdStrike Falcon adapter in Axonius. It fetches data such as devices, users, group membership, policy membership, spotlight vulnerabilities and agent version. It also allows for enforcement actions such as updating group membership and tags or isolating devices. Parameters such as domain name, user credentials and member CID are required to set up the connection. Advanced settings can be configured to fetch additional data from the Threat Graph API or filter out AWS duplicates based on hostname or external IP address.
CrowdStrike Falcon delivers next-generation antivirus, endpoint detection and response (EDR), managed threat hunting, and threat intelligence. If you are using CrowdStrike Falcon Identity Protection (formerly Preempt), you need to use the CrowdStrike Falcon Identity Protection adapter.
Types of Assets Fetched
This adapter fetches the following types of assets:
- Devices
- Users
About CrowdStrike Falcon
Use cases the adapter solves
Connecting CrowdStrike to Axonius allows you to assess your endpoint security coverage and quickly identify endpoints that are missing agents. Device correlation with Axonius allows you to garner information about your endpoint from other data sources that CrowdStrike cannot extract natively. This can greatly assist with the rollout and audit of your CrowdStrike deployment by introducing any business-unit context and identifying unmanaged devices across your organization.
Data retrieved by CrowdStrike Falcon
Axonius collects common device information such as the hostname, IPs, MAC address, and serial number. It also collects information unique to CrowdStrike such as group and policy membership, CrowdStrike spotlight vulnerabilities, and the agent version.
Enforcements
With the CrowdStrike adapter configured, Axonius can update group membership, update tags, and isolate devices directly in the Enforcement Center.
- CrowdStrike Falcon - Add/Remove Assets to/from Host Group
- CrowdStrike Falcon - Isolate and Unisolate
- CrowdStrike Falcon - Add or Remove Tagging Group to/from Assets
Parameters
CrowdStrike Domain (required) - The hostname of the API server. This can be one of the following:
- https://falconapi.crowdstrike.com (for the v1 "legacy" API)
- https://api.crowdstrike.com or https://api.us-2.crowdstrike.com (for the v2 API - US region)
- https://api.eu-1.crowdstrike.com/ (for the v2 API - EU region)
- https://api.laggar.gcw.crowdstrike.com/ (for the v2 API - Government)
Note: The v1 API endpoint is deprecated and will cease functioning on February 9, 2023. Update your adapter's endpoint to the CrowdStrike API v2 endpoint before February 9, 2023 to ensure the adapter continues working as expected.
User Name / Client ID and API Key / Secret (required) - The credentials for a user account that has the Required Permissions to fetch assets.
Note:
- User Name and API Key are required if you're using the v1 "legacy" API.
- Client ID and API Secret are required if you're using the latest (v2) API.
Member CID (optional) - Specify a CrowdStrike CID (customer identification) to fetch data from all tenants associated with it.
- If supplied, Axonius will fetch data from all tenants associated with the Member CID.
- If not supplied, Axonius will only fetch data from the main tenant.
Machine Domain Include list (optional) - Specify a comma-separated list of Microsoft Active Directory domains.
- If supplied, the connection for this adapter will only collect devices from the domains provided in this list.
- If not supplied, the connection for this adapter will collect devices from any domain.
Group Name Include list (optional) - Specify a comma-separated list of groups of systems in CrowdStrike.
- If supplied, the connection for this adapter will only collect devices associated with the groups provided in this list.
- If not supplied, the connection for this adapter will collect devices associated with any group.
Platform Include list (optional) - Use this to specify a comma-separated list of platforms in CrowdStrike, in order to only fetch devices associated with the platforms listed, otherwise devices associated with any platform are fetched.
Get devices vulnerabilities - Select this option to fetch vulnerabilities found on the devices.
Note: If Get devices vulnerabilities is enabled, the value supplied in Username / Client ID must have Read access to the Spotlight Vulnerabilities API scope, that is, spotlight-vulnerabilities:read.
Get closed vulnerabilities - Select this option to fetch closed vulnerabilities. You can only use this option if you select Get devices vulnerabilities.
Ignore devices that have not been seen by this connection in the last X hours (optional) - Select whether to avoid fetching old devices that are no longer part of your network, but that still exist in the present adapter connection.
- If selected, the present connection for the adapter will only fetch device information if that device asset entity has been seen by the adapter connection ('Last Seen' field) in the last specified number of hours. For example, if the value is 2160 hours, any device asset entity not identified by the present adapter connection in the last 90 days will not be pulled into Axonius.
- If cleared, all connections for the adapter will function per the configuration in Advanced Settings of the Ignore devices that have not been seen by this connection in the last X hours option. For more information, see Adapter Advanced Settings.
Threat Graph API User and Threat Graph API Key (optional) - Credentials used to fetch data from the CrowdStrike Threat Graph API.
- If supplied, the connection for this adapter will fetch data from the CrowdStrike Threat Graph API.
- If not supplied, the connection for this adapter will not fetch data from the CrowdStrike Threat Graph API.
Note: To receive access and credentials for the Threat Graph API, you will need to contact CrowdStrike support.
Device Type Include List (optional) - Specify a comma-separated list of product_type_desc values in CrowdStrike; only devices with these product types are fetched.
Verify SSL - Select whether to verify the SSL certificate offered by the value supplied in CrowdStrike Domain. For more details, see SSL Trust & CA Settings.
HTTPS Proxy (optional) - A proxy to use when connecting to the value supplied in CrowdStrike Domain.
- If supplied, Axonius will utilize the proxy when connecting to the value supplied in CrowdStrike Domain.
- If not supplied, Axonius will connect directly to the value supplied in CrowdStrike Domain.
To learn more about common adapter connection parameters and buttons, see Adding a New Adapter Connection.
Advanced Settings
Advanced settings can either apply to all connections for this adapter, or you can set different advanced settings and/or different scheduling for a specific connection. For more information, see Advanced Configuration for Adapters.
- Get devices policies
  - If enabled, all connections for this adapter will fetch prevention policies associated with the devices.
  - If disabled, all connections for this adapter will not fetch any prevention policies associated with the devices.
- Avoid AWS duplications - Select to avoid returning duplicate AWS machines when using the scroll API. In the event that a duplicate hostname, serial number, or IP address is detected, the most recent device is fetched.
- Filter AWS duplications based on hostname - Select to avoid returning duplicate AWS machines based on a hostname when using the scroll API. In the event that a duplicate hostname is detected, only the most recent device is fetched.
- Filter AWS duplications based on external IP - Select this option so that the AWS de-duplication logic uses the device's External IP as a key to detect duplications, allowing devices with different Local IPs (for example, due to DHCP configuration) to be detected as duplicates. Please note: this option is only relevant when Avoid AWS duplications is selected.
- Fetch devices last logged in users - Select this option to fetch the last 10 users who logged in for each device.
- Fetch devices network history - Select this option to fetch the history of IP and MAC addresses for devices.
- Fetch users - Select this option to fetch user details and roles. For more information, see Required Permissions.
- Normalize Device Manufacturer with BIOS Manufacturer - Select this option to set the device manufacturer to the value returned by the API in the BIOS manufacturer field.
- Devices per page (required, default: 100) - Specify the number of results per page received for a given request to gain better control of the performance of all connections of this adapter. The value specified can be from 100 to 5000. A higher value makes fewer API calls, which helps avoid hitting the API rate limit.
- Fetch Zero Trust Assessment Data - Select this option to enrich devices with additional data from the zero trust assessment endpoint.
- Get expired vulnerabilities (required, default: False) - Select this option to fetch expired vulnerabilities.
- Get suppressed vulnerabilities (required, default: False) - Select this option to fetch suppressed vulnerabilities.
- Get drive encryption data - Select this option to get the encryption status of the device's drives.
- Get FileVantage data - Select this option to fetch FileVantage data.
- Fetch vulnerabilities from X days ago (default: 0) - Enter a number of days to limit the fetch of open vulnerabilities to the last X days. A value of 0 (the default) means there is no limit on how many days back vulnerabilities are fetched.
- Fetch installed patches from the following report - Enter the name of the Installed Patches report to fetch. Leave empty to skip fetching installed patches.
- OS Version exclude list - Add a comma-separated list of OS Versions. Devices with these Operating Systems will not be fetched.
- OS Version include list - Add a comma-separated list of OS Versions. Only devices with these Operating Systems will be fetched.
- Group name exclude list - Enter a comma-separated list of Group names. If a device has this group associated with it, Axonius will exclude it. This option is available from version 4.8.4.0.
- Fetch devices in hidden status - Select this option to fetch devices in hidden status.
For details on general advanced settings under the Adapter Configuration tab, see Adapter Advanced Settings.
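As an added example (not Axonius or CrowdStrike code), the following Python sketch models the two filters described above: the connection-level "not seen in the last X hours" filter (the 2160-hour, 90-day case) and the AWS de-duplication that collapses records sharing a hostname, serial number or IP address and keeps the most recently seen one, with the external-IP key as an option. The device records, field names and the `normalize` helper are constructed assumptions modelled loosely on the CrowdStrike hosts API, not the adapter's own schema.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample host records (field names are assumptions modelled on the
# CrowdStrike hosts API, not the adapter's schema). AWS hosts carry a
# service_provider value; the laptop does not and is never de-duplicated.
NOW = datetime(2023, 5, 30, 12, 0, tzinfo=timezone.utc)
DEVICES = [
    {"device_id": "a1", "hostname": "web-01", "serial_number": "S-1", "local_ip": "10.0.1.10",
     "external_ip": "54.1.1.1", "service_provider": "AWS_EC2_V2", "last_seen": "2023-05-29T10:00:00Z"},
    {"device_id": "a2", "hostname": "web-01", "serial_number": "S-1", "local_ip": "10.0.1.11",
     "external_ip": "54.1.1.1", "service_provider": "AWS_EC2_V2", "last_seen": "2023-05-30T08:00:00Z"},
    {"device_id": "a3", "hostname": "web-02", "serial_number": "S-9", "local_ip": "10.0.1.12",
     "external_ip": "54.1.1.1", "service_provider": "AWS_EC2_V2", "last_seen": "2023-05-28T07:00:00Z"},
    {"device_id": "b1", "hostname": "db-01", "serial_number": "S-2", "local_ip": "10.0.2.20",
     "external_ip": "54.2.2.2", "service_provider": "AWS_EC2_V2", "last_seen": "2023-01-01T00:00:00Z"},
    {"device_id": "c1", "hostname": "laptop-7", "serial_number": "S-3", "local_ip": "192.168.0.5",
     "external_ip": "203.0.113.9", "service_provider": None, "last_seen": "2023-05-30T09:00:00Z"},
]

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def drop_not_seen_since(devices, hours, now=NOW):
    """Skip devices whose 'Last Seen' is older than `hours` (2160 h is 90 days)."""
    cutoff = now - timedelta(hours=hours)
    return [d for d in devices if parse_ts(d["last_seen"]) >= cutoff]

def dedupe_aws(devices, by_external_ip=False):
    """Collapse AWS duplicates on hostname, serial number or IP, keeping the most
    recently seen record. With by_external_ip the external IP replaces the local IP
    as the key, so an instance re-seen with a new DHCP lease still matches; the
    caveat is that distinct hosts behind one NAT egress IP collapse as well."""
    seen, kept = set(), []
    for d in sorted(devices, key=lambda d: parse_ts(d["last_seen"]), reverse=True):
        if not (d.get("service_provider") or "").startswith("AWS"):
            kept.append(d)  # only AWS machines are subject to de-duplication
            continue
        ip = d["external_ip"] if by_external_ip else d["local_ip"]
        keys = {("host", d["hostname"]), ("serial", d["serial_number"]), ("ip", ip)}
        if keys & seen:
            continue  # a newer record with the same hostname, serial or IP was kept
        seen |= keys
        kept.append(d)
    return kept

def normalize(devices, hours=2160, now=NOW, by_external_ip=False):
    """Staleness filter first, then AWS de-duplication, mirroring the two options."""
    return dedupe_aws(drop_not_seen_since(devices, hours, now), by_external_ip)
```

With the sample above, `normalize(DEVICES)` keeps the laptop, the newer web-01 record and web-02; `normalize(DEVICES, by_external_ip=True)` additionally drops web-02 because it shares the egress IP 54.1.1.1 with web-01.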
Required Permissions
The credentials supplied must be associated with the following scopes:
| Scope | Permission |
|---|---|
| Hosts | Read |
| Host groups | Read |
| IOC Management | Read |
| Prevention policies | Read |
| Sensor update policies | Write |
Credentials for Advanced Configuration must also include:
Users
| Scope | Permission |
|---|---|
| User Management | Read |
Vulnerabilities
| Scope | Permission |
|---|---|
| spotlight-vulnerabilities | Read |
CrowdStrike Enforcement Actions
| Scope | Permission |
|---|---|
| Hosts | Write |
Creating Credentials - Latest API
To create credentials using the Latest API authentication method:
- Log in to the Falcon admin panel.
- Go to Support > API Clients and Keys.
- Click Add new API Client and select Read permissions as defined above. To use the Isolate in CrowdStrike Falcon or the Unisolate in CrowdStrike Falcon enforcement actions, you also need to select Write permissions for Hosts.
- Click Add and use the generated credentials.
Creating Credentials - Legacy API
To use the legacy API:
- Verify that you have a valid account in the CrowdStrike support portal. Information on the process is available at the link below. Additionally, you need to create a GPG key pair prior to requesting the API key. For more information, see the CrowdStrike API Reference.
- Contact CrowdStrike Support to request an API key for the Query API. This is distinct from a regular API key (for the Falcon API), so be explicit that you need access to the Query API when making the request.
- Generate a GPG key pair.
- Export your public key in ASCII format.
- Email CrowdStrike Support at support@crowdstrike.com to request access to the Query API. Include your public key with your email request.
- Wait for CrowdStrike Support to respond with your Query API credentials, which are encrypted with your public key.
- Decrypt your Query API credentials using your private key.
- Use your credentials to make requests with the Query APIs.
- Enter the username and API key provided by CrowdStrike. The adapter is configured.