CrowdStrike Falcon

CrowdStrike Falcon delivers next-generation antivirus, endpoint detection and response (EDR), managed threat hunting, and threat intelligence.

Parameters

  1. CrowdStrike Domain (required) - The hostname of the API server. Specify one of the following:
    • https://falconapi.crowdstrike.com (for the "legacy" Query API)
    • https://api.crowdstrike.com (for the latest API)
  2. User Name / Client ID and API Key / Secret (required) - The credentials for a user account that has the Required Permissions to fetch assets.
  3. Member CID (optional, default: empty) - Specify the CrowdStrike CID (customer identification) of a parent tenant whose member tenants should also be fetched.
    * If supplied, Axonius will fetch data from all tenants associated with the Member CID.
    * If not supplied, Axonius will only fetch data from the main tenant.
  4. Verify SSL (required, default: False) - Verify the SSL certificate offered by the value supplied in CrowdStrike Domain. For more details, see SSL Trust & CA Settings.
    • If enabled, the SSL certificate offered by the value supplied in CrowdStrike Domain will be verified against the CA database inside of Axonius. If the SSL certificate cannot be validated against the CA database inside of Axonius, the connection will fail with an error.
    • If disabled, the SSL certificate offered by the value supplied in CrowdStrike Domain will not be verified against the CA database inside of Axonius. Leave verification enabled wherever possible: without it, anyone who can intercept the connection can present a forged certificate and capture the API credentials sent on every request.
  5. HTTPS Proxy (optional, default: empty) - A proxy to use when connecting to the value supplied in CrowdStrike Domain.
    • If supplied, Axonius will utilize the proxy when connecting to the value supplied in CrowdStrike Domain.
    • If not supplied, Axonius will connect directly to the value supplied in CrowdStrike Domain.
  6. For details on the common adapter connection parameters and buttons, see Adding a New Adapter Connection.


Advanced Settings

  1. Get devices policies (required, default: False)
    • If enabled, all connections for this adapter will fetch prevention policies associated with the devices.
    • If disabled, all connections for this adapter will not fetch any prevention policies associated with the devices.
  2. Get devices vulnerabilities (required, default: False)
    • If enabled, all connections for this adapter will fetch vulnerabilities found on the devices.
    • If disabled, all connections for this adapter will not fetch any vulnerabilities found on the devices.
  3. Machine domain whitelist (optional, default: empty) - Specify a comma-separated list of Microsoft Active Directory domains.
    • If supplied, all connections for this adapter will only collect devices from the domains provided in this list.
    • If not supplied, all connections for this adapter will collect devices from any domain.
  4. Group name whitelist (optional, default: empty) - Specify a comma-separated list of groups of systems in Crowdstrike.
    • If supplied, all connections for this adapter will only collect devices associated with the groups provided in this list.
    • If not supplied, all connections for this adapter will collect devices associated with any group.
NOTE

For details on general advanced settings under the Adapter Configuration tab, see Adapter Advanced Settings.

Required Permissions

The value supplied in User Name / Client ID and API Key / Secret must have read access to devices. Read permissions are sufficient; the adapter never needs write access.

  • User Name and API Key are required if you are using the "legacy" API.
  • Client ID and API Secret are required if you are using the latest API.

Creating Credentials - Latest API

To create credentials using the latest API authentication method, follow the steps below.

  1. Log in to the Falcon admin panel.
  2. Go to Support > API Clients and Keys.
  3. Click Add new API Client and select read permissions for detections, hosts, host groups, prevention policies, and sensor update policies. Grant only these read scopes; the adapter does not need write permissions.
  4. Click Add and use the generated Client ID and Secret. The secret is shown only once, so store it in a secrets manager before closing the dialog.
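Before saving the adapter connection, it is worth confirming that the Client ID and Secret from the steps above actually work with the connection parameters from the Parameters section (domain, Member CID, Verify SSL, HTTPS Proxy) and that the client has the read access the Required Permissions section asks for. The script below is an added example, not code from Axonius or CrowdStrike. It assumes the documented OAuth2 client-credentials endpoint `POST /oauth2/token` (with an optional `member_cid` form field) and the host-ID query endpoint `GET /devices/queries/devices/v1` on the latest API; the `FalconConnection` class, `check_read_access` function and the `fake_transport` used for the offline run are constructed for this example.

```python
"""Offline-testable check that a CrowdStrike API client can read hosts.

Added example for this page; not part of the Axonius adapter or the CrowdStrike SDK.
Assumed CrowdStrike endpoints (latest API, https://api.crowdstrike.com):
  POST /oauth2/token                 -> OAuth2 client-credentials token (HTTP 201)
  GET  /devices/queries/devices/v1   -> host IDs; requires read access to hosts
"""
import json
import ssl
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class FalconConnection:
    """Mirrors the adapter connection parameters on this page (constructed class)."""
    domain: str                        # e.g. https://api.crowdstrike.com
    client_id: str
    client_secret: str
    member_cid: Optional[str] = None   # parent CID: token is scoped to member tenants
    verify_ssl: bool = True
    https_proxy: Optional[str] = None


def token_request(conn: FalconConnection):
    """Build the client-credentials token request (url, headers, form body)."""
    form = {"client_id": conn.client_id, "client_secret": conn.client_secret}
    if conn.member_cid:
        form["member_cid"] = conn.member_cid
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/json"}
    return conn.domain.rstrip("/") + "/oauth2/token", headers, urllib.parse.urlencode(form).encode()


def build_opener(conn: FalconConnection) -> urllib.request.OpenerDirector:
    """Apply the HTTPS Proxy and Verify SSL settings the way the adapter describes them."""
    handlers = []
    if conn.https_proxy:
        handlers.append(urllib.request.ProxyHandler({"https": conn.https_proxy}))
    ctx = ssl.create_default_context()
    if not conn.verify_ssl:
        # Equivalent of "Verify SSL: disabled": no chain or hostname check, so a
        # forged certificate on the path would let an attacker read the client secret.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    handlers.append(urllib.request.HTTPSHandler(context=ctx))
    return urllib.request.build_opener(*handlers)


def http_transport(conn: FalconConnection) -> Callable:
    """Real transport: returns send(method, url, headers, body) -> (status, json)."""
    opener = build_opener(conn)

    def send(method, url, headers, body=None):
        req = urllib.request.Request(url, data=body, headers=headers, method=method)
        try:
            with opener.open(req, timeout=30) as resp:
                return resp.status, json.loads(resp.read().decode() or "{}")
        except urllib.error.HTTPError as err:       # 401/403 arrive as exceptions
            return err.code, json.loads(err.read().decode() or "{}")
    return send


def check_read_access(conn: FalconConnection, transport: Optional[Callable] = None):
    """Return (ok, detail): obtain a token, then prove the client can list host IDs."""
    send = transport or http_transport(conn)
    url, headers, body = token_request(conn)
    status, payload = send("POST", url, headers, body)
    if status not in (200, 201) or "access_token" not in payload:
        return False, "token request failed: HTTP %s %s" % (status, payload.get("errors"))
    auth = {"Authorization": "Bearer " + payload["access_token"], "Accept": "application/json"}
    hosts_url = conn.domain.rstrip("/") + "/devices/queries/devices/v1?limit=1"
    status, payload = send("GET", hosts_url, auth)
    if status == 403:
        return False, "client lacks read permission on hosts"
    if status != 200:
        return False, "host query failed: HTTP %s" % status
    total = payload.get("meta", {}).get("pagination", {}).get("total", len(payload.get("resources", [])))
    return True, "ok: %d hosts visible to this client" % total


def fake_transport(calls: list) -> Callable:
    """Constructed stand-in for the API so the check can be run offline."""
    def send(method, url, headers, body=None):
        calls.append((method, url, headers, body))
        if url.endswith("/oauth2/token"):
            return 201, {"access_token": "tok", "expires_in": 1799}
        if "/devices/queries/devices/v1" in url and headers.get("Authorization") == "Bearer tok":
            return 200, {"resources": ["0123456789abcdef"], "meta": {"pagination": {"total": 1}}}
        return 403, {"errors": [{"code": 403, "message": "access denied"}]}
    return send


if __name__ == "__main__":
    calls = []
    conn = FalconConnection("https://api.crowdstrike.com", "client-id", "client-secret",
                            member_cid="0123456789abcdef0123456789abcdef")
    print(check_read_access(conn, fake_transport(calls)))
```

Run it as-is to exercise the offline transport; drop the `transport` argument (and supply real credentials) to check a live connection. A 403 on the host query means the API client was created without the hosts read scope; a failed token request usually means a wrong secret, wrong domain, or a Member CID the client is not entitled to.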

Creating Credentials - "Legacy" API

To use the Old API, follow the steps below.

  1. Verify you have a valid account in the CrowdStrike support portal. Information on the process is available at the following link. Additionally, you will need to create a GPG key pair prior to requesting the API key: https://falcon.crowdstrike.com/support/documentation/2/query-api-reference
  2. Contact CrowdStrike Support and request they create an API key for the Query API. This is distinct from a regular API key (for the Falcon API), so be explicit that you need access to the Query API when making the request (see the specific steps in the screenshot).
  3. Enter the User Name and API Key provided by CrowdStrike, and the adapter is configured.