CrowdStrike Falcon
  • 05 Feb 2023
  • 7 Minutes to read

CrowdStrike Falcon delivers next-generation antivirus, endpoint detection and response (EDR), managed threat hunting, and threat intelligence.

Note:

If you are using CrowdStrike Falcon Identity Protection (formerly Preempt), you need to use the CrowdStrike Falcon Identity Protection adapter.

Types of Assets Fetched

This adapter fetches the following types of assets:

  • Devices
  • Users

About CrowdStrike Falcon

Use cases the adapter solves

Connecting CrowdStrike to Axonius allows you to assess your endpoint security coverage and quickly identify endpoints that are missing agents. Device correlation with Axonius allows you to garner information about your endpoint from other data sources that CrowdStrike cannot extract natively. This can greatly assist with the rollout and audit of your CrowdStrike deployment by introducing any business-unit context and identifying unmanaged devices across your organization.

Data retrieved by CrowdStrike Falcon

Axonius will collect common device information such as the hostname, IPs, MAC address, and serial number. It will also collect information unique to CrowdStrike, such as group and policy membership, CrowdStrike Spotlight vulnerabilities, and the agent version.

Enforcements

With the CrowdStrike adapter configured, Axonius can update group membership, update tags, and isolate devices directly in the Enforcement Center.


Parameters

  1. CrowdStrike Domain (required) - The hostname of the API server – this could be one of the following:

    • https://falconapi.crowdstrike.com (for the v1 "legacy" API)

    • https://api.crowdstrike.com or https://api.us-2.crowdstrike.com (for v2 API - US region)

    • http://api.eu-1.crowdstrike.com/ (for v2 API - EU region)

    • http://api.laggar.gcw.crowdstrike.com/ (for v2 API - Government)

      Note:
      • This API endpoint is currently deprecated and will cease functioning on February 9, 2023.
      • Please update your adapter's endpoint to use the CrowdStrike API v2 endpoint before February 9th, 2023 to ensure the adapter continues working as expected.
  2. User Name / Client ID and API Key / Secret (required) - The credentials for a user account that has the Required Permissions to fetch assets.

    Note:
    • User Name and API Key are required if you're using the v1 "legacy" API.
    • Client ID and API Secret are required if you're using the latest (v2) API.
  3. Member CID (optional) - Specify a CrowdStrike Member CID (customer identification) to fetch data from all tenants associated with it.
    • If supplied, Axonius will fetch data from all tenants associated with the Member CID.
    • If not supplied, Axonius will only fetch data from the main tenant.

  4. Machine Domain Include list (optional) - Specify a comma-separated list of Microsoft Active Directory domains.

    • If supplied, the connection for this adapter will only collect devices from the domains provided in this list.
    • If not supplied, the connection for this adapter will collect devices from any domain.
  5. Group Name Include list (optional) - Specify a comma-separated list of groups of systems in CrowdStrike.

    • If supplied, the connection for this adapter will only collect devices associated with the groups provided in this list.
    • If not supplied, the connection for this adapter will collect devices associated with any group.
  6. Platform Include list (optional) - Use this to specify a comma-separated list of platforms in CrowdStrike, in order to only fetch devices associated with the platforms listed, otherwise devices associated with any platform are fetched.

  7. Get devices vulnerabilities - Select this option to fetch vulnerabilities found on the devices.

    Note:

    If Get devices vulnerabilities is enabled, the value supplied in User Name / Client ID must have Read access permissions to the Spotlight Vulnerabilities API scope.

  8. Get closed vulnerabilities - Select this option to fetch closed vulnerabilities. You can only use this option if you select Get devices vulnerabilities.

  9. Ignore devices that have not been seen by this connection in the last X hours (optional) - Select whether to avoid fetching old devices that are no longer part of your network, but that still exist in the present adapter connection.

    • If selected, the present connection for the adapter will only fetch device information if that device asset entity has been seen by the adapter connection ('Last Seen' field) in the last specified number of hours.
      For example, if the value is 2160 hours, any device asset entity not identified by the present adapter connection in the last 90 days will not be pulled into Axonius.
    • If cleared, all connections for the adapter will function per the configuration in Advanced Settings of the Ignore devices that have not been seen by this connection in the last X hours option. For more information, see Adapter Advanced Settings.
  10. Threat Graph API User and Threat Graph API Key (optional) - Fetch data from CrowdStrike Threat Graph API.

    • If supplied, the connection for this adapter will fetch data from the CrowdStrike Threat Graph API.
    Note:

    To receive access and credentials for the Threat Graph API, you will need to contact CrowdStrike support.

    • If not supplied, the connection for this adapter will not fetch data from CrowdStrike Threat Graph API.
  11. Device Type Include List (optional) - Specify a comma-separated list of product_type_desc values in CrowdStrike; only devices whose product_type_desc matches one of the listed values are fetched.

  12. Verify SSL - Select whether to verify the SSL certificate offered by the value supplied in CrowdStrike Domain. For more details, see SSL Trust & CA Settings.

  13. HTTPS Proxy (optional) - A proxy to use when connecting to the value supplied in CrowdStrike Domain.
    • If supplied, Axonius will utilize the proxy when connecting to the value supplied in CrowdStrike Domain.
    • If not supplied, Axonius will connect directly to the value supplied in CrowdStrike Domain.

  14. To learn more about common adapter connection parameters and buttons, see Adding a New Adapter Connection.


Advanced Settings

Note:

Advanced settings can either apply to all connections for this adapter, or you can set different advanced settings and/or different scheduling for a specific connection; refer to Advanced Configuration for Adapters.

  1. Get devices policies
    • If enabled, all connections for this adapter will fetch prevention policies associated with the devices.
    • If disabled, all connections for this adapter will not fetch any prevention policies associated with the devices.
  2. Avoid AWS duplications - Select to avoid returning duplicate AWS machines when using the scroll API. In the event that a duplicate hostname, serial number, or IP address is detected, the most recent device is fetched.
  3. Filter AWS duplications based on hostname - Select to avoid returning duplicate AWS machines based on a hostname when using the scroll API. In the event that a duplicate hostname is detected, only the most recent device is fetched.
  4. Fetch devices last logged in users - Select this option to fetch the last 10 users who logged in for each device.
  5. Fetch devices network history - Select this option to fetch the history of IP and MAC addresses for devices.
  6. Fetch users - Select this option to fetch user details and roles. For more information, see Required Permissions.
  7. Devices per page (required, default: 100) - Specify the number of results per page received for a given request to gain better control of the performance of all connections of this adapter. The value specified can be from 100 to 5000. A higher value makes fewer API calls, which helps avoid hitting the API rate limit.
  8. Get expired vulnerabilities (required, default: False) - Select this option to fetch expired vulnerabilities.
  9. Get suppressed vulnerabilities (required, default: False) - Select this option to fetch suppressed vulnerabilities.
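The include lists, the "last seen in X hours" window (Parameters 4, 5, 6, 9 and 11) and the AWS duplicate handling (Advanced Settings 2 and 3) all narrow the same device set, and it is easy to mis-predict how they combine. The following added example is not Axonius or CrowdStrike code; it models those options as a filter pipeline over constructed sample records so you can check, before a fetch, which devices a given configuration would keep. The record field names (machine_domain, platform_name, local_ip, serial_number, last_seen), the is_aws flag and the config keys are assumptions for this example; product_type_desc is the field the page names.

```python
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is deterministic (constructed, not a real fetch time).
NOW = datetime(2023, 2, 5, 12, 0, tzinfo=timezone.utc)


def _rec(device_id, hostname, domain, group, platform, ptype, serial, ip, hours_ago, aws=False):
    """Build one constructed device record; field names are assumed for this example."""
    return {"device_id": device_id, "hostname": hostname, "machine_domain": domain,
            "groups": [group], "platform_name": platform, "product_type_desc": ptype,
            "serial_number": serial, "local_ip": ip, "is_aws": aws,
            "last_seen": NOW - timedelta(hours=hours_ago)}


# Constructed sample: d3 was last seen 100 days ago; d4/d5 are two AWS instances
# that report the same hostname, with d4 the more recent one.
SAMPLE_DEVICES = [
    _rec("d1", "web-01", "CORP.EXAMPLE", "Servers", "Linux", "Server", "SN-1", "10.0.0.5", 1),
    _rec("d2", "lap-07", "CORP.EXAMPLE", "Workstations", "Windows", "Workstation", "SN-2", "10.0.1.9", 30 * 24),
    _rec("d3", "old-box", "LAB.EXAMPLE", "Servers", "Windows", "Server", "SN-3", "10.9.0.2", 100 * 24),
    _rec("d4", "aws-app", "", "Servers", "Linux", "Server", "SN-4", "172.31.0.10", 2, aws=True),
    _rec("d5", "aws-app", "", "Servers", "Linux", "Server", "SN-5", "172.31.0.11", 3 * 24, aws=True),
]


def _csv_set(value):
    """Parse a comma-separated include list into a case-insensitive set (empty = no filter)."""
    return {item.strip().lower() for item in (value or "").split(",") if item.strip()}


def apply_include_lists(devices, domains="", groups="", platforms="", device_types=""):
    """Keep only devices matching every supplied include list; an empty list means 'any'."""
    want_domains, want_groups = _csv_set(domains), _csv_set(groups)
    want_platforms, want_types = _csv_set(platforms), _csv_set(device_types)
    kept = []
    for dev in devices:
        if want_domains and dev["machine_domain"].lower() not in want_domains:
            continue
        if want_groups and not (want_groups & {g.lower() for g in dev["groups"]}):
            continue
        if want_platforms and dev["platform_name"].lower() not in want_platforms:
            continue
        if want_types and dev["product_type_desc"].lower() not in want_types:
            continue
        kept.append(dev)
    return kept


def drop_stale(devices, max_hours=None, now=NOW):
    """Drop devices whose last_seen is older than max_hours (2160 h == 90 days); None keeps all."""
    if not max_hours:
        return list(devices)
    cutoff = now - timedelta(hours=max_hours)
    return [d for d in devices if d["last_seen"] >= cutoff]


def dedupe_aws(devices, hostname_only=False):
    """Among AWS devices, keep the most recently seen record per hostname
    (or per hostname / serial / IP); non-AWS devices are passed through unchanged."""
    seen, keep_ids = set(), set()
    aws = sorted((d for d in devices if d["is_aws"]), key=lambda d: d["last_seen"], reverse=True)
    for dev in aws:
        keys = {("hostname", dev["hostname"].lower())}
        if not hostname_only:
            keys |= {("serial", dev["serial_number"]), ("ip", dev["local_ip"])}
        if keys & seen:  # collides with a newer record already kept
            continue
        seen |= keys
        keep_ids.add(dev["device_id"])
    return [d for d in devices if not d["is_aws"] or d["device_id"] in keep_ids]


def fetch_devices(devices, config):
    """Apply the options in the order a fetch would narrow the set: include lists,
    then the last-seen window, then AWS de-duplication."""
    result = apply_include_lists(devices, config.get("domains", ""), config.get("groups", ""),
                                 config.get("platforms", ""), config.get("device_types", ""))
    result = drop_stale(result, config.get("last_seen_hours"))
    if config.get("avoid_aws_duplicates"):
        result = dedupe_aws(result, hostname_only=config.get("aws_dedupe_by_hostname_only", False))
    return result


def device_ids(devices):
    return [d["device_id"] for d in devices]


if __name__ == "__main__":
    cfg = {"platforms": "Linux", "last_seen_hours": 2160, "avoid_aws_duplicates": True}
    print("kept:", device_ids(fetch_devices(SAMPLE_DEVICES, cfg)))
```

Run it with a configuration mirroring what you intend to enter in the adapter; devices that disappear at the last-seen step are candidates for decommissioning in CrowdStrike rather than silent gaps in coverage, and AWS duplicates that collapse here are the ones the Avoid AWS duplications setting would hide.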
Note:

For details on general advanced settings under the Adapter Configuration tab, see Adapter Advanced Settings.


Required Permissions

The following permissions are required:

Required API client Scope

Hosts:
Hosts: read

Hosts Groups:
Host groups: read

Preventions and Sensors:
IOC Management: read
Prevention policies: read
Sensor update policies: read

For Advanced Configuration
Users:
User Management: read

Vulnerabilities:
spotlight-vulnerabilities: read

Creating Credentials - Latest API

To create credentials using the Latest API authentication method

  1. Log in to the Falcon admin panel.

  2. Go to Support > API Clients and Keys.

  3. Click Add new API Client and select Read permissions as defined above:

Note:

To use the Isolate in CrowdStrike Falcon or the Unisolate in CrowdStrike Falcon enforcement actions, you need to select Write permissions for Hosts.

  4. Click Add and use the generated credentials.
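When creating the API client, the scopes you tick should be exactly those the Required Permissions list and the note above call for; a client with extra write scopes is an over-privileged credential sitting in Axonius. The following added example is not Axonius or CrowdStrike code: it audits a list of granted scopes (typed as they appear on the API Clients and Keys page) against the adapter options you plan to enable, reporting scopes that are missing and scopes that are in excess. The option names used as config keys are assumptions for this example; the scope names come from this page.

```python
# Scopes every connection needs, from the Required Permissions list on this page.
BASE_SCOPES = {
    "Hosts: read",
    "Host groups: read",
    "IOC Management: read",
    "Prevention policies: read",
    "Sensor update policies: read",
}

# Scopes that only a particular adapter option requires (option names are assumed
# for this example; the scope names are the page's).
OPTION_SCOPES = {
    "fetch_users": {"User Management: read"},
    "get_device_vulnerabilities": {"spotlight-vulnerabilities: read"},
    "use_isolate_enforcement": {"Hosts: write"},  # Isolate / Unisolate enforcement actions
}


def _norm(scope):
    """Normalise 'Section: permission' so case and spacing differences do not matter."""
    section, _, perm = scope.partition(":")
    return f"{section.strip().lower()}: {perm.strip().lower()}"


def expected_scopes(config):
    """Minimal scope set for the given adapter configuration (least privilege)."""
    scopes = set(BASE_SCOPES)
    for option, needed in OPTION_SCOPES.items():
        if config.get(option):
            scopes |= needed
    return {_norm(s) for s in scopes}


def config_warnings(config):
    """Flag option combinations the page says do not work on their own."""
    warnings = []
    if config.get("get_closed_vulnerabilities") and not config.get("get_device_vulnerabilities"):
        warnings.append("Get closed vulnerabilities has no effect unless "
                        "Get devices vulnerabilities is also selected")
    return warnings


def audit_api_client(granted_scopes, config):
    """Compare the scopes granted to an API client with what the configuration needs."""
    expected = expected_scopes(config)
    granted = {_norm(s) for s in granted_scopes}
    return {
        "missing": sorted(expected - granted),  # fetches or enforcement will fail
        "excess": sorted(granted - expected),   # over-privileged; remove from the client
        "warnings": config_warnings(config),
    }


if __name__ == "__main__":
    # Constructed example: a client that was given Hosts write although no
    # isolate enforcement is planned.
    granted = list(BASE_SCOPES) + ["Hosts: write"]
    print(audit_api_client(granted, {"get_device_vulnerabilities": True}))
```

Re-run the audit whenever you turn on Fetch users, Get devices vulnerabilities or an Isolate enforcement, and again when you turn one off, so the client's scopes track the adapter's actual needs in both directions.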

Creating Credentials - Legacy API

To use the legacy API

  1. Verify that you have a valid account in the CrowdStrike support portal. Information on the process is available at the link below. Additionally, you need to create a GPG key pair prior to requesting the API key. For more information, see the CrowdStrike API Reference.
  2. Contact CrowdStrike Support to request an API key for the Query API. This is distinct from a regular API key (for the Falcon API), so be explicit that you need access to the Query API when making the request.
  3. Generate a GPG key pair.
  4. Export your public key in ASCII format.
  5. Email CrowdStrike Support at support@crowdstrike.com to request access to the Query API. Include your public key with your email request.
  6. Wait for CrowdStrike Support to respond with your Query API credentials, which are encrypted with your public key.
  7. Decrypt your Query API credentials using your private key.
  8. Use your credentials to make requests with the Query APIs.
  9. Enter the username and API key provided by CrowdStrike. The adapter is configured.
