CrowdStrike Falcon

The CrowdStrike Falcon platform delivers next-generation antivirus, endpoint detection and response (EDR), managed threat hunting, and threat intelligence.

The CrowdStrike Falcon Adapter connection requires the following parameters:

  1. CrowdStrike Domain – Enter the hostname of the API server, for example falconapi.crowdstrike.com (Old API) or api.crowdstrike.com (New API).
  2. User Name / Client ID – Username (Old API) or Client ID (New API).
  3. API Key / Secret – API Key (Old API) or Client Secret (New API).
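  4. Verify SSL – Choose whether to verify the SSL certificate of the server. If verification is disabled, the adapter does not authenticate the API server before sending the credentials above.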
  5. HTTPS Proxy (optional) – Enter details if the connection to the API requires a proxy.
  6. Choose Instance – If you are using multiple nodes, choose the Axonius node that is integrated with the adapter. By default, the 'Master' Axonius node (instance) is used. For details, see Connecting Additional Axonius Nodes.


Connecting Using the "New" API

To create credentials using the New API authentication method, follow the steps below.

  1. Log in to the Falcon admin panel.
  2. Go to Support > API Clients and Keys.
  3. Click Add new API Client and select read permissions for detections, hosts, host groups, prevention policies, and sensor update policies.
  4. Click Add and use the generated credentials.
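
The following is an added example, not Axonius or CrowdStrike code: a pre-flight audit of a connection's settings against this page, covering the hostname field, the Verify SSL choice, and whether a New API client holds only read permission on the five scopes listed in step 3. The dictionary key names, the scope dictionary layout, and the sample values are assumptions made for illustration.

```python
# Added example, not Axonius or CrowdStrike code. Key names are hypothetical.
# Scopes this page says to grant, each with read permission only.
REQUIRED_READ_SCOPES = {
    "detections", "hosts", "host groups",
    "prevention policies", "sensor update policies",
}


def audit_connection(cfg, granted_scopes=None):
    """Return a list of findings for one adapter connection.

    cfg: {'domain': str, 'verify_ssl': bool} (hypothetical key names).
    granted_scopes: {scope name: set of permissions} for a New API client,
    transcribed from the API client's entry in the Falcon console.
    """
    findings = []
    host = str(cfg.get("domain", "")).strip().lower()
    if not host:
        findings.append("domain: empty")
    elif "://" in host or "/" in host:
        # The field takes the API server's hostname, not a URL.
        findings.append("domain: enter a bare hostname, without scheme or path")
    if cfg.get("verify_ssl") is not True:
        findings.append("verify_ssl: off, the API server is not authenticated "
                        "before the credentials are sent")
    if granted_scopes is None:
        return findings  # Old API key, or scopes not supplied
    for scope in sorted(REQUIRED_READ_SCOPES | set(granted_scopes)):
        perms = set(granted_scopes.get(scope, ()))
        if scope not in REQUIRED_READ_SCOPES:
            findings.append(f"scope '{scope}': not in this page's list")
            continue
        if "read" not in perms:
            findings.append(f"scope '{scope}': read permission missing")
        extra = sorted(perms - {"read"})
        if extra:
            findings.append(f"scope '{scope}': excess permission {extra}")
    return findings


if __name__ == "__main__":
    # Constructed sample input.
    sample_cfg = {"domain": "https://api.crowdstrike.com/", "verify_ssl": False}
    sample_scopes = {
        "detections": {"read"}, "hosts": {"read", "write"},
        "host groups": {"read"}, "prevention policies": {"read"},
        "example-extra-scope": {"write"},  # constructed, not a real scope name
    }
    for line in audit_connection(sample_cfg, sample_scopes):
        print(line)
```

An empty result means the settings match what this page asks for; any finding is worth resolving before the credentials are saved in the adapter.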

Connecting Using the "Old" API

To use the Old API, follow the steps below.

  1. Verify you have a valid account in the CrowdStrike support portal. Information on the process is available at https://falcon.crowdstrike.com/support/documentation/2/query-api-reference. Additionally, you will need to create a GPG key pair before requesting the API key.
  2. Contact CrowdStrike Support and request they create an API key for the Query API. This is distinct from a regular API key (for the Falcon API), so please be explicit that you need access to the Query API when making the request. Please see the specific steps in the screenshot below:

image.png

  3. Enter the username and API key provided by CrowdStrike. The adapter is now configured.

Configuring CrowdStrike Falcon Advanced Settings

To configure the CrowdStrike Falcon adapter advanced settings, open the CrowdStrike Falcon Adapter screen, click Advanced Settings, and then click the CrowdStrike Configuration tab:

  • Get devices policies - Check this to fetch prevention policies associated with the devices.
  • Machine domain whitelist - Specify a comma-separated list of Microsoft Active Directory domains. If supplied, all connections for this adapter will only collect devices from the domains provided in this list.
