CrowdStrike Falcon
  • 23 May 2022

CrowdStrike Falcon delivers next-generation antivirus, endpoint detection and response (EDR), managed threat hunting, and threat intelligence.

Note:

If you are using Preempt, you need to use the Preempt adapter.

Types of Assets Fetched

This adapter fetches the following types of assets:

  • Devices
  • Users

Parameters

  1. CrowdStrike Domain (required) - The hostname of the API server – this could be one of the following:

    • https://falconapi.crowdstrike.com (for "legacy" API)
    • https://api.crowdstrike.com or https://api.us-2.crowdstrike.com (for the latest API)
  2. User Name / Client ID and API Key / Secret (required) - The credentials for a user account that has the Required Permissions to fetch assets.

  3. Member CID (optional, default: empty) - Specify a CrowdStrike Member CID (customer identification) to fetch data from all tenants associated with it.
    * If supplied, Axonius will fetch data from all tenants associated with the Member CID.
    * If not supplied, Axonius will only fetch data from the main tenant.

  4. Machine Domain Include list (optional, default: empty) - Specify a comma-separated list of Microsoft Active Directory domains.

    • If supplied, the connection for this adapter will only collect devices from the domains provided in this list.
    • If not supplied, the connection for this adapter will collect devices from any domain.
  5. Group Name Include list (optional, default: empty) - Specify a comma-separated list of groups of systems in CrowdStrike.

    • If supplied, the connection for this adapter will only collect devices associated with the groups provided in this list.
    • If not supplied, the connection for this adapter will collect devices associated with any group.
  6. Get devices vulnerabilities (required, default: false) - Select this option to fetch vulnerabilities found on the devices.

    Note:

    To fetch vulnerabilities, the value supplied in Username / Client ID must have Read access to the Spotlight Vulnerabilities API scope.

  7. Get closed vulnerabilities - Select this option to fetch closed vulnerabilities. You can only use this option if you select Get devices vulnerabilities.

  8. Ignore devices that have not been seen by this connection in the last X hours (optional, default: false) - Select whether to avoid fetching old devices that are no longer part of your network, but that still exist in the present adapter connection.

    • If selected, the present connection for the adapter will only fetch device information if that device asset entity has been seen by the adapter connection ('Last Seen' field) in the last specified number of hours.
      For example, if the value is 2160 hours, any device asset entity not identified by the present adapter connection in the last 90 days will not be pulled into Axonius.
    • If cleared, all connections for the adapter will function per the configuration in Advanced Settings of the Ignore devices that have not been seen by this connection in the last X hours option. For more information, see Adapter Advanced Settings.
  9. Threat Graph API User and Threat Graph API Key (optional, default: empty) - Fetch data from CrowdStrike Threat Graph API.

    • If supplied, the connection for this adapter will fetch data from the CrowdStrike Threat Graph API.
    • If not supplied, the connection for this adapter will not fetch data from the CrowdStrike Threat Graph API.

    Note:

    To receive access and credentials for the Threat Graph API, you will need to contact CrowdStrike support.

  10. Verify SSL (required, default: false) - Select whether to verify the SSL certificate offered by the value supplied in CrowdStrike Domain. For more details, see SSL Trust & CA Settings.

  11. HTTPS Proxy (optional, default: empty) - A proxy to use when connecting to the value supplied in CrowdStrike Domain.
    * If supplied, Axonius will utilize the proxy when connecting to the value supplied in CrowdStrike Domain.
    * If not supplied, Axonius will connect directly to the value supplied in CrowdStrike Domain.

To learn more about common adapter connection parameters and buttons, see Adding a New Adapter Connection.
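As an added illustration (not Axonius's or CrowdStrike's code), the following Python shows how the Machine Domain and Group Name include lists, the "not seen in the last X hours" cut-off and the hostname-based AWS de-duplication from Advanced Settings combine to decide which device records a connection keeps. The device field names (hostname, machine_domain, groups, last_seen, service_provider), the presence of group names on the record and the timestamp format are assumptions; the device records are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


def parse_include_list(raw: str) -> List[str]:
    """Split a comma-separated include list as entered in the connection form.
    An empty string means 'no restriction', matching the parameter descriptions."""
    return [item.strip().lower() for item in raw.split(",") if item.strip()]


@dataclass
class ConnectionConfig:
    machine_domain_include: str = ""          # Machine Domain Include list
    group_name_include: str = ""              # Group Name Include list
    ignore_not_seen_hours: Optional[int] = None  # None == option cleared
    filter_aws_dups_by_hostname: bool = False    # Advanced Settings option


def parse_last_seen(value: str) -> datetime:
    # Assumption: 'last_seen' is an ISO-8601 UTC timestamp such as 2022-05-23T12:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def select_devices(devices: List[Dict], cfg: ConnectionConfig, now: datetime) -> List[Dict]:
    """Return the records that survive every configured filter, in input order."""
    domains = parse_include_list(cfg.machine_domain_include)
    groups = set(parse_include_list(cfg.group_name_include))
    cutoff = None
    if cfg.ignore_not_seen_hours is not None:
        # e.g. 2160 hours == 90 days before 'now'
        cutoff = now - timedelta(hours=cfg.ignore_not_seen_hours)

    kept: List[Dict] = []
    seen_aws_hostnames = set()
    for dev in devices:
        if domains and dev.get("machine_domain", "").lower() not in domains:
            continue  # outside the Machine Domain include list
        if groups and not ({g.lower() for g in dev.get("groups", [])} & groups):
            continue  # not in any listed group
        if cutoff is not None and parse_last_seen(dev["last_seen"]) < cutoff:
            continue  # 'Last Seen' is older than the X-hour window
        if cfg.filter_aws_dups_by_hostname and dev.get("service_provider") == "AWS_EC2":
            key = dev["hostname"].lower()
            if key in seen_aws_hostnames:
                continue  # duplicate AWS machine with the same hostname
            seen_aws_hostnames.add(key)
        kept.append(dev)
    return kept


# Constructed sample data: the fetch time and six device records.
NOW = datetime(2022, 5, 23, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_DEVICES = [
    {"hostname": "ws01", "machine_domain": "corp.example", "groups": ["Servers"],
     "last_seen": "2022-05-20T08:00:00Z"},
    {"hostname": "ws02", "machine_domain": "lab.example", "groups": ["Workstations"],
     "last_seen": "2022-05-22T09:00:00Z"},
    {"hostname": "db01", "machine_domain": "corp.example", "groups": ["Databases"],
     "last_seen": "2022-05-22T09:00:00Z"},
    {"hostname": "old01", "machine_domain": "corp.example", "groups": ["Workstations"],
     "last_seen": "2022-01-01T00:00:00Z"},
    {"hostname": "ip-10-0-0-5", "machine_domain": "corp.example", "groups": ["Servers"],
     "last_seen": "2022-05-23T11:00:00Z", "service_provider": "AWS_EC2"},
    {"hostname": "ip-10-0-0-5", "machine_domain": "corp.example", "groups": ["Servers"],
     "last_seen": "2022-05-23T10:00:00Z", "service_provider": "AWS_EC2"},
]


def demo() -> List[str]:
    """Hostnames kept with a domain list, a group list, a 90-day window and AWS de-duplication."""
    cfg = ConnectionConfig(
        machine_domain_include="corp.example",
        group_name_include="Workstations, Servers",
        ignore_not_seen_hours=2160,
        filter_aws_dups_by_hostname=True,
    )
    return [d["hostname"] for d in select_devices(SAMPLE_DEVICES, cfg, NOW)]


if __name__ == "__main__":
    print(demo())  # ['ws01', 'ip-10-0-0-5']
```

With every option left at its default (empty lists, the last-seen option cleared, de-duplication off) all six constructed records are kept; the configured run drops ws02 (domain), db01 (group), old01 (last seen more than 2160 hours ago) and the second AWS record (same hostname).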



Advanced Settings

Note:

Advanced settings can either apply to all connections for this adapter, or you can set different advanced settings and/or different scheduling for a specific connection. For more information, see Advanced Configuration for Adapters.

  1. Get devices policies (required, default: false)
    • If enabled, all connections for this adapter will fetch prevention policies associated with the devices.
    • If disabled, all connections for this adapter will not fetch any prevention policies associated with the devices.
  2. Avoid AWS duplications (required, default: false) - Select to avoid returning duplicate AWS machines when using the scroll API.
  3. Filter AWS duplications based on hostname (required, default: false) - Select to avoid returning duplicate AWS machines based on a hostname when using the scroll API.
  4. Fetch devices last logged in users - Select this option to fetch the last 10 users who logged in for each device.
  5. Fetch devices network history - Select this option to fetch the history of IP and MAC addresses for devices.
  6. Fetch users - Select this option to fetch user details and roles. For more information, see Required Permissions.
  7. Devices per page (required, default: 100) - Specify the number of results per page received for a given request to gain better control of the performance of all connections of this adapter. The value specified can be from 100 to 5000. A higher value makes fewer API calls, which helps avoid API rate limiting.
Note:

For details on general advanced settings under the Adapter Configuration tab, see Adapter Advanced Settings.


Required Permissions

  • The value supplied in Username / Client ID and API Key / Secret must have read access to devices and the Spotlight Vulnerabilities API scope.
  • User Name and API Key are required if you are using the "legacy" API.
  • Client ID and API Secret are required if you are using the latest API.
  • In Permissions > Manage Users, Read permission is required if you want to fetch users. For more information, see the Fetch users parameter in Advanced Settings.
  • Prior to selecting Fetch users, do the following:
    1. Configure Retrieve User in the API.
    2. In the CrowdStrike console, select the User API scope.
    3. In the CrowdStrike console, navigate to Permissions > Manage Users, and select the Read permission.

Creating Credentials - Latest API

To create credentials using the Latest API authentication method, follow the steps below.

  1. Log in to the Falcon admin panel.

  2. Go to Support > API Clients and Keys.

  3. Click Add new API Client and select the following Read permissions:

    • Detections
    • Hosts
    • Host groups
    • Prevention policies
    • Sensor update policies
Note:

To use the Isolate in CrowdStrike Falcon or the Unisolate in CrowdStrike Falcon enforcement actions, you need to select Write permissions for Hosts.

  4. Click Add and use the generated credentials.

Creating Credentials - Legacy API

To use the legacy API:

  1. Verify that you have a valid account in the CrowdStrike support portal. Information on the process is available at the link below. Additionally, you need to create a GPG key pair prior to requesting the API key. For more information, see the CrowdStrike API Reference.
  2. Contact CrowdStrike Support to request an API key for the Query API. This is distinct from a regular API key (for the Falcon API), so be explicit that you need access to the Query API when making the request.
  3. Generate a GPG key pair.
  4. Export your public key in ASCII format.
  5. Email CrowdStrike Support at support@crowdstrike.com to request access to the Query API. Include your public key with your email request.
  6. Wait for CrowdStrike Support to respond with your Query API credentials, which are encrypted with your public key.
  7. Decrypt your Query API credentials using your private key.
  8. Use your credentials to make requests with the Query APIs.
  9. Enter the username and API key provided by CrowdStrike in the User Name and API Key connection parameters. The adapter is now configured.


