CrowdStrike Falcon

CrowdStrike Falcon delivers next-generation antivirus, endpoint detection and response (EDR), managed threat hunting, and threat intelligence.

Types of Assets Fetched

This adapter fetches the following types of assets:

• Devices
• Users
• SaaS Data

About CrowdStrike Falcon

Use cases the adapter solves

Connecting CrowdStrike to Axonius allows you to assess your endpoint security coverage and quickly identify endpoints that are missing agents. Device correlation with Axonius allows you to garner information about your endpoint from other data sources that CrowdStrike cannot extract natively. This can greatly assist with the rollout and audit of your CrowdStrike deployment by introducing any business-unit context and identifying unmanaged devices across your organization.

Data retrieved by CrowdStrike Falcon

Axonius collects common device information such as the hostname, IPs, MAC address, and serial number. It also collects information unique to CrowdStrike such as group and policy membership, CrowdStrike spotlight vulnerabilities, and the agent version.

Enforcements

With the CrowdStrike adapter configured, Axonius can update group membership, update tags, and isolate devices directly in the Enforcement Center.

• CrowdStrike Falcon - Add/Remove Assets to/from Host Group
• CrowdStrike Falcon - Isolate and Unisolate
• Crowdstrike Falcon - Add or Remove Tagging Group to/from Assets

Parameters

1. CrowdStrike Domain (required) - The hostname of the API server – this could be one of the following:

   • https://falconapi.crowdstrike.com (for the v1 "legacy" API)

   • https://api.crowdstrike.com or https://api.us-2.crowdstrike.com (for v2 API - US region)

   • http://api.eu-1.crowdstrike.com/ (for v2 API - EU region)

   • http://api.laggar.gcw.crowdstrike.com/ (for v2 API - Goverment)

     Note:

     • The v1 API endpoint is currently deprecated and will cease functioning on February 9, 2023.
     • Please update your adapter’s endpoint to use the Crowdstrike API v2 endpoint before February 9th, 2023 to ensure the adapter continues working as expected.

2. User Name / Client ID and API Key / Client Secret (required) - The credentials for a user account that has the Required Permissions to fetch assets.

   Note:

   • User Name and API Key are required if you're using the v1 "legacy" API.
   • Client ID and API Secret are required if you're using the latest (v2) API.

3. Member CID (optional) - Specify a CrowdStrike CID to fetch data from all whether to fetch all tenants associated with it.
   * If supplied, Axonius will fetch data from all tenants associated with the Member CID (customer identification).
   * If not supplied , Axonius will only fetch data from the main tenant.

4. Machine Domain Include list (optional) - Specify a comma-separated list of Microsoft Active Directory domains.

   • If supplied, the connection for this adapter will only collect devices from the domains provided in this list.
   • If not supplied, the connection for this adapter will collect devices from the any domain.

5. Group Name Include list (optional) - Specify a comma-separated list of groups of systems in CrowdStrike.

   • If supplied, the connection for this adapter will only collect devices associated with the groups provided in this list.
   • If not supplied, the connection for this adapter will collect devices associated with any group.

6. Platform Include list (optional) - Use this to specify a comma-separated list of platforms in CrowdStrike, in order to only fetch devices associated with the platforms listed, otherwise devices associated with any platform are fetched.

7. Get devices vulnerabilities - Select this option to fetch vulnerabilities found on the devices.

   Note:

   If Get devices vulnerabilities is enabled, the value supplied in Username / Client ID must have Read access permissions to the Spotlight Vulnerabilities API scope, that is spotlight-vulnerabilities:read

8. Get closed vulnerabilities - Select this option to fetch closed vulnerabilities. You can only use this option if you select Get devices vulnerabilities.

9. Ignore devices that have not been seen by this connection in the last X hours (optional) - Select whether to avoid fetching old devices that are no longer part of your network, but that still exist in the present adapter connection.

   • If selected, the present connection for the adapter will only fetch device information if that device asset entity has been seen by the adapter connection ('Last Seen' field) in the last specified number of hours.
     For example, if the value is 2160 hours, any device asset entity not identified by the present adapter connection in the last 90 days will not be pulled into Axonius.
   • If cleared, all connections for the adapter will function per the configuration in Advanced Settings of the Ignore devices that have not been seen by this connection in the last X hours option. For more information, see Adapter Advanced Settings.

10. Threat Graph API User and Threat Graph API Key (optional) - Fetch data from CrowdStrike Threat Graph API.

    • If supplied, the connection for this adapter will fetch data from the CrowdStrike Threat Graph API.
    Note:

    To receive access and credentials for the Threat Graph API, you will need to contact CrowdStrike support.

    • If not supplied, the connection for this adapter will not fetch data from CrowdStrike Threat Graph API.

11. Device Type Include List - (optional) - Specify a comma-separated list of product_type_desc parameters in Crowdstrike to fetch.

12. Verify SSL - Select whether to verify the SSL certificate of the server against the CA database inside of Axonius. For more details, see SSL Trust & CA Settings.

13. HTTPS Proxy (optional) - Connect the adapter to a proxy instead of directly connecting it to the domain.

To learn more about common adapter connection parameters and buttons, see Adding a New Adapter Connection.

Advanced Settings

1. Get devices policies
   • If enabled, all connections for this adapter will fetch prevention policies associated with the devices.
   • If disabled, all connections for this adapter will not fetch any prevention policies associated with the devices.
2. Avoid device duplications - Select to avoid returning duplicate machines when using the scroll API. In the event that a duplicate hostname, serial number, or IP address is detected, the most recent device is fetched.
3. Filter device duplications based on hostname - Select to avoid returning duplicate machines based on a hostname when using the scroll API. In the event that a duplicate hostname is detected, only the most recent device is fetched.
4. Filter device duplications based on external IP - Select this option so that the de-duplication logic uses the device's External IP as a key to detect duplications, allowing devices with different Local IPs (for example, due to DHCP configuration) to be detected as duplicates. Please note: this option is only relevant when Avoid duplications is selected.
5. Fetch devices last logged in users - Select this option to fetch the last 10 users who logged in for each device.
6. Fetch devices network history - Select this option to fetch the history of IP and MAC addresses for devices.
7. Fetch users - Select this option to fetch user details and roles. For more information, see Required Permissions.
8. Normalize Device Manufacturer with BIOS Manufacturer - Select this option to set the device manufacturer to the value returned by the API in the BIOS manufacturer field.
9. Devices per page (required, default: 100) - Specify the number of results per page received for a given request to gain better control of the performance of all connections of this adapter. The value specified can be from 100 to 5000. A higher value makes fewer API calls, which helps prevent API rate limit.
10. Fetch Zero Trust Assessment Data - Select this option to enriche devices with additional data from the zero trust assessment endpoint.
11. Get expired vulnerabilities - (required, default: False): Select this option to fetch expired vulnerabilities.
12. Get suppressed vulnerabilities - (required, default: False): Select this option to fetch suppressed vulnerabilities​.
13. Get drive encryption data - Select this option to get the encryption status of the device's drives.
14. Get FileVantage data - Select this option to fetch FileVantage data.
15. Get USB control policy data - Select this option to enrich each device with the USB control policy to which the device belongs.
16. Fetch vulnerabilities from X days ago (default: 0) - Enter a number of days to limit the fetch of open vulnerabilities to X days ago. A 0 value in this field (default) means there is no limitation on the number of days back for which to fetch vulnerabilities.
17. Fetch installed patches from the following report - Enter the name of the Installed Patches report to fetch. Leave empty not to fetch installed patches.
18. OS Version exclude list - Add a comma separated list of OS Versions. Devices with these Operating Systems will not be fetched.
19. OS Version include list - Add a comma separated list of OS Versions. Devices without these Operating Systems will not be fetched.
20. Group name exclude list - Enter a comma-separated list of Group names. If a device has this group associated with it, Axonius will exclude it. This option is available from version 4.8.4.0.
21. Fetch devices in hidden status - Select this option to fetch devices in hidden status.
22. Fetch incidents - Toggle on this option to fetch CrowdStrike incidents.
23. Use hostname as device manufacturer serial number for mobile devices - Select this option to use the hostname as the device manufacturer serial number for mobile devices.
24. Use connection IP as local IP - Select this option to use the Connection IP address as the local IP address if no local IP address exists.

Required Permissions

The credentials supplied must be associated with the following scopes:

To fetch SaaS data:

Credentials for Advanced Configuration must also include:

Users

Vulnerabilities

CrowdStrike Enforcement Actions

Creating Credentials - Latest API

To create credentials using the Latest API authentication method

1. Log in to the Falcon admin panel.

2. Go to Support > API Clients and Keys.
   

3. Click Add new API Client and select Read permissions as defined above::

4. Click Add and use the generated credentials.
   
   

Creating Credentials - Legacy API

To use the legacy API

1. Verify that you have a valid account in the CrowdStrike support portal. Information on the process is available at the link below. Additionally, you need to create a GPG key pair prior to requesting the API key. For more information, see the CrowdStrike API Reference.
2. Contact CrowdStrike Support to request an API key for the Query API. This is distinct from a regular API key (for the Falcon API), so be explicit that you need access to the Query API when making the request.
3. Generate a GPG key pair.
4. Export your public key in ASCII format.
5. Email CrowdStrike Support at [email protected] to request access to the Query API. Include your public key with your email request.
6. Wait for CrowdStrike Support to respond with your Query API credentials, which are encrypted with your public key.
7. Decrypt your Query API credentials using your private key.
8. Use your credentials to make requests with the Query APIs.
9. Enter the username and API key provided by CrowdStrike. The adapter is configured.