CrowdStrike Falcon
- Updated on 16 Mar 2025
- 12 Minutes to read
CrowdStrike Falcon delivers next-generation antivirus, endpoint detection and response (EDR), managed threat hunting, and threat intelligence.
If you are using CrowdStrike Falcon Identity Protection (formerly Preempt), you need to use the CrowdStrike Falcon Identity Protection adapter.
Related Enforcement Actions:
With the CrowdStrike adapter configured, Axonius can update group membership, update tags, and isolate devices directly in the Enforcement Center.
- CrowdStrike Falcon - Add/Remove Assets to/from Host Group
- CrowdStrike Falcon - Isolate and Unisolate
- CrowdStrike Falcon - Add or Remove Tagging Group to/from Assets
- CrowdStrike Falcon - RTR Run Command
- CrowdStrike Falcon - Run Script
Types of Assets Fetched
This adapter fetches the following types of assets:
- Devices
- Users
- Vulnerabilities
- Application Settings (To fetch this information you need to configure the User Name and Password fields. If 2FA is required for this application, the 2FA key must be provided.)
- SaaS Applications
- Domains & URLs
- Containers
- Alerts/Incidents
About CrowdStrike Falcon
Use cases the adapter solves
Connecting CrowdStrike to Axonius allows you to assess your endpoint security coverage and quickly identify endpoints that are missing agents. Device correlation with Axonius allows you to garner information about your endpoint from other data sources that CrowdStrike cannot extract natively. This can greatly assist with the rollout and audit of your CrowdStrike deployment by introducing any business-unit context and identifying unmanaged devices across your organization.
Data retrieved by CrowdStrike Falcon
Axonius collects common device information such as the hostname, IPs, MAC address, and serial number. It also collects information unique to CrowdStrike such as group and policy membership, vulnerabilities, and the agent version.
Parameters
CrowdStrike Domain (required) - The hostname of the API server – this could be one of the following:
- https://api.crowdstrike.com or https://api.us-2.crowdstrike.com (for v2 API - US region)
- https://api.eu-1.crowdstrike.com/ (for v2 API - EU region)
- https://api.laggar.gcw.crowdstrike.com/ (for v2 API - Government)
User Name / Client ID and API Key / Client Secret (required) - The credentials for a user account that has the Required Permissions to fetch assets.
Note: Client ID and API Secret are required if you're using the latest (v2) API.
Member CID (optional) - Specify a CrowdStrike CID to fetch data from all tenants associated with it.
- If supplied, Axonius will fetch data from all tenants associated with the Member CID (customer identification).
- If not supplied, Axonius will only fetch data from the main tenant.
Admin User Name (only used to fetch SaaS data) - The value you enter in the User Name field in CrowdStrike for the new user you created to allow Axonius to fetch SaaS Management data.
Admin Password (only used to fetch SaaS data) - The password you set for the new user in CrowdStrike.
2FA Secret Key (only used to fetch SaaS data) - The secret generated in CrowdStrike for setting up 2-factor authentication for the CrowdStrike user created for collecting SaaS Management data.
Verify SSL - Select whether to verify the SSL certificate of the server against the CA database inside of Axonius. For more details, see SSL Trust & CA Settings.
HTTPS Proxy (optional) - Connect the adapter to a proxy instead of directly connecting it to the domain.
Ignore devices that have not been seen by this connection in the last X hours (optional) - Select whether to avoid fetching old devices that are no longer part of your network, but that still exist in the present adapter connection.
- If selected, the present connection for the adapter will only fetch device information if that device asset entity has been seen by the adapter connection ('Last Seen' field) in the last specified number of hours. For example, if the value is 2160 hours, any device asset entity not identified by the present adapter connection in the last 90 days will not be pulled into Axonius.
- If cleared, all connections for the adapter will function per the configuration in Advanced Settings of the Ignore devices that have not been seen by this connection in the last X hours option. For more information, see Adapter Advanced Settings.
Threat Graph API User and Threat Graph API Key (optional) - Fetch data from CrowdStrike Threat Graph API.
Note: On December 11, 2024, this API User and API Key will be deprecated in CrowdStrike. If you already have your user and key, you need to add the ThreatGraph Scope for the OAuth 2.0 API Key (this is the same API key used in step 2 above).
To enable the ThreatGraph Scope, go to the Falcon console and select Support and resources > Resources and tools > API clients and keys.
The adapter will automatically do the right authorization to fetch ThreatGraph data.
To learn more about common adapter connection parameters and buttons, see Adding a New Adapter Connection.
Advanced Settings
Advanced settings can either apply to all connections for this adapter, or to a specific connection. Refer to Advanced Configuration for Adapters.
- Amount of requests per second (default: 5, min: 1, max: 5) - Set the amount of requests per second. If you are uncertain of the amount, it is best to leave as is.
- Get uninstall token for device - Select this option to fetch the uninstall token for a specific device using the following API: https://assets.falcon.crowdstrike.com/support/api/swagger.html#/sensor-update-policies/revealUninstallToken
- Get Detections Information for devices - Select this option to fetch detections information about the device, including the total counts of the detections.
- Get Configuration Assessments for device - Select this option to fetch configuration assessments for the device. To access the Configuration Assessment API, your API client must be assigned the Falcon Configuration Assessment:read scope.
- Enrich Configuration Assessments with Rule Name - Select this option to enrich configuration assessments with the rule name.
- Get devices policies - Select this option to fetch prevention policies associated with the devices.
Avoid Duplicate Devices
- Enable logic to avoid duplicate devices - Toggle on to enable the option to avoid duplicate devices.
Cloud based device options
- Avoid device duplications based on local IP address and account ID - Select this option to avoid returning duplicate machines when using the scroll API. If a duplicate hostname, serial number, or IP address is detected, the most recent device is fetched.
- Avoid device duplications based on hostname - Select this option to avoid returning duplicate machines based on a hostname when using the scroll API. If a duplicate hostname is detected, only the most recent device is fetched.
- Avoid device duplications based on external IP - Select this option to avoid returning duplicate machines based on the device's external IP.
Non-cloud based device options
- Avoid device duplications based on hostname - Select this option to only fetch the latest information for a hostname of a device.
- Fetch devices last logged in users - Select this option to fetch the last 10 users who logged in for each device.
- Fetch devices network history - Select this option to fetch the history of IP and MAC addresses for devices.
- Fetch users - Select this option to fetch user details and roles. For more information, see Required Permissions.
- Devices per page (required, default: 100) - Specify the number of results per page received for a given request to gain better control of the performance of all connections of this adapter. The value specified can be from 100 to 5000. A higher value makes fewer API calls, which helps prevent API rate limit.
- Fetch Zero Trust Assessment Data - Select this option to enrich devices with additional data from the zero trust assessment endpoint.
- Get drive encryption data - Select this option to get the encryption status of the device's drives.
- Get FileVantage data - Select this option to fetch FileVantage data.
- Get USB control policy data - Select this option to enrich each device with the USB control policy to which the device belongs.
- Fetch installed patches from the following report - Enter the name of the Installed Patches report to fetch. Leave empty not to fetch installed patches.
- List of tags to parse as fields - Enter a comma-separated list of tags to parse as fields.
- Fetch devices in hidden status - Select this option to fetch devices in hidden status.
- Use hostname as device manufacturer serial number for mobile devices - Select this option to use the hostname as the device manufacturer serial number for mobile devices.
- Fetch incidents - Toggle on this option to fetch CrowdStrike incidents.
- Create applications from vulnerabilities - Select this option to create SaaS Application assets from the software related to each vulnerability.
- Fetch application settings (only for accounts with SaaS Management capability) - By default Axonius fetches application settings. Clear this option to not fetch application settings.
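The two connection-level device options above (the last-seen cutoff in hours and the "avoid duplicate devices" keys) are easiest to reason about on concrete records. The following is an added example, not Axonius adapter code: it applies a last-seen cutoff (2160 hours is the 90-day case from the parameter description; 0 means no cutoff) and then keeps only the most recent record per key (hostname, serial number, or local IP). The device records are constructed for the example and only use the field names the adapter's description mentions.

```python
from datetime import datetime, timedelta, timezone

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample records; not real CrowdStrike output. "a1"/"a2" are the same
# workstation enrolled twice, "b1" has not been seen for months.
SAMPLE_DEVICES = [
    {"device_id": "a1", "hostname": "WS-001", "serial_number": "SN-1", "local_ip": "10.0.0.5", "last_seen": "2025-03-10T08:00:00Z"},
    {"device_id": "a2", "hostname": "WS-001", "serial_number": "SN-1", "local_ip": "10.0.0.5", "last_seen": "2025-03-14T08:00:00Z"},
    {"device_id": "b1", "hostname": "WS-002", "serial_number": "SN-2", "local_ip": "10.0.0.6", "last_seen": "2024-11-01T08:00:00Z"},
    {"device_id": "c1", "hostname": "WS-003", "serial_number": "SN-3", "local_ip": "10.0.0.7", "last_seen": "2025-03-15T08:00:00Z"},
]
NOW = datetime(2025, 3, 16, tzinfo=timezone.utc)  # fixed "now" so the example is reproducible


def parse_ts(ts):
    """Parse the UTC timestamp format used in the sample records."""
    return datetime.strptime(ts, TS_FMT).replace(tzinfo=timezone.utc)


def drop_not_seen_within(devices, hours, now):
    """Keep devices whose 'Last Seen' is within the last `hours`; 0 (or unset) means no cutoff."""
    if hours <= 0:
        return list(devices)
    cutoff = now - timedelta(hours=hours)
    return [d for d in devices if parse_ts(d["last_seen"]) >= cutoff]


def dedupe_keep_newest(devices, key_fields):
    """Collapse records sharing the same key (e.g. hostname) to the one seen most recently."""
    newest = {}
    for d in devices:
        key = tuple(d.get(f) for f in key_fields)
        current = newest.get(key)
        if current is None or parse_ts(d["last_seen"]) > parse_ts(current["last_seen"]):
            newest[key] = d
    return sorted(newest.values(), key=lambda d: d["device_id"])


def process(devices, hours, now, key_fields=("hostname",)):
    """Cutoff first, then de-duplication, mirroring the order the two settings are described in."""
    return dedupe_keep_newest(drop_not_seen_within(devices, hours, now), key_fields)


if __name__ == "__main__":
    for d in process(SAMPLE_DEVICES, 2160, NOW):
        print(d["device_id"], d["hostname"], d["last_seen"])
```

With the 2160-hour cutoff the stale `b1` record is dropped and the two `WS-001` records collapse to `a2`; with the cutoff set to 0 every record passes the first stage, which is the behaviour the "no limitation" default describes.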
Vulnerability fetch settings
- Enable vulnerability fetch - Toggle on this option to fetch vulnerabilities found on the devices and configure relevant settings.
To use this setting, the value supplied in Username / Client ID must have Read access permissions to the Vulnerabilities API scope, that is vulnerabilities:read.
- Include data facets in results - From the drop-down select data facets to use in results.
- Parse vulnerability descriptions - Select this option to parse vulnerability descriptions.
Filter vulnerabilities settings
- Enable advanced vulnerabilities filtering - Toggle on this option to enable advanced vulnerabilities filtering and configure relevant filters.
Filter mechanism - Select the filter mechanism from the drop-down, either FQL filter or pre-defined filter options.
FQL filter
Enter a valid Falcon Query Language (FQL) filter string as specified here: Falcon Query Language.
Pre-defined filter options
You can configure the following pre-defined filter options.
- Filter by status - Toggle on to filter by status. Select either Include or Exclude to set statuses that will either be included or excluded in the fetch.
- List - From the drop-down select status types to either exclude or include.
Filter by timestamps
Use the settings available to filter the vulnerabilities set depending on when they were last seen, closed, created or updated. A 0 value in any of the fields (default) means there is no limitation on the number of days back for which to fetch vulnerabilities.
Suppression filter settings
- Filter by suppression info - Toggle on this setting to filter by suppression info.
- Filter by is_supressed - Toggle on this option to determine (in combination with the true/false drop-down) whether to fetch suppressed vulnerabilities.
CVE filter settings
- Filter by CVE info - Toggle on to filter by CVE info.
- ExPRT filtering - Toggle on to implement ExPRT filtering. Select either Include or Exclude to set levels of severity that will either be included or excluded in the fetch.
  - List - From the drop-down select levels of severity to either exclude or include.
- Exploit filtering - Toggle on to implement filtering by exploit types. Select either Include or Exclude to set types of exploits that will either be included or excluded in the fetch.
  - List - From the drop-down select types of exploits to either exclude or include.
- Severity filtering - Toggle on to implement filtering by severity. Select either Include or Exclude to set levels of severity that will either be included or excluded in the fetch.
  - List - From the drop-down select levels of severity to either exclude or include.
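The pre-defined filter options above (status, days-back timestamps, suppression, ExPRT, exploit and severity) map onto a single FQL string of the kind the "FQL filter" mechanism accepts directly. The following is an added example, not Axonius code, showing how such a string is assembled: the field names (`status`, `last_seen_within`, `created_timestamp`, `updated_timestamp`, `closed_timestamp`, `suppression_info.is_suppressed`, `cve.exprt_rating`, `cve.exploit_status`, `cve.severity`) and the syntax conventions (`+` for AND, `!` for not-equal, `['a','b']` for any-of) are my reading of CrowdStrike's Spotlight FQL reference and should be checked against it before use. The option values are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Field names assumed from the Spotlight vulnerabilities FQL reference (see lead-in).
TIMESTAMP_FIELDS = {"closed": "closed_timestamp", "created": "created_timestamp", "updated": "updated_timestamp"}
CVE_FIELDS = (("exprt", "cve.exprt_rating"), ("exploit", "cve.exploit_status"), ("severity", "cve.severity"))

# Constructed example of the pre-defined options: open/reopened vulnerabilities seen in the
# last 30 days and updated in the last 7, not suppressed, ExPRT and severity CRITICAL/HIGH,
# excluding exploit status '0'. 0 days means "no limitation", as in the doc.
SAMPLE_OPTIONS = {
    "status": {"mode": "include", "values": ["open", "reopen"]},
    "days_back": {"last_seen": 30, "closed": 0, "created": 0, "updated": 7},
    "suppressed": False,
    "exprt": {"mode": "include", "values": ["CRITICAL", "HIGH"]},
    "exploit": {"mode": "exclude", "values": ["0"]},
    "severity": {"mode": "include", "values": ["CRITICAL", "HIGH"]},
}
NOW = datetime(2025, 3, 16, tzinfo=timezone.utc)


def fql_quote(value):
    """Single-quote a value, escaping embedded quotes so user input cannot break the filter."""
    return "'" + str(value).replace("'", "\\'") + "'"


def include_exclude(field, values, mode):
    """Include -> field:['a','b'] (any of); Exclude -> (field:!'a'+field:!'b') (none of)."""
    if mode == "include":
        return field + ":[" + ",".join(fql_quote(v) for v in values) + "]"
    if mode == "exclude":
        return "(" + "+".join(field + ":!" + fql_quote(v) for v in values) + ")"
    raise ValueError("mode must be 'include' or 'exclude'")


def since_clause(field, days, now):
    """Restrict a timestamp field to the last `days`; 0 means no restriction (returns None)."""
    if days < 0:
        raise ValueError("days must be >= 0")
    if days == 0:
        return None
    since = (now - timedelta(days=days)).strftime(TS_FMT)
    return field + ":>" + fql_quote(since)


def build_vulnerability_filter(options, now):
    """Combine every configured option with '+' (FQL AND); unset options add nothing."""
    clauses = []
    if "status" in options:
        clauses.append(include_exclude("status", options["status"]["values"], options["status"]["mode"]))
    days = options.get("days_back", {})
    if days.get("last_seen", 0) > 0:
        # last_seen_within takes a number of days rather than a timestamp (assumed, see lead-in)
        clauses.append("last_seen_within:" + fql_quote(days["last_seen"]))
    for key, field in TIMESTAMP_FIELDS.items():
        clause = since_clause(field, days.get(key, 0), now)
        if clause:
            clauses.append(clause)
    if "suppressed" in options:
        clauses.append("suppression_info.is_suppressed:" + ("true" if options["suppressed"] else "false"))
    for key, field in CVE_FIELDS:
        if key in options:
            clauses.append(include_exclude(field, options[key]["values"], options[key]["mode"]))
    return "+".join(clauses)


if __name__ == "__main__":
    print(build_vulnerability_filter(SAMPLE_OPTIONS, NOW))
```

Quoting every value is the part worth keeping even if you change the field names: the option lists are free text in the UI, and an unquoted value with a `+`, `,` or `'` in it would silently change the meaning of the filter rather than fail.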
- Fetch external devices of type DNS Domain. Requires EASM license - Select this option to fetch external DNS domain devices. This setting requires an EASM license.
- Fetch external devices of type IP. Requires EASM license - Select this option to fetch external IP devices. This setting requires an EASM license.
- Enrich devices with online state - Select this option to enrich devices with their online state (for example: 'online', 'offline', or 'unknown').
- Parse POD devices as containers - Select this option to parse POD devices as containers.
- Platform Include list - Specify a comma-separated list of platforms in CrowdStrike, in order to only fetch devices associated with the platforms listed, otherwise devices associated with any platform are fetched.
- Device Type Include List - Specify a comma-separated list of product_type_desc parameters in CrowdStrike to fetch.
- Machine Domain Include list - Specify a comma-separated list of Microsoft Active Directory domains. The connection for this adapter will only collect devices from the domains provided in this list.
- OS Version exclude list - Add a comma separated list of OS Versions. Devices with these Operating Systems will not be fetched.
- OS Version include list - Add a comma separated list of OS Versions. Devices without these Operating Systems will not be fetched.
- Group Name Include list - Specify a list of groups of systems in CrowdStrike. The connection for this adapter will only collect devices associated with the groups provided in this list.
- Group name exclude list - Specify a list of group names. If a device has this group associated with it, Axonius will exclude it. This option is available from version 4.8.4.0.
- Exclude hosts that have 'EC2' in their name and haven't been seen in the last X days - Exclude hosts that have 'EC2' in their name and whose last seen date is older than the specified number of days.
For details on general advanced settings under the Adapter Configuration tab, see Adapter Advanced Settings.
Required Permissions
Advanced Configuration Permissions
The following permissions are required for various Advanced Configurations:
Users
| Scope | Permission |
|---|---|
| User Management | Read |
Vulnerabilities
| Scope | Permission |
|---|---|
| vulnerabilities:read | Read |
Configuration Assessments
| Scope | Permission |
|---|---|
| Falcon Configuration Assessment:read | Read |
SaaS Management Permissions
To fetch SaaS data the following permissions are required:
| Scope | Permission | Notes |
|---|---|---|
| Hosts | Read | |
| Host groups | Read | |
| IOC Management | Read | |
| Prevention policies | Read | |
| Detections | Read | |
| User Management | Read | |
| Sensor Update Policies | Read | |
| Indicators | Read | Requires CrowdStrike Falcon Intelligence Add-on to be deployed. Required to discover shadow SaaS applications. |
| Vulnerabilities | Read | Requires an active subscription to the CrowdStrike Falcon Vulnerability module. It may assist to discover shadow SaaS applications. |
Application Settings
In order to fetch Application Settings, the new user you created to allow Axonius to fetch SaaS Management data needs to have the following permissions:
- View Quarantine File settings
- View Response policies
The credentials supplied must be associated with the following scopes:
| Scope | Permission |
|---|---|
| Hosts | Read |
| Host groups | Read |
| IOC Management | Read |
| Prevention policies | Read |
| Sensor update policies | Write |
| Device Control Policies | Read |
CrowdStrike Enforcement Actions
The following permissions are required for CrowdStrike Enforcement Actions:
| Scope | Permission |
|---|---|
| Hosts | Write |
Creating Credentials - Latest API
To create credentials using the Latest API authentication method:
- Log in to the Falcon admin panel.
- Go to Support > API Clients and Keys.
- Click Add new API Client and select Read permissions as defined above. To use the Isolate in CrowdStrike Falcon or the Unisolate in CrowdStrike Falcon enforcement actions, you need to select Write permissions for Hosts.
- Click Add and use the generated credentials.
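The Client ID and Client Secret created above are used in an OAuth 2.0 client-credentials exchange, and the two advanced settings "Amount of requests per second" (1 to 5) and "Devices per page" (100 to 5000) govern how the resulting token is used. The following is an added example, not Axonius adapter code: a small client that obtains and caches a token, spaces its calls to the configured rate, and walks the device-id scroll endpoint page by page. The `/oauth2/token` and `/devices/queries/devices-scroll/v1` paths are from CrowdStrike's public API reference; the exact JSON shape of the scroll response (`resources` list plus `meta.pagination.offset`) is an assumption for this example and should be checked against that reference. The transport, clock and sleep functions are injectable so the logic can be exercised offline; the API domain is a placeholder.

```python
import json
import time
from urllib import parse, request

TOKEN_PATH = "/oauth2/token"                          # OAuth2 client-credentials endpoint
SCROLL_PATH = "/devices/queries/devices-scroll/v1"    # paged device ids (response shape assumed)


class RateLimiter:
    """Spaces calls so that at most `per_second` are made, matching the adapter's 1..5 range."""

    def __init__(self, per_second, clock=time.monotonic, sleep=time.sleep):
        if not 1 <= per_second <= 5:
            raise ValueError("requests per second must be between 1 and 5")
        self._interval = 1.0 / per_second
        self._clock, self._sleep = clock, sleep
        self._next_allowed = 0.0

    def wait(self):
        now = self._clock()
        if now < self._next_allowed:
            self._sleep(self._next_allowed - now)
            now = self._next_allowed
        self._next_allowed = now + self._interval


def urllib_http(method, url, headers, body=None):
    """Default transport: returns (HTTP status, response bytes)."""
    req = request.Request(url, data=body, headers=headers, method=method)
    with request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read()


class FalconClient:
    def __init__(self, base_url, client_id, client_secret, per_second=5,
                 http=urllib_http, clock=time.monotonic, sleep=time.sleep):
        self._base = base_url.rstrip("/")
        self._client_id, self._client_secret = client_id, client_secret
        self._http, self._clock = http, clock
        self._limiter = RateLimiter(per_second, clock, sleep)
        self._token, self._expires_at = None, 0.0
        self.calls = 0  # number of API calls made; shows the effect of the page size

    def _request(self, method, url, headers, body=None):
        self._limiter.wait()
        self.calls += 1
        return self._http(method, url, headers, body)

    def token(self):
        """Client-credentials grant; the token is reused until one minute before it expires."""
        if self._token and self._clock() < self._expires_at - 60:
            return self._token
        body = parse.urlencode({"client_id": self._client_id, "client_secret": self._client_secret}).encode()
        headers = {"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"}
        status, raw = self._request("POST", self._base + TOKEN_PATH, headers, body)
        if status not in (200, 201):
            raise RuntimeError(f"token request failed with HTTP {status}")  # status only, never the secret
        data = json.loads(raw)
        self._token = data["access_token"]
        self._expires_at = self._clock() + float(data.get("expires_in", 0))
        return self._token

    def device_ids(self, page_size=100):
        """Collect all device ids; a larger page means fewer calls against the rate limit."""
        if not 100 <= page_size <= 5000:
            raise ValueError("page size must be between 100 and 5000")
        ids, offset = [], None
        while True:
            query = {"limit": page_size}
            if offset:
                query["offset"] = offset  # opaque continuation token from the previous page (assumed)
            url = f"{self._base}{SCROLL_PATH}?{parse.urlencode(query)}"
            headers = {"Authorization": "Bearer " + self.token(), "Accept": "application/json"}
            status, raw = self._request("GET", url, headers)
            if status == 429:
                raise RuntimeError("rate limited by the API: lower requests per second or raise the page size")
            if status != 200:
                raise RuntimeError(f"device query failed with HTTP {status}")
            data = json.loads(raw)
            page = data.get("resources", [])
            ids.extend(page)
            offset = data.get("meta", {}).get("pagination", {}).get("offset")
            if not page or not offset:
                return ids


if __name__ == "__main__":
    # Placeholder domain and credentials; substitute the values from the steps above.
    client = FalconClient("https://api.crowdstrike.example", "<client-id>", "<client-secret>", per_second=5)
    print(len(client.device_ids(page_size=5000)), "devices after", client.calls, "API calls")
```

Two details are deliberate: the secret is sent only in the token request body and never appears in an error message or log line, and a 429 is surfaced as a configuration problem rather than retried blindly, since the adapter already exposes both knobs (requests per second, devices per page) that resolve it.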