- 17 Apr 2024
CrowdStrike Falcon Identity Protection (Preempt)
- Updated on 17 Apr 2024
CrowdStrike Falcon Identity Protection (formerly Preempt) lets organizations reduce user risk on their attack surface and preempt threats in real time with conditional access. It continuously analyzes, adapts and responds to threats based on identity, behavior, and risk to resolve insider threats and targeted attacks.
It is possible to connect using either CrowdStrike or Preempt credentials.
Types of Assets Fetched
This adapter fetches the following types of assets:
- Devices
- Users
Parameters
- Preempt Domain (required) - The hostname of the Preempt server.
- Preempt API Key (optional) - An API Key created in the Preempt console. On the Administration page, select the Connectors > API Keys tab. Select API Token and then generate and copy an API key. Use either the API Key or CrowdStrike OAuth2. For more details, see Required Permissions.
- Use CrowdStrike OAuth2 - Select to authenticate using CrowdStrike OAuth2. In this case, use the CrowdStrike Client ID and CrowdStrike Client Secret.
- CrowdStrike Client ID and CrowdStrike Client Secret - Credentials for a CrowdStrike account. For more information, see CrowdStrike Falcon Required Permissions.
- HTTPS Proxy (optional) - Connect the adapter to a proxy instead of directly connecting it to the domain.
To learn more about common adapter connection parameters and buttons, see Adding a New Adapter Connection.
Advanced Settings
Advanced settings can either apply to all connections for this adapter, or you can set different advanced settings and/or different scheduling for a specific connection. Refer to Advanced Configuration for Adapters.
- Do not fetch devices without 'Last Seen' (required, default: true) - Select whether to exclude devices that do not have a 'Last Seen' indication.
- Do not fetch devices without hostname (required, default: true) - Select whether to exclude devices that do not have a hostname.
- Only fetch active Users (optional) - Select to only fetch users who aren't archived.
- Ignore Programmatic users for device ownership (default: false) - Select this option to ignore the owner listed as device owner if it is a service account.
- Filter by Domain - Toggle on to filter by domain.
- Domain list - Enter a comma-separated list of domains to filter by.
- Rename risk factors - Select this option to rename risk factors.
- Exclude devices with UNMANAGED_HOST risk status - Select this option to exclude devices with the risk factor type of 'UNMANAGED_HOST'.
Required Permissions
The value supplied in API Key must be associated with the following credentials:
| Credential | Permission |
|---|---|
| Identity Protection Assessment | Read |
| Identity Protection Detections | Read |
| Identity Protection Enforcement | Read |
| Identity Protection Entities | Read |
| Identity Protection GraphQL | Write |
| Identity Protection Health | Read |
| Identity Protection on-premise enablement | Read |
| Identity Protection Timeline | Read |