CrowdStrike Falcon Identity Protection (Preempt)
  • 17 Apr 2024

CrowdStrike Falcon Identity Protection (formerly Preempt) lets organizations reduce user risk on their attack surface and preempt threats in real-time with conditional access. It continuously analyzes, adapts and responds to threats based on identity, behavior, and risk to resolve insider threats and targeted attacks.

Note:

It is possible to connect using either CrowdStrike or Preempt credentials.

Types of Assets Fetched

This adapter fetches the following types of assets:

  • Devices
  • Users

Parameters

  1. Preempt Domain (required) - The hostname of the Preempt server.
  2. Preempt API Key (optional) - An API Key created in the Preempt console. In the Administration page, select Connectors > API Keys tab. Select API Token and then generate and copy an API key. Either use the API Key, or use CrowdStrike OAuth2. For more details, see Required Permissions.
  3. Use CrowdStrike OAuth2 - Select to authenticate using CrowdStrike OAuth2. In this case, use the CrowdStrike Client ID and Secret.
  4. CrowdStrike Client ID and CrowdStrike Client Secret - Credentials for a CrowdStrike account. For more information, see CrowdStrike Falcon Required Permissions.
  5. HTTPS Proxy (optional) - Connect the adapter to a proxy instead of directly connecting it to the domain.

To learn more about common adapter connection parameters and buttons, see Adding a New Adapter Connection.

Advanced Settings

Note:

Advanced settings can either apply to all connections for this adapter, or you can set different advanced settings and/or different scheduling for a specific connection. Refer to Advanced Configuration for Adapters.

  1. Do not fetch devices without 'Last Seen' (required, default: true) - Select whether to exclude devices that do not have a 'Last Seen' indication.

  2. Do not fetch devices without hostname (required, default: true) - Select whether to exclude devices that do not have a hostname.

  3. Only fetch active Users (optional) - Select to only fetch users who aren't archived.

  4. Ignore Programmatic users for device ownership (default: false) - Select this option to ignore the owner listed as device owner if it is a service account.

  5. Filter by Domain - Toggle on to filter by domain.

  6. Domain list - Enter a comma-separated list of domains to filter by.

  7. Rename risk factors - Select this option to rename risk factors.

  8. Exclude devices with UNMANAGED_HOST risk status - Select this option to exclude devices with the risk factor type of 'UNMANAGED_HOST'.


Required Permissions

The value supplied in API Key must be associated with the following credentials:

Credential                                    Permission
Identity Protection Assessment                Read
Identity Protection Detections                Read
Identity Protection Enforcement               Read
Identity Protection Entities                  Read
Identity Protection GraphQL                   Write
Identity Protection Health                    Read
Identity Protection on-premise enablement     Read
Identity Protection Timeline                  Read
