CrowdStrike Falcon
  • 21 May 2024
  • 11 Minutes to read
  • Dark
    Light
  • PDF

CrowdStrike Falcon

  • Dark
    Light
  • PDF

Article summary

CrowdStrike Falcon delivers next-generation antivirus, endpoint detection and response (EDR), managed threat hunting, and threat intelligence.

Note:

If you are using CrowdStrike Falcon Identity Protection (formerly Preempt), you need to use the CrowdStrike Falcon Identity Protection adapter.

Types of Assets Fetched

This adapter fetches the following types of assets:

  • Devices
  • Users
  • Vulnerabilities
  • SaaS Applications
  • Alerts/Incidents

About CrowdStrike Falcon

Use cases the adapter solves

Connecting CrowdStrike to Axonius allows you to assess your endpoint security coverage and quickly identify endpoints that are missing agents. Device correlation with Axonius allows you to garner information about your endpoint from other data sources that CrowdStrike cannot extract natively. This can greatly assist with the rollout and audit of your CrowdStrike deployment by introducing any business-unit context and identifying unmanaged devices across your organization.

Data retrieved by CrowdStrike Falcon

Axonius collects common device information such as the hostname, IPs, MAC address, and serial number. It also collects information unique to CrowdStrike such as group and policy membership, CrowdStrike spotlight vulnerabilities, and the agent version.

Enforcements

With the CrowdStrike adapter configured, Axonius can update group membership, update tags, and isolate devices directly in the Enforcement Center.


Parameters

  1. CrowdStrike Domain (required) - The hostname of the API server – this could be one of the following:

    • https://falconapi.crowdstrike.com (for the v1 "legacy" API)

    • https://api.crowdstrike.com or https://api.us-2.crowdstrike.com (for v2 API - US region)

    • https://api.eu-1.crowdstrike.com/ (for v2 API - EU region)

    • https://api.laggar.gcw.crowdstrike.com/ (for v2 API - Goverment)

      Note:
      • The v1 API endpoint is currently deprecated and will cease functioning on February 9, 2023.
      • Please update your adapter’s endpoint to use the Crowdstrike API v2 endpoint before February 9th, 2023 to ensure the adapter continues working as expected.
  2. User Name / Client ID and API Key / Client Secret (required) - The credentials for a user account that has the Required Permissions to fetch assets.

    Note:
    • User Name and API Key are required if you're using the v1 "legacy" API.
    • Client ID and API Secret are required if you're using the latest (v2) API.
  3. Member CID (optional) - Specify a CrowdStrike CID to fetch data from all whether to fetch all tenants associated with it.
    * If supplied, Axonius will fetch data from all tenants associated with the Member CID (customer identification).
    * If not supplied , Axonius will only fetch data from the main tenant.

  4. Verify SSL - Select whether to verify the SSL certificate of the server against the CA database inside of Axonius. For more details, see SSL Trust & CA Settings.

  5. HTTPS Proxy (optional) - Connect the adapter to a proxy instead of directly connecting it to the domain.

  6. Machine Domain Include list (optional) - Specify a comma-separated list of Microsoft Active Directory domains. The connection for this adapter will only collect devices from the domains provided in this list.

  7. Group Name Include list (optional) - Specify a comma-separated list of groups of systems in CrowdStrike. The connection for this adapter will only collect devices associated with the groups provided in this list.

  8. Platform Include list (optional) - Use this to specify a comma-separated list of platforms in CrowdStrike, in order to only fetch devices associated with the platforms listed, otherwise devices associated with any platform are fetched.

  9. Ignore devices that have not been seen by this connection in the last X hours (optional) - Select whether to avoid fetching old devices that are no longer part of your network, but that still exist in the present adapter connection.

    • If selected, the present connection for the adapter will only fetch device information if that device asset entity has been seen by the adapter connection ('Last Seen' field) in the last specified number of hours.
      For example, if the value is 2160 hours, any device asset entity not identified by the present adapter connection in the last 90 days will not be pulled into Axonius.
    • If cleared, all connections for the adapter will function per the configuration in Advanced Settings of the Ignore devices that have not been seen by this connection in the last X hours option. For more information, see Adapter Advanced Settings.
  10. Threat Graph API User and Threat Graph API Key (optional) - Fetch data from CrowdStrike Threat Graph API.

    • If supplied, the connection for this adapter will fetch data from the CrowdStrike Threat Graph API.
    Note:

    To receive access and credentials for the Threat Graph API, you will need to contact CrowdStrike support.

    • If not supplied, the connection for this adapter will not fetch data from CrowdStrike Threat Graph API.
  11. Device Type Include List - (optional) - Specify a comma-separated list of product_type_desc parameters in Crowdstrike to fetch.

To learn more about common adapter connection parameters and buttons, see Adding a New Adapter Connection.

CRowdStrikeFAlconNN


Advanced Settings

Note:

Advanced settings can either apply for all connections for this adapter, or you can set different advanced settings and/or different scheduling for a specific connection, refer to ​Advanced Configuration for Adapters.

  1. Get devices policies - Select this option to fetch prevention policies associated with the devices.

Avoid Duplicate Devices

  • Enable logic to avoid duplicate devices - Toggle on to enable the option to avoid duplicate devices.

Cloud based device options

  • Avoid device duplications based on local IP address and account ID - Select this option to avoid returning duplicate machines when using the scroll API. If a duplicate hostname, serial number, or IP address is detected, the most recent device is fetched.
  • Avoid device duplications based on hostname - Select this option to avoid returning duplicate machines based on a hostname when using the scroll API. If a duplicate hostname is detected, only the most recent device is fetched.
  • Avoid device duplications based on external IP - Select this option to avoid returning duplicate machines based on the device's external IP.

Non-cloud based device options

  • Avoid device duplications based on hostname - Select this option to only fetch the latest information for a hostname of a device.
  1. Fetch devices last logged in users - Select this option to fetch the last 10 users who logged in for each device.
  2. Fetch devices network history - Select this option to fetch the history of IP and MAC addresses for devices.
  3. Fetch users - Select this option to fetch user details and roles. For more information, see Required Permissions.
  4. Normalize Device Manufacturer with BIOS Manufacturer - Select this option to set the device manufacturer to the value returned by the API in the BIOS manufacturer field.
  5. Devices per page (required, default: 100) - Specify the number of results per page received for a given request to gain better control of the performance of all connections of this adapter. The value specified can be from 100 to 5000. A higher value makes fewer API calls, which helps prevent API rate limit.
  6. Fetch Zero Trust Assessment Data - Select this option to enriche devices with additional data from the zero trust assessment endpoint.
  7. Get drive encryption data - Select this option to get the encryption status of the device's drives.
  8. Get FileVantage data - Select this option to fetch FileVantage data.
  9. Get USB control policy data - Select this option to enrich each device with the USB control policy to which the device belongs.
  10. Fetch installed patches from the following report - Enter the name of the Installed Patches report to fetch. Leave empty not to fetch installed patches.
  11. OS Version exclude list - Add a comma separated list of OS Versions. Devices with these Operating Systems will not be fetched.
  12. OS Version include list - Add a comma separated list of OS Versions. Devices without these Operating Systems will not be fetched.
  13. Group name exclude list - Enter a comma-separated list of Group names. If a device has this group associated with it, Axonius will exclude it. This option is available from version 4.8.4.0.
  14. List of tags to parse as fields - Enter a comma-separated list of tags to parse as fields.
  15. Fetch devices in hidden status - Select this option to fetch devices in hidden status.
  16. Use hostname as device manufacturer serial number for mobile devices - Select this option to use the hostname as the device manufacturer serial number for mobile devices.
  17. Fetch incidents - Toggle on this option to fetch CrowdStrike incidents.
  18. Use connection IP as local IP - Select this option to use the Connection IP address as the local IP address if no local IP address exists.
  19. Use "connection_ip" field as primary IP - Select this option to use the "connection_ip" field as the primary IP instead of the local IP.
  20. Create applications from vulnerabilities - Select this option to create SaaS Application assets from the software related to each vulnerability.

Vulnerability fetch settings

  1. Enable vulnerability fetch - Toggle on this option to fetch vulnerabilities found on the devices and configure relevant settings.
Note:

To use this setting, the value supplied in Username / Client ID must have Read access permissions to the Spotlight Vulnerabilities API scope, that is spotlight-vulnerabilities:read

  1. Include data facets in results - From the drop-down select data facets to use in results.
  2. Parse vulnerability descriptions - Select this option to parse vulnerability descriptions.

Filter vulnerabilities settings

Enable advanced vulnerabilities filtering - Toggle on this option to enable advanced vulnerabilities filtering and configure relevant filters.
Filter mechanism - Select the filter mechanism from the drop-down, either FQL filter or pre-defined filter options.

FQL filter
Enter A valid Falcon Query Language (FQL) filter string as specified here: Falcon Query Language.

Pre-defined filter options

You can configure the following pre-defined filter options.

  • Filter by status - Toggle on to filter by status. Select either Include or Exclude to set Statuses that will either be included or excluded in the fetch.
    • List - from the drop-down select status types to either exclude or include.

Filter by timestamps
Use the settings available to filter the vulnerabilities set depending on when they were last seen, closed, created or updated. A 0 value in any of the fields (default) means there is no limitation on the number of days back for which to fetch vulnerabilities.

Suppression filter settings

  • Filter by suppression info - Toggle on this setting to filter by suppression info.
    • Filter by is_supressed - Toggle on this option to determine (in combination with the true/false drop-down) whether to fetched suppressed vulnerabilities.

CVE filter settings

Filter by CVE info - Toggle on to filter by CVE info.

  • ExPRT filtering - Toggle on to implement ExPRT filtering. Select either Include or Exclude to set levels of severity that will either be included or excluded in the fetch.

    • List - From the drop-down select levels of severity to either exclude or include.
  • Exploit filtering - Toggle on to implement filtering by exploit types. Select either Include or Exclude to set types of exploits that will either be included or excluded in the fetch.

    • List - From the drop-down select types of exploits to either exclude or include.
  • Severity filtering - Toggle on to implement filtering by severity. Select either Include or Exclude to set levels of severity that will either be included or excluded in the fetch.

    • List - From the drop-down select levels of severity to either exclude or include.
Note:

For details on general advanced settings under the Adapter Configuration tab, see Adapter Advanced Settings.


Required Permissions

The credentials supplied must be associated with the following scopes:

ScopePermission
HostsRead
Host groupsRead
IOC ManagementRead
Prevention policiesRead
Sensor update policiesWrite

To fetch SaaS data:

ScopePermissionNotes
HostsRead
Host groupsRead
IOC ManagementRead
Prevention policiesRead
DetectionsRead
User ManagementRead
Sensor Update PoliciesRead
IndicatorsReadRequires CrowdStrike Falcon Intelligence Add-on to be deployed. Required to discover shadow SaaS applications
Spotlight vulnerabilitiesReadrequires an active subscription to the CrowdStrike Falcon Spotlight Vulnerability module. It may assist to discover shadow SaaS applications

Credentials for Advanced Configuration must also include:

Users

ScopePermission
User ManagementRead

Vulnerabilities

ScopePermission
spotlight-vulnerabilitiesRead

CrowdStrike Enforcement Actions

ScopePermission
HostsWrite

Creating Credentials - Latest API

To create credentials using the Latest API authentication method

  1. Log in to the Falcon admin panel.

  2. Go to Support > API Clients and Keys.
    image.png

  3. Click Add new API Client and select Read permissions as defined above::

image.png

Note:

To use the Isolate in CrowdStrike Falcon or the Unisolate in CrowdStrike Falcon enforcement actions, you need to select Write permissions for Hosts.

  1. Click Add and use the generated credentials.

Creating Credentials - Legacy API

To use the legacy API

  1. Verify that you have a valid account in the CrowdStrike support portal. Information on the process is available at the link below. Additionally, you need to create a GPG key pair prior to requesting the API key. For more information, see the CrowdStrike API Reference.
  2. Contact CrowdStrike Support to request an API key for the Query API. This is distinct from a regular API key (for the Falcon API), so be explicit that you need access to the Query API when making the request.
  3. Generate a GPG key pair.
  4. Export your public key in ASCII format.
  5. Email CrowdStrike Support at support@crowdstrike.com to request access to the Query API. Include your public key with your email request.
  6. Wait for CrowdStrike Support to respond with your Query API credentials, which are encrypted with your public key.
  7. Decrypt your Query API credentials using your private key.
  8. Use your credentials to make requests with the Query APIs.
  9. Enter the username and API key provided by CrowdStrike. The adapter is configured.


Was this article helpful?

Changing your password will log you out immediately. Use the new password to log back in.
First name must have atleast 2 characters. Numbers and special characters are not allowed.
Last name must have atleast 1 characters. Numbers and special characters are not allowed.
Enter a valid email
Enter a valid password
Your profile has been successfully updated.