CrowdStrike Integration

The CyberCyte portal provides CrowdStrike integration for more comprehensive visibility. We recommend it for observing all CrowdStrike security events from the user's infrastructure in one portal.

1. Create API Key

Please log in to the CrowdStrike Falcon Management Console and navigate to "Support and resources" -> "Resource and tools" -> "API Client and keys". On that page, please create an API client and save the "Client ID", "Secret" and "Base URL".

These scopes should be selected:

Scope              Read    Write
Alerts             True    True
Hosts              True    False
Host Groups        True    False
Incidents          True    True
Sensor Download    True    False
Vulnerabilities    True    False
Detections         True    False
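As an added example (not part of this page or of the CyberCyte product), the script below requests an OAuth2 token with the saved Client ID, Secret and Base URL and probes one read endpoint per row of the scope table, so a missing scope is caught before the credential is entered in the portal. The endpoint paths, the 201 status of the token response and the injectable `transport` hook are this example's assumptions about the Falcon API, not from the page; write scopes are not probed because exercising them would change data.

```python
"""Probe a CrowdStrike API client for the read scopes the portal needs."""
import json
import urllib.error
import urllib.parse
import urllib.request

# One read probe per row of the scope table. The endpoint paths are this
# example's assumption about the Falcon API and are not taken from the page.
READ_PROBES = {
    "Alerts": "/alerts/queries/alerts/v2?limit=1",
    "Hosts": "/devices/queries/devices/v1?limit=1",
    "Host Groups": "/devices/queries/host-groups/v1?limit=1",
    "Incidents": "/incidents/queries/incidents/v1?limit=1",
    "Sensor Download": "/sensors/queries/installers/v1?limit=1",
    "Vulnerabilities": "/spotlight/queries/vulnerabilities/v1?limit=1&filter="
                       + urllib.parse.quote("status:'open'"),
    "Detections": "/detects/queries/detects/v1?limit=1",
}

def http_status(url, headers=None, data=None):
    """Default transport: return (HTTP status, body) for a GET or POST."""
    req = urllib.request.Request(url, data=data, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()

def get_token(base_url, client_id, client_secret, transport=http_status):
    """OAuth2 client-credentials grant; Falcon answers 201 with a JSON body."""
    form = urllib.parse.urlencode(
        {"client_id": client_id, "client_secret": client_secret}).encode()
    status, raw = transport(base_url.rstrip("/") + "/oauth2/token",
                            {"Content-Type": "application/x-www-form-urlencoded"}, form)
    if status != 201:
        raise RuntimeError(f"token request failed with HTTP {status}")
    return json.loads(raw)["access_token"]

def check_read_scopes(base_url, token, transport=http_status):
    """Return {scope: 'ok' | 'missing' | 'HTTP <n>'}; 403 means the scope was not granted."""
    headers = {"Authorization": f"Bearer {token}"}
    results = {}
    for scope, path in READ_PROBES.items():
        status, _ = transport(base_url.rstrip("/") + path, headers)
        results[scope] = {200: "ok", 403: "missing"}.get(status, f"HTTP {status}")
    return results
```

Run it as `check_read_scopes(base, get_token(base, client_id, secret))` with the values saved in this step; a "missing" row means the API client lacks a read scope the portal needs, and any other non-"ok" status points at the endpoint to inspect.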

2. Falcon Sensor Configurations

Please log in to the CrowdStrike Falcon Management Console and navigate to "Host setup and management" -> "Deploy" -> "Sensor downloads". Please save the "Customer ID".

3. Create Remote Credential in Portal

Please navigate to "Settings & Reporting" -> "Integration Settings" -> "Credential Settings". Click on the "+ Credential" button to create a new credential. Select "CrowdStrike Credential" as the "Credential Type". The Client ID, Client Secret and Cloud Destination values were already obtained in the previous steps.

4. Create a Repository on the Portal

Please navigate to "Settings & Reporting" -> "Integration Settings" -> "Repository Management". Click on the "+Repository" button to create a new CrowdStrike repository, select "CrowdStrike" as the Type and fill in the remaining fields as shown below. The "Credential" field is explained in the previous step. Please enable the repository and set the sync interval; the default of 15 minutes is recommended.

5. Create a Policy in the Portal

Please navigate to "Rules & Policies" -> "Policy Management" and click on the "+ Policy" button. Please select the module named "CrowdStrike Health Analysis" and the type named "CrowdStrike Health Analysis". After the selection, the required fields will appear. Please fill in the blanks with the required values; a demonstration is provided below:

If the organization uses CrowdStrike on the cloud, select "Install From Cloud"; otherwise, select "Install From Local Package". This option allows the agent to install CrowdStrike if it is not installed. For these actions, the agent requires the CrowdStrike credential that was provided previously. The "Custom Installation Command" section is designed for that feature; the CID parameter is required for installations.

Also, the CID (CrowdStrike ID/Customer ID) should be provided inside the policy.

The "Perform Repair" option is designed for unhealthy CrowdStrike agents: with it, the CrowdStrike agent is repaired by the CyberCyte agent. This action is optional.

The "Collect Diagnostic Data" option allows the CyberCyte agent to collect the CrowdStrike agent's health state and event data.

The "Maintenance Intervals" default to 09:00 to 18:00, but they can be changed depending on the organization's requirements.

6. Reviewing the Results

The CrowdStrike health state can be observed under "Threat Hunting" -> "Analysis & Investigation" -> "Assets" -> "CrowdStrike Analysis".

Also, please navigate to "Threat Hunting" -> "Threat Analytics" -> "CrowdStrike Events" to analyze the CrowdStrike events on the CyberCyte portal.
