CrowdStrike Integration
The CyberCyte portal can integrate with CrowdStrike for further analysis and investigations. To integrate, please follow these steps:
Navigate to "Settings & Reporting" -> "Integration Settings" -> "Credential Settings". Click the "+ Credential" button to create a new credential and select "CrowdStrike Credential" as the "Credential Type". The Client ID, Client Secret and Cloud Destination are unique to your CrowdStrike tenant and must be provided by the user.
Navigate to "Settings & Reporting" -> "Integration Settings" -> "Repository Management". Click the "+Repository" button to create a new CrowdStrike repository, select "CrowdStrike" as the Type and fill in the remaining fields as shown below. The "Credential" field uses the credential created in the previous step. Enable the repository and set the sync interval; the recommended default is 15 minutes.
Navigate to "Rules & Policies" -> "Policy Management" and click the "+ Policy" button. Select the module named "CrowdStrike Health Analysis" and the type named "CrowdStrike Health Analysis". After the selection, the required fields will appear. Fill in the required values; a demonstration is provided below:
If the organization uses CrowdStrike on the cloud, select "Install From Cloud"; otherwise, select "Install From Local Package". This option allows the agent to install CrowdStrike if it is not installed. For these actions, the agent requires the CrowdStrike credential provided previously. The "Custom Installation Command" section is designed for that feature; the CID parameter is required for installations.
Also, the CID (CrowdStrike ID) must be provided inside the policy.
The "Perform Repair" option is designed for unhealthy CrowdStrike agents: with this option enabled, the CyberCyte agent repairs the CrowdStrike agent. This action is optional.
The "Collect Diagnostic Data" option allows the CyberCyte agent to collect the CrowdStrike agent's health state and event data.
The "Maintenance Intervals" default to 09:00 to 18:00, but they can be changed according to the organization's requirements.
The results can be viewed under "Threat Hunting" -> "Analysis & Investigation" -> "Assets" -> "CrowdStrike Analysis".
Also, navigate to "Threat Hunting" -> "Threat Analytics" -> "CrowdStrike Events" to analyze the CrowdStrike events on the CyberCyte portal.
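The following PowerShell script is an added illustration, not CyberCyte or CrowdStrike code, of the decision logic the policy options above describe on a single Windows host: check the sensor's health, and only within the maintenance interval, install it with the CID when it is missing. The service and driver names come from CrowdStrike's public documentation; the CID value and the local package path are placeholders, and without the -PerformInstall switch the script only reports what it would do.

```powershell
# Added illustration of the policy logic (not CyberCyte's own implementation).
# Assumptions: CSFalconService / csagent are the sensor's documented service and
# driver names; $Cid and $LocalPackage are placeholders to be replaced.
param(
    [string]$Cid          = "<YOUR-CID>",                 # placeholder: CID from the Falcon console
    [string]$LocalPackage = "C:\Temp\WindowsSensor.exe",  # placeholder: "Install From Local Package"
    [string]$WindowStart  = "09:00",                      # default maintenance interval start
    [string]$WindowEnd    = "18:00",                      # default maintenance interval end
    [switch]$PerformInstall                               # omit to run in report-only mode
)

function Test-InMaintenanceWindow {
    # Get-Date with a bare time string yields today's date at that time
    $now = Get-Date
    return ($now -ge (Get-Date $WindowStart) -and $now -le (Get-Date $WindowEnd))
}

function Get-FalconHealth {
    $svc = Get-Service -Name CSFalconService -ErrorAction SilentlyContinue
    if (-not $svc) { return "NotInstalled" }
    # "sc query csagent" is CrowdStrike's documented running check (STATE 4 = RUNNING)
    $driverState = (sc.exe query csagent | Select-String "STATE") -join ""
    if ($svc.Status -eq "Running" -and $driverState -match "RUNNING") { return "Healthy" }
    return "Unhealthy"
}

$health = Get-FalconHealth
Write-Output "CrowdStrike sensor state: $health"

if (-not (Test-InMaintenanceWindow)) {
    Write-Output "Outside maintenance interval $WindowStart-$WindowEnd; no action taken."
    return
}

switch ($health) {
    "NotInstalled" {
        # Mirrors "Install From Local Package"; the CID parameter is mandatory
        $installArgs = "/install /quiet /norestart CID=$Cid"
        if ($PerformInstall) {
            Start-Process -FilePath $LocalPackage -ArgumentList $installArgs -Wait
        } else {
            Write-Output "Would run: $LocalPackage $installArgs"
        }
    }
    "Unhealthy" { Write-Output "Sensor installed but not running: the policy's 'Perform Repair' option covers this case." }
    default     { Write-Output "Sensor healthy; no action needed." }
}
```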