# CrowdStrike Integration

The CyberCyte portal provides CrowdStrike integration for more comprehensive visibility. We recommend it for observing all CrowdStrike security events from the user's infrastructure in one portal.

## 1. Create API Key

Please log in to the CrowdStrike Falcon Management Console and navigate to "Support and resources" -> "Resource and tools" -> "API Client and keys". On that page, create an API client and save the "Client ID", "Secret" and "Base URL".

<figure><img src="/files/oIZfUEGQ9ygswe3lK4WK" alt="" width="317"><figcaption></figcaption></figure>

These scopes should be selected:

| Scope           | Read | Write |
| --------------- | ---- | ----- |
| Alerts          | True | True  |
| Hosts           | True | False |
| Host Groups     | True | False |
| Incidents       | True | True  |
| Sensor Download | True | False |
| Vulnerabilities | True | False |
| Detections      | True | False |

<figure><img src="/files/fNrjZ2UxJsDw2crHU4q9" alt="" width="319"><figcaption></figcaption></figure>
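To check that an API client carries exactly the scopes in the table above, the following added example (not part of the CyberCyte or CrowdStrike tooling) compares a set of granted scopes against the table. It reports permissions that are missing and permissions that exceed what the table asks for. The `GRANTED_SAMPLE` data and the helper names are assumptions made for illustration.

```python
# Required scopes: names and True/False values copied from the table on this page.
REQUIRED_TABLE = """\
| Scope           | Read | Write |
| --------------- | ---- | ----- |
| Alerts          | True | True  |
| Hosts           | True | False |
| Host Groups     | True | False |
| Incidents       | True | True  |
| Sensor Download | True | False |
| Vulnerabilities | True | False |
| Detections      | True | False |
"""

# Constructed sample: scopes transcribed by hand from an API client's detail page.
# "Example Extra Scope" is a made-up name standing in for any scope not in the table.
GRANTED_SAMPLE = {
    "Alerts": {"read", "write"},
    "Hosts": {"read", "write"},
    "Host Groups": {"read"},
    "Incidents": {"read"},
    "Sensor Download": {"read"},
    "Vulnerabilities": {"read"},
    "Detections": {"read"},
    "Example Extra Scope": {"write"},
}

def parse_scope_table(markdown):
    """Turn the markdown table into {scope name: set of required permissions}."""
    required = {}
    rows = [l.strip() for l in markdown.splitlines() if l.strip().startswith("|")]
    for row in rows[2:]:  # skip the header row and the separator row
        name, read, write = [c.strip() for c in row.strip("|").split("|")]
        required[name] = {p for p, flag in (("read", read), ("write", write)) if flag == "True"}
    return required

def audit_scopes(granted, required):
    """Return (missing, excess) lists of (scope, permission) pairs."""
    missing, excess = [], []
    for scope in sorted(set(granted) | set(required)):
        want, have = required.get(scope, set()), granted.get(scope, set())
        missing += [(scope, p) for p in sorted(want - have)]  # required but not granted
        excess += [(scope, p) for p in sorted(have - want)]   # granted beyond the table
    return missing, excess

if __name__ == "__main__":
    missing, excess = audit_scopes(GRANTED_SAMPLE, parse_scope_table(REQUIRED_TABLE))
    for scope, perm in missing:
        print(f"MISSING {scope}: {perm}")
    for scope, perm in excess:
        print(f"EXCESS  {scope}: {perm}")
```
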

## 2. Falcon Sensor Configurations

Please log in to the CrowdStrike Falcon Management Console and navigate to "Host setup and management" -> "Deploy" -> "Sensor downloads". Please save the "Customer ID".

<figure><img src="/files/XdZWX1gxkO5ZD4ywHLvk" alt="" width="240"><figcaption></figcaption></figure>

## 3. Create Remote Credential in Portal

Please navigate to "Settings & Reporting" -> "Integration Settings" -> "Credential Settings". Click on the "+ Credential" button to create a new credential. Select "CrowdStrike Credential" as the "Credential Type". The Client ID, Client Secret and Cloud Destination values were already created in the previous steps.

## 4. Create a Repository on the Portal

Please navigate to "Settings & Reporting" -> "Integration Settings" -> "Repository Management". Click on the "+Repository" button to create a new CrowdStrike repository, select "CrowdStrike" as the Type, and fill in the rest of the blank fields like below. The "Credential" section is explained in the previous step. Please enable the repository and set the sync interval; 15 minutes is the recommended default.

## 5. Create a Policy in the Portal

Please navigate to "Rules & Policies" -> "Policy Management" and click on the "+ Policy" button. Please select the module named "CrowdStrike Health Analysis" and the type named "CrowdStrike Health Analysis". After the selection, the required fields will appear. Please fill in the blanks with the required values; a demonstration is provided below:

If the organization uses CrowdStrike in the cloud, it can select "Install From Cloud"; if not, it can select "Install From Local Package". This option allows the agent to install CrowdStrike if it is not installed. For these actions, agents require the CrowdStrike credentials that were provided previously. The "Custom Installation Command" section is designed for that feature; the CID parameter is required for installations.

Also, the CID (CrowdStrike ID/Customer ID) information should be provided inside the policy.

The "Perform Repair" option is designed for unhealthy CrowdStrike agents: with it, the CrowdStrike agent is repaired by the CyberCyte agent. This action is optional.

The "Collect Diagnostic Data" option allows the CyberCyte agent to get the CrowdStrike agent health state and event data.

The "Maintenance Intervals" default to 09:00 to 18:00, but they can be changed depending on the organization's requirements.

## 6. Reviewing the Results

The CrowdStrike health state can be observed under "Analysis & Investigation" -> "Artifact Analysis" -> "Threat Management" -> "CrowdStrike Analysis".

Also, please navigate to "Analysis & Investigation" -> "Artifact Analysis" -> "Threat Management" -> "CrowdStrike Events" to analyze the CrowdStrike events on the CyberCyte portal.

