CrowdStrike EDR
Connector Category: Endpoint Detection Response (EDR)
About Integration
CrowdStrike EDR is an endpoint detection and response tool that continuously monitors end-user devices to detect and respond to cyber threats such as ransomware and malware. This integration enables you to upload and delete indicators in the CrowdStrike EDR application with CTIX data (as an internal application).
The CrowdStrike EDR internal application in Intel Exchange supports the following actions:
| Action Name | Description |
|---|---|
| Delete Indicators | This action deletes indicators from the CrowdStrike EDR application. |
| Upload Indicators | This action uploads indicators retrieved from Intel Exchange to the CrowdStrike EDR application. |
To configure CrowdStrike EDR as an internal application, follow these steps:
Configure CrowdStrike EDR as an Internal Application
Configure CrowdStrike EDR as an internal application to upload and delete indicators.
Before you Start
You must have the base URL, API ID, and API key of your CrowdStrike EDR account.
You must have the view and update tool integration permissions.
Steps
Go to Administration > Integration Management > Tool Integrations > Internal Applications and select Endpoint Detection Response.
Search and select CrowdStrike EDR.
Click Add Instance and enter the following details:
Instance Name: Enter a unique name to identify the instance.
Base URL: Enter the base URL of your CrowdStrike EDR instance.
API ID: Enter the API ID of your CrowdStrike EDR account.
API Key: Enter the API key of your CrowdStrike EDR account.
Verify SSL: Enable this option to verify the SSL certificate and secure the connection between the CTIX and CrowdStrike EDR servers. By default, Verify SSL is selected.
Note
Cyware recommends that you keep Verify SSL selected. If you disable this option, CTIX may configure an instance against an expired or otherwise invalid SSL certificate. The connection may then not be established properly, and CTIX will not be able to notify you of a broken or improperly secured connection.
Click Save.
The CrowdStrike EDR instance is configured and you can view the actions provided by the CrowdStrike EDR tool. You can configure multiple instances of this integration by clicking Manage > Add More.
Enable App Actions
After configuring the CrowdStrike EDR application on CTIX, enable the actions to upload and delete indicators.
Go to Administration > Integration Management > Tool Integrations > Internal Applications and select Endpoint Detection Response.
Search and select CrowdStrike EDR.
In the upper-right corner, click the vertical ellipsis and click Manage.
Click Manage Action(s).
Select the actions and turn on the toggles to enable them.
Click Save.
The actions are enabled and are now ready to use.
Create Rule to Upload Indicators in CrowdStrike EDR
Create a rule to upload specific indicators from CTIX to the CrowdStrike EDR application.
Before you Start
You must have the View Rules, Create Rules, and Update Rules permissions.
Steps
To create a rule to upload indicators to the CrowdStrike EDR application, do the following:
Go to Main Menu > Actions > Rules.
Click New Rule.
Enter a rule name and click Submit.
In Source, select the source and collection from which you want to upload indicators.
In Condition, enter the following details:
Intent Type: Select the intent type as Indicator.
Rule Type: Select a rule type to apply specific conditions.
In Actions, enter the following details:
Actions: Select Upload Indicators.
Application: Select CrowdStrike EDR.
Account: Select a CrowdStrike EDR instance you have configured.
Platform: Select the operating system platforms.
Action to be Taken: Select No Action.
Severity: Select the severity of indicators to be uploaded.
Set the global conditions from Additional Actions. For more information, see Additional Actions for Rules.
Click Save.
The rule is created. When you run the rule, indicators that match the configured sources and conditions are uploaded to CrowdStrike EDR.
Similarly, you can create a rule to delete indicators from CrowdStrike EDR.