CrowdStrike EDR
Connector Category: Endpoint Detection Response (EDR)
About Integration
CrowdStrike EDR is an endpoint detection and response tool that continuously monitors end-user devices to detect and respond to cyber threats such as ransomware and malware. This integration, configured as an internal application in CTIX, lets you push indicators from CTIX into CrowdStrike EDR as custom indicators of compromise (IOCs) and delete them again when they are no longer needed.
The CrowdStrike EDR internal application in Intel Exchange supports the following actions:
Action Name | Description |
---|---|
Delete Indicators | This action deletes indicators from the CrowdStrike EDR application. |
Upload Indicators | This action uploads indicators to the CrowdStrike EDR application that are retrieved from Intel Exchange. |
To configure CrowdStrike EDR as an internal application, follow these steps:
Create API Client in CrowdStrike
To integrate CrowdStrike with Intel Exchange, you must first create an API client in your CrowdStrike Falcon console. This allows you to generate the credentials required to authenticate API requests and run rules.
Before you Start
Ensure that you have the Falcon Administrator role, as only users with this role can create API clients in the CrowdStrike Falcon console.
Steps
To create an API client, follow these steps:
Log in to the CrowdStrike Falcon console.
Go to Menu > Support and resources. Under Resources and tools, click API clients and keys.
Click Create API Client and use the following information:
Client name: Enter a name for the API client. For example, Intel Exchange Integration Client
Description (Optional): Enter the description for the API client. For example, Used for Intel Exchange integration to perform security actions
Scopes: Scopes define which APIs the client can access and what it can do with them. To enable Intel Exchange to manage IOCs, select Read and Write for the following scope only:
IOC Management: Allows Intel Exchange to search, create, update, and delete custom indicators of compromise (IOCs) in your account. The upload and delete actions described on this page need no other scope, so do not grant any; a client limited to this scope cannot be misused for anything beyond IOC management if its Secret is exposed.
For more information about API scopes, see CrowdStrike API documentation.
Click Create. Once created, the console displays the Client ID, Secret, and Base URL. You can now configure CrowdStrike EDR as an internal application in Intel Exchange using the generated details. For more information, see Configure CrowdStrike EDR as an Internal Application.
Note
Copy and store the Secret securely. You will not be able to view it again after closing the credentials window.
Configure CrowdStrike EDR as an Internal Application
Configure CrowdStrike EDR as an internal application to upload and delete indicators.
Before you Start
You must have the Base URL, Client ID (entered in CTIX as the API ID), and Secret (entered in CTIX as the API Key) of the CrowdStrike API client. For more information, see Create API Client in CrowdStrike.
You must have the view and update tool integration permissions.
Steps
Go to Administration > Integration Management > Tool Integrations > Internal Applications and select Endpoint Detection Response.
Search and select CrowdStrike EDR.
Click Add Instance and enter the following details:
Instance Name: Enter a unique name to identify this instance.
Base URL: Enter the base URL of your CrowdStrike EDR instance.
API ID: Enter the API ID (Client ID) of your CrowdStrike EDR instance.
API Key: Enter the API key (Secret) of your CrowdStrike EDR instance.
Verify SSL: Enable this option to verify the SSL certificate and secure the connection between the CTIX and CrowdStrike EDR servers. By default, Verify SSL is selected.
Note
Cyware recommends that you keep Verify SSL selected. If you disable it, CTIX does not validate the certificate presented by the CrowdStrike server, so the instance can be saved and used even when that certificate is expired or otherwise invalid. The connection may then fail or be improperly secured, and CTIX has no way to notify you that it is broken.
Click Save.
The CrowdStrike EDR instance is configured and you can view the actions provided by the CrowdStrike EDR tool. You can configure multiple instances of this integration by clicking Manage > Add More.
Enable App Actions
After configuring the CrowdStrike EDR application on CTIX, enable the actions to upload and delete indicators.
Go to Administration > Integration Management > Tool Integrations > Internal Applications and select Endpoint Detection Response.
Search and select CrowdStrike EDR.
On the upper-right corner, click the vertical ellipsis and click Manage.
Click Manage Action(s).
Turn on the toggle for each action you want to enable (Upload Indicators, Delete Indicators).
Click Save.
The actions are enabled and are now ready to use.
Create Rule to Upload Indicators in CrowdStrike EDR
Create a rule to upload specific indicators from CTIX to the CrowdStrike EDR application.
Before you Start
You must have the View Rules, Create Rules, and Update Rules permissions.
Steps
To create a rule to upload indicators to the CrowdStrike EDR application, do the following:
Go to Main Menu > Actions > Rules.
Click New Rule.
Enter a rule name and click Submit.
In Source, select the source and collection from which you want to upload indicators.
In Condition, enter the following details:
Intent Type: Select the intent type as Indicator.
Rule Type: Select a rule type to apply specific conditions.
In Actions, enter the following details:
Actions: Select Upload Indicators.
Application: Select CrowdStrike EDR.
Account: Select a CrowdStrike EDR instance you have configured.
Platform: Select the operating system platforms (for example, Windows, Mac, Linux) on which CrowdStrike applies the uploaded indicators.
Action to be Taken: Select No Action.
Severity: Select the severity to be set on the uploaded indicators in CrowdStrike.
Set the global conditions from Additional Actions. For more information, see Additional Actions for Rules.
Click Save.
The rule is created and indicators will be uploaded to CrowdStrike EDR based on the configured sources and conditions when you run the rule.
To remove indicators from CrowdStrike EDR, create a rule in the same way and select Delete Indicators as the action.
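The following script is an added example, not Cyware's or CrowdStrike's own code. It shows what the Upload Indicators and Delete Indicators actions amount to against the CrowdStrike Falcon API once the API client above exists: a client-credentials token request, an upload body built from the rule fields (Platform, Action to be Taken, Severity), a delete request keyed on the IOC ids CrowdStrike returned, and a TLS context that makes explicit what switching Verify SSL off means. Assumptions: the token endpoint is POST <Base URL>/oauth2/token and custom IOCs live at <Base URL>/iocs/entities/indicators/v1 (public CrowdStrike endpoints); the indicator type names on the CTIX side (ipv4-addr, domain-name, ...) and the sample indicators are constructed for the example; credentials are read from environment variables.

```python
"""Added example: what a CTIX upload/delete rule does against the Falcon IOC API."""
import json
import os
import ssl
import urllib.parse
import urllib.request

TOKEN_PATH = "/oauth2/token"                    # CrowdStrike OAuth2 token endpoint
IOC_PATH = "/iocs/entities/indicators/v1"       # CrowdStrike custom IOC endpoint

# Assumed CTIX-side indicator type names mapped to CrowdStrike custom IOC types.
IOC_TYPE_MAP = {
    "ipv4-addr": "ipv4",
    "ipv6-addr": "ipv6",
    "domain-name": "domain",
    "md5": "md5",
    "sha256": "sha256",
}
VALID_PLATFORMS = {"windows", "mac", "linux"}
VALID_ACTIONS = {"no_action", "allow", "detect", "prevent", "prevent_no_ui"}
VALID_SEVERITIES = {"informational", "low", "medium", "high", "critical"}


def token_request(base_url, client_id, client_secret):
    """URL and form body for the client-credentials grant; the Secret travels in the body, never the URL."""
    form = {"client_id": client_id, "client_secret": client_secret}
    return base_url.rstrip("/") + TOKEN_PATH, urllib.parse.urlencode(form).encode()


def build_upload_payload(indicators, platforms, action="no_action", severity="medium", source="CTIX"):
    """Turn rule settings into the IOC API body. Unsupported types are returned as skipped, not dropped silently."""
    platforms = [p.lower() for p in platforms]
    bad = set(platforms) - VALID_PLATFORMS
    if bad or action not in VALID_ACTIONS or severity not in VALID_SEVERITIES:
        raise ValueError(f"unsupported platform {sorted(bad)}, action {action!r} or severity {severity!r}")
    body, skipped = [], []
    for ind in indicators:
        cs_type = IOC_TYPE_MAP.get(ind["type"])
        if cs_type is None:
            skipped.append(ind["value"])
            continue
        body.append({
            "type": cs_type,
            "value": ind["value"],
            "action": action,            # "no_action" matches "Action to be Taken: No Action"
            "platforms": platforms,      # the rule's Platform selection
            "severity": severity,        # the rule's Severity selection
            "source": source,
            "applied_globally": True,
        })
    return {"indicators": body}, skipped


def delete_request(base_url, ioc_ids):
    """DELETE URL for the IOC ids that the upload call returned in resources[].id."""
    query = urllib.parse.urlencode([("ids", i) for i in ioc_ids])
    return f"{base_url.rstrip('/')}{IOC_PATH}?{query}"


def tls_context(verify_ssl=True):
    """verify_ssl=False is what Verify SSL switched off means: no chain or hostname check at all."""
    ctx = ssl.create_default_context()
    if not verify_ssl:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def call(url, method, token=None, data=None, verify_ssl=True):
    """One Falcon API call; JSON dicts are sent as application/json, bytes as a form body."""
    headers = {"Accept": "application/json"}
    if token:
        headers["Authorization"] = f"Bearer {token}"
    if isinstance(data, dict):
        data = json.dumps(data).encode()
        headers["Content-Type"] = "application/json"
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, context=tls_context(verify_ssl), timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    base = os.environ["FALCON_BASE_URL"]   # the Base URL shown when the API client was created
    url, form = token_request(base, os.environ["FALCON_CLIENT_ID"], os.environ["FALCON_CLIENT_SECRET"])
    token = call(url, "POST", data=form)["access_token"]
    # Constructed sample indicators in the shape a CTIX rule would hand over.
    sample = [{"type": "ipv4-addr", "value": "203.0.113.10"},
              {"type": "domain-name", "value": "bad.example"},
              {"type": "url", "value": "http://bad.example/x"}]   # no CrowdStrike type: reported as skipped
    payload, skipped = build_upload_payload(sample, ["Windows", "Linux"], "no_action", "high")
    created = call(base.rstrip("/") + IOC_PATH, "POST", token, payload)
    ids = [r["id"] for r in created.get("resources", [])]
    print("created:", ids, "skipped:", skipped)
    # The delete action reverses the upload using the ids CrowdStrike assigned.
    print(call(delete_request(base, ids), "DELETE", token))
```

The pure functions (token_request, build_upload_payload, delete_request, tls_context) can be exercised without network access; only the `__main__` section talks to Falcon, and it fails fast with a KeyError if the three environment variables are missing rather than falling back to credentials in source.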