
Cyware Threat Intelligence eXchange

CrowdStrike EDR

Connector Category: Endpoint Detection Response (EDR)

About Integration

CrowdStrike EDR is an endpoint detection and response tool that continuously monitors end-user devices to detect and respond to cyber threats such as ransomware and malware. This integration enables you to upload and delete indicators in the CrowdStrike EDR application with CTIX data (as an internal application).

The CrowdStrike EDR internal application in Intel Exchange supports the following actions:

Action Name | Description
Delete Indicators | This action deletes indicators from the CrowdStrike EDR application.
Upload Indicators | This action uploads indicators to the CrowdStrike EDR application that are retrieved from Intel Exchange.

To configure CrowdStrike EDR as an internal application, follow these steps:

Create API Client in CrowdStrike

To integrate CrowdStrike with Intel Exchange, you must first create an API client in your CrowdStrike Falcon console. This allows you to generate the credentials required to authenticate API requests and run rules.

Before you Start  

Ensure that you have the Falcon Administrator role, as only users with this role can create API clients in the CrowdStrike Falcon console.

Steps 

To create an API client, follow these steps:

  1. Log in to the CrowdStrike Falcon console.

  2. Go to Menu > Support and resources. Under Resources and tools, click API clients and keys.

  3. Click Create API Client and use the following information:

    • Client name: Enter a name for the API client. For example, Intel Exchange Integration Client

    • Description (Optional): Enter the description for the API client. For example, Used for Intel Exchange integration to perform security actions

    • Scopes: Scopes define what APIs the client can access and what actions it can perform. To enable Intel Exchange to manage IOCs, select Read and Write for the following scope:

      • IOC Management: Allows Intel Exchange to search, create, update, and delete custom indicators of compromise (IOCs) in your account.

      For more information about API scopes, see CrowdStrike API documentation.

  4. Click Create. Once created, the console displays the Client ID, Secret, and Base URL. You can now configure CrowdStrike EDR as an internal application in Intel Exchange using the generated details. For more information, see Configure CrowdStrike EDR as an Internal Application.

    Note

    Copy and store the Secret securely. You will not be able to view it again after closing the credentials window.

Configure CrowdStrike EDR as an Internal Application

Configure CrowdStrike EDR as an internal application to upload and delete indicators.

Before you Start 

  • You must have the base URL, API ID, and API key of your CrowdStrike EDR account. For more information, see Create API Client in CrowdStrike.

  • You must have the view and update tool integration permissions.

Steps 

  1. Go to Administration > Integration Management > Tool Integrations > Internal Applications and select Endpoint Detection Response.

  2. Search and select CrowdStrike EDR.

  3. Click Add Instance and enter the following details:

    • Instance Name: Enter a unique name to identify the instance.

    • Base URL: Enter the base URL of your CrowdStrike EDR instance.

    • API ID: Enter the API ID (Client ID) of your CrowdStrike EDR instance.

    • API Key: Enter the API key (Secret) of your CrowdStrike EDR instance.

    • Verify SSL: Enable this option to verify the SSL certificate and secure the connection between the CTIX and CrowdStrike EDR servers. By default, Verify SSL is selected.

      Note

      Cyware recommends that you keep Verify SSL selected. If you disable this option, CTIX may configure an instance against a server with an expired SSL certificate; the connection may then not be established properly, and CTIX will not be able to notify you of a broken or improperly secured connection.

  4. Click Save.

The CrowdStrike EDR instance is configured and you can view the actions provided by the CrowdStrike EDR tool. You can configure multiple instances of this integration by clicking Manage > Add More.

Enable App Actions

After configuring the CrowdStrike EDR application on CTIX, enable the actions to upload and delete indicators.

  1. Go to Administration > Integration Management > Tool Integrations > Internal Applications and select Endpoint Detection Response.

  2. Search and select CrowdStrike EDR.

  3. In the upper-right corner, click the vertical ellipsis and click Manage.

  4. Click Manage Action(s).

  5. Select the actions and turn on the toggles to enable them.

  6. Click Save.

The actions are enabled and are now ready to use.

Create Rule to Upload Indicators in CrowdStrike EDR

Create a rule to upload specific indicators from CTIX to the CrowdStrike EDR application.

Before you Start 

You must have the View Rules, Create Rules, and Update Rules permissions.

Steps 

To create a rule to upload indicators to the CrowdStrike EDR application, do the following:

  1. Go to Main Menu > Actions > Rules.

  2. Click New Rule.

  3. Enter a rule name and click Submit.

  4. In Source, select the source and collection from which you want to upload indicators.

  5. In Condition, enter the following details:

    1. Intent Type: Select the intent type as Indicator.

    2. Rule Type: Select a rule type to apply specific conditions.

  6. In Actions, enter the following details:

    1. Actions: Select Upload Indicators.

    2. Application: Select CrowdStrike EDR.

    3. Account: Select a CrowdStrike EDR instance you have configured.

    4. Platform: Select the operating system platforms.

    5. Action to be Taken: Select No Action.

    6. Severity: Select the severity of indicators to be uploaded.

  7. Set the global conditions from Additional Actions. For more information, see Additional Actions for Rules.

  8. Click Save.

The rule is created and indicators will be uploaded to CrowdStrike EDR based on the configured sources and conditions when you run the rule.

Similarly, you can create a rule to delete indicators from CrowdStrike EDR.
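To make concrete what the Upload Indicators and Delete Indicators actions do with the API client created earlier, here is an added example (not Cyware's or CrowdStrike's code) of a small Python client that authenticates with the Client ID, Secret and Base URL from the Falcon console, validates indicators before sending them, and maps the rule fields Platform, Action to be Taken and Severity onto the request body. It also shows what disabling Verify SSL actually means for the TLS connection. Assumptions not on this page: the endpoint paths (/oauth2/token, /iocs/entities/indicators/v1), the field names (type, value, action, platforms, severity, applied_globally) and the allowed values follow the public Falcon IOC Management API reference as I know it; confirm them against the CrowdStrike API documentation the page links to. All sample indicators and credentials are constructed.

```python
"""Upload / delete custom IOCs through the CrowdStrike Falcon IOC Management API.

Added example, not part of the Cyware documentation. Endpoint paths and field
names are assumptions taken from the public Falcon API reference; verify them
against the CrowdStrike API documentation before relying on them.
"""
import ipaddress
import json
import re
import ssl
import urllib.parse
import urllib.request

# Allowed values as documented by the Falcon IOC Management API (assumption).
IOC_TYPES = {"sha256", "md5", "domain", "ipv4", "ipv6"}
PLATFORMS = {"windows", "mac", "linux"}
ACTIONS = {"no_action", "allow", "prevent", "prevent_no_ui", "detect"}
SEVERITIES = {"informational", "low", "medium", "high", "critical"}
_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)


def validate_ioc(ioc_type, value):
    """True when value is well-formed for ioc_type; rejects junk before it reaches Falcon."""
    if ioc_type == "sha256":
        return re.fullmatch(r"[0-9a-fA-F]{64}", value) is not None
    if ioc_type == "md5":
        return re.fullmatch(r"[0-9a-fA-F]{32}", value) is not None
    if ioc_type in ("ipv4", "ipv6"):
        try:
            return ipaddress.ip_address(value).version == (4 if ioc_type == "ipv4" else 6)
        except ValueError:
            return False
    if ioc_type == "domain":
        return _DOMAIN_RE.match(value) is not None
    return False


def build_indicator(ioc_type, value, platforms=("windows",), action="no_action",
                    severity="medium", source="CTIX", description=""):
    """One entry of the 'indicators' array; mirrors the rule fields Platform,
    Action to be Taken (No Action) and Severity. Raises ValueError on bad input."""
    if ioc_type not in IOC_TYPES or not validate_ioc(ioc_type, value):
        raise ValueError(f"malformed {ioc_type} indicator: {value!r}")
    if not set(platforms) <= PLATFORMS or action not in ACTIONS or severity not in SEVERITIES:
        raise ValueError("unsupported platform, action or severity")
    return {"type": ioc_type, "value": value, "action": action,
            "platforms": sorted(platforms), "severity": severity, "source": source,
            "description": description, "applied_globally": True}


def upload_payload(indicators, comment="Uploaded by CTIX rule"):
    """Request body for POST /iocs/entities/indicators/v1 (assumed shape)."""
    return {"comment": comment, "indicators": list(indicators)}


class FalconIocClient:
    """Bearer-token client using the API client credentials from the Falcon console."""

    def __init__(self, base_url, client_id, client_secret, verify_ssl=True):
        self.base_url = base_url.rstrip("/")          # e.g. https://api.crowdstrike.com
        self._client_id = client_id                   # "API ID" in the CTIX instance form
        self._client_secret = client_secret           # "API Key" in the CTIX instance form
        self._ctx = ssl.create_default_context()
        if not verify_ssl:
            # This is what "Verify SSL" off means: an expired or forged certificate
            # is accepted silently and the client cannot tell a broken connection.
            self._ctx.check_hostname = False
            self._ctx.verify_mode = ssl.CERT_NONE
        self._token = None

    def verifies_tls(self):
        return self._ctx.verify_mode != ssl.CERT_NONE

    def _request(self, method, path, body=None, headers=None, query=None):
        url = self.base_url + path
        if query:
            url += "?" + urllib.parse.urlencode(query, doseq=True)
        req = urllib.request.Request(url, data=body, method=method, headers=headers or {})
        with urllib.request.urlopen(req, context=self._ctx, timeout=30) as resp:
            return json.loads(resp.read() or b"{}")

    def get_token(self):
        """OAuth2 client-credentials grant; the secret is sent only here, never logged."""
        form = urllib.parse.urlencode({"client_id": self._client_id,
                                       "client_secret": self._client_secret}).encode()
        data = self._request("POST", "/oauth2/token", form,
                             {"Content-Type": "application/x-www-form-urlencoded"})
        self._token = data["access_token"]
        return self._token

    def _auth_headers(self):
        if self._token is None:
            self.get_token()
        return {"Authorization": f"Bearer {self._token}", "Content-Type": "application/json"}

    def upload_indicators(self, indicators, comment="Uploaded by CTIX rule"):
        body = json.dumps(upload_payload(indicators, comment)).encode()
        return self._request("POST", "/iocs/entities/indicators/v1", body, self._auth_headers())

    def delete_indicators(self, ids, comment="Deleted by CTIX rule"):
        return self._request("DELETE", "/iocs/entities/indicators/v1", None,
                             self._auth_headers(), query={"ids": list(ids), "comment": comment})


if __name__ == "__main__":
    # Constructed sample indicators; with real credentials the same payload would be uploaded.
    sample = [build_indicator("sha256", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
                              platforms=("windows", "linux"), severity="high",
                              description="constructed sample hash"),
              build_indicator("domain", "malicious.example", severity="medium")]
    print(json.dumps(upload_payload(sample), indent=2))
```

The validation step matters because the rule's Source and Condition settings decide which CTIX indicators are selected, but not whether each value is syntactically valid for Falcon; rejecting malformed values locally keeps one bad record from failing a whole batch. The IOC Management scope with Read and Write is what allows the POST and DELETE calls to succeed.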