CrowdStrike

CrowdStrike’s security platform aims to stop breaches by offering advanced threat intelligence and real-time protection. CrowdStrike's solutions include endpoint protection, threat intelligence, and incident response services, all delivered through their cloud-based Falcon platform.

Integration Method: API
Tables: Detection Finding (2004), Incident Finding (2005), Device Inventory Info (5001)

This integration supports the following events.

This integration supports the following versions.

Prerequisites

• The user should ensure scopes are properly assigned to the API token for successful data retrieval.

• The user should have access to the DataBee console.

Configuration Overview

1. Generate client credentials with the required scopes.

2. Add the CrowdStrike data feed in the DataBee console with the below parameters.

CrowdStrike Configuration

Start by creating the API Client and get the necessary information for API authentication such as Client ID and Client Secret.

1. Log on to CrowdStrike Platform.

2. Navigate to the top-left Navigation menu > Support and resources > API clients and keys.
    

3. Click on the Create API client button.
    

4. Enter ‘Client Name’ to identify API clients. Also add ‘Description’ that describes the purpose for the API client, if desired.
    

5. The following scope needs to be added for the endpoint to function properly:

   Event	Permission
   Alerts	Alerts.Read
   Detects	Detections.Read
   Incidents	Incidents.Read
   Devices	Hosts.Read

6. Select Host-Read scope to collect the device logs.
    

7. Select Alerts-Read scope to collect alert logs.

8. Select Detection-Read scope to collect detection logs.
    

9. Select Incidents-Read scope to collect incident logs.
    

10. Click on the Create button.
     

11. Copy the Base URL, Client ID, and Secret for later use, then click Done.
     

Note:

You will not be able to view this again after you complete this step. Ensure that you copy it before closing the notification.

DataBee Configuration

1. Login to the DataBee UI, navigate to Data > Data Feeds and click the Add New Data Feed button.
    

2. Search for CrowdStrike and click it as shown below.
    

3. Click on the API Ingest option for the collection method.
    

4. Enter feed contact information and click Next.
    

5. In the next dialog, enter the following:

   • Authorization Method: OAuth2

   • API Base URL: paste the Base URL.

   • Client Key: paste the Client ID.

   • Client Secret: paste the Secret.

   • Token URL: replace the <region> with your tenant specific information obtained from the Base URL.

   • Event Types: preselected for all the event types that integration pulls.

6. Click Submit.
    

Troubleshooting Tips

• If you’re facing invalid_client or unauthorized_client issues this might be possibly due to incorrect credentials. Ensure the token is pasted correctly. Since you cannot view the token after the 1st time, re-create the token, paste it on a text editor to ensure no spaces or unexpected characters are included and reconfigure the DataBee feed.

• If you are facing 403 response code this might be possibly due to missing permissions. Check that CrowdStrike API credentials have the necessary scope. If needed, update the API credentials' scope using CrowdStrike platform, save the changes, and retry the integration.