CrowdStrike Falcon
runZero integrates with CrowdStrike by importing data through the CrowdStrike Falcon API. This integration allows you to sync and enrich your asset inventory, as well as ingest vulnerability data from Falcon Spotlight and software data from Falcon Discover. Adding your CrowdStrike data to runZero makes it easier to find things like endpoints that are missing an EDR agent.
Getting started
To set up the CrowdStrike integration, you’ll need to:
- Configure CrowdStrike to allow API access through runZero.
- Add the CrowdStrike credentials to runZero: the client ID, the client secret, and the CrowdStrike base API URL.
- Choose whether to configure the integration as a scan probe or connector task.
- Activate the CrowdStrike integration to sync your data with runZero.
Requirements
Before you can set up the CrowdStrike integration:
- Verify that you have runZero Enterprise.
- Make sure you have access to the CrowdStrike admin portal.
Step 1: Configure CrowdStrike to allow API access to runZero
- Sign in to CrowdStrike.
- Go to Support > API Clients and Keys. When the API Key page appears, choose to add a new API client.
- Provide the following details for the API client:
- Client name: API client name, such as runZero.
- API scope (read permissions are sufficient for every data type; do not grant write scopes to this client):
- To ingest host details, include read permissions for Hosts and Host Groups.
- To ingest vulnerability data, include read permissions for Vulnerabilities.
- To ingest software data, include read permissions for Assets.
- When you are done, add the client. An API client created window appears and shows you the client ID and client secret. You’ll need them to configure the integration in runZero.
- Copy the client ID and client secret now and store them securely. You may not be able to retrieve the secret later, and anyone holding it can read your host, vulnerability and software data.
Step 2: Add the CrowdStrike credentials to runZero
- Go to the Credentials page in runZero. Provide a name for the credentials, like CrowdStrike Falcon.
- Choose CrowdStrike Falcon API key from the list of credential types.
- Provide the following information:
- CrowdStrike client ID and CrowdStrike client secret - To generate your client ID and client secret, go to Support > API Clients and Keys > OAuth2 API clients > Add new API Client in your CrowdStrike portal.
- CrowdStrike API URL - Your organization-specific base URL, which depends on your account type. You can find this in the CrowdStrike API Swagger documentation.
- For a US-1 account use api.crowdstrike.com
- For a US-2 account use api.us-2.crowdstrike.com
- For a US-GOV-1 account use api.laggar.gcw.crowdstrike.com
- For an EU-1 account use api.eu-1.crowdstrike.com
- If you want other organizations to be able to use these credentials, select the Make this a global credential option. Otherwise, you can configure access on a per organization basis.
- Save the credentials. You’re now ready to set up and activate the connection to bring in data from CrowdStrike.
Step 3: Choose how to configure the CrowdStrike integration
The CrowdStrike integration can be configured as either a scan probe or a connector task. Scan probes gather data from integrations during scan tasks. Connector tasks run independently from either the cloud or one of your Explorers, only performing the integration sync.
Step 4: Set up and activate the CrowdStrike integration to sync data
After you add your CrowdStrike credential, you’ll need to set up a connector task or scan probe to sync your data.
Step 4a: Configure the CrowdStrike integration as a connector task
A connection requires you to set a schedule and choose a site. The schedule determines when the sync occurs, and the site determines where any new CrowdStrike-only assets are created.
- Activate a connection to CrowdStrike. You can access all available third-party connections from the integrations page, your inventory, or the tasks page.
- Choose the credential you added earlier. If you don’t see the credential listed, make sure that it has access to the organization you are currently in.
- Set the severity and risk levels you want to import (optional).
- Set the Fingerprint only toggle to Yes if you want vulnerability records to be ingested for fingerprint analysis but not stored in your runZero vulnerability inventory (optional).
- Add a filter for imported assets (optional). If the CrowdStrike API key is configured with access to Falcon Discover or Falcon Spotlight, software and vulnerability data will only be imported for the assets included in the filtered results.
- Enter a name for the task, like CrowdStrike sync (optional).
- Choose the Explorer to perform this connector task from (optional).
- Choose the site you want to add your assets to. All newly discovered assets will be stored in this site.
- Enter a description for the task (optional).
- If you want to exclude assets that have not been scanned by runZero from your integration import, switch the Exclude unknown assets toggle to Yes. By default, the integration will include assets that have not been scanned by runZero.
- Schedule the sync. A sync can be set to run on a recurring schedule or run once. The schedule will start on the date and time you have set.
- Activate the connection when you are done. The sync will run on the defined schedule. You can always check the Scheduled tasks to see when the next sync will occur.
Step 4b: Configure the CrowdStrike integration as a scan probe
- Create a new scan task or select a future or recurring scan task from your Tasks page.
- Add or update the scan parameters based on any additional requirements.
- On the Probes and SNMP tab, choose which additional probes to include, set the CrowdStrike toggle to Yes, and change any of the default options if needed.
- On the Credentials tab, set the CrowdStrike toggle for the credential you wish to use to Yes.
- Click Initialize scan to save the scan task and have it run immediately or at the scheduled time.
Step 5: View CrowdStrike assets and vulnerabilities
After a successful sync, you can go to your inventory to view your CrowdStrike assets and vulnerabilities. These will have a CrowdStrike icon listed in the Source column.
To filter by CrowdStrike attributes, consider running the following queries. The same source:crowdstrike query returns different records depending on which inventory you run it in:
- View all CrowdStrike assets (asset inventory): source:crowdstrike
- Find assets that have a CrowdStrike EDR agent installed: edr.name:crowdstrike
- Find Windows assets, excluding servers, that are missing a CrowdStrike EDR agent: os:windows and not type:server and not edr.name:crowdstrike
- View all CrowdStrike vulnerabilities (vulnerability inventory): source:crowdstrike
- View all CrowdStrike software results (software inventory): source:crowdstrike
Click into each asset or vulnerability to see its individual attributes. runZero will show you the attributes returned by the CrowdStrike API, with the exception of policies.
Filtering CrowdStrike assets
An optional filter can be applied to CrowdStrike integration tasks. runZero passes the filter to CrowdStrike, which evaluates it using Falcon Query Language (FQL). An FQL expression follows the syntax <property>:[operator]<value>, where the operator is optional and its absence means equality. Multiple expressions can be combined for more complex filtering by adding a + between expressions (logical AND). A logical OR is written as comma-separated expressions.
Properties
The following are some useful CrowdStrike properties that can be used in an FQL expression to filter assets. Details on additional attributes that are available for filtering can be found by reviewing CrowdStrike’s API documentation.
CrowdStrike Property | runZero Attribute | Description | Example |
---|---|---|---|
external_ip | externalIP | The external IP address of the device | 18.191.169.203 |
first_seen | firstSeen | Timestamp of when the device was first seen by CrowdStrike | 2022-01-08T19:42:34Z |
hostname | hostname | The hostname of the device | EXPLORER-01 |
last_seen | lastSeen | Timestamp of when the device was last seen by CrowdStrike | 2022-09-13T19:14:30Z |
local_ip | localIP | The local IP address of the device | 192.168.1.100 |
mac_address | macAddress | The MAC address of the interface that communicates with CrowdStrike | 0a-6e-20-4a-e6-56 |
os_version | osVersion | The operating system version of the device | Ubuntu 20.04 |
platform_name | platformName | The platform running on the device | Linux |
product_type_desc | productTypeDesc | The type of device | Server |
Operators
The following operators can be used in an FQL expression to filter assets.
Operator | Description |
---|---|
(none) | Equal to |
! | Not equal to |
> | Greater than |
>= | Greater than or equal to |
< | Less than |
<= | Less than or equal to |
~ | Text match. Tokenizes the string, ignoring spaces, case and punctuation |
!~ | Does not text match. Tokenizes the string, ignoring spaces, case and punctuation |
* | Wildcard matching. Matches one or more characters |
Example Filters
The following are examples of filters that can be applied to the CrowdStrike sync.
Search Filter | Description |
---|---|
hostname:'WIN10*' | Import all devices where the hostname starts with WIN10 |
platform_name:'Linux' | Import all Linux devices |
product_type_desc:'Server' | Import all devices that CrowdStrike identifies as a Server |
hostname:'PROD*'+platform_name:'Linux' | Import all Linux devices with a hostname that starts with PROD |
local_ip:'192.168.1.100' | Only import the device with a local IP address of 192.168.1.100 |
local_ip:!'192.168.1.100' | Import all devices, excluding 192.168.1.100 |
local_ip.raw:*'192.168.1.*' | Import all devices with a local IP address in the 192.168.1.0/24 range |
(local_ip.raw:*'192.168.1.*'),(local_ip.raw:*'192.168.2.*') | Import all devices with a local IP address in the 192.168.1.0/24 or 192.168.2.0/24 range |
local_ip.raw:!*'192.168.1.*' | Import all devices, excluding devices with a local IP address in the 192.168.1.0/24 range |
local_ip.raw:!*'192.168.1.*'+local_ip.raw:!*'192.168.2.*' | Import all devices, excluding devices with a local IP address in the 192.168.1.0/24 and 192.168.2.0/24 ranges |
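The filter is evaluated by CrowdStrike when runZero queries the API, so a misplaced ! or a wrong property name can quietly change which hosts are imported, and with it which hosts get Spotlight and Discover data. The following added example (not runZero's or CrowdStrike's own code) implements the FQL subset documented in this section as a local previewer, so an expression can be checked against a host list, here a constructed sample, before it is put on a sync task. It assumes that AND (+) binds tighter than OR (,), that matching is case-insensitive, that a * inside a quoted value acts as a wildcard even without the * operator, and that a host lacking the property never matches; where CrowdStrike's server-side semantics differ, CrowdStrike is authoritative.

```python
"""Preview which CrowdStrike hosts an FQL asset filter would keep.

Added example; not runZero's or CrowdStrike's own code. Implements the FQL
subset described on this page (property:[operator]value, '+' AND, ',' OR,
optional parentheses, '!' negation, '*' wildcard, '~' tokenised text match,
and the >, >=, <, <= comparisons) as a local approximation of CrowdStrike's
matching. Assumptions: AND binds tighter than OR, matching is case-insensitive,
a '*' inside a quoted value is a wildcard, and a missing property never matches.
"""
import fnmatch
import re
from typing import Callable

# Constructed sample records shaped like CrowdStrike device details (not real hosts).
SAMPLE_HOSTS = [
    {"hostname": "PROD-WEB-01", "platform_name": "Linux", "product_type_desc": "Server",
     "local_ip": "192.168.1.100", "os_version": "Ubuntu 20.04", "last_seen": "2022-09-13T19:14:30Z"},
    {"hostname": "WIN10-LAPTOP-7", "platform_name": "Windows", "product_type_desc": "Workstation",
     "local_ip": "192.168.2.15", "os_version": "Windows 10", "last_seen": "2022-09-12T08:01:00Z"},
    {"hostname": "DEV-DB-02", "platform_name": "Linux", "product_type_desc": "Server",
     "local_ip": "10.0.0.5", "os_version": "Ubuntu 22.04", "last_seen": "2022-06-01T00:00:00Z"},
]

# property : optional '!' : optional operator : value (quotes are stripped later)
TERM_RE = re.compile(r"^([A-Za-z0-9_.]+):(!?)(\*|>=|<=|>|<|~)?(.*)$", re.DOTALL)


def _tokens(text: str) -> set:
    """Lower-case alphanumeric tokens, used by the '~' operator."""
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def _compare(op: str, actual: str, value: str) -> bool:
    """Numeric comparison when both sides parse as numbers, else string order
    (ISO-8601 timestamps such as last_seen compare correctly as strings)."""
    try:
        left, right = float(actual), float(value)
    except ValueError:
        left, right = actual, value
    return {">": left > right, ">=": left >= right, "<": left < right, "<=": left <= right}[op]


def _compile_term(term: str) -> Callable[[dict], bool]:
    m = TERM_RE.match(term.strip())
    if not m:
        raise ValueError(f"cannot parse FQL term {term!r}")
    prop, negate, op, raw_value = m.groups()
    prop = prop[:-4] if prop.endswith(".raw") else prop  # '.raw' selects the untokenised field; same value here
    value = raw_value.strip().strip("'\"")
    if not value:
        raise ValueError(f"empty value in FQL term {term!r}")

    def match(host: dict) -> bool:
        actual = host.get(prop)
        if actual is None:
            return False
        actual = str(actual)
        if op == "*" or "*" in value:
            hit = fnmatch.fnmatchcase(actual.lower(), value.lower())
        elif op == "~":
            hit = _tokens(value) <= _tokens(actual)
        elif op in (">", ">=", "<", "<="):
            hit = _compare(op, actual, value)
        else:
            hit = actual.lower() == value.lower()
        return hit != bool(negate)
    return match


def _split(expr: str, sep: str) -> list:
    """Split on sep at nesting depth 0, leaving quoted values and parentheses intact."""
    parts, buf, depth, quote = [], [], 0, None
    for ch in expr:
        if quote:
            quote = None if ch == quote else quote
        elif ch in "'\"":
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == sep and depth == 0:
            parts.append("".join(buf))
            buf = []
            continue
        buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def compile_filter(expr: str) -> Callable[[dict], bool]:
    """Build a predicate: OR (',') of AND ('+') groups of terms, parentheses allowed."""
    expr = expr.strip()
    ors = _split(expr, ",")
    if len(ors) > 1:
        preds = [compile_filter(o) for o in ors]
        return lambda host: any(p(host) for p in preds)
    ands = _split(expr, "+")
    if len(ands) > 1:
        preds = [compile_filter(a) for a in ands]
        return lambda host: all(p(host) for p in preds)
    if expr.startswith("(") and expr.endswith(")"):
        return compile_filter(expr[1:-1])
    return _compile_term(expr)


def preview(expr: str, hosts: list = SAMPLE_HOSTS) -> list:
    """Return the hostnames the filter would import, in input order."""
    pred = compile_filter(expr)
    return [h["hostname"] for h in hosts if pred(h)]


if __name__ == "__main__":
    for f in ("hostname:'WIN10*'",
              "hostname:'PROD*'+platform_name:'Linux'",
              "(local_ip.raw:*'192.168.1.*'),(local_ip.raw:*'192.168.2.*')",
              "local_ip.raw:!*'192.168.1.*'+local_ip.raw:!*'192.168.2.*'"):
        print(f"{f:62} -> {preview(f)}")
```

To preview against real hosts, replace SAMPLE_HOSTS with the device details returned by the CrowdStrike hosts API for the same API client, then compare the previewed set with what the sync task imports; a mismatch points at a semantic difference between this approximation and CrowdStrike's evaluation rather than at runZero.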
Troubleshooting
If you are having trouble using this integration, the questions and answers below may assist in your troubleshooting.
Why is the CrowdStrike integration unable to connect?
- Are you getting any data from the CrowdStrike integration?
- Make sure to query the inventory rather than look at the task details to review all the data available from this integration.
- Check whether the task has a filter, severity or risk threshold, or the Exclude unknown assets toggle set; each of these limits the amount of data that comes into the runZero console.
- Some integrations require very specific actions that are easy to overlook. If a step is missed when setting up the integration, it may not work correctly. Please review this documentation and follow the steps exactly.
- If the CrowdStrike integration is unable to connect, be sure to check the task log for errors. Some common errors include:
- 500 - server error; the CrowdStrike endpoint could not be reached or returned an error
- 404 - the request hit an unknown endpoint; check that the API URL matches your CrowdStrike cloud
- 403 - not authorized; usually a credential or API scope issue
- If the task runs from an Explorer, verify that the Explorer has outbound access to your CrowdStrike API URL; a proxy or egress firewall that blocks it shows up as a connection error in the task log.
How can I solve the following CrowdStrike error?
Unable to collect software data for CrowdStrike devices: invalid response 403 Forbidden
This error occurs if your API client is missing the Assets API scope. The integration requires read-only permissions for Assets in order to collect software information. Host and vulnerability data are still collected, because those requests use the Hosts and Vulnerabilities scopes. This can be remedied by returning to step 1 of the CrowdStrike documentation above and enabling read permissions for Assets.
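Rather than inferring the missing scope from a partially failed sync, you can probe each scope directly. The following added example (not runZero's or CrowdStrike's own code) performs the OAuth2 client-credentials exchange that the integration relies on and then issues one minimal read per data type the integration ingests, so a 403 on a specific probe identifies the scope to add in step 1. It serves both step 2, as a check before saving the credential in runZero, and this question. The base URLs are the ones listed in step 2; the endpoint paths are taken from the CrowdStrike API reference but are assumptions of this example, so confirm them against your tenant's Swagger page if a probe returns 404. Credentials are read from the environment and never written to disk.

```python
"""Check a CrowdStrike Falcon API client's credentials and scopes.

Added example; not runZero's or CrowdStrike's own code. Performs the OAuth2
client-credentials exchange and one minimal read per data type the runZero
integration ingests, so a missing read scope shows as a 403 on that probe.

Usage:
    CS_CLOUD=us-1 CS_CLIENT_ID=... CS_CLIENT_SECRET=... python check_falcon_client.py
"""
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

# Base API URLs per CrowdStrike cloud, as listed in step 2 of the integration setup.
BASE_URLS = {
    "us-1": "https://api.crowdstrike.com",
    "us-2": "https://api.us-2.crowdstrike.com",
    "us-gov-1": "https://api.laggar.gcw.crowdstrike.com",
    "eu-1": "https://api.eu-1.crowdstrike.com",
}

# One cheap read per scope the integration needs. Paths follow the CrowdStrike
# API reference but are an assumption of this example; check your tenant's
# Swagger page if a probe returns 404. Spotlight requires a filter parameter.
PROBES = {
    "Hosts (asset sync)": "/devices/queries/devices/v1?limit=1",
    "Vulnerabilities (Falcon Spotlight)": "/spotlight/queries/vulnerabilities/v1?limit=1&filter=status:'open'",
    "Assets (Falcon Discover software)": "/discover/queries/applications/v1?limit=1",
}


def base_url(cloud: str) -> str:
    """Resolve a cloud name such as 'US-2' to its base API URL."""
    try:
        return BASE_URLS[cloud.strip().lower()]
    except KeyError:
        raise ValueError(f"unknown CrowdStrike cloud {cloud!r}; expected one of {sorted(BASE_URLS)}") from None


def classify_status(code: int) -> str:
    """Map an HTTP status to the next troubleshooting step, mirroring the list above."""
    if 200 <= code < 300:
        return "ok"
    if code == 401:
        return "token rejected: check client ID, client secret and API URL"
    if code == 403:
        return "forbidden: the API client is missing the read scope for this data type"
    if code == 404:
        return "unknown endpoint: check that the API URL matches your CrowdStrike cloud"
    if code == 429:
        return "rate limited: retry later"
    if code >= 500:
        return "server error on the CrowdStrike side: retry later"
    return f"unexpected status {code}"


def get_token(base: str, client_id: str, client_secret: str) -> str:
    """OAuth2 client-credentials exchange against /oauth2/token; returns the bearer token."""
    body = urllib.parse.urlencode({"client_id": client_id, "client_secret": client_secret}).encode()
    req = urllib.request.Request(
        base + "/oauth2/token", data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def probe(base: str, token: str, path: str) -> tuple:
    """GET one endpoint with the bearer token; return (HTTP status, verdict)."""
    req = urllib.request.Request(base + path, headers={"Authorization": f"Bearer {token}",
                                                       "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, classify_status(resp.status)
    except urllib.error.HTTPError as err:
        return err.code, classify_status(err.code)


def main() -> int:
    client_id, client_secret = os.environ.get("CS_CLIENT_ID"), os.environ.get("CS_CLIENT_SECRET")
    if not client_id or not client_secret:
        print("set CS_CLIENT_ID and CS_CLIENT_SECRET (and optionally CS_CLOUD) in the environment")
        return 2
    base = base_url(os.environ.get("CS_CLOUD", "us-1"))
    try:
        token = get_token(base, client_id, client_secret)
    except urllib.error.HTTPError as err:
        print(f"token request failed: {err.code} {classify_status(err.code)}")
        return 1
    failures = 0
    for name, path in PROBES.items():
        code, verdict = probe(base, token, path)
        print(f"{name:36} {code} {verdict}")
        failures += verdict != "ok"
    return 1 if failures else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it from the same network position as the Explorer that will execute the connector task, so that blocked egress shows up here as a connection error rather than as an empty sync, and rotate the client secret if it has been pasted anywhere other than the runZero credential store.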