
CrowdStrike

1. Introduction

This document outlines the steps for integrating the CrowdStrike extension with the Fabrix.ai RDAF platform.

CrowdStrike is a cloud-native endpoint security platform that provides Endpoint Detection and Response (EDR), threat intelligence, and managed threat hunting capabilities through the CrowdStrike Falcon platform.

CrowdStrike Falcon helps organizations detect, investigate, and respond to cyber threats in real time by collecting telemetry data from endpoints and analyzing it using behavioral analytics and threat intelligence.

Integration Overview

The Fabrix.ai RDAF integration utilizes CrowdStrike's REST APIs to streamline security operations. These APIs allow security platforms like Fabrix RDAF to collect security events, device information, alerts, and incidents for analytics and automation workflows.

This integration allows for the automated collection of:

- Host details

- Detections

- Incident data

Extension Capabilities

The CrowdStrike extension enables the following key tasks:

- Centralized Inventory: Collection of centralized endpoint inventory.

- Automated Retrieval: Automated retrieval of security detections and incidents.

- SOAR Integration: Integration with incident response workflows (SOAR).

- Asset Visibility: Real-time visibility into both managed and unmanaged assets.

2. Prerequisites

The Fabrix.ai RDAF Platform requires a read-only CrowdStrike Falcon API client (an OAuth2 API client). You must provide the following:

1) Client ID

2) Client Secret

3) Base URL (Based on your CrowdStrike cloud region, e.g., api.crowdstrike.com)

3. Steps for creating API User Client Account

This guide outlines the steps to create a read-only API client within the CrowdStrike Falcon Console, adhering to the principle of least privilege.

3.1 Accessing the CrowdStrike Falcon Console

  • Log in to the CrowdStrike Falcon Console using an administrator account with the necessary permissions to create API clients and assign roles.

3.2 Navigating to API Clients and Keys

  • In the left-hand menu, scroll down to Support Apps
  • Select API Clients and Keys (Support Apps → API Clients and Keys)

3.3 Creating a New API Client

  • In the OAuth2 API Clients section, click Add new API client.

3.4 Configure API Client Settings

  • Enter a descriptive Client Name (e.g., "Read-Only Integration – [Tool Name]").

  • Provide a relevant Description for the client's purpose.

  • Under API Scopes, select only the required read-only API scopes. Examples include:

    • Hosts: Read

    • Detections: Read

    • Sensor Update Policies: Read

    • Incidents: Read

  • Adhere to the principle of least privilege by selecting only the minimum necessary permissions for your integration.

3.5 Generate Credentials

  • Click Add to create the API client.

  • Securely record the following information:

    • Client ID

    • Client Secret

Important

The Client Secret is displayed only once during creation and cannot be retrieved later. Store it immediately in an approved secure credential vault.

4. Post-Creation Validation

After creating your API client, verify the setup by following these steps:

  • Confirm Creation: Ensure the new API client appears in the API Clients and Keys list.

  • Validate Connectivity: Use the regional API base URL appropriate for your instance:

    • US-1: https://api.crowdstrike.com

    • EU-1: https://api.eu-1.crowdstrike.com
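
The connectivity check described above, as an added example (not Fabrix.ai or CrowdStrike code): it validates the base URL against the regions listed here, performs the OAuth2 client-credentials exchange with the Client ID and Client Secret, and then exercises the Hosts: Read scope with a minimal query. It assumes the Falcon endpoints POST /oauth2/token and GET /devices/queries/devices/v1; the `http` parameter exists so the check can be driven with constructed responses offline.

```python
"""Post-creation check for a read-only Falcon API client (added example, not the page's own code)."""
import json
import urllib.parse
import urllib.request

REGION_BASE_URLS = {  # regional base URLs listed in the guide
    "US-1": "https://api.crowdstrike.com",
    "EU-1": "https://api.eu-1.crowdstrike.com",
}


def normalize_base_url(base_url: str) -> str:
    """Accept 'api.crowdstrike.com' or a full https URL; reject anything not in the known region list."""
    url = base_url.strip().rstrip("/")
    if "://" not in url:
        url = "https://" + url
    if url not in REGION_BASE_URLS.values():
        raise ValueError(f"unknown or non-https Falcon base URL: {base_url!r}")
    return url


def _http(method, url, headers, body=None):
    """Default transport (urllib). Tests pass a fake so the check runs offline."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=60) as resp:  # 60 s matches the RDAF default timeout
        return resp.status, resp.read()


def fetch_token(base_url, client_id, client_secret, http=_http):
    """OAuth2 client-credentials exchange. Returns the bearer token; the secret is never logged."""
    body = urllib.parse.urlencode({"client_id": client_id, "client_secret": client_secret}).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"}
    status, raw = http("POST", f"{base_url}/oauth2/token", headers, body)
    if status not in (200, 201):  # Falcon answers 201 Created on success
        raise PermissionError(f"token request failed with HTTP {status}; check Client ID, Secret and region")
    data = json.loads(raw)
    if data.get("token_type", "").lower() != "bearer" or not data.get("access_token"):
        raise ValueError("unexpected token response shape")
    return data["access_token"]


def check_hosts_scope(base_url, token, http=_http):
    """Exercise Hosts: Read with a one-item query. 403 means the scope was not granted to this client."""
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    status, raw = http("GET", f"{base_url}/devices/queries/devices/v1?limit=1", headers)
    if status == 403:
        return False
    if status != 200:
        raise RuntimeError(f"hosts query failed with HTTP {status}")
    return isinstance(json.loads(raw).get("resources"), list)
```

Run the same pattern for each scope you granted in 3.4; a 403 on a query the extension needs means the scope list is incomplete, while success on a query you did not intend to allow means the client is over-privileged.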

5. API Reference Documents

For detailed information and guidance, see the comprehensive CrowdStrike Falcon API Reference Doc.

6. Adding Crowdstrike Credentials

  • Log in to the CFX RDAF Portal

  • Navigate to Home → Configuration → RDA Integrations → Click Add → select CrowdStrike from the Source drop-down.

7. Enter the following details to add CrowdStrike as a Datasource

  • Secret Type: crowdstrike

  • Name: a descriptive name (e.g., CrowdStrike_Falcon)

  • Base URL: your regional API URL (e.g., https://api.crowdstrike.com)

  • Client ID: the ID generated in the Falcon Console.

  • Client Secret: the secret key generated in the Falcon Console.

  • Timeout (sec): 60 (default)

8. Sample Usage of CrowdStrike Bot in a Pipeline

  • @crowdstrike:host-data

    %% stream = no and limit = 0
    ## CrowdStrike Host Inventory Collection
    @c:new-block
    --> @dm:empty
    --> @dm:addrow crowdstrike_instance_ip = '10.x.x.x'
    --> @crowdstrike:host-data column_name = "crowdstrike_instance"
    --> @dm:save name = "crowdstrike-host-data"

9. Available CrowdStrike Bots

The following bots are available for use within the RDAF extension:

1. @crowdstrike:host-data – Retrieves a list of managed hosts and their details.

2. @crowdstrike:alert-data – Fetches alert data.

3. @crowdstrike:incident-data – Collects incident-level security data.

4. @crowdstrike:alerts – Retrieves overall alert data.

5. @crowdstrike:query-device-data – Retrieves granular data for a specific device.

6. @crowdstrike:behaviour-data – Fetches behavioural data.

For more details on the CrowdStrike extension, see the RDAF Bot list documentation.