Crowdstrike Falcon Insight

Samurai [Local] Collector	Samurai [Cloud] Collector

To complete this Integration you will need to:

1) From the Crowdstrike Falcon Console:

Create a new API client

2) From the Samurai MDR portal:

Complete the Crowdstrike Falcon Insight Integration

3) Complete and send authorization form

Create a new API client

For additional information you can refer to the Crowdstrike documentation

Crowdstrike credentials with the Falcon Administrator role are required to create API clients.

To create a new API client follow the steps below:

Log in to the Crowdstrike Falcon Console
Click the Support and resources icon in the left menu pane.
Under Resources and tools select API Clients and Keys. The API Clients and Keys page is displayed.
Click Create API client. The Create API client page appears.
Perform the following steps:
5.1 Specify NTT API Client in the CLIENT NAME field.
5.2 Specify API client for NTT in the DESCRIPTION field.
5.3 Under API SCOPES, perform the following steps:
5.4 Select the Read checkbox for:
- Detections
- Event Streams
- Host groups
- Hosts
- Prevention policies
- Threatgraph
- User Management
5.5 Select the Write checkbox for:
- Hosts
Click Create to save the API client and generate the client ID and secret.
Copy and record the values:
- CLIENT ID
- SECRET

The secret is displayed only once so ensure to record it for use during Complete the Crowdstrike Falcon Insight Integration.

Take note of your Cloud location which is dervived from the Base URL as per the table below, you will need to specify the cloud location under Complete the Crowdstrike Falcon Insight Integration.

The table below outlines the Cloud location and Base URL:

Cloud Location	Base URL
US-1	https://api.crowdstrike.com
US-2	https://api.us-2.crowdstrike.com
EU-1	https://api.eu-1.crowdstrike.com
US-GOV-1	https://api.laggar.gcw.crowdstrike.com

Complete the Crowdstrike Falcon Insight Integration

You will need:

OAuth Client ID: (from Step 7 under Create a new API client)
OAuth Secret: (from Step 7 under Create a new API client)
Cloud location: (from Step 8 under Create a new API client)

Login to the Samurai MDR portal
Click Telemetry and select Integrations from the main menu
Select Create
Locate and click Crowdstrike Falcon Insight
Click Next (we leverage a Samurai Cloud Collector)
Enter a Name of Integration
Enter a Description (Optional)
Enter your OAuth Client ID
Enter your OAuth Secret
Select your Cloud Location (US-1 is default).
Click Finish

Complete and send authorization form

The Samurai SOC requires access to your Crowdstrike instance in order to:

Perform deeper investigations
Access data not present in the APIs
Perform remote isolation tasks

To ensure the Samurai SOC has access please complete this form Authorization Form for Access to Crowdstrike Falcon Host by MSP Personnel.

Once you have completed, email the form to mssp@crowdstrike.com.

Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai MDR application and we shall get it updated.