Crowdstrike Falcon Insight

    Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai MDR application and we shall get it updated.

    Product: Crowdstrike Falcon Insight
    Collector: Samurai [Cloud] Collector

    To complete this Integration you will need to:

    1) Submit a support case with Crowdstrike to enable the Legacy API Credentials

    2) From the Crowdstrike Falcon Console, create credentials for basic authentication and create a new API client (Note: Crowdstrike credentials are required)

    3) From the Samurai application, complete the Crowdstrike Falcon Insight Integration

    4) Complete and send the authorization form

    Submit a support case with Crowdstrike

    Our integration leverages the ‘Legacy API Credentials’ for the ‘Threat Graph API’, so you must submit a support case directly with Crowdstrike to have them enabled. Please refer to the Crowdstrike documentation for the process.

    Note: Crowdstrike's key-based APIs are deprecated, with the exception of the Threat Graph API and the Tailored Intel API, as per the Crowdstrike documentation.

    Create credentials for basic authentication

    To create credentials for basic authentication, perform the following steps:

    1. Log in to the Crowdstrike Falcon Console

    2. Click the Support and resources icon in the left menu pane.

    3. Under Resources and tools select API Clients and Keys. The API Clients and Keys page is displayed.

    4. Select the Legacy API Credentials tab.

    5. Click Create Credentials

    6. Copy the Username and Password. You will need these credentials to Complete the Crowdstrike Falcon Insight Integration. Treat them as a long-lived secret: unlike an OAuth2 access token they do not expire on their own, so record them in a secrets manager rather than in a ticket or email.


    Figure 1: Credentials for basic authentication

    Create a new API client

    To create a new API client follow the steps below:

    1. Log in to the Crowdstrike Falcon Console

    2. Click the Support and resources icon in the left menu pane.

    3. Under Resources and tools select API Clients and Keys. The API Clients and Keys page is displayed.

    4. Click Create API client. The Create API client page appears.

    5. Perform the following steps:

    5.1 Specify NTT API Client in the CLIENT NAME field.

    5.2 Specify API client for NTT in the DESCRIPTION field.

    5.3 Under API SCOPES, select the Read checkbox for:

    • Detections
    • Hosts
    • Host groups
    • Prevention policies
    • Event Streams
    • User Management

    5.4 Under API SCOPES, select the Write checkbox for:

    • Hosts

    Grant only the scopes listed above. The Hosts Write scope is the one scope that lets the client act on endpoints (it is what remote isolation uses), so do not add further Write scopes that the integration does not need.

    6. Click Add.


    Figure 2: Add new API client

    7. Copy and record the values:
    • CLIENT ID
    • SECRET


    Figure 3: Client ID and Secret

    Note: The Secret is displayed only once, so ensure you record it for use during Complete the Crowdstrike Falcon Insight Integration. If it is lost, a new Secret must be generated for the client.

    8. Take note of your Cloud location, which is derived from the Base URL as per the table below. You will need to specify the cloud location under Complete the Crowdstrike Falcon Insight Integration; a Client ID and Secret only work against the cloud they were created in.

    The table below outlines the Cloud location and Base URL:

    Cloud Location   Base URL
    US-1             https://api.crowdstrike.com
    US-2             https://api.us-2.crowdstrike.com
    EU-1             https://api.eu-1.crowdstrike.com
    US-GOV-1         https://api.laggar.gcw.crowdstrike.com

    9. Click DONE.
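
    Before entering the credentials into the Samurai application it is worth confirming that the Client ID and Secret actually issue a token on the cloud you selected and that the Read scopes above were granted. The script below is an added example written for this guide; it is not Samurai or Crowdstrike tooling. It assumes the public Crowdstrike OAuth2 client-credentials endpoint (POST /oauth2/token with a form-encoded client_id and client_secret, answered with 200 or 201 and an access_token), assumes that a 403 on a query endpoint indicates a missing scope, and takes the endpoint paths for each scope from the public Crowdstrike API reference (check them against your tenant's API documentation page if in doubt). The environment variable names CS_CLOUD, CS_CLIENT_ID and CS_CLIENT_SECRET are this example's own choice.

```python
"""Preflight check for the Crowdstrike OAuth2 API client created above.

Added example, not part of the Samurai MDR guide or Crowdstrike's own tooling.
It confirms (1) the Cloud Location maps to the right Base URL, (2) the Client ID
and Secret issue a bearer token on that cloud, and (3) the Read scopes the guide
asks for were granted, by calling one read-only query endpoint per scope.
"""
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

# Cloud Location -> Base URL, as listed in the guide's table.
BASE_URLS = {
    "US-1": "https://api.crowdstrike.com",
    "US-2": "https://api.us-2.crowdstrike.com",
    "EU-1": "https://api.eu-1.crowdstrike.com",
    "US-GOV-1": "https://api.laggar.gcw.crowdstrike.com",
}

# One read-only query endpoint per Read scope (limit=1 keeps the calls cheap).
# Event Streams and User Management are deliberately not probed (the Event
# Streams discovery call registers a consumer), and Hosts Write is never
# exercised because it would act on a real host. Paths are assumptions taken
# from the public API reference; verify against your tenant if in doubt.
SCOPE_PROBES = {
    "Detections (read)": "/detects/queries/detects/v1?limit=1",
    "Hosts (read)": "/devices/queries/devices/v1?limit=1",
    "Host groups (read)": "/devices/queries/host-groups/v1?limit=1",
    "Prevention policies (read)": "/policy/queries/prevention/v1?limit=1",
}


def base_url_for(cloud_location: str) -> str:
    """Return the API base URL for a Cloud Location such as 'eu-1' (case-insensitive)."""
    key = cloud_location.strip().upper()
    if key not in BASE_URLS:
        raise ValueError(f"unknown cloud location {cloud_location!r}; expected one of {sorted(BASE_URLS)}")
    return BASE_URLS[key]


def _request(method, url, headers=None, data=None):
    """Perform one HTTP call and return (status, parsed JSON body or None)."""
    req = urllib.request.Request(url, data=data, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as e:
        try:
            return e.code, json.loads(e.read())
        except ValueError:
            return e.code, None


def parse_token_response(status: int, body) -> str:
    """Extract the bearer token from an /oauth2/token reply, or raise with the API's error messages."""
    if status in (200, 201) and body and body.get("access_token"):
        return body["access_token"]
    errors = (body or {}).get("errors") or []
    detail = "; ".join(e.get("message", str(e)) for e in errors) or f"HTTP {status}"
    raise RuntimeError(f"token request failed: {detail}")


def get_token(base_url: str, client_id: str, client_secret: str) -> str:
    """OAuth2 client-credentials grant: POST the form-encoded id/secret to /oauth2/token."""
    data = urllib.parse.urlencode({"client_id": client_id, "client_secret": client_secret}).encode()
    status, body = _request("POST", base_url + "/oauth2/token", data=data,
                            headers={"Content-Type": "application/x-www-form-urlencoded",
                                     "Accept": "application/json"})
    return parse_token_response(status, body)


def classify_probe(status: int) -> str:
    """Map a probe's HTTP status to a verdict: 200 granted, 403 scope missing (assumed), else error."""
    if status == 200:
        return "granted"
    if status == 403:
        return "MISSING scope"
    return f"unexpected HTTP {status}"


def check_scopes(base_url: str, token: str) -> dict:
    """Call each read probe with the bearer token; return {scope: verdict}."""
    results = {}
    for scope, path in SCOPE_PROBES.items():
        status, _ = _request("GET", base_url + path,
                             headers={"Authorization": f"Bearer {token}", "Accept": "application/json"})
        results[scope] = classify_probe(status)
    return results


if __name__ == "__main__":
    # Credentials come from the environment so they never land in shell history or the script.
    cloud = os.environ.get("CS_CLOUD", "US-1")
    cid, secret = os.environ["CS_CLIENT_ID"], os.environ["CS_CLIENT_SECRET"]
    base = base_url_for(cloud)
    bearer = get_token(base, cid, secret)  # fails fast if the pair is wrong or belongs to another cloud
    verdicts = check_scopes(base, bearer)
    for scope, verdict in verdicts.items():
        print(f"{scope:28s} {verdict}")
    sys.exit(0 if all(v == "granted" for v in verdicts.values()) else 1)
```

    Run it as `CS_CLOUD=EU-1 CS_CLIENT_ID=... CS_CLIENT_SECRET=... python3 preflight.py`. A token failure points at a wrong Secret or a Client ID created in a different cloud than the one selected; a "MISSING scope" line means a checkbox in step 5.3 was skipped and should be corrected before the Samurai integration is created.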

    Complete the Crowdstrike Falcon Insight Integration

    You will need the Basic User and Password, the OAuth Client ID and Secret, and the Cloud Location recorded in the previous sections.

    1. Login to the Samurai application

    2. Select Integrations

    3. Select Create

    4. Locate and click Crowdstrike Falcon Insight

    5. Click Next (we leverage a Samurai Cloud Collector)

    6. Enter a Name of Integration

    7. Enter a Description (Optional)

    8. Enter a Device name

    9. Enter your OAuth Client ID

    10. Enter your OAuth Secret

    11. Enter your Basic User

    12. Enter your Basic Password

    13. Select your Cloud Location (US-1 is the default). This must match the cloud the API client was created in, as recorded from the Base URL table.

    14. Click Finish

    Complete and send authorization form

    Our SOC requires access to your Crowdstrike GUI in order to:

    • Perform deeper investigations
    • Access data not present in the APIs
    • Perform remote isolation tasks

    To ensure the SOC has access please complete this form Authorization Form for Access to Crowdstrike Falcon Host by MSP Personnel. Once you have completed, email the form to mssp@crowdstrike.com.

    Note: For general information on Integrations refer to the Integrations article.