CrowdStrike Falcon
The FortiNDR Cloud CrowdStrike integration provides endpoint visibility for any host IP address and/or hash value with a CrowdStrike agent in the FortiNDR Cloud entity panel. Host and detection details will surface directly in the platform via CrowdStrike APIs, with an actionable method to isolate and/or pivot directly into CrowdStrike Falcon User Interface.
This topic describes the capabilities that are available with the CrowdStrike integration from FortiNDR Cloud.
Access the CrowdStrike Panel
While navigating FortiNDR Cloud searching events or detections, click any IP address or MD5/SHA256 file hash to open the details panel. From the details panel, click the CrowdStrike Falcon icon to view the host information retrieved from the CrowdStrike Falcon API.
To access the CrowdStrike Panel:
- Go to Investigations > Entity Lookup in FortiNDR Cloud.
- Enter the IQL query to view the events.
- Click the Host IP to open the details panel.
- The Summary tab shows the status of the integration and the count of total detections.
- Click the Falcon icon to view more details about the most recent detection and the device that captured it.
- The "Most Recent Detections" section displays either the highest-severity detection from the last 24 hours or, if there is no detection in the last 24 hours, the most recent detection.
Capabilities
Detection Enrichment
If CrowdStrike has any detections on this host, FortiNDR Cloud shows the most critical detections of the past 24 hours in the entity details panel.
CrowdStrike has in-depth information on hosts that is retrieved into the host entity panel and shown based on criticality and time. The highest threat risk is presented. If a critical risk is not found, the past 24 hours of detections are presented.
- Threat risk (highest risk is shown)
- Time
- Detection name
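The selection rule the panel applies, as an added example that is not FortiNDR Cloud or CrowdStrike code: pick the highest-severity detection from the last 24 hours, or, when nothing falls in that window, the most recent detection overall, and reduce it to the three fields listed above (threat risk, time, detection name). The severity ranking and the sample detections are constructed assumptions.

```python
"""Selection rule for the "Most Recent Detections" section.

Added example, not FortiNDR Cloud or CrowdStrike code. The severity ranking
and the sample detections below are constructed assumptions.
"""
from datetime import datetime, timedelta, timezone

# Falcon severity labels ranked from most to least severe (assumed ordering).
SEVERITY_RANK = {"critical": 5, "high": 4, "medium": 3, "low": 2, "informational": 1}


def select_detection(detections, now, window=timedelta(hours=24)):
    """Return the one detection the panel should surface, or None if there are none.

    Each detection is a dict with 'name', 'severity' and a timezone-aware
    'timestamp'. Ties on severity inside the window go to the newer detection.
    """
    in_window = [d for d in detections if now - window <= d["timestamp"] <= now]
    if in_window:
        return max(in_window,
                   key=lambda d: (SEVERITY_RANK.get(d["severity"].lower(), 0), d["timestamp"]))
    if detections:
        return max(detections, key=lambda d: d["timestamp"])
    return None


def panel_summary(detection):
    """The three fields the panel shows: threat risk, time, detection name."""
    if detection is None:
        return None
    return {
        "threat_risk": detection["severity"],
        "time": detection["timestamp"].isoformat(),
        "detection_name": detection["name"],
    }


# Constructed sample data with a fixed "now" so the example is deterministic.
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_DETECTIONS = [
    {"name": "Malicious file execution", "severity": "Critical", "timestamp": NOW - timedelta(days=3)},
    {"name": "Suspicious script activity", "severity": "High", "timestamp": NOW - timedelta(hours=20)},
    {"name": "Unexpected network tool", "severity": "Medium", "timestamp": NOW - timedelta(hours=2)},
]


def demo():
    """Run the rule on the sample set, then on a set with nothing in the 24-hour window."""
    recent_pick = panel_summary(select_detection(SAMPLE_DETECTIONS, NOW))
    stale_only = [d for d in SAMPLE_DETECTIONS if d["severity"] == "Critical"]
    stale_pick = panel_summary(select_detection(stale_only, NOW))
    return recent_pick, stale_pick


if __name__ == "__main__":
    for pick in demo():
        print(pick)
```

With the sample data the three-day-old Critical detection is outside the window, so the High detection from 20 hours ago wins; once only the stale Critical detection remains, the fallback returns it as the most recent one.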
Entity Enrichment
The Entity Enrichment panel shows detailed host information from CrowdStrike.
Host Containment
Instead of going to the CrowdStrike Falcon app to contain the host that you are viewing in FortiNDR Cloud, you can invoke this functionality from the entity details panel.
Open the CrowdStrike details panel to view the host's current containment status. If it is not contained, click the Contain button to contain the entity, or click Investigate Host to open details in the Falcon interface.
[Screenshots: Contain Host; Containment In-Progress]
To contain a host:
- Access the CrowdStrike Falcon details panel for the entity.
- Click the Contain Host button at the bottom of the panel.
- In the confirmation dialog, click Continue.
- Enter an additional note about the containment in the text field provided.
After containing the host, the action button will change to read "Lift Containment," which you can use later to release the host from isolation.
To lift containment:
- Access the CrowdStrike Falcon details panel for the entity.
- Click the Lift Containment button at the bottom of the panel.
- In the confirmation dialog, click Accept.
- Enter an additional note about the containment in the text field provided.
Host unavailable
No Agent Installed: If no agent is installed, the host cannot be contained. A "Not installed on this Host" message appears in the panel, and the Contain Host and Investigate Host buttons are not shown.
Pivot into CrowdStrike Falcon console
The entity details panel also provides a link to open the host details page in the CrowdStrike Falcon app.
To access the CrowdStrike Falcon Console:
- Access the CrowdStrike Falcon details panel for the entity.
- Click the Investigate Host button at the bottom of the panel.
- The Falcon console opens in a new browser tab displaying the host details from CrowdStrike.
Roles
Users
Users can contain hosts, do CrowdStrike-related tasks within the platform, and handle configuration for the API key details:
- read (API): get device summary and detection summary
- contain (API): contain and lift containment
Administrators
- create: add new CrowdStrike credentials
- delete: delete CrowdStrike credentials
- update: update secret for existing client_id
- enable: enable or disable CrowdStrike integration
Enable the Integration
CrowdStrike Host Visibility and CrowdStrike Intelligence are enabled separately, but the enablement steps are essentially the same for each. Additionally, you can share credentials across the two modules. For example, if you have credentials enabled for both CrowdStrike Host Visibility and CrowdStrike Intelligence, the same Client ID and Client Secret may be used. To do this, you will need to enter the same ID and secret in both the CrowdStrike Host Visibility and CrowdStrike Intelligence configuration panels.
To enable these integrations:
- Navigate to the integration module for the account: Gear icon > Account Management > Modules
- Click the Enable button for the respective module:
  - CrowdStrike Host Visibility, or
  - CrowdStrike Intelligence
- Enter the Client ID, Client Secret, and URL values from CrowdStrike in the configuration panel.
  For the integration to work completely, enable the appropriate API scopes and permissions on CrowdStrike's API Clients and Keys page when generating credentials.
- Click Save.
Reset the API Client, Key, and URL
After enablement, the Configure option allows you to edit the API Client, Keys, and URL (the Client ID, Client Secret, and URL). To reset, click the Configure option, update the fields, and click Save.
Using CrowdStrike
For information on how to use the CrowdStrike API client to generate the Client ID and Key needed to configure either of these CrowdStrike integrations, refer to CrowdStrike documentation. Some examples and pointers are provided below.
The following CrowdStrike links and content are external to Fortinet and may change without notice.
To define a CrowdStrike API client:
You must be a Falcon Administrator to view, create, or modify API clients or keys. Secrets are shown only when a new API client is created or when its secret is reset.
- Log into the Falcon UI.
- Navigate to Support and resources > API Clients and Keys. You can view existing clients, add new API clients, or view the audit log.
- When you click Add new API Client, you are prompted to give a descriptive name and select the API scope permissions. Detections: "Read" and Hosts: "Read, Write" are the minimum required.
- After you click Save, you are presented with the Client ID and Client Secret. The secret is shown only once and must be stored in a secure place. If the Client Secret is lost, a reset must be performed and any applications relying on the Client Secret must be updated with the new credentials.
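The least-privilege check on the API client scopes listed above, together with the token and device-action calls behind the Host Containment buttons described earlier, as an added example that is not FortiNDR Cloud's or CrowdStrike's own code. The required scope set (Detections: Read; Hosts: Read, Write) comes from the page; the endpoint paths, query parameter and OAuth2 client-credentials flow are my reading of CrowdStrike's public Falcon API reference and should be verified against the current reference; the base URL is a placeholder because it differs per Falcon cloud, and the environment variable names are assumptions.

```python
"""Least-privilege scope check and the device-action calls behind "Contain Host".

Added example, not FortiNDR Cloud's or CrowdStrike's own code. Endpoint paths
and parameters are assumptions from the public Falcon API reference; the base
URL is a placeholder and the environment variable names are made up here.
"""
import json
import os
import urllib.parse
import urllib.request

# Minimal API scopes the page names for the FortiNDR Cloud client.
REQUIRED_SCOPES = {"detections": {"read"}, "hosts": {"read", "write"}}


def scope_gaps(granted):
    """Compare a client's granted scopes with the required minimum.

    `granted` maps scope name -> set of permissions. Returns (missing, excess):
    missing entries break the integration, excess entries exceed least privilege.
    """
    missing, excess = [], []
    for scope, perms in REQUIRED_SCOPES.items():
        for perm in sorted(perms - granted.get(scope, set())):
            missing.append(f"{scope}:{perm}")
    for scope, perms in granted.items():
        for perm in sorted(perms - REQUIRED_SCOPES.get(scope, set())):
            excess.append(f"{scope}:{perm}")
    return missing, excess


def token_request(base_url, client_id, client_secret):
    """OAuth2 client-credentials request; the secret travels only in the POST body."""
    body = urllib.parse.urlencode({"client_id": client_id, "client_secret": client_secret})
    return {
        "method": "POST",
        "url": f"{base_url}/oauth2/token",
        "headers": {"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"},
        "body": body.encode(),
    }


def device_action_request(base_url, token, action, agent_ids):
    """Build the contain / lift-containment call for one or more Falcon agent IDs."""
    if action not in ("contain", "lift_containment"):
        raise ValueError(f"unsupported action: {action}")
    query = urllib.parse.urlencode({"action_name": action})
    return {
        "method": "POST",
        "url": f"{base_url}/devices/entities/devices-actions/v2?{query}",
        "headers": {"Authorization": f"Bearer {token}",
                    "Content-Type": "application/json", "Accept": "application/json"},
        "body": json.dumps({"ids": list(agent_ids)}).encode(),
    }


def send(request, timeout=30):
    """Send a prepared request and decode the JSON reply (this one talks to the network)."""
    req = urllib.request.Request(request["url"], data=request["body"],
                                 headers=request["headers"], method=request["method"])
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    # Credentials come from the environment: the secret is shown once at creation
    # and must never be hardcoded. The base URL below is a placeholder.
    base = os.environ.get("FALCON_BASE_URL", "https://api.example-cloud.invalid")
    cid, secret, aid = (os.environ.get(k) for k in
                        ("FALCON_CLIENT_ID", "FALCON_CLIENT_SECRET", "FALCON_AID"))
    if not (cid and secret and aid):
        raise SystemExit("set FALCON_CLIENT_ID, FALCON_CLIENT_SECRET and FALCON_AID first")
    token = send(token_request(base, cid, secret))["access_token"]
    print(send(device_action_request(base, token, "contain", [aid])))
```

`scope_gaps` is the check to run when reviewing an API client: a client granted only Hosts: Read reports `detections:read` and `hosts:write` as missing, and one granted Detections: Write on top of the minimum reports that as excess. The request builders are pure, so they can be inspected or unit-tested without credentials; only `send` performs a network call.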
Additional CrowdStrike Documentation
The above instructions are from the CrowdStrike blog post "Getting Access to the CrowdStrike API," which provides a video as well as written instructions on how to set up credentials in CrowdStrike. (Tip: fast-forward the video to 3:15 for a quick demo.)
Additionally, the CrowdStrike Developer Portal provides complete developer documentation for developers with a CrowdStrike account.