CrowdStrike

Note that this is separate from the "CrowdStrike Falcon Intelligence" Threat intelligence data source.

The Dropzone AI platform integrates with the CrowdStrike APIs. This document describes how to set up API credentials and install them into the Dropzone platform.

Integration Overview

To enable these integrations you will perform the following actions:

  • Create API credentials in the CrowdStrike dashboard

  • Install the credentials into your Dropzone tenant (Data Source and Alert Source)

  • Select integration parameters, such as which alert types to sync

Create an API Key

  • As an Admin, go to your CrowdStrike dashboard, e.g. https://falcon.us-#.crowdstrike.com/

  • From the menu in the upper left, navigate to Support and Resources > API clients and keys

Click API clients and keys
  • On the right, click "Create API Client"

Create API Client
  • On the "Create API Client" page, input "Dropzone AI" in the client name field. Under "Description," write "Dropzone AI Integration Key"

Create API Client Screen
  • Enable the following scopes:

Scope                          Read  Write         Used By
Alerts                         Yes   -             Alert Source, Data Source
API Integrations               Yes   -             Alert Source, Data Source
Cases                          Yes   Conditional   Alert Source, Data Source
Detections                     Yes   -             Alert Source, Data Source
Hosts                          Yes   Conditional   Data Source, Remediator Source
NGSIEM                         Yes   Conditional   Data Source
Incidents                      Yes   -             Alert Source, Data Source
Quarantined Files              Yes   -             Data Source
Real Time Response             Yes   Conditional   Data Source
Event Streams                  Yes   -             Data Source
Threatgraph                    Yes   -             Data Source
Identity Protection Entities   Yes   -             Data Source
Identity Protection Timeline   Yes   -             Data Source
Identity Protection GraphQL    Yes   Conditional   Data Source
Sandbox (Falcon Intelligence)  Yes   Conditional   Data Source
Indicators of Compromise       Yes   Conditional   Remediator Source

Read access is needed on every scope listed. Write access ("Conditional") is needed only for the features described under "Write permission details" below; leave Write unchecked for anything you do not enable, so the key carries no more privilege than the features you actually use. Scopes whose Used By column lists only Data Source or Remediator Source are only necessary if you set up those integrations; if you don't intend to, you may skip them.

  • Write permission details

    • Cases: Write is required only when Cases are used in Response Actions

    • Hosts: Write is required only when Hosts are used in Remediator Containment Actions

    • NGSIEM: Write is required when Next-Gen SIEM is enabled, in order to execute NGSIEM queries (docs)

    • Real Time Response: Write is required when File Retrieval is enabled (docs)

      • Dropzone only uses Real Time Response to run get <file> commands (retrieving a file from a host); it issues no other RTR commands

    • Identity Protection GraphQL: Write is required when Identity Protection is enabled, in order to execute queries for user directory information (docs)

    • Sandbox (Falcon Intelligence): Write is required only when File Detonation is enabled, in order to upload collected or attached files to the Falcon Sandbox

    • Indicators of Compromise: Write is required only when used in Remediator Containment Actions

  • When done, click "Create"

  • Copy the Client ID and Secret for use later in the Dropzone UI where they are called "Client ID" and "Client Secret" respectively

Copy your API Credentials
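Before pasting the Client ID and Secret into Dropzone, it is worth confirming that the pair actually authenticates against the cloud your tenant lives in, since a wrong region or a mistyped secret otherwise surfaces only as an opaque failure in the Dropzone UI. The script below is an added example, not part of the Dropzone AI documentation or product: it maps the Falcon console hostname you logged into to the matching API base URL (the four CrowdStrike clouds listed are an assumption about which clouds your tenant could be on), then performs the standard OAuth2 client-credentials request against the public /oauth2/token endpoint. The environment variable names FALCON_CLIENT_ID and FALCON_CLIENT_SECRET are chosen here, not Dropzone's, and are used so the secret never appears on the command line.

```python
"""Sanity-check CrowdStrike API client credentials before entering them in Dropzone.

Added example, not Dropzone AI's code. Assumptions:
  - credentials come from FALCON_CLIENT_ID / FALCON_CLIENT_SECRET (names chosen here);
  - the tenant is on one of the four Falcon clouds in UI_TO_API.
Only the public CrowdStrike OAuth2 endpoint (POST {base}/oauth2/token) is used.
"""
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

# Falcon console host -> API base URL. The default (US-1) cloud has no region
# label; the other clouds embed one in both the console and API hostnames.
UI_TO_API = {
    "falcon.crowdstrike.com": "https://api.crowdstrike.com",
    "falcon.us-2.crowdstrike.com": "https://api.us-2.crowdstrike.com",
    "falcon.eu-1.crowdstrike.com": "https://api.eu-1.crowdstrike.com",
    "falcon.laggar.gcw.crowdstrike.com": "https://api.laggar.gcw.crowdstrike.com",
}


def api_base_url(ui_domain: str) -> str:
    """Derive the API base URL from the Falcon console hostname or full URL.

    Rejects unknown hosts so a typo in the console domain is caught here rather
    than showing up later as an authentication failure.
    """
    host = ui_domain.strip().lower()
    if "://" in host:
        host = urllib.parse.urlsplit(host).hostname or ""
    host = host.rstrip("/")
    if host not in UI_TO_API:
        raise ValueError(f"unknown Falcon console host: {ui_domain!r}")
    return UI_TO_API[host]


def parse_token_response(body: bytes) -> dict:
    """Extract the fields that matter from an /oauth2/token reply.

    A successful reply carries access_token, token_type and expires_in; a
    rejected request (bad secret, unknown client, wrong cloud) carries an
    "errors" list instead. The token itself is deliberately not returned.
    """
    data = json.loads(body)
    errors = data.get("errors") or []
    if errors:
        detail = "; ".join(str(e.get("message", e)) for e in errors)
        raise PermissionError(f"token request rejected: {detail}")
    if not data.get("access_token"):
        raise ValueError("reply contained no access_token")
    return {"token_type": str(data.get("token_type", "")),
            "expires_in": int(data.get("expires_in", 0))}


def fetch_token(base_url: str, client_id: str, client_secret: str) -> dict:
    """Perform the client-credentials grant against the chosen Falcon cloud."""
    form = urllib.parse.urlencode(
        {"client_id": client_id, "client_secret": client_secret}).encode()
    req = urllib.request.Request(
        f"{base_url}/oauth2/token", data=form, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            body = resp.read()
    except urllib.error.HTTPError as exc:
        body = exc.read()  # 401/403 replies still carry the JSON "errors" array
    return parse_token_response(body)


if __name__ == "__main__":
    console = sys.argv[1] if len(sys.argv) > 1 else "falcon.crowdstrike.com"
    cid = os.environ.get("FALCON_CLIENT_ID")
    secret = os.environ.get("FALCON_CLIENT_SECRET")
    if not (cid and secret):
        sys.exit("set FALCON_CLIENT_ID and FALCON_CLIENT_SECRET in the environment")
    base = api_base_url(console)
    info = fetch_token(base, cid, secret)
    # Print metadata only; the bearer token must not end up in shell history or logs.
    print(f"OK: {base} issued a {info['token_type']} token valid for {info['expires_in']}s")
```

Run it as `python check_falcon_creds.py falcon.us-2.crowdstrike.com` with the two variables exported. A PermissionError means the Client ID/Secret pair is wrong or belongs to a different cloud; a ValueError on the hostname means the console domain you typed is not one the script knows. A successful token only proves authentication, not that the scopes above were granted: missing scopes show up as 403 responses on the individual API calls Dropzone makes.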

Enable CrowdStrike

The Alert Source integration allows Dropzone AI to pull alerts from CrowdStrike for investigation.

You'll need the following information:

Dropzone Field   Source
Client ID        The "Client ID" value you copied earlier
Client Secret    The "Secret" value you copied earlier

To enable the Alert Source integration, do the following:

  • Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.app

  • In the bottom left hand corner, navigate to Settings > Integrations

Integrations Dropdown
  • Click "Available"

Click Available
  • In the Search bar, search CrowdStrike, then click "Configure"

The Crowdstrike Tile
  • Under the Alert Source header, input the Client ID and Client Secret. If your tenant is hosted on a CrowdStrike cloud other than the default one, set the API Base URL to that cloud's API endpoint as well

The CrowdStrike Alert Source Configuration (pt 1)
  • To have Dropzone investigate endpoint detections, check the box labeled "Enable Endpoint Detection," then select the severity levels of the alerts you want Dropzone to investigate

  • Under Exclusions, you may exclude alerts by display name. To do so, click "Add Item," then enter one Python regex per item; any alert whose display name matches an entry is skipped

The CrowdStrike Alert Source Configuration (pt 2)
  • If you wish to enable CrowdStrike's Next-Gen SIEM cases, check the box labeled "Enable Next-gen SIEM Cases"

  • Input the minimum case severity you want Dropzone to investigate

  • Under "Enabled Next-Gen SIEM Case statuses," select the Case statuses you want Dropzone to investigate

The CrowdStrike Alert Source Configuration (pt 3)
  • Under "Case Name Regex Filters," you may choose to filter cases by name. To do so, click "Add Item," then input a list of regexes. Under "Case Name Filter mode," select whether matching cases are included or excluded

The CrowdStrike Alert Source Configuration (pt 4)
  • If you wish to enable CrowdStrike's Next-Gen SIEM alerts, check the box labeled "Enable Next-gen SIEM Alert"

  • Check the box labeled "Include Third Party Sources" if you want Dropzone to ingest Next-gen SIEM alerts from third-party sources integrated into CrowdStrike

  • Check the box labeled "Include Falcon Cloud Security Alert" if you want Dropzone to ingest alerts from CrowdStrike's Falcon Cloud Security

  • Check the box for each severity level of alerts you want Dropzone to investigate

The CrowdStrike Alert Source Configuration (pt 5)
  • Under "Next-Gen SIEM Alert Exclusions," you may choose to exclude alerts by display name. To do so, click "Add Item," then input a list of regexes; alerts whose display name matches are excluded

  • If you wish to restrict Dropzone to investigating alerts and cases from specific devices, check the box labeled "Enable Device Tag Filtering"

  • Input each device tag individually

The CrowdStrike Alert Source Configuration (pt 6)
  • If you wish to enable Dropzone to investigate identity protection alerts, check the box labeled "Enable Identity Protection Alerts"

  • Select the severity levels you want Dropzone to investigate alerts for

The CrowdStrike Alert Source Configuration (pt 7)
  • Input your CrowdStrike UI Domain (the falcon.*.crowdstrike.com host you logged into earlier) so that ticket linkbacks point at your console

  • If you wish to enable Dropzone to fetch original third party alerts, check the box labeled "Fetch Original Third Party Alerts" under "Next-Gen SIEM Alert Enrichment Options"

The CrowdStrike Alert Source Configuration (pt 8)
  • Set the poll interval (how often Dropzone queries CrowdStrike for new alerts) and the lookback (how far back in time each poll searches)

The CrowdStrike Alert Source Configuration (pt 9)
  • If you wish to further filter alerts with CEL (Common Expression Language) expressions, evaluated with the Python CEL package, check the box labeled "Use advanced filtering"

  • Input your CEL expression, then select whether to include or exclude alerts matching that filter. Add each filter individually using the "Add Item" button

  • Contact your Dropzone AI support representative for more information about this feature

The CrowdStrike Alert Source Configuration (pt 10)
  • Click "Test & Save" to finish

You should begin ingesting alerts immediately.
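The Exclusions, Case Name Regex Filters and Next-Gen SIEM Alert Exclusions steps above all take lists of Python regexes, and an unanchored pattern silently drops more than intended (an exclusion of `Malware` also removes anything mentioning "Malwarebytes"). The following is an added example, not Dropzone's own filter code, for dry-running such lists against constructed alert display names before you save them. It assumes each entry is a Python `re` pattern applied unanchored with `re.search`, case-sensitive unless the pattern itself carries `(?i)`; that is an assumption about Dropzone's matcher, not something the page states, so treat it as a way to reason about your patterns rather than a guarantee of identical behavior.

```python
"""Dry-run display-name regex filters of the kind configured in the Dropzone
CrowdStrike alert source. Added example, not Dropzone's code; assumes each
entry is an unanchored Python re.search, case-sensitive unless the pattern
sets (?i). The alert names are constructed samples, not real tenant data.
"""
import re
from typing import Iterable, List, Pattern

# Constructed sample display names, chosen to expose the substring trap.
SAMPLE_ALERTS = [
    "EICAR Test File Detected",
    "Known Malware - Trojan.Generic",
    "Suspicious PowerShell Encoded Command",
    "Adware/PUP - Malwarebytes Bundler",
    "Credential Theft - LSASS Access",
]


def invalid_patterns(patterns: Iterable[str]) -> List[str]:
    """Return the entries that are not valid Python regexes (empty list = all good)."""
    bad = []
    for p in patterns:
        try:
            re.compile(p)
        except re.error:
            bad.append(p)
    return bad


def compile_filters(patterns: Iterable[str]) -> List[Pattern]:
    bad = invalid_patterns(patterns)
    if bad:
        raise ValueError(f"invalid regex entries: {bad}")
    return [re.compile(p) for p in patterns]


def matches_any(name: str, filters: List[Pattern]) -> bool:
    # re.search: a pattern matches anywhere in the name unless it is anchored.
    return any(f.search(name) for f in filters)


def apply_exclusions(names: Iterable[str], patterns: Iterable[str]) -> List[str]:
    """Exclusion-list semantics: drop every alert whose display name matches any entry."""
    filters = compile_filters(patterns)
    return [n for n in names if not matches_any(n, filters)]


def apply_name_filter(names: Iterable[str], patterns: Iterable[str], mode: str) -> List[str]:
    """Case Name Regex Filters semantics: mode 'include' keeps only matches,
    mode 'exclude' drops them."""
    if mode not in ("include", "exclude"):
        raise ValueError(f"mode must be 'include' or 'exclude', got {mode!r}")
    filters = compile_filters(patterns)
    keep_matches = mode == "include"
    return [n for n in names if matches_any(n, filters) == keep_matches]


if __name__ == "__main__":
    print("unanchored 'Malware' also drops the Malwarebytes alert:")
    print("  ", apply_exclusions(SAMPLE_ALERTS, ["EICAR", "Malware"]))
    print("anchored pattern drops only the intended alert:")
    print("  ", apply_exclusions(SAMPLE_ALERTS, [r"^Known Malware\b"]))
    print("include mode with an inline case-insensitive flag:")
    print("  ", apply_name_filter(SAMPLE_ALERTS, [r"(?i)lsass|powershell"], "include"))
    print("bad entries:", invalid_patterns(["(unclosed", r"^EICAR\b"]))
```

Two habits follow from the dry run: anchor exclusions (`^`, `$`, `\b`) so they hit the alert family you mean and nothing adjacent, and put `(?i)` inside the pattern when you need case-insensitive matching, since the UI exposes no separate flag. Keep the include-mode list deliberately narrow: with "include," every case whose name matches nothing in the list is never investigated.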

If you have any errors engage your Dropzone AI support representative.
