CrowdStrike

The Dropzone AI platform integrates with the CrowdStrike APIs. This document describes how to set up API credentials and install them into the Dropzone platform.

Integration Overview

To enable these integrations you will perform the following actions:

  • Create API credentials in the CrowdStrike dashboard

  • Install the credentials into your Dropzone tenant (Data Source and Alert Source)

  • Select integration parameters, such as which alert types to sync

Create an API Key

  • As an Admin, go to your CrowdStrike dashboard, e.g. https://falcon.us-#.crowdstrike.com/

  • From the menu in the upper left, navigate to Support and Resources > API clients and keys

Click API clients and keys
  • On the right, click "Create API Client"

Create API Client
  • On the "Create API Client" page, input "Dropzone AI" in the client name field. Under "Description," write "Dropzone AI Integration Key"

Create API Client Screen
  • Enable the following scopes:

Scope                           Used By
Alerts                          Alert Source, Data Source
API Integrations                Alert Source, Data Source
Cases                           Alert Source, Data Source
Detections                      Alert Source, Data Source
Hosts                           Data Source
NGSIEM                          Data Source
Incidents                       Alert Source, Data Source
Quarantined Files               Data Source
Real Time Response              Data Source
Event Streams                   Data Source
Threatgraph                     Data Source
Identity Protection Entities    Data Source
Identity Protection Timeline    Data Source
Identity Protection GraphQL     Data Source

  • Write permission details

    • Cases: Write permissions are only required when used in Response Actions

    • NGSIEM: Write permissions are required when NextGen SIEM is enabled in order to execute NGSIEM queries (docs)

    • Real Time Response: Write permissions are required when File Retrieval is enabled (docs)

      • Dropzone only uses Real Time Response to perform get <file> commands

    • Identity Protection GraphQL: Write permissions are required when Identity Protection is enabled in order to execute queries for user directory information (docs)

  • When done, click "Create"

  • Copy the Client ID and Secret for use later in the Dropzone UI where they are called "Client ID" and "Client Secret" respectively

Copy your API Credentials
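The scope table and the write-permission rules above can be turned into a quick least-privilege audit of the API client before it is installed into Dropzone. The script below is an added example, not Dropzone or CrowdStrike code; the feature toggle names, the assumption that every listed scope needs Read, and the OAuth2 token endpoint path (taken from CrowdStrike's public API, supplied here from memory) are all assumptions, and the granted-scope sample at the bottom is constructed.

```python
import json
import urllib.parse
import urllib.request

# Scopes from the table above. Assumption: every scope needs Read; Write is only
# needed for the four scopes listed under "Write permission details", and only
# when the matching optional Dropzone feature is switched on.
DROPZONE_SCOPES = [
    "Alerts", "API Integrations", "Cases", "Detections", "Hosts", "NGSIEM",
    "Incidents", "Quarantined Files", "Real Time Response", "Event Streams",
    "Threatgraph", "Identity Protection Entities", "Identity Protection Timeline",
    "Identity Protection GraphQL",
]
WRITE_SCOPE_FOR_FEATURE = {   # constructed toggle name -> scope that needs Write
    "response_actions": "Cases",
    "ngsiem": "NGSIEM",
    "file_retrieval": "Real Time Response",
    "identity_protection": "Identity Protection GraphQL",
}

def required_permissions(enabled_features):
    """Return {scope: set_of_perms} the API client needs for the enabled features."""
    needed = {scope: {"read"} for scope in DROPZONE_SCOPES}
    for feature in enabled_features:
        if feature not in WRITE_SCOPE_FOR_FEATURE:
            raise ValueError(f"unknown feature toggle: {feature}")
        needed[WRITE_SCOPE_FOR_FEATURE[feature]].add("write")
    return needed

def audit_permissions(granted, enabled_features):
    """Compare what the client was granted ({scope: perms}) with what is needed.
    Returns (missing, excess) as sorted (scope, perm) lists; excess grants are
    reported so the key can be trimmed back to least privilege."""
    needed = required_permissions(enabled_features)
    missing = sorted((s, p) for s, perms in needed.items() for p in perms - granted.get(s, set()))
    excess = sorted((s, p) for s, perms in granted.items() for p in perms - needed.get(s, set()))
    return missing, excess

def fetch_token(client_id, client_secret, base_url="https://api.crowdstrike.com"):
    """Exchange Client ID / Client Secret for a bearer token (network call; base_url
    is the 'API Base URL' override from the Dropzone form). Endpoint path assumed."""
    body = urllib.parse.urlencode({"client_id": client_id, "client_secret": client_secret}).encode()
    req = urllib.request.Request(base_url.rstrip("/") + "/oauth2/token", data=body, method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)["access_token"]

if __name__ == "__main__":
    # Constructed sample: Write granted on Hosts (not needed), Write missing on NGSIEM.
    granted = {s: {"read"} for s in DROPZONE_SCOPES}
    granted["Hosts"].add("write")
    print(audit_permissions(granted, {"ngsiem"}))
```

Run the audit against the scopes you ticked in the Falcon console before clicking "Create"; a non-empty excess list means the key carries write access Dropzone will never use.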

Enable CrowdStrike

The Data Source integration allows Dropzone AI to interact with your CrowdStrike environment to gather information for use in investigation analysis and interactive chat.

You'll need the following information:

Dropzone Field    Source
Client ID         The "Client ID" value you copied earlier
Client Secret     The "Secret" value you copied earlier

To enable the Data Source integration, do the following:

  • Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.app

  • In the bottom left hand corner, navigate to Settings > Integrations

Integrations Dropdown
  • Click "Available"

Click Available
  • In the Search bar, search CrowdStrike, then click "Configure"

The CrowdStrike Tile
  • Under the Data Source header, input the Client ID and Client Secret

    • If you use a non-default URL for the CrowdStrike API, configure the API Base URL as well

  • Check the boxes to enable CrowdStrike's Identity Protection, Next-Gen SIEM, and Real Time Response services

    • These services are optional, but enabling them enhances the quality of Dropzone investigations

  • Only check Special Member CID Handling if your Dropzone AI representative indicates that your environment requires it

The CrowdStrike Data Source Configuration
  • Click "Test & Save" to finish

If you encounter any errors, engage your Dropzone AI support representative.
