CrowdStrike
This is a combined document for enabling the Dropzone AI Data Source and Alert Source for CrowdStrike.
Note that this is separate from the "CrowdStrike Falcon Intelligence" Threat intelligence data source.
The Dropzone AI platform integrates with the CrowdStrike APIs. This document describes how to set up API credentials and install them into the Dropzone platform.
Integration Overview
To enable these integrations you will perform the following actions:
Create API credentials in the CrowdStrike dashboard
Install the credentials into your Dropzone tenant (Data Source and Alert Source)
Select integration parameters, such as which alert types to sync
Create API Credentials
As an Admin, go to your CrowdStrike dashboard, e.g. https://falcon.us-#.crowdstrike.com/
From the menu in the upper left, select "Support and Resources" > "API clients and keys"
On the right, click on "Create API Client"
On the "Create API Client" page
Client name: "Dropzone AI"
Description: "Dropzone AI Integration Key"
Enable the following scopes:
| Scope | Read | Write | Used By |
|---|---|---|---|
| ✓ | Alert Sources, Data Source | |
| ✓ | Alert Sources, Data Source | |
| ✓ | Alert Sources, Data Source | |
| ✓ | Data Source | |
| ✓ | Alert Sources, Data Source | |
| ✓ | Data Source | |
| ✓ | ✓ | Data Source |
| ✓ | Data Source | |
| ✓ | Data Source |
Click "Create" when done selecting the above scopes
Record the Client ID, and Secret for use later in the Dropzone UI where they are called "Client ID" and "Client Secret" respectively
Enable The Dropzone Data Source Integration
The Data source integration allows Dropzone AI to interact with your CrowdStrike environment to gather information for use in investigation analysis and interactive chat.
You'll need the following information:
| Dropzone Field | Source |
|---|---|
Client ID | The "Client ID" from the API Credentials |
Client ID | The "Secret" from the API Credentials |
To enable the Data Source integration, do the following:
Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.ai
Click System > Integrations
Click "Data Sources" in the top left corner
Find the "CrowdStrike" tile and click "Connect"
Make sure you're using the EDR CrowdStrike tile, not the "CrowdStrike Falcon Intelligence" Threat Intelligence tile.
Input the Client ID and Client Secret
Click "Test & Save" to finish
If you have any errors engage your Dropzone AI support representative.
Enable The Dropzone Alert Source Integration
The Alert source integration allows Dropzone AI to pull alerts from CrowdStrike for investigation.
You'll need the following information:
| Dropzone Field | Source |
|---|---|
Client ID | The "Client ID" from the API Credentials |
Client ID | The "Secret" from the API Credentials |
To enable the Alert Source integration, do the following:
Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.ai
Click System > Integrations
Click on "Alert Sources" in the top left corner
Find the "CrowdStrike" tile and click "Connect"
Input the Client ID and Client Secret
Check the severity levels you want to ingest
Click "Test & Save" to finish
You should begin ingesting alerts immediately.
If you have any errors engage your Dropzone AI support representative.
Last updated