CrowdStrike
Last updated
This is a combined document for enabling the Dropzone AI Data Source and Alert Source for CrowdStrike.
Note that this is separate from the "CrowdStrike Falcon Intelligence" threat intelligence data source.
The Dropzone AI platform integrates with the CrowdStrike APIs. This document describes how to set up API credentials and install them into the Dropzone platform.
To enable these integrations you will perform the following actions:
Create API credentials in the CrowdStrike dashboard
Install the credentials into your Dropzone tenant (Data Source and Alert Source)
Select integration parameters, such as which alert types to sync
As an Admin, go to your CrowdStrike dashboard, e.g. https://falcon.us-#.crowdstrike.com/
From the menu in the upper left, select "Support and Resources" > "API clients and keys"
On the right, click on "Create API Client"
On the "Create API Client" page
Client name: "Dropzone AI"
Description: "Dropzone AI Integration Key"
Enable the scopes listed in the scope table at the end of this document
Click "Create" when done selecting the above scopes
Record the Client ID and Secret for use later in the Dropzone UI, where they are entered as "Client ID" and "Client Secret" respectively
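Before installing the credentials in Dropzone, it is worth confirming that the new API client authenticates and actually carries the scopes you just selected, so that a "Test & Save" failure later is not a guessing game. The script below is an added example, not part of the Dropzone AI or CrowdStrike documentation. It assumes the Falcon OAuth2 client-credentials endpoints (POST /oauth2/token and POST /oauth2/revoke), the per-cloud API base URLs in BASE_URLS, the environment variable names FALCON_CLIENT_ID, FALCON_CLIENT_SECRET and FALCON_CLOUD, and the read-only query endpoint paths in PROBES as representatives of four of the scopes in the table; those paths are the example's own assumption, not something the page states.

```python
"""Pre-flight check for a CrowdStrike API client before installing it in Dropzone AI.

Added example (not Dropzone AI or CrowdStrike code). Assumptions: the Falcon
OAuth2 endpoints /oauth2/token and /oauth2/revoke, the base URLs below, and the
probe paths in PROBES as stand-ins for four of the scopes listed on the page.
"""
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

# Falcon API base URL per cloud (assumed); pick the one matching your console region.
BASE_URLS = {
    "us-1": "https://api.crowdstrike.com",
    "us-2": "https://api.us-2.crowdstrike.com",
    "eu-1": "https://api.eu-1.crowdstrike.com",
}

# One cheap read-only query per scope; limit=1 keeps the calls light.
# Paths are the example's assumption, not taken from the integration document.
PROBES = [
    ("Alerts", "/alerts/queries/alerts/v1?limit=1"),
    ("Detections", "/detects/queries/detects/v1?limit=1"),
    ("Hosts", "/devices/queries/devices/v1?limit=1"),
    ("Incidents", "/incidents/queries/incidents/v1?limit=1"),
]


def build_token_request(base_url, client_id, client_secret):
    """Return (url, form-encoded body) for the OAuth2 client-credentials grant."""
    form = {"client_id": client_id, "client_secret": client_secret}
    return base_url + "/oauth2/token", urllib.parse.urlencode(form).encode()


def classify_status(status):
    """Translate a probe's HTTP status into a verdict an admin can act on."""
    if status == 200:
        return "ok"
    if status == 403:
        return "missing scope"   # token valid but this scope was not granted
    if status == 401:
        return "token rejected"  # wrong cloud, revoked client, or bad secret
    return "unexpected HTTP %d" % status


def scope_report(results):
    """results: list of (scope, status) -> (all probes ok, scopes that returned 403)."""
    missing = [scope for scope, status in results if classify_status(status) == "missing scope"]
    all_ok = all(classify_status(status) == "ok" for _, status in results)
    return all_ok, missing


def fetch_token(base_url, client_id, client_secret):
    """Exchange the client credentials for a short-lived bearer token."""
    url, body = build_token_request(base_url, client_id, client_secret)
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)["access_token"]


def probe(base_url, token, path):
    """GET one read-only query endpoint and return its HTTP status."""
    req = urllib.request.Request(base_url + path, headers={"Authorization": "Bearer " + token})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def revoke_token(base_url, token):
    """Revoke the test token so the check leaves no live credential behind (assumed form field)."""
    body = urllib.parse.urlencode({"token": token}).encode()
    req = urllib.request.Request(base_url + "/oauth2/revoke", data=body, method="POST")
    try:
        urllib.request.urlopen(req, timeout=15).close()
    except urllib.error.HTTPError:
        pass  # best effort; the token expires on its own within the hour


def main():
    client_id = os.environ.get("FALCON_CLIENT_ID")
    secret = os.environ.get("FALCON_CLIENT_SECRET")
    base_url = BASE_URLS[os.environ.get("FALCON_CLOUD", "us-1")]
    if not (client_id and secret):
        sys.exit("set FALCON_CLIENT_ID and FALCON_CLIENT_SECRET (optionally FALCON_CLOUD)")
    token = fetch_token(base_url, client_id, secret)
    try:
        results = [(scope, probe(base_url, token, path)) for scope, path in PROBES]
    finally:
        revoke_token(base_url, token)
    for scope, status in results:
        print("%-12s %s" % (scope, classify_status(status)))
    all_ok, missing = scope_report(results)
    if not all_ok:
        sys.exit("fix the API client before installing it: " + (", ".join(missing) or "see above"))
    print("credentials OK; enter them in Dropzone as Client ID / Client Secret")


if __name__ == "__main__":
    main()
```

Run it with the three environment variables set; a "missing scope" line names the scope to go back and enable on the API client, while "token rejected" on every line usually means the wrong cloud base URL rather than a scope problem. The token is revoked at the end so the check does not leave a usable bearer token in your shell history or logs.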
The Data source integration allows Dropzone AI to interact with your CrowdStrike environment to gather information for use in investigation analysis and interactive chat.
You'll need the following information (see the Data Source field table at the end of this document):
To enable the Data Source integration, do the following:
Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.ai
Click System > Integrations
Click "Data Sources" in the top left corner
Find the "CrowdStrike" tile and click "Connect"
Make sure you're using the EDR CrowdStrike tile, not the "CrowdStrike Falcon Intelligence" Threat Intelligence tile.
Input the Client ID and Client Secret
Click "Test & Save" to finish
If you encounter any errors, engage your Dropzone AI support representative.
The Alert source integration allows Dropzone AI to pull alerts from CrowdStrike for investigation.
You'll need the following information (see the Alert Source field table at the end of this document):
To enable the Alert Source integration, do the following:
Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.ai
Click System > Integrations
Click on "Alert Sources" in the top left corner
Find the "CrowdStrike" tile and click "Connect"
Input the Client ID and Client Secret
Check the severity levels you want to ingest
Click "Test & Save" to finish
You should begin ingesting alerts immediately.
If you encounter any errors, engage your Dropzone AI support representative.
API client scopes to enable:

Scope | Read | Write | Used By |
---|---|---|---|
Alerts | ✓ | | Alert Sources, Data Source |
API Integrations | ✓ | | Alert Sources, Data Source |
Detections | ✓ | | Alert Sources, Data Source |
Hosts | ✓ | | Data Source |
Incidents | ✓ | | Alert Sources, Data Source |
Quarantined Files | ✓ | | Data Source |
Real Time Response | ✓ | ✓ | Data Source |
Event Streams | ✓ | | Data Source |
Threatgraph | ✓ | | Data Source |

Information needed for the Data Source integration:

Dropzone Field | Source |
---|---|
Client ID | The "Client ID" from the API Credentials |
Client Secret | The "Secret" from the API Credentials |

Information needed for the Alert Source integration:

Dropzone Field | Source |
---|---|
Client ID | The "Client ID" from the API Credentials |
Client Secret | The "Secret" from the API Credentials |