CrowdStrike
Last updated
Was this helpful?
Last updated
Was this helpful?
This is a combined document for enabling the Dropzone AI Data Source and Alert Source for CrowdStrike.
Note that this is separate from the "CrowdStrike Falcon Intelligence" Threat intelligence data source.
The Dropzone AI platform integrates with the CrowdStrike APIs. This document describes how to set up API credentials and install them into the Dropzone platform.
To enable these integrations you will perform the following actions:
Create API credentials in the CrowdStrike dashboard
Install the credentials into your Dropzone tenant (Data Source and Alert Source)
Select integration parameters, such as which alert types to sync
As an Admin, go to your CrowdStrike dashboard, e.g. https://falcon.us-#.crowdstrike.com/
From the menu in the upper left, select "Support and Resources" > "API clients and keys"
On the right, click on "Create API Client"
On the "Create API Client" page
Client name: "Dropzone AI"
Description: "Dropzone AI Integration Key"
Enable the following scopes:
Alerts
✓
Alert Sources, Data Source
API Integrations
✓
Alert Sources, Data Source
Detections
✓
Alert Sources, Data Source
Hosts
✓
Data Source
NGSIEM
✓
✓
Data Source
Incidents
✓
Alert Sources, Data Source
Quarantined Files
✓
Data Source
Real Time Response
✓
✓
Data Source
Event Streams
✓
Data Source
Threatgraph
✓
Data Source
Identity Protection Entities
✓
Data Source
Identity Protection Timeline
✓
Data Source
Identity Protection GraphQL
✓
Data Source
Click "Create" when done selecting the above scopes
Record the Client ID and Secret for use later in the Dropzone UI where they are called "Client ID" and "Client Secret" respectively
The Data source integration allows Dropzone AI to interact with your CrowdStrike environment to gather information for use in investigation analysis and interactive chat.
You'll need the following information:
Client ID
The "Client ID" from the API Credentials
Client ID
The "Secret" from the API Credentials
To enable the Data Source integration, do the following:
Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.ai
Click System > Integrations
Click "Available"
In the Search bar, search CrowdStrike, then click "Configure"
Make sure you're using the EDR CrowdStrike tile, not the "CrowdStrike Falcon Intelligence" Threat Intelligence tile.
Under the Data Source header, input the Client ID and Client Secret
Click "Test & Save" to finish
If you have any errors engage your Dropzone AI support representative.
The Alert source integration allows Dropzone AI to pull alerts from CrowdStrike for investigation.
You'll need the following information:
Client ID
The "Client ID" from the API Credentials
Client ID
The "Secret" from the API Credentials
To enable the Alert Source integration, do the following:
Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.ai
Click System > Integrations
Click "Available"
In the Search bar, search CrowdStrike, then click "Configure"
Make sure you're using the EDR CrowdStrike tile, not the "CrowdStrike Falcon Intelligence" Threat Intelligence tile.
Under the Alert Source header, input the Client ID and Client Secret
Check the severity levels you want to ingest
Under Exclusion, you may check to enable exclusions from investigations
Click "Test & Save" to finish
You should begin ingesting alerts immediately.
If you have any errors engage your Dropzone AI support representative.
