CrowdStrike

The Dropzone AI platform integrates with the CrowdStrike APIs. This document describes how to set up API credentials and install them into the Dropzone platform.

Integration Overview

To enable these integrations you will perform the following actions:

  • Create API credentials in the CrowdStrike dashboard

  • Install the credentials into your Dropzone tenant (Data Source and Alert Source)

  • Select integration parameters, such as which alert types to sync

Create an API Key

  • As an Admin, go to your CrowdStrike dashboard, e.g. https://falcon.us-#.crowdstrike.com/

  • From the menu in the upper left, navigate to Support and Resources > API clients and keys

[Screenshot: Click API clients and keys]
  • On the right, click "Create API Client"

[Screenshot: Create API Client]
  • On the "Create API Client" page, enter "Dropzone AI" in the client name field. Under "Description," write "Dropzone AI Integration Key"

[Screenshot: Create API Client Screen]
  • Enable the following scopes:

Scope                        | Read | Write | Used By
-----------------------------+------+-------+---------------------------
Alerts                       |  ✓   |       | Alert Sources, Data Source
API Integrations             |  ✓   |       | Alert Sources, Data Source
Detections                   |  ✓   |       | Alert Sources, Data Source
Hosts                        |  ✓   |       | Data Source
NGSIEM                       |  ✓   |   ✓   | Data Source
Incidents                    |  ✓   |       | Alert Sources, Data Source
Quarantined Files            |  ✓   |       | Data Source
Real Time Response           |  ✓   |   ✓   | Data Source
Event Streams                |  ✓   |       | Data Source
Threatgraph                  |  ✓   |       | Data Source
Identity Protection Entities |  ✓   |       | Data Source
Identity Protection Timeline |  ✓   |       | Data Source
Identity Protection GraphQL  |  ✓   |       | Data Source

  • When done, click "Create"

  • Copy the Client ID and Secret for use later in the Dropzone UI where they are called "Client ID" and "Client Secret" respectively

[Screenshot: Copy your API Credentials]

Enable The Dropzone Data Source Integration

The Data source integration allows Dropzone AI to interact with your CrowdStrike environment to gather information for use in investigation analysis and interactive chat.

You'll need the following information:

Dropzone Field | Source
---------------+------------------------------------------
Client ID      | The "Client ID" value you copied earlier
Client Secret  | The "Secret" value you copied earlier

To enable the Data Source integration, do the following:

  • Navigate to your Dropzone AI tenant home page, e.g. https://mycompany.dropzone.app

  • In the bottom left-hand corner, click Settings > Integrations

[Screenshot: Integrations Dropdown]
  • Click "Available"

[Screenshot: Click Available]
  • In the Search bar, search for CrowdStrike, then click "Configure"

[Screenshot: The CrowdStrike Tile]
[Screenshot: The CrowdStrike Data Source Configuration]
  • Click "Test & Save" to finish

If you encounter any errors, engage your Dropzone AI support representative.

Enable The Dropzone Alert Source Integration

The Alert source integration allows Dropzone AI to pull alerts from CrowdStrike for investigation.

You'll need the following information:

Dropzone Field | Source
---------------+------------------------------------------
Client ID      | The "Client ID" value you copied earlier
Client Secret  | The "Secret" value you copied earlier

To enable the Alert Source integration, do the following:

  • Navigate to your Dropzone AI tenant home page, e.g. https://mycompany.dropzone.app

  • In the bottom left-hand corner, click Settings > Integrations

[Screenshot: Integrations Dropdown]
  • Click "Available"

[Screenshot: Click Available]
  • In the Search bar, search for CrowdStrike, then click "Configure"

[Screenshot: The CrowdStrike Tile]
  • Under the Alert Source header, enter the Client ID and Client Secret

[Screenshot: The CrowdStrike Alert Source Configuration (pt 1)]
  • If you wish to enable endpoint detection, check the box labeled "Enable Endpoint Detection." Then select the severity levels you want Dropzone to investigate alerts for

  • Under Exclusions, you may choose to exclude alerts by display name. To do so, click "Add Item," then enter a list of Python regexes matching the display names of the alerts you wish to exclude

[Screenshot: The CrowdStrike Alert Source Configuration (pt 2)]
  • If you wish to enable Dropzone to investigate specific endpoint incidents, check the box labeled "Enable Endpoint Incidents." Then select the incident statuses you want Dropzone to investigate alerts for

  • Enter the minimum incident score you want Dropzone to investigate alerts for

CrowdStrike uses an incident scoring system to indicate the severity and potential impact of an incident. Scores range from 0 (no risk) to 100 (critical risk). If you want Dropzone to be able to investigate all alerts, choose 0 as the minimum incident score.

[Screenshot: The CrowdStrike Alert Source Configuration (pt 3)]
  • If you wish to enable CrowdStrike's Next-Gen SIEM, check the box labeled "Enable Next-gen SIEM." Then select the severity levels you want Dropzone to investigate alerts for

  • Under "Next-Gen SIEM Alert Exclusions," you may choose to exclude alerts by display name. To do so, click "Add Item," then enter a list of regexes matching the alerts to exclude

[Screenshot: The CrowdStrike Alert Source Configuration (pt 4)]
  • If you wish to enable Dropzone to investigate identity protection alerts, check the box labeled "Enable Identity Protection Alerts." Then select the severity levels you want Dropzone to investigate alerts for

[Screenshot: The CrowdStrike Alert Source Configuration (pt 5)]
  • Enter your desired poll interval and lookback

[Screenshot: The CrowdStrike Alert Source Configuration (pt 6)]
  • Click "Test & Save" to finish

You should begin ingesting alerts immediately.

If you encounter any errors, engage your Dropzone AI support representative.
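The severity selections, exclusion regexes and minimum incident score configured above decide which CrowdStrike alerts Dropzone picks up, and an over-broad exclusion regex silently suppresses alerts. The following added example (not Dropzone's or CrowdStrike's code) models that filtering in Python so you can dry-run a candidate exclusion list against recent alert display names before saving it; it assumes search (match-anywhere) regex semantics and that the severity filter is applied before exclusions, and the sample detections are constructed.

```python
import re

# Constructed sample of CrowdStrike detection display names and severities, not real data.
SAMPLE_DETECTIONS = [
    {"display_name": "Suspicious PowerShell Encoded Command", "severity": "high"},
    {"display_name": "Credential Theft Test - Red Team", "severity": "critical"},
    {"display_name": "Adware/PUP Detected", "severity": "low"},
    {"display_name": "Malicious Document Execution", "severity": "critical"},
    {"display_name": "Testing Tool Detected", "severity": "medium"},
]


def compile_exclusions(patterns):
    """Compile the exclusion list; an invalid regex raises re.error here, not after saving."""
    return [re.compile(p) for p in patterns]


def should_investigate_detection(display_name, severity, severities, compiled):
    """Assumed filter order: the severity must be selected, then no exclusion regex may hit.

    Search semantics (match anywhere in the name) are assumed; anchor a pattern with
    ^ and $ if it should only exclude an exact display name.
    """
    if severity.lower() not in severities:
        return False
    return not any(rx.search(display_name) for rx in compiled)


def should_investigate_incident(status, score, statuses, min_score):
    """An incident passes when its status is selected and its score meets the minimum."""
    return status in statuses and score >= min_score


def dry_run(patterns, detections=SAMPLE_DETECTIONS):
    """Map each pattern to the display names it would exclude, so over-broad regexes are visible."""
    compiled = compile_exclusions(patterns)
    return {rx.pattern: [d["display_name"] for d in detections if rx.search(d["display_name"])]
            for rx in compiled}


if __name__ == "__main__":
    # "Test" also hits "Testing Tool Detected"; the anchored form excludes only the red-team alert.
    print(dry_run([r"Test", r"^Credential Theft Test"]))
```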
