CrowdStrike
This is a combined document for enabling the Dropzone AI Data Source and Alert Source for CrowdStrike.
Note that this is separate from the "CrowdStrike Falcon Intelligence" threat intelligence data source.
The Dropzone AI platform integrates with the CrowdStrike APIs. This document describes how to set up API credentials and install them into the Dropzone platform.
Integration Overview
To enable these integrations you will perform the following actions:
Create API credentials in the CrowdStrike dashboard
Install the credentials into your Dropzone tenant (Data Source and Alert Source)
Select integration parameters, such as which alert types to sync
Create an API Key
As an Admin, go to your CrowdStrike dashboard, e.g. https://falcon.us-#.crowdstrike.com/
From the menu in the upper left, navigate to Support and Resources > API clients and keys

On the right, click "Create API Client"

On the "Create API Client" page, input "Dropzone AI" in the client name field. Under "Description," write "Dropzone AI Integration Key"

Enable the following scopes:

| Scope | Read | Write | Used by |
|---|---|---|---|
| Alerts | ✓ | | Alert Sources, Data Source |
| API Integrations | ✓ | | Alert Sources, Data Source |
| Detections | ✓ | | Alert Sources, Data Source |
| Hosts | ✓ | | Data Source |
| NGSIEM | ✓ | ✓ | Data Source |
| Incidents | ✓ | | Alert Sources, Data Source |
| Quarantined Files | ✓ | | Data Source |
| Real Time Response | ✓ | ✓ | Data Source |
| Event Streams | ✓ | | Data Source |
| Threatgraph | ✓ | | Data Source |
| Identity Protection Entities | ✓ | | Data Source |
| Identity Protection Timeline | ✓ | | Data Source |
| Identity Protection GraphQL | ✓ | | Data Source |
When done, click "Create"
Copy the Client ID and Secret for use later in the Dropzone UI, where they are called "Client ID" and "Client Secret" respectively.

Enable The Dropzone Data Source Integration
The Data source integration allows Dropzone AI to interact with your CrowdStrike environment to gather information for use in investigation analysis and interactive chat.
You'll need the following information:
Client ID: the "Client ID" value you copied earlier
Client Secret: the "Secret" value you copied earlier
To enable the Data Source integration, do the following:
Navigate to your Dropzone AI tenant home page, e.g. https://mycompany.dropzone.app
In the bottom left-hand corner, click Settings > Integrations

Click "Available"

In the Search bar, search CrowdStrike, then click "Configure"

Make sure you're using the EDR CrowdStrike tile, not the "CrowdStrike Falcon Intelligence" Threat Intelligence tile.
Under the Data Source header, input the Client ID and Client Secret
Check the boxes to enable CrowdStrike's Identity Protection and Next-Gen SIEM services

Click "Test & Save" to finish
If you have any errors, engage your Dropzone AI support representative.
Enable The Dropzone Alert Source Integration
The Alert source integration allows Dropzone AI to pull alerts from CrowdStrike for investigation.
You'll need the following information:
Client ID: the "Client ID" value you copied earlier
Client Secret: the "Secret" value you copied earlier
To enable the Alert Source integration, do the following:
Navigate to your Dropzone AI tenant home page, e.g. https://mycompany.dropzone.app
In the bottom left-hand corner, click Settings > Integrations

Click "Available"

In the Search bar, search CrowdStrike, then click "Configure"

Make sure you're using the EDR CrowdStrike tile, not the "CrowdStrike Falcon Intelligence" Threat Intelligence tile.
Under the Alert Source header, input the Client ID and Client Secret

If you wish to enable endpoint detection, check the box labeled "Enable Endpoint Detection." Then select the severity levels you want Dropzone to investigate alerts for.
Under "Exclusions," you may choose to exclude alerts by display name. To do so, click "Add Item," then input a list of Python regexes matching the display names of the alerts you wish to exclude.

If you wish to enable Dropzone to investigate specific endpoint incidents, check the box labeled "Enable Endpoint Incidents." Then select the incident statuses you want Dropzone to investigate alerts for.
Enter the minimum incident score you want Dropzone to investigate alerts for.

If you wish to enable CrowdStrike's Next-Gen SIEM, check the box labeled "Enable Next-gen SIEM." Then select the severity levels you want Dropzone to investigate alerts for.
Under "Next-Gen SIEM Alert Exclusions," you may choose to exclude alerts by display name. To do so, click "Add Item," then input a list of regexes matching the alerts you wish to exclude.

If you wish to enable Dropzone to investigate identity protection alerts, check the box labeled "Enable Identity Protection Alerts." Then select the severity levels you want Dropzone to investigate alerts for.

Input your desired poll interval and lookback.

Click "Test & Save" to finish
You should begin ingesting alerts immediately.
If you have any errors, engage your Dropzone AI support representative.
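The display-name exclusions for endpoint detections and for Next-Gen SIEM alerts above are regexes, and an unanchored pattern can silently drop alerts you meant to keep. The following added example (not Dropzone AI's or CrowdStrike's own code) dry-runs a candidate exclusion list and severity selection against constructed sample alert names so the effect can be reviewed before saving; it assumes substring matching via `re.search`, since the page does not state how Dropzone applies the patterns.

```python
import re

# Constructed sample alerts for the dry run; these are not real alert names
# or severities from any CrowdStrike tenant.
SAMPLE_ALERTS = [
    {"name": "Suspicious PowerShell Execution", "severity": "high"},
    {"name": "Known Benign Scanner Activity", "severity": "low"},
    {"name": "Credential Dumping via LSASS", "severity": "critical"},
    {"name": "Scheduled Scan - Vulnerability Scanner", "severity": "medium"},
    {"name": "Malicious Scheduled Task Created", "severity": "high"},
]


def compile_exclusions(patterns):
    """Compile the exclusion list, surfacing invalid regexes instead of
    silently skipping them. Returns (compiled_patterns, {pattern: error})."""
    compiled, errors = [], {}
    for pattern in patterns:
        try:
            compiled.append(re.compile(pattern))
        except re.error as exc:
            errors[pattern] = str(exc)
    return compiled, errors


def select_alerts(alerts, severities, exclusions):
    """Apply the severity selection first, then the display-name exclusions.

    Assumption: a pattern excludes an alert if it matches anywhere in the
    display name (re.search). Returns (names_to_investigate, excluded_by),
    where excluded_by maps each pattern to the names it removed.
    """
    investigate, excluded_by = [], {}
    for alert in alerts:
        if alert["severity"] not in severities:
            continue  # not a selected severity; never reaches the regex step
        hit = next((rx.pattern for rx in exclusions if rx.search(alert["name"])), None)
        if hit is not None:
            excluded_by.setdefault(hit, []).append(alert["name"])
        else:
            investigate.append(alert["name"])
    return investigate, excluded_by


if __name__ == "__main__":
    # "Scheduled" is too broad: it also removes "Malicious Scheduled Task Created".
    # Anchoring to the scanner's title prefix keeps the malicious alert in scope.
    for candidate in ["Scheduled", r"^Scheduled Scan - "]:
        rxs, errs = compile_exclusions([candidate])
        keep, dropped = select_alerts(SAMPLE_ALERTS, {"medium", "high", "critical"}, rxs)
        print(candidate, "-> investigate:", keep, "| excluded:", dropped, "| errors:", errs)
```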