
How to configure CrowdStrike Integration

Cognito Detect integrates with the CrowdStrike Query API.

Step 1 - Obtain CrowdStrike Query API credentials

To activate the CrowdStrike Query API you must have received Query API credentials from CrowdStrike Support. If you already have these, proceed to Step 2. If you do not yet have authentication credentials, send an email to support@crowdstrike.com requesting the Query API authentication credentials.

Please note: CrowdStrike is moving to an OAuth framework but still supports the legacy username/API token authentication method. Vectra's CrowdStrike integration does not yet support OAuth authentication, so a username/API token should be requested from CrowdStrike.

The credentials should be sent to the email address registered on your CrowdStrike instance.

The API reference may be found at the official CrowdStrike document repository:

https://falcon.crowdstrike.com/support/documentation

The email response from CrowdStrike should include the following:

  • Username (a random 20-character alphanumeric string)
  • API Token

Step 2 - Enable Integration in Cognito Detect

In your Cognito Detect Brain UI:

  • Go to Settings > External Connectors, click Edit for CrowdStrike and toggle it On.
  • Enter the username and API Token obtained in Step 1 and click Save.
  • The CrowdStrike integration is now complete.


Step 3 - Ensure the firewall allows TCP 443 egress from the Brain to falconapi.crowdstrike.com

The firewall must permit traffic from the Brain to the falconapi.crowdstrike.com FQDN, or to its published IP addresses, over HTTPS (TCP 443). Where the firewall supports FQDN rules, prefer the FQDN, since the published IP addresses may change over time. The current address list is at:

https://falcon.crowdstrike.com/support/documentation/2/query-api-reference#ip_addresses
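A pre-flight check for Step 3, added here as an example (it is not part of the original article or of Vectra's product): run from the Brain, or any host subject to the same egress policy, it resolves falconapi.crowdstrike.com and attempts a TCP connection on 443 to each returned address, so a blocked rule shows up before the connector is enabled. It sends no credentials and needs only Python 3; the loopback self-test function is constructed purely so the logic can be exercised offline.

```python
"""Egress pre-flight for the Cognito Detect -> CrowdStrike Query API path:
resolve falconapi.crowdstrike.com and attempt a TCP connect on 443 from the
host running the script. No credentials are sent; only Step 3's path is tested."""
import socket

CROWDSTRIKE_API_HOST = "falconapi.crowdstrike.com"  # FQDN named in Step 3
HTTPS_PORT = 443


def check_egress(host: str, port: int = HTTPS_PORT, timeout: float = 5.0) -> dict:
    """Resolve host, then try a TCP connect to every returned address.

    A blocked firewall rule usually surfaces as a timeout, a wrong FQDN as a
    resolution error, and a closed port as a connection refused.
    """
    result = {"host": host, "port": port, "addresses": {},
              "reachable": False, "error": None}
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        result["error"] = f"DNS resolution failed: {exc}"
        return result
    for *_rest, sockaddr in infos:
        addr = sockaddr[0]
        if addr in result["addresses"]:
            continue  # getaddrinfo may list the same address more than once
        try:
            with socket.create_connection((addr, port), timeout=timeout):
                result["addresses"][addr] = "open"
        except OSError as exc:
            result["addresses"][addr] = f"blocked ({type(exc).__name__})"
    result["reachable"] = any(v == "open" for v in result["addresses"].values())
    return result


def loopback_self_test() -> tuple:
    """Offline demonstration (constructed): probe an open, then a closed, port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = check_egress("127.0.0.1", port, timeout=1.0)["reachable"]
    listener.close()  # nothing listens on the port any more
    after_close = check_egress("127.0.0.1", port, timeout=1.0)["reachable"]
    return while_open, after_close


if __name__ == "__main__":
    print(check_egress(CROWDSTRIKE_API_HOST))
```

A result with `error` set points at DNS on the Brain rather than the firewall; addresses reported as blocked with a timeout are the ones to raise with the firewall team.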
