Cognito Detect integrates with the CrowdStrike Query API.
Step 1 - Obtain CrowdStrike Query API credentials
To activate the CrowdStrike Query API integration you must have Query API credentials issued by CrowdStrike Support. If you already have them, proceed to Step 2. If you do not yet have authentication credentials, send an email to email@example.com requesting the Query API authentication credentials.
Please note: CrowdStrike is moving to an OAuth framework but still supports the legacy username/API token authentication method. Vectra's CrowdStrike integration does not yet support OAuth authentication, so request a username/API token from CrowdStrike.
The credentials should be sent to the email address registered on your CrowdStrike instance.
The API reference may be found in the official CrowdStrike documentation repository.
The email response from CrowdStrike should include the following:
- Username (a random 20-character alphanumeric string)
- API Token
Step 2 - Enable Integration in Cognito Detect
In the Cognito Detect Brain UI go to:
- Settings > External Connectors > Edit > CrowdStrike, and toggle it On.
- Enter the username and API Token obtained in Step 1 and click Save.
- The CrowdStrike integration is now configured; complete Step 3 so the Brain can actually reach the API.
Step 3 - Ensure the firewall allows TCP 443 egress from the Brain to falconapi.crowdstrike.com
Outbound traffic from the Brain to falconapi.crowdstrike.com (matched by FQDN, or by the IPs it resolves to) must be permitted over HTTPS on TCP 443. Where the firewall supports it, prefer an FQDN-based rule: the addresses behind the name can change, and an IP-based allow list that lags those changes will break the integration without any change on the Brain.
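The following script is an added example for verifying Step 3; it is not Vectra's or CrowdStrike's code. Run it from a host whose egress path matches the Brain's (for example another host on the Brain's management subnet). It resolves falconapi.crowdstrike.com, attempts a TCP connect to every address returned (a partial IP allow list shows up as some addresses blocked while others succeed), and then completes a certificate-verified TLS handshake with SNI set to the FQDN, reporting the certificate issuer so that a TLS-intercepting proxy in the path is visible. The hostname and port come from this page; the timeout value and the report layout are this example's own choices.

```python
"""
Egress check for the Cognito Detect Brain -> CrowdStrike Query API path.

Added example, not Vectra's or CrowdStrike's code. It needs only the Python
standard library. Run it from a host whose outbound path matches the Brain's.
"""
import socket
import ssl
from typing import Dict, List, Optional

API_HOST = "falconapi.crowdstrike.com"   # endpoint named in the integration notes
API_PORT = 443                           # HTTPS, as required by Step 3


def resolve(host: str) -> List[str]:
    """Return the unique addresses the name currently resolves to (empty on failure)."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    addrs: List[str] = []
    for info in infos:
        addr = info[4][0]
        if addr not in addrs:
            addrs.append(addr)
    return addrs


def tcp_connect(addr: str, port: int, timeout: float) -> Optional[str]:
    """Plain TCP connect. Returns None on success, otherwise the OS error text."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return None
    except OSError as exc:
        return str(exc)


def tls_handshake(addr: str, port: int, server_name: str, timeout: float) -> Dict[str, object]:
    """
    Certificate-verified TLS handshake to one address, sending server_name as SNI
    and validating the certificate against it. The issuer organization is returned
    so that a re-signing (inspecting) proxy can be spotted in the output.
    """
    ctx = ssl.create_default_context()
    result: Dict[str, object] = {"ok": False, "issuer": None, "error": None}
    try:
        with socket.create_connection((addr, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
                cert = tls.getpeercert()
                # getpeercert() returns the issuer as a tuple of RDNs, each a tuple of (name, value)
                issuer = dict(rdn[0] for rdn in cert.get("issuer", ()))
                result["ok"] = True
                result["issuer"] = issuer.get("organizationName")
    except OSError as exc:          # ssl.SSLError is a subclass of OSError
        result["error"] = str(exc)
    return result


def check_egress(host: str, port: int = API_PORT, timeout: float = 5.0,
                 verify_tls: bool = True) -> Dict[str, object]:
    """
    Full check: resolve, TCP-connect every address, then (optionally) TLS-handshake.
    'blocked' lists addresses that refused or timed out; 'all_ok' is True only when
    the name resolved, every address accepted a connection, and every handshake
    verified. A mix of blocked and working addresses is the signature of an
    IP-based firewall rule that no longer covers the whole address set.
    """
    addrs = resolve(host)
    report: Dict[str, object] = {"host": host, "port": port, "addresses": addrs,
                                 "blocked": [], "tls": {}, "all_ok": False}
    for addr in addrs:
        err = tcp_connect(addr, port, timeout)
        if err is not None:
            report["blocked"].append((addr, err))
            continue
        if verify_tls:
            report["tls"][addr] = tls_handshake(addr, port, host, timeout)
    tls_ok = all(r["ok"] for r in report["tls"].values())
    report["all_ok"] = bool(addrs) and not report["blocked"] and tls_ok
    return report


if __name__ == "__main__":
    import json
    # Live run against the CrowdStrike API endpoint; exit code 1 if anything is blocked.
    result = check_egress(API_HOST)
    print(json.dumps(result, indent=2, default=str))
    raise SystemExit(0 if result["all_ok"] else 1)
```

If every address is listed under "blocked" with a timeout, the firewall is dropping the traffic; a "connection refused" from a corporate proxy address, or a TLS result whose issuer is not a public CA, indicates the path is being intercepted rather than simply allowed, which the integration will not tolerate.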