CrowdStrike OAuth2 Migration FAQ

Why is this important?

On October 29th, CrowdStrike will deprecate the legacy authentication method used to access some of their REST API endpoints. This includes the two device endpoints used by Vectra for the CrowdStrike External Connector integration, which are used by Cognito Detect for host context and identification:

  • /devices/queries/devices/v1
  • /devices/entities/devices/v1

If you have the CrowdStrike External Connector integration enabled, you must migrate your legacy CrowdStrike credentials to the new OAuth2 credentials prior to the October 29th cutoff date. Failure to migrate to the new credentials will result in a loss of communication between Cognito Detect and your CrowdStrike instance and prevent Cognito Detect from properly identifying CrowdStrike hosts on your network.

What are the important dates to know?

Cognito Release Version 6.0 will become generally available (GA) on August 25th. This release will provide a mechanism for you to migrate your legacy credentials to the new CrowdStrike OAuth2 credentials. Please note: You will need to obtain your CrowdStrike OAuth2 credentials from CrowdStrike prior to beginning the migration process. On October 29th, CrowdStrike will deprecate the legacy authentication method and any CrowdStrike External Connectors that have not been migrated will cease to operate normally. 

How do I obtain my OAuth2 credentials from CrowdStrike?

  1. Log into your CrowdStrike Falcon instance and click the Falcon icon at the top left corner.

  2. Select "API Clients and Keys" under the Support section.

  3. From the API Clients and Keys screen, click on "Add new API client".

  4. In the "Add new API client" popup, give the client a name and description, and grant it Host Read permissions. Click Add.

  5. After clicking Add, your client will be created. Please record the Client ID and Secret. You will later input these values into the Cognito Detect External Connector as part of your OAuth2 migration.
    Please note: This is the only time you will be able to view this secret in the Falcon UI. You must start over and create a new API client if you do not record the secret at this time.

What permissions are required on the CrowdStrike side for my OAuth2 credentials to work properly with Cognito Detect?

Hosts Read is the only permission needed. You set the permissions when you create the new CrowdStrike API client in step 4 above.
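
A pre-flight check you can run before entering the new Client ID and Secret into Cognito Detect, as an added example (not Vectra or CrowdStrike code): it requests a token and makes one call to /devices/queries/devices/v1 to tell a mistyped secret apart from an API client that lacks Hosts Read. The /oauth2/token path, the status-code handling, the function names and the offline fake_falcon stub are assumptions of this example and do not come from this article.

```python
import io
import json
import urllib.error
import urllib.parse
import urllib.request

# Hostnames offered in the CrowdStrike URL dropdown described in this FAQ.
ALLOWED_HOSTS = {"api.crowdstrike.com", "api.laggar.gwc.crowdstrike.com"}

def _call(send, req):
    """Send a request; return (status, JSON body), treating HTTP errors as results."""
    try:
        with send(req) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, {}

def preflight(host, client_id, client_secret, send=urllib.request.urlopen):
    """Return 'ok', 'bad_credentials', 'missing_hosts_read' or 'unexpected_http_N'."""
    if host not in ALLOWED_HOSTS:  # never post the secret to an unexpected host
        raise ValueError(f"unexpected CrowdStrike host: {host}")
    form = urllib.parse.urlencode(
        {"client_id": client_id, "client_secret": client_secret}).encode()
    status, body = _call(send, urllib.request.Request(
        f"https://{host}/oauth2/token", data=form, method="POST"))
    if status not in (200, 201) or "access_token" not in body:
        return "bad_credentials"
    status, _ = _call(send, urllib.request.Request(
        f"https://{host}/devices/queries/devices/v1?limit=1",
        headers={"Authorization": f"Bearer {body['access_token']}"}))
    if status == 403:  # assumed: token is valid but the client lacks the scope
        return "missing_hosts_read"
    return "ok" if status == 200 else f"unexpected_http_{status}"

def fake_falcon(secret, hosts_read):
    """Constructed offline stand-in for the API (not real CrowdStrike responses)."""
    def send(req):
        if req.full_url.endswith("/oauth2/token"):
            ok = urllib.parse.parse_qs(req.data.decode()).get("client_secret") == [secret]
            code, body = (201, {"access_token": "constructed-token"}) if ok else (401, {})
        else:
            ok = req.get_header("Authorization") == "Bearer constructed-token"
            code, body = (200, {"resources": []}) if ok and hosts_read else (403, {})
        if code >= 400:
            raise urllib.error.HTTPError(req.full_url, code, "error", {}, io.BytesIO())
        resp = io.BytesIO(json.dumps(body).encode())
        resp.status = code
        return resp
    return send
```

Against a live instance, call preflight() without the send argument and read the secret from a prompt or secrets manager rather than a command-line argument.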

I have my new OAuth credentials from CrowdStrike, how do I migrate my credentials in Vectra?

  1. Log into your Cognito Detect instance and navigate to the Settings -> External Connectors page. If you had the CrowdStrike External Connector previously enabled, you will see a notification reminding you to update your CrowdStrike External Connector.

  2. Click the Edit button to configure the CrowdStrike External Connector settings.

  3. Click on the "Change to OAuth2 authentication" link.
    Please note: Your existing legacy credentials have been set to read-only as they will no longer be required after the migration is complete. The migration process will not delete your legacy credentials until after your new OAuth2 credentials have been validated.

  4. Once you click the "Change to OAuth2 authentication" link, you will be able to enter your new CrowdStrike OAuth2 credentials.
    Please Note: You will need to select a CrowdStrike URL from the dropdown. For most users, this will be api.crowdstrike.com. Only select api.laggar.gwc.crowdstrike.com if your CrowdStrike instance is running on AWS GovCloud. If you are uncertain as to which CrowdStrike URL you should choose, hit the Cancel button and refer back to the CrowdStrike URL used by your legacy credentials from step 2 above.

  5. Enter your CrowdStrike Client ID and Client Secret in the boxes provided and hit the Save button.
    Please Note: In the event that your credentials are mistyped, or you have not assigned the correct Host Read permissions, you will receive an error message indicating that the configuration cannot be saved.

    After hitting the Save button, Cognito Detect will perform a connection check to your CrowdStrike instance to validate your new OAuth2 credentials. Your legacy credentials will not be deleted until after your OAuth2 credentials have been validated with your CrowdStrike instance.

  6. If the connection check is successful, your new OAuth2 credentials have been validated against your CrowdStrike instance, and you will see a message indicating that your new settings have been saved.

  7. Returning to the External Connectors page will now indicate a successful connection to CrowdStrike and the update notification message will have cleared.

How will I know if I need to update my credentials?

You will see an indicator reminding you to update your CrowdStrike credentials in one of two places:

  1. On the External Connector page

  2. On any Host with CrowdStrike host artifacts

My credentials have been updated, how long will it take for the settings to take effect? 

Cognito Detect will begin identifying CrowdStrike hosts using the new OAuth2 settings immediately.

Will this change how Cognito Detect interacts with my CrowdStrike instance?

After the OAuth2 migration has been completed, there are no changes to the method or frequency that Cognito Detect uses to poll CrowdStrike for host information. This is simply a change in the way Cognito Detect authenticates against the CrowdStrike device APIs. Cognito Detect will continue to use the same CrowdStrike device APIs used prior to the OAuth2 migration.
