# CrowdStrike Falcon

The NetSPI Platform has a broad integration with CrowdStrike Falcon.

This integration only supports the CrowdStrike Falcon product.

Similar to our other integrations, the CrowdStrike Falcon integration is read-only and does not perform actions to configure systems or otherwise change anything about your CrowdStrike Falcon system.

# Supported asset types

The CrowdStrike integration provides the NetSPI Platform visibility into the following asset types:

  • Systems
  • IPv4 Addresses
  • DNSRecord

# Endpoints Used

This integration needs access to the following API endpoints:

  • /devices/queries/devices/v1
  • /devices/entities/devices/v2

# Required permissions

This integration needs an API key with the following access permissions:

  • Read permissions for Hosts and Host Groups

# Configuration steps

Use the section below for configuring CrowdStrike to integrate with the NetSPI Platform.

# Step one: API key creation

  1. Log in to the CrowdStrike Falcon administration page, typically https://falcon.crowdstrike.com/login/.

  2. Navigate to Support -> API Clients and Keys.

  3. Create a new API key, providing a name, such as "NetSPI Read Only".

  4. Select Read permissions for Hosts and Host Groups.

  5. Select Add and record the resulting Client ID and API Key for Step two, below.

# Step two: NetSPI Platform CAASM configuration

Use the steps below to configure the CrowdStrike Integration in the NetSPI Platform.

  1. Log into the NetSPI Platform as a Client Admin user.

  2. Navigate to Settings -> CAASM Integrations to display the Integrations page.

    Platform Integrations page

  3. Select the Integration Library tab -> Integration Categories / Managed Detection and Response (MDR) -> CrowdStrike Falcon integration.

    Integration Library tab

    This brings the CrowdStrike Falcon integration card into focus.

  4. Select the Add button on the CrowdStrike Falcon card to display the CrowdStrike integration configuration page.

    CrowdStrike Falcon integration page

  5. Select and enter values for the following fields.

    1. Select the integration type from the Integration drop-down list. In this case, CrowdStrike Falcon Integration, which is already selected by default.

    2. Select the integration scope from the Scope drop-down list. The CrowdStrike Falcon integration can only run on a cloud scope, which was configured by NetSPI. It displays as Cloud and is the default value for the CrowdStrike Falcon integration.

    3. Enter an integration name and description in the Integration Name and Description fields.

    4. Select the Enabled slider button to display as either on (blue) or off (light gray).

    5. Provide the client_id and client_secret from the CrowdStrike console in the Client ID and Client Secret fields.

    6. Select Create to create the integration. The new integration now displays on the Applied Integrations tab with its statuses: current and last run, last run time, and status (enabled/disabled).

    7. Enter a domain in the optional CrowdStrike API Domain field if desired.

    8. If you would like to filter the data from CrowdStrike, create your filter using Falcon Query Language and enter it in the optional filter text box. For instance, if you would like to filter out AWS assets you might enter instance_id:!*'i*' in this field.

  6. Select Save to create the integration. The new integration now displays on the Applied Integrations tab with its statuses: current and last run, last run time, and status (enabled/disabled).
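
Before entering the credentials and filter in the NetSPI Platform, you can confirm that the API client reaches both endpoints listed above and see what the FQL filter matches. This is an added example, not NetSPI or CrowdStrike code. It assumes the US-1 API base URL `https://api.crowdstrike.com` and the OAuth2 token endpoint `/oauth2/token` (neither appears on this page), and the environment variable names are hypothetical.

```python
import json
import os
import urllib.parse
import urllib.request

# Assumption: US-1 cloud; other Falcon clouds use a different API domain.
BASE_URL = "https://api.crowdstrike.com"


def token_request(cid, secret, base=BASE_URL):
    """OAuth2 client-credentials call; /oauth2/token is not listed on the page."""
    data = urllib.parse.urlencode({"client_id": cid, "client_secret": secret}).encode()
    return urllib.request.Request(f"{base}/oauth2/token", data=data, method="POST")


def query_request(token, fql="", limit=100, base=BASE_URL):
    """GET /devices/queries/devices/v1: device IDs matching the FQL filter."""
    params = {"limit": limit}
    if fql:
        params["filter"] = fql  # urlencode percent-escapes the quotes, '*' and '!'
    url = f"{base}/devices/queries/devices/v1?{urllib.parse.urlencode(params)}"
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})


def details_request(token, ids, base=BASE_URL):
    """POST /devices/entities/devices/v2: a lookup by ID, so still a read."""
    return urllib.request.Request(
        f"{base}/devices/entities/devices/v2",
        data=json.dumps({"ids": list(ids)}).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST")


def call(req):
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def check(cid, secret, fql=""):
    """Return (IDs on the first page, hostnames of up to five of them)."""
    token = call(token_request(cid, secret))["access_token"]
    ids = call(query_request(token, fql))["resources"]
    hosts = call(details_request(token, ids[:5]))["resources"] if ids else []
    return len(ids), [h.get("hostname") for h in hosts]


if __name__ == "__main__":
    # Hypothetical environment variable names for the values from Step one.
    print(check(os.environ["FALCON_CLIENT_ID"], os.environ["FALCON_CLIENT_SECRET"],
                fql="instance_id:!*'i*'"))
```

An HTTP 403 from either devices call indicates the API client is missing the Hosts read scope from Step one.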