CrowdStrike Falcon Endpoint Protection API
TL;DR
To integrate CrowdStrike Falcon EDR with Query:
- Configure the required API connection parameters for CrowdStrike as mentioned in the 'Prerequisites' section of this document.
- Add a CrowdStrike connection source in Query with the connection parameters.
- Test the integration with Test connection link.
- Perform searches for alerts, users, devices, and file hashes.
Overview
CrowdStrike Falcon is one of the leaders in the Endpoint Protection Platform (EPP) market. By integrating with Query, you can:
- Search detections for users' names, email addresses, devices, and file hashes.
- Get context on devices from CrowdStrike Falcon.
Prerequisites
To add Crowdstrike as a connection source in Query, make sure you have the following connection parameters:
- CrowdStrike API URL
- Falcon API Client ID
- Falcon Secret Access Key
Gathering CrowdStrike Falcon API Keys
- Login to the Falcon UI with an account with permission to create API keys.
- In the dropdown in the upper left, click Support and Resources -> API clients and keys:
- Next, click Create API client in the upper right corner:
- Configure a Client name and add a Description
- Query only requires Read access to a few scopes. Below are some recommended Read scopes:
- Alerts
- Detections
- Hosts
- Indicators
- Reports
- MalQuery
- Host Groups
- Click Create
Adding a connection source in Query
- Go to the Connections page, click Add Connections, and select CrowdStrike from the Endpoint category.
- In the General tab, add the following details:
- Name - This is the display name in the UI. For example, you can use:
- CrowdStrike
- CrowdStrike Corporate or Division
- CrowdStrike
- CrowdStrike API URL - The API URL (ex: https://api.crowdstrike.com)
- Falcon API Client ID
- Falcon Secret Access Key
- Name - This is the display name in the UI. For example, you can use:
- Click the Save button on the top right corner of the screen to save the connection source.
- To test the connection credentials, click on 'Test Connection.' You will see a successful connection message if the credentials are valid. If the test connection fails, then check if the connection parameters are correct. If necessary, change appropriately and retest.
Resources
- Access CrowdStrike API documentation here https://developer.crowdstrike.com/
Updated about 1 year ago