CrowdStrike Integration

  • Updated on Sep 07, 2022

Overview

CrowdStrike is an Endpoint Detection and Response (EDR) platform that collects device telemetry data to determine whether a device is in a compromised state. Banyan is able to integrate with CrowdStrike to obtain device information that is unique to the CrowdStrike platform.

Prerequisites

  • The CrowdStrike integration requires the macOS app to be on version 3 or later.

  • The CrowdStrike Falcon sensor must be present on the device.

  • Some factors available from CrowdStrike require additional features to be enabled in CrowdStrike. Consult the CrowdStrike documentation for the most up-to-date information.

Step 1 - Add Integration

1.1 To configure Banyan’s CrowdStrike integration, navigate to Settings.

1.2 In Settings, select Trust Integrations, under the TrustScore Settings on the left pane.

1.3 Select Add Integration.

Within the Add Integration window, CrowdStrike will be automatically selected.

Note: As we add more integrations, this experience will change to include the additional partners in the drop down menu.

1.4 Enter a recognizable name in the Integration Name field. It is recommended that the Integration Name match the name used when discussing the CrowdStrike instance, such as ‘Production CrowdStrike’ or ‘ CrowdStrike’. This name appears as the source for factors derived from the integration.

1.5 Optional: provide a description of the CrowdStrike tenant being integrated.

Note: The Integration Partner is pre-selected to CrowdStrike. No additional action is required in this dropdown menu.

To obtain the API details from CrowdStrike, follow this CrowdStrike guide. We require an API Client ID and Secret to provide service-to-service communication.

The API client needs only a read-only scope for the integration to succeed. Banyan uses the supplied API details to obtain a short-lived OAuth 2.0 token, which is then used to gather the information each factor available from the integration requires.

After creating an API key inside CrowdStrike Falcon, complete the following steps:

1.6 Enter the Client ID in the ID field.

1.7 Enter the Client Secret in Secret field.

Before an integration can be added within Banyan, a test connection against your CrowdStrike instance must succeed.

1.8 To trigger a test connection, select Test Connection. The test connection will result in either a successful or unsuccessful connection response.

Banyan only supports CrowdStrike tenants in the US 1 environment. See this page to determine which environment your CrowdStrike tenant resides in.

After a successful test connection has been completed, an Add Integration option will be available.

1.9 Select Add Integration to save the configuration.

Optional: Editing the Integration

To edit the CrowdStrike integration information, complete the following steps:

1. Select the Integration Name that matches the integration you need to change.

2. Select the pencil icon in the top corner of the integration details page.

3. Make any desired changes in the configuration fields.

Before the edited integration can be saved within Banyan, a test connection against your CrowdStrike instance must succeed. To trigger a test connection, select Test Connection. The test connection will result in either a successful or an unsuccessful connection response.

After a successful test connection is completed, an option to Save will become available.

4. Select Save to save the configuration.

Available Factors

The available factors of a CrowdStrike integration are shown once the CrowdStrike tenant has been successfully added within the Command Center. Some factors have configuration options that can be adjusted to meet an organization’s requirements. Other factors can only be turned on or off and evaluate to true or false. For example, the “Registered With” factor is a boolean that checks whether the device has a record within the CrowdStrike tenant. The following table shows the available factors and the Operating Systems on which they are supported:

Factor Name MacOS Windows Linux Android iOS
ZTA Score    

The following table shows the APIs from CrowdStrike used to obtain the required information for each factor:

Factor Name   CrowdStrike API Endpoint
ZTA Score     /zero-trust-assessment/entities/assessments/v1

ZTA Score

The ZTA Score is a value CrowdStrike derives from telemetry data obtained from a device through the Falcon sensor. To obtain the ZTA Score from a device, the following CrowdStrike API endpoint is used:

/zero-trust-assessment/entities/assessments/v1

The key value Banyan uses to determine the device’s ZTA Score is overall, under resources > assessment, as shown below.

{
  "resources": [
    {
      "aid": "string",
      "assessment": {
        "os": 0,
        "overall": 0,
        "sensor_config": 0,
        "version": "string"
      }
    }
  ]
}

To view the ZTA Score for all devices with CrowdStrike, visit here.

Configuration Options

Based on CrowdStrike’s recommendations, Banyan has introduced severity settings (moderate and strict) for the ZTA Score. Moderate is defined by a score of 65 or greater. Strict is defined by a score of 75 or greater. The score is the value obtained from the overall field, shown in the code block above.

Banyan does not control how the ZTA Score is set nor does Banyan have insight into how CrowdStrike determines the ZTA Score.
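The following is an added example, not Banyan’s or CrowdStrike’s own code: it takes a response in the shape shown above, picks out resources > assessment > overall for each device, and applies the moderate (65) and strict (75) severity thresholds from this section. The sample response and its aid values are constructed; a device that reports no assessment is treated as not passing.

```python
import json

# Severity thresholds as defined on this page: moderate = overall >= 65, strict = overall >= 75.
THRESHOLDS = {"moderate": 65, "strict": 75}

# Constructed sample in the shape of a GET /zero-trust-assessment/entities/assessments/v1
# response; aids are made-up placeholders. The third device has no assessment at all.
SAMPLE_RESPONSE = json.dumps({
    "resources": [
        {"aid": "aid-constructed-0001",
         "assessment": {"os": 80, "overall": 72, "sensor_config": 60, "version": "1.0"}},
        {"aid": "aid-constructed-0002",
         "assessment": {"os": 90, "overall": 90, "sensor_config": 95, "version": "1.0"}},
        {"aid": "aid-constructed-0003"},
    ]
})


def extract_overall_scores(body):
    """Map each device aid -> its 'overall' ZTA score from an assessment response.

    A device with no 'assessment' block or no numeric 'overall' maps to None so the
    caller can tell "no score reported" apart from "low score".
    """
    data = json.loads(body) if isinstance(body, (str, bytes)) else body
    scores = {}
    for entry in data.get("resources", []):
        aid = entry.get("aid")
        if not aid:
            continue  # an entry without a device id cannot be attributed to a device
        overall = (entry.get("assessment") or {}).get("overall")
        scores[aid] = overall if isinstance(overall, (int, float)) else None
    return scores


def zta_factor_passes(overall, severity="moderate"):
    """True when the overall score meets the selected severity threshold.

    A missing score never passes: absence of telemetry is not evidence of health.
    """
    if severity not in THRESHOLDS:
        raise ValueError(f"unknown severity {severity!r}")
    return overall is not None and overall >= THRESHOLDS[severity]


def evaluate_devices(body, severity="moderate"):
    """Evaluate every device in a response; returns {aid: passes (bool)}."""
    return {aid: zta_factor_passes(score, severity)
            for aid, score in extract_overall_scores(body).items()}
```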

Configuring Factors:

  • Factors of CrowdStrike follow Banyan’s model of Device Scoring.

Enabling/Disabling a CrowdStrike Factor:

  • To enable or disable a CrowdStrike factor, navigate to Settings.

  • Within Settings, select Device Scoring under the TrustScore Settings on the left pane.

Locate the CrowdStrike factors you want to enable or disable by checking the Source column for the Name of the correct CrowdStrike instance.

  • To enable the service, toggle the Status to show blue.

  • To disable the service, toggle the Status to show gray.

Configuring Remediation for a CrowdStrike Factor

Remediation settings for CrowdStrike factors follow Banyan’s model for configuring remediation messages.

To see the remediation messages for CrowdStrike factors, add the integration prior to seeing the Remediation sections for each factor. Given that there can be multiple CrowdStrike integrations, each factor listed on the Remediation page contains the name of the CrowdStrike instance next to the factor name.
