CrowdStrike Integration

  • Updated on Jan 27, 2023
  • 8 minutes to read

Overview

CrowdStrike is an Endpoint Detection and Response (EDR) platform that collects device telemetry through the Falcon sensor to determine whether a device is in a compromised state. Banyan integrates with CrowdStrike to obtain device posture information that is unique to the CrowdStrike platform and to use it as Trust Factors.

Prerequisites

  • A CrowdStrike license of Falcon Enterprise or higher is required. Banyan uses the Falcon Insight capability.

  • The CrowdStrike integration requires the Banyan macOS app to be on version 3 or later.

  • The CrowdStrike Falcon sensor must be installed and running on the device; a device without the sensor has no ZTA Score to report.

  • Some factors available from CrowdStrike require additional features to be turned on from CrowdStrike. Please consult CrowdStrike documentation for the most up-to-date information.

Step 1 - Add Integration

1.1 Navigate from Secure Access > Trust Scoring, and select Trust Integrations.

1.2 Select Add Integration.

1.3 Select CrowdStrike as your Integration Partner.

1.4 Enter a recognizable name in the Integration Name field. It is recommended that the Integration Name match the name your team already uses for the CrowdStrike instance, such as ‘Production CrowdStrike’. This name appears as the source for factors derived from the integration.

1.5 Optional: provide a description of the CrowdStrike tenant being integrated.

To obtain the API details from CrowdStrike, follow this CrowdStrike guide. Banyan requires an API Client ID and Secret for service-to-service communication.

The API client needs only read access for the integration to work; following least privilege, grant it only the Zero Trust Assessment: Read scope and no write scopes. Banyan uses the supplied credentials to obtain a short-lived OAuth 2.0 token (client credentials grant), which is then used to gather the information requested by each factor available from the integration.

After creating an API key inside CrowdStrike Falcon, complete the following steps:

1.6 Enter the Client ID in the ID field.

1.7 Enter the Client Secret in the Secret field.

Before an integration can be added within Banyan, a successful test connection against your CrowdStrike instance must be completed.

1.8 To trigger a test connection, select Test Connection. The test connection will result in either a successful or unsuccessful connection response.

Note: Banyan only supports CrowdStrike tenants in the US-1 environment (API host api.crowdstrike.com). Tenants in other CrowdStrike clouds, such as US-2 (api.us-2.crowdstrike.com) or EU-1 (api.eu-1.crowdstrike.com), are not supported and the test connection will not succeed. Please see this page to help determine in which environment your CrowdStrike tenant resides.

After a successful test connection has been completed, an Add Integration option will be available.

1.9 Select Add Integration to save the configuration.

Optional: Editing the Integration

To edit the CrowdStrike integration information, complete the following steps:

1. Select the Integration Name that matches the integration you need to change.

2. Select the pencil icon in the top corner of the integration details page.

3. Make any desired changes in the configuration fields.

CrowdStrike Trust Factors

ZTA Score

The ZTA Score is a value CrowdStrike derives from telemetry data obtained from a device through the Falcon sensor. To obtain the ZTA Score from a device, the following CrowdStrike API endpoint is used:

/zero-trust-assessment/entities/assessments/v1

The key value Banyan uses to determine the device’s ZTA Score is the overall field of each entry’s assessment object (resources[].assessment.overall), as shown below.

"resources": [
    {
      "aid": "string",
      "assessment": {
        "os": 0,
        "overall": 0,
        "sensor_config": 0,
        "version": "string"
      },
      ...
    }
  ]

To view the ZTA Score for all devices, use the Zero Trust Assessment dashboard in the CrowdStrike Falcon console.

Configuring Factors

Based on CrowdStrike’s recommendations, Banyan has introduced two severity settings for the ZTA Score factor. Moderate is satisfied by a score of 65 or greater; Strict is satisfied by a score of 75 or greater. A device whose score falls below the configured threshold fails the factor. The score is the value of the overall field shown in the code block above.

Banyan does not control how the ZTA Score is set nor does Banyan have insight into how CrowdStrike determines the ZTA Score.
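The following script is an added example, not Banyan’s or CrowdStrike’s code. It performs the same steps Banyan describes above for a single device: exchange a read-only API client’s credentials for a short-lived OAuth 2.0 bearer token, call the ZTA assessment endpoint, read resources[].assessment.overall, and compare it against the Moderate (65) and Strict (75) thresholds. It is useful for checking a tenant and API client independently of the Banyan console. The US-1 host, the environment variable names, and the sample response are assumptions; the sample is constructed in the documented shape, not captured from a real tenant.

```python
"""
Check CrowdStrike Zero Trust Assessment (ZTA) scores against the Banyan
severity thresholds (Moderate >= 65, Strict >= 75).

Added example, not Banyan's or CrowdStrike's code. Assumptions:
  - a US-1 tenant (api.crowdstrike.com); other clouds use different hosts
  - an API client holding only the Zero Trust Assessment: Read scope
  - FALCON_CLIENT_ID / FALCON_CLIENT_SECRET set in the environment
Standard library only.
"""
import json
import os
import sys
import urllib.parse
import urllib.request

US1_API = "https://api.crowdstrike.com"
ZTA_PATH = "/zero-trust-assessment/entities/assessments/v1"
THRESHOLDS = {"moderate": 65, "strict": 75}


def get_token(client_id, client_secret, base=US1_API):
    """Exchange API client credentials for a short-lived OAuth 2.0 bearer token."""
    body = urllib.parse.urlencode(
        {"client_id": client_id, "client_secret": client_secret}
    ).encode()
    req = urllib.request.Request(
        base + "/oauth2/token",
        data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)["access_token"]


def fetch_assessments(token, aids, base=US1_API):
    """GET the ZTA assessment for one or more device agent IDs (aid)."""
    query = urllib.parse.urlencode([("ids", a) for a in aids])
    req = urllib.request.Request(
        f"{base}{ZTA_PATH}?{query}",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def overall_scores(payload):
    """Map aid -> assessment.overall; entries without a numeric overall are skipped."""
    scores = {}
    for res in payload.get("resources", []):
        overall = res.get("assessment", {}).get("overall")
        if isinstance(overall, int) and "aid" in res:
            scores[res["aid"]] = overall
    return scores


def evaluate(payload, severity):
    """Return {aid: bool}: whether each device meets the chosen severity threshold."""
    threshold = THRESHOLDS[severity]
    return {aid: score >= threshold for aid, score in overall_scores(payload).items()}


# Constructed sample response in the documented shape (not from a real tenant).
SAMPLE_RESPONSE = {
    "resources": [
        {"aid": "aaaa", "assessment": {"os": 70, "overall": 68, "sensor_config": 65, "version": "3.1"}},
        {"aid": "bbbb", "assessment": {"os": 90, "overall": 82, "sensor_config": 75, "version": "3.1"}},
        {"aid": "cccc", "assessment": {"os": 40, "overall": 55, "sensor_config": 70, "version": "3.1"}},
    ],
    "errors": [],
}

if __name__ == "__main__":
    # Offline demonstration on the constructed sample: aaaa passes Moderate but
    # fails Strict, bbbb passes both, cccc fails both.
    for sev in THRESHOLDS:
        print(sev, evaluate(SAMPLE_RESPONSE, sev))
    # Live check when one or more aids are passed on the command line.
    if len(sys.argv) > 1:
        token = get_token(os.environ["FALCON_CLIENT_ID"], os.environ["FALCON_CLIENT_SECRET"])
        print(evaluate(fetch_assessments(token, sys.argv[1:]), "strict"))
```

Run it with no arguments to see the threshold logic on the sample, or pass one or more agent IDs to query a live US-1 tenant. If the token request fails with an authentication error, or the assessment request returns 403, the API client is missing the Zero Trust Assessment: Read scope or the tenant is not in US-1, which are the same conditions that cause the Test Connection step above to fail.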

Adding or removing a CrowdStrike Factor
  • To add or remove a CrowdStrike factor, navigate to Trust Profiles under Secure Access > Trust Scoring.

  • Select the relevant Trust Profile, and add or delete the CrowdStrike Factor.

Configuring Remediation for a CrowdStrike Factor

Remediation settings for CrowdStrike factors follow Banyan’s model for configuring remediation messages.

The Remediation section for each CrowdStrike factor appears only after the integration has been added, so add the integration first. Because there can be multiple CrowdStrike integrations, each factor listed on the Remediation page shows the name of the CrowdStrike instance next to the factor name.
