Note: If you restrict access by IP range in CrowdStrike, limit only the UI IP ranges and leave the API IP ranges unrestricted. The CrowdStrike API must be reachable from CSE for the integration to function.
Overview
CrowdStrike is an Endpoint Detection and Response (EDR) platform that collects device telemetry data to determine whether a device is in a compromised state. SonicWall Cloud Secure Edge (CSE) is able to integrate with CrowdStrike to obtain device information that is unique to the CrowdStrike platform.
Prerequisites
- A CrowdStrike license of Falcon Enterprise or higher is required. CSE uses the Falcon Insight capability.
- The CrowdStrike integration requires the macOS application to be on version 3 or later.
- The CrowdStrike Falcon sensor must be installed on the device.
- Some factors available from CrowdStrike require additional features to be enabled in CrowdStrike. Consult the CrowdStrike documentation for the most up-to-date information.
Step 1 - Add Integration
1.1 Navigate to Trust > Integrations.
1.2 Select + Add Integration.
1.3 Select CrowdStrike as your Integration Partner.
1.4 Enter a recognizable name in the Integration Name field. It is recommended that the Integration Name match the name used when discussing the CrowdStrike instance, such as ‘Production CrowdStrike’ or ‘
1.5 Optional: provide a description of the CrowdStrike tenant being integrated.
To obtain the API details from CrowdStrike, follow this CrowdStrike guide. CSE requires an API Client ID and Secret for service-to-service communication.
The API client must be granted all read-only scopes for the integration to succeed. CSE uses the Client ID and Secret to obtain a short-lived OAuth 2.0 access token, which is then used to gather the information requested by each factor available from the integration.
After creating an API key inside CrowdStrike Falcon, complete the following steps:
1.6 Enter the Client ID in the ID field.
1.7 Enter the Client Secret in Secret field.
1.8 Select Add Integration to save the configuration.
Note: Once the configuration is saved, a test connection is automatically run.
Optional: Editing the Integration
To edit the CrowdStrike integration information, complete the following steps:
1. Select the Integration Name that matches the integration you need to change.
2. Select the pencil icon in the top corner of the integration details page.
3. Make any desired changes in the configuration fields.
CrowdStrike Trust Factors
ZTA Score
The ZTA Score is a value CrowdStrike derives from telemetry data obtained from a device through the Falcon sensor. To obtain the ZTA Score from a device, the following CrowdStrike API endpoint is used:
/zero-trust-assessment/entities/assessments/v1
The key value CSE uses to determine the device’s ZTA Score is overall under resources > assessment, as shown below.
"resources": [
  {
    "aid": "string",
    "assessment": {
      "os": 0,
      "overall": 0,
      "sensor_config": 0,
      "version": "string"
    }
  }
]
The ZTA Score for all devices can be viewed in the CrowdStrike Falcon console; refer to the CrowdStrike documentation for details.
Registered With
The Registered With factor validates that the device is registered with the CrowdStrike environment. Registered With is a boolean (true/false) factor derived from the following CrowdStrike API endpoint:
/zero-trust-assessment/entities/assessments/v1
The Registered With factor is satisfied if CSE receives a valid response for the device from the endpoint above. A device that has no Falcon sensor, or that CrowdStrike does not recognize, does not return a valid assessment and therefore fails this factor.
Configuring Factors
Based on CrowdStrike’s recommendations, CSE provides two severity settings for the ZTA Score factor: moderate and strict. Moderate is satisfied by an overall score of 65 or greater; strict is satisfied by an overall score of 75 or greater. The score compared is the value of the overall field shown in the code block above.
CSE does not control how the ZTA Score is set nor does CSE have insight into how CrowdStrike determines the ZTA Score.
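The following is an added example, not CSE or CrowdStrike code, showing how the two factors above are evaluated from a ZTA assessment response: the request shapes the integration would send (the token exchange and the assessment lookup), the extraction of the overall score, and the moderate/strict comparison. The /oauth2/token path, the `ids` query parameter and the use of HTTP 200 with an empty `errors` list as the definition of a "valid response" are assumptions about the CrowdStrike API made for this example; the sample response is constructed, not captured.

```python
import json

# Thresholds CSE applies to the "overall" ZTA score (moderate >= 65, strict >= 75).
SEVERITY_THRESHOLDS = {"moderate": 65, "strict": 75}

# ZTA path is the one documented above. The token path is CrowdStrike's OAuth 2.0
# client-credentials endpoint (assumption for this example).
TOKEN_PATH = "/oauth2/token"
ZTA_PATH = "/zero-trust-assessment/entities/assessments/v1"


def token_request(base_url, client_id, client_secret):
    """Build (url, form body) for the client-credentials exchange that yields a
    short-lived bearer token. Nothing is sent here; a caller would POST the body
    as application/x-www-form-urlencoded. The base URL differs per CrowdStrike cloud."""
    return (base_url.rstrip("/") + TOKEN_PATH,
            {"client_id": client_id, "client_secret": client_secret})


def assessment_request(base_url, access_token, aid):
    """Build (url, headers, query) to fetch one device's ZTA assessment.
    The 'ids' parameter name is an assumption about the endpoint's query string."""
    return (base_url.rstrip("/") + ZTA_PATH,
            {"Authorization": "Bearer " + access_token, "Accept": "application/json"},
            {"ids": aid})


def parse_assessments(body):
    """Map each aid in a ZTA response to its integer 'overall' score. Entries
    without a proper integer score are dropped so a malformed entry never passes."""
    scores = {}
    for entry in body.get("resources") or []:
        aid = entry.get("aid")
        overall = (entry.get("assessment") or {}).get("overall")
        if isinstance(aid, str) and isinstance(overall, int) and not isinstance(overall, bool):
            scores[aid] = overall
    return scores


def registered_with(status, body, aid):
    """Registered With factor: a valid response for this device. Modelled here
    (assumption) as HTTP 200, no entries in 'errors', and a score present for the aid."""
    return status == 200 and not body.get("errors") and aid in parse_assessments(body)


def zta_satisfied(overall, severity):
    """ZTA Score factor: the overall score must meet the chosen severity's threshold."""
    return overall >= SEVERITY_THRESHOLDS[severity]


def evaluate_device(status, body, aid, severity):
    """Combine both factors for one device. A device that is not registered also
    fails the ZTA factor, because there is no score to compare."""
    registered = registered_with(status, body, aid)
    overall = parse_assessments(body).get(aid) if registered else None
    return {"aid": aid, "registered_with": registered, "overall": overall,
            "zta_" + severity: registered and zta_satisfied(overall, severity)}


# Constructed sample response shaped like the fragment above (not real data).
SAMPLE_RESPONSE = json.loads("""
{
  "meta": {"query_time": 0.01},
  "resources": [
    {"aid": "aid-laptop-01", "assessment": {"os": 80, "overall": 70, "sensor_config": 60, "version": "3.6.0"}},
    {"aid": "aid-laptop-02", "assessment": {"os": 90, "overall": 82, "sensor_config": 75, "version": "3.6.0"}},
    {"aid": "aid-broken-03", "assessment": {"version": "3.6.0"}}
  ],
  "errors": []
}
""")

if __name__ == "__main__":
    url, form = token_request("https://api.crowdstrike.com", "CLIENT_ID", "CLIENT_SECRET")
    print(url, sorted(form))
    for aid in ("aid-laptop-01", "aid-laptop-02", "aid-broken-03", "aid-unknown-04"):
        for severity in SEVERITY_THRESHOLDS:
            print(evaluate_device(200, SAMPLE_RESPONSE, aid, severity))
```

Note that aid-laptop-01 (overall 70) satisfies moderate but not strict, while an entry missing its overall value or an aid absent from the response fails Registered With and, with it, the ZTA factor; a non-200 status or a populated errors list fails both regardless of what resources contains.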
Adding or removing a CrowdStrike Factor
- To add or remove a CrowdStrike factor, navigate to Trust > Profiles.
- Select the relevant Trust Profile, then add or delete the CrowdStrike factor.
Configuring Remediation for a CrowdStrike Factor
Remediation settings for CrowdStrike factors follow CSE’s model for configuring remediation messages.
The Remediation sections for CrowdStrike factors appear only after the integration has been added. Because there can be multiple CrowdStrike integrations, each factor listed on the Remediation page shows the name of the CrowdStrike instance next to the factor name.