Netskope Help

Configure CrowdStrike

A CrowdStrike integration requires that you have configured an API Client in CrowdStrike. Also, your CrowdStrike API Client ID and Secret are required to complete these steps. The API Client Secret is only shown when the API Client is created or reset. For more details, refer to the Defining your first API Client section in Getting Access to the CrowdStrike APIs.

Note

Netskope posts malware hashes to CrowdStrike. However, unless that malware was actually detonated on a CrowdStrike-protected endpoint, you will not be able to see Netskope-supplied hashes in the CrowdStrike console. CrowdStrike has implemented its custom Indicators of Compromise (IOC) interactions this way. For more details, refer to How to Consume Threat Feeds.

After Netskope pushes the malware hash file to CrowdStrike, endpoints are checked to see if that malware hash file exists on them. If so, Netskope retrieves the identity of the endpoints and captures the details in a SkopeIT alert. If no endpoints have the malware hash file, Netskope publishes the Indicator of Compromise (IOC) into CrowdStrike's Custom IOC repository.

You can see subsequent file matches in CrowdStrike against those IOCs when looking at the Detections page, scrolling down into Tactics and Techniques, and looking for Custom Intelligence via Indicators of Compromise. To see the actual contents of that file, you will need to run the appropriate API query as documented by CrowdStrike.
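The flow described above, as an added example that is not Netskope's or CrowdStrike's code: it authenticates with the API client, asks which hosts have seen the MD5, and publishes a custom IOC only when no host has. The OAuth2 token path, the legacy device-query path and the IOC Management path are taken from CrowdStrike's public API documentation and are assumptions here; the allowed server names are the four listed later on this page.

```python
# Added example (not Netskope's or CrowdStrike's code): authenticate, check which
# hosts ran the MD5, and publish it as a custom IOC only if none did. Endpoint
# paths follow CrowdStrike's public API docs and are assumptions here.
import json
import urllib.parse
import urllib.request

ALLOWED_SERVERS = {"api.crowdstrike.com", "api.eu-1.crowdstrike.com",
                   "api.us-2.crowdstrike.com", "api.laggar.gcw.crowdstrike.com"}
TOKEN_PATH = "/oauth2/token"
DEVICES_RAN_ON_PATH = "/indicators/queries/devices/v1"  # legacy IOC API (assumed)
CUSTOM_IOC_PATH = "/iocs/entities/indicators/v1"  # IOC Management API (assumed)

def http_json(method, url, headers=None, body=None):
    # Default transport; a test can inject a fake with the same signature.
    req = urllib.request.Request(url, data=body, method=method, headers=headers or {})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())

def get_token(base, client_id, client_secret, transport=http_json):
    # The secret travels in the form body, not the URL, so it stays out of access logs.
    form = urllib.parse.urlencode({"client_id": client_id, "client_secret": client_secret})
    hdrs = {"Content-Type": "application/x-www-form-urlencoded"}
    return transport("POST", base + TOKEN_PATH, hdrs, form.encode())["access_token"]

def hosts_with_hash(base, token, md5, transport=http_json):
    """Device IDs on which the hash was seen: the endpoint check the page describes."""
    query = urllib.parse.urlencode({"type": "md5", "value": md5})
    hdrs = {"Authorization": f"Bearer {token}"}
    return transport("GET", f"{base}{DEVICES_RAN_ON_PATH}?{query}", hdrs).get("resources", [])

def publish_custom_ioc(base, token, md5, transport=http_json):
    """Add the MD5 to the Custom IOC repository as a detect-only indicator."""
    ioc = {"type": "md5", "value": md5, "action": "detect",
           "platforms": ["windows", "mac", "linux"],
           "description": "Netskope malware remediation (constructed example)"}
    hdrs = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    return transport("POST", base + CUSTOM_IOC_PATH, hdrs, json.dumps({"indicators": [ioc]}).encode())

def remediate(server, client_id, client_secret, md5, transport=http_json):
    """Returns ("alert", device_ids) when hosts match, else ("ioc", api_response)."""
    if server not in ALLOWED_SERVERS:  # only the regional hosts this page lists
        raise ValueError(f"unknown CrowdStrike API host: {server}")
    if len(md5) != 32 or any(c not in "0123456789abcdef" for c in md5.lower()):
        raise ValueError("expected a 32-character hex MD5")
    base = "https://" + server
    token = get_token(base, client_id, client_secret, transport)
    devices = hosts_with_hash(base, token, md5, transport)
    if devices:
        return "alert", devices  # Netskope raises a SkopeIT alert for these endpoints
    return "ioc", publish_custom_ioc(base, token, md5, transport)
```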

To create an API Client in CrowdStrike:

  1. In the CrowdStrike UI, go to the API Clients and Keys page.

  2. Enter a client name, and then change the API Scopes. Deactivate all scopes except for Host (= Read) and IOCs (= Read+Write). When finished, click Add.

  3. In the API Client Created dialog, copy the Client ID and Secret. These are needed to integrate CrowdStrike with Netskope. When finished, click Done.

  4. The new API Client is shown on the API Clients and Keys page.


    Proceed below to integrate CrowdStrike with Netskope.

To configure a CrowdStrike integration in the Netskope UI:

  1. Go to Settings > Threat Protection > Integration.

  2. Click the CrowdStrike application box to create the integration.

  3. Enter and select parameters for each field:

    • API Client ID: Enter your CrowdStrike API Client ID.

    • API Client Secret: Enter your CrowdStrike API Client Secret.

    • Type: Enable Cloud.

    • Server: Enter one of these URLs: api.crowdstrike.com, api.eu-1.crowdstrike.com, api.us-2.crowdstrike.com, or api.laggar.gcw.crowdstrike.com. For more information, refer to: Auth Token APIs.

    • Instance Name: Enter a name for this integration.

  4. When finished, click Save.

After configuring CrowdStrike, create a remediation profile to use in a policy that identifies threats so Netskope can take remedial actions.

  1. Create a Remediation Profile that specifies the CrowdStrike integration.

    1. Go to Policies > Threat Protection > Remediation Profiles, and then click New Malware Remediation Profile.

    2. Select the CrowdStrike EDR server and select the Actions to perform:

      • Alert: Malware Remediation alerts include information about the CrowdStrike endpoints.

      • Isolate: This option is not currently supported.

      • Add to Watchlist/Blocklist: Adds the detected malware file MD5 as a custom IOC in CrowdStrike.

      When finished, click Next.

    3. Name the profile and click Save Malware Remediation Profile.

  2. Specify the Remediation profile in an API Data Protection or Real-time Protection policy (for Real-time Protection, see the next step).

    For an API Data Protection policy, go to Settings > Threat Protection > API Data Protection. Scroll down to the Settings section and click Edit Settings. Enable one or more Remediation Endpoints checkboxes, depending on severity preferred, and then select the CrowdStrike remediation profile. When finished, click Save.


    For more details about using threat protection in an API Data Protection policy, refer to: Configure Threat Protection for API Data Protection.

  3. For a Real-time Protection policy, go to Policies > Real-time Protection and click New Policy. While creating the policy, in the Action section, select an option from the Action dropdown list, and then select a CrowdStrike Remediation profile from the dropdown list. Finish creating the Real-time Protection policy.


    For more details about using threat protection in a Real-time Protection policy, refer to: Configure Threat Protection for a Real-time Protection Policy.

After a Remediation Profile has been added in policy settings, Remediation alerts are generated in SkopeIT when malware is detected.
