CrowdStrike Falcon Identity Protection Plugin for User Risk Exchange
CrowdStrike Falcon Identity Protection Plugin for User Risk Exchange
This document explains how to configure the CrowdStrike Identity Protect URE integration with the User Cloud Risk Exchange module of the Netskope Cloud Exchange platform. This integration collects user email and their scores from CrowdStrike’s Identity Protection platform to Netskope.
Prerequisites
To complete this configuration, you need:
- A Netskope tenant (or multiple, for example, production and development/test instances) that is already configured in Cloud Exchange.
- A Netskope Cloud Exchange tenant with the User Risk Exchange module already configured.
- Your CrowdStrike instance credentials (Base URI, Client ID, Client Secret) for the API Token.
- Permissions for the plugin.
- Connectivity to the following hosts:
- https://api.crowdstrike.com (Commercial cloud
api.crowdstrike.com) - https://api.us-2.crowdstrike.com (US 2
api.us-2.crowdstrike.com) - https://api.laggar.gcw.crowdstrike.com (Falcon on GovCloud
api.laggar.gcw.crowdstrike.com) - https://api.eu-1.crowdstrike.com ( EU cloud
api.eu-1.crowdstrike.com)
Note
You need any one of the URLs as mentioned above for the plugin.
- https://api.crowdstrike.com (Commercial cloud
Actions
| Fetched record types | Users |
| Actions | No Actions |
Mappings
Score Pull
| CrowdStrike Fields | Netskope CE Fields |
| emailAddresses | uid (Email) |
| riskScore | score |
Note: The user score you’ll see will be different from what you see in the CrowdStrike Identity Protection Platform.
Formula to convert CrowdStrike’s Identity Protection Risk Score to Netskope Cloud Exchange Risk score
Netskope Risk Score scale: 0 – 1000 (0-maximum risk 1000- minimum risk)
CrowdStrike Risk score scale: 0 – 1 ( 0 -> minimum risk 1 -> maximum risk)
Formula: |(1 – (CrowdStrike Identity Protection Risk Score))| *1000
Permissions
Here are the permissions needed for the URE CrowdStrike Falcon Identity Protection plugin.
| Scope | Read | Write |
| Identity Protection GraphQL | – | Yes |
| Identity Protection Timeline | Yes | – |
Performance Matrix
Below is the performance reading conducted on a Large CE Stack by pulling 50K User scores from CrowdStrike to Netskope CE.
| Stack details | Size: Large RAM: 32 GB CPU: 16 Cores |
| Users fetched from third-party product | ~10K per minute |
User Agent
netskope-ce-4.1.0-ure-crowdstrike_identity_protect-v1.0.0
Workflow
- Create your CrowdStrike API credentials.
- Configure the Crowdstrike Plugin for User Risk Exchange.
- Configure Business Rules for the CrowdStrike plugin.
- Configure Actions for the CrowdStrike plugin.
- Validate the CrowdStrike plugin.
Click play to watch a video.
- Log in into your Crowdstrike platform. Go to the Menu Icon > Support and then Resources > API Clients and Keys.
- Click Add New API Client.
- Add the following scopes while adding the API Client:
Scope Read Write Identity Protection GraphQL – Yes Identity Protection Timeline Yes – - Copy the Base URL, Client ID, and Client Secret.
- Save your changes.
Configure the CrowdStrike Falcon Identity Protection Plugin
-
-
- In Cloud Exchange, go to Settings > Plugins. Search for and click on the CrowdStrike Falcon Identity Protection (URE) plugin box.
- Add a Configuration Name, Sync Interval, and Use System Proxy (if needed) for configuring the plugin.
- Click Next and enter the Base URL, Client ID, Client Secret, and an Initial Range.
- Click Next and set the score range from the Select Range page (recommend that you keep the default).
- Your plugin configuration will be seen in User Risk Exchange > Plugins.
- In Cloud Exchange, go to Settings > Plugins. Search for and click on the CrowdStrike Falcon Identity Protection (URE) plugin box.
-
Configure a User Risk Exchange Business Rule for CrowdStrike Falcon Identity Protection
-
- Go to User Risk Exchange > Business Rule.
- Click Create New Rule.
- Enter the Rule Name and configure the query based on your requirements. The below example fetches all the users/hosts fetched by the CrowdStrike Identity Protection configuration.
- Click Save.
Configure Actions for CrowdStrike Falcon Identity Protection
The User Risk Exchange CrowdStrike plugin supports the following action types:
No Action: This action does not perform any action on the host but can generate alerts in CTO if generate Alerts is enabled.
To configure this action:
-
- Go to User Risk Exchange > Actions.
- Click Add Action Configuration.
- Select a Business Rule, a plugin configuration, and leave the default action.
- To generate Alerts in the Ticket Orchestrator module, enable Generate Alert, and similarly, enable Perform Action during Maintenance Window if you wish to perform this action during the Maintenance Window.
- Click Save.
Validate the CloudStrike Falcon Identity Protection Plugin
Validate Pull in Cloud Exchange
-
- Go to the User Risk Exchange > Users.
- You’ll see users similar to what is shown below.
Verify the same from plugin logs. Go to Logging and search for logs from the CrowStrike Falcon Identity Protection plugin.
Note
The user score you’ll see will be different from what you see in the CrowdStrike Identity Protection Platform.
Formula to Convert CrowdStrike’s Identity Protection Risk Score to Netskope Cloud Exchange Risk Score
Netskope Risk Score scale: 0 – 1000 (0-maximum risk 1000- minimum risk)
CrowdStrike Risk score scale: 0 – 1 ( 0 -> minimum risk 1 -> maximum risk)
Formula: |(1 – (CrowdStrike Identity Protection Risk Score))| *1000
Validate Pull in CrowdStrike Identity
-
- Log in to CrowdStrike Falcon platform.
- Go to Identity Protection > Users.
- Here you’ll see the users. As shown in the below screenshot.
Troubleshooting
Unable to pull user score from the CrowdStrike platform.
If you are unable to pull any user scores, it could be one of the following.
- No Users are available to be pulled.
- Insufficient plugin permission was provided to the Client ID and Client Secret.
- The API response has no value in the “emailAddresses” field.
- The API response has multiple email addresses in the “email-addresses” field.
What to do:
- No Users are available to be pulled.
Check the CrowdStrike platform to see if the users are available to be pulled from the steps provided in the Crowdstrike validation. Only Unarchived users are pulled from the CrowdStrike platform. - Insufficient plugin permission was provided to the Client ID and Client Secret.
Verify the permissions required for the plugin.
