CrowdStrike Falcon Identity Protection v1.0.0 Plugin for Risk Exchange
This document explains how to configure the CrowdStrike Falcon Identity Protection v1.0.0 plugin with the Risk Exchange module of the Netskope Cloud Exchange platform. This plugin fetches users and their respective scores from the Identity Protection > Users page of CrowdStrike Falcon Identity Protection. This plugin does not support any actions to be performed on users.
Netskope normalization score calculation = |1 – (CrowdStrike Falcon Identity Protection Risk Score)| * 1000
Prerequisites
To complete this integration, you need:
- A Netskope tenant (or multiple, for example, production and development/test instances).
- A Netskope Cloud Exchange tenant with the Tenant plugin and Risk Exchange module already configured.
- Connectivity to the CrowdStrike platform.
- Connectivity to one of the following hosts:
- https://api.crowdstrike.com (Commercial cloud (api.crowdstrike.com))
- https://api.us-2.crowdstrike.com (US 2 (api.us-2.crowdstrike.com))
- https://api.laggar.gcw.crowdstrike.com (Falcon on GovCloud (api.laggar.gcw.crowdstrike.com))
- https://api.eu-1.crowdstrike.com (EU cloud (api.eu-1.crowdstrike.com))
Only one of the URLs above is needed for the plugin.
CE Version Compatibility
Netskope CE: v5.1.0
CrowdStrike Falcon Identity Protection Plugin Support
This plugin fetches users and their respective scores from the Identity Protection > Users page of CrowdStrike Falcon Identity Protection. This plugin does not support any actions to be performed on users.
Type of data pulled | Users |
Actions Supported | Not Supported |
Mappings
Plugin Field | Expected Datatype | Suggested Field Name | Suggested Field Action |
---|---|---|---|
emailAddress | String | Unique | |
riskScore | Number | riskScore | Overwrite |
Note that the user score you see in Cloud Exchange will differ from the score shown in the CrowdStrike Identity Protection platform.
The platform displays CrowdStrike’s Identity Protection Risk Score on a scale of 1 – 10 (1 = minimum risk, 10 = maximum risk) but the fetch records API returns
Netskope normalization score calculation = |1 – (CrowdStrike Falcon Identity Protection Risk Score)| * 1000
Permissions
Below are the permissions needed for the URE CrowdStrike Falcon Identity Protection plugin.
Scope | Read | Write |
---|---|---|
Identity Protection GraphQL | – | Yes |
Identity Protection Timeline | Yes | – |
Identity Protection Entities | Yes | No |
API Details
List of APIs used
API Endpoint | Method | API Client Scope | Use Case |
---|---|---|---|
identity-protection/combined/graphql/v1 | POST | Identity Protection GraphQL, Identity Protection Timeline | Pull Users and Scores |
Fetch Records
API Endpoint: identity-protection/combined/graphql/v1
Method: POST
Parameters:
Key | Value | Description |
---|---|---|
creationTime | 2022-12-26T17:05:20Z | Timestamp in “%Y-%m-%dT%H:%M:%SZ” format. |
after | null | null for the first API call; for subsequent calls, the endCursor returned in pageInfo of the previous response (for example, eyJjcmVhdGlvblRpbWUiOnsiJGRhdGUiOiIyMDIyLTA5LTE3VDA4OjI2OjM0LjAwMFoifSwiX2lkIjoiYjM2NTNmNTMtYjNjOS0zYTY5LWFlZDQtYzJjNDhiYzliYjNkIn0=). |
Data:
```graphql
query ($after: Cursor, $creationTime: DateTimeInput) {
  entities(
    types: [USER]
    sortKey: CREATION_TIME
    sortOrder: DESCENDING
    first: 1000
    accountCreationStartTime: $creationTime
    after: $after
    archived: false
  ) {
    nodes {
      primaryDisplayName
      secondaryDisplayName
      ... on UserEntity {
        emailAddresses
      }
      riskScore
    }
    pageInfo {
      hasNextPage
      endCursor
    }
  }
}
```
Sample API Response:
```json
{
  "data": {
    "entities": {
      "nodes": [
        {
          "primaryDisplayName": "Customer 2 Admin",
          "secondaryDisplayName": "customer2@demo.netskope.pro",
          "emailAddresses": ["customer2@demo.netskope.pro"],
          "riskScore": 0.15
        }
      ],
      "pageInfo": {
        "hasNextPage": true,
        "endCursor": "eyJjcmVhdGlvblRpbWUiOnsiJGRhdGUiOiIyMDIzLTExLTI3VDA5OjMzOjM2LjAwMFoifSwiX2lkIjoiZjY0YzNhYTctZmMwMi0zMDNlLWFiNTItNGU5MmViYzgxNTdjIn0="
      }
    }
  },
  "extensions": {
    "runTime": 569,
    "remainingPoints": 499999,
    "reset": 9969,
    "consumedPoints": 1
  }
}
```
Fetch Scores
API Endpoint: identity-protection/combined/graphql/v1
Method: POST
Variables:
Key | Value | Description |
---|---|---|
email | ["Dev7979user7979@bddev.com"] | List of email addresses (the $email variable of the query). |
Data:
```graphql
query ($email: [String!]) {
  entities(types: [USER], first: 1, emailAddresses: $email, archived: false) {
    nodes {
      ... on UserEntity {
        emailAddresses
      }
      riskScore
    }
  }
}
```
Sample API Response:
```json
{
  "data": {
    "entities": {
      "nodes": [
        {
          "emailAddresses": ["Dev7979user7979@bddev.com"],
          "riskScore": 0.67
        }
      ]
    }
  },
  "extensions": {
    "runTime": 26,
    "remainingPoints": 499999,
    "reset": 6445,
    "consumedPoints": 1
  }
}
```
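The following is an added example, not Netskope's or CrowdStrike's plugin code. It puts the two API calls above together with the normalization formula from this page: it walks the endCursor pagination of the Fetch Records query, looks up individual scores with the Fetch Scores query, converts each riskScore with |1 – riskScore| * 1000, and skips nodes that have no emailAddresses value or more than one address (the two response shapes the troubleshooting section lists as reasons a pull fails). The transport is a hypothetical callable `post(path, query, variables)`; `fake_post` serves constructed responses shaped like the page's samples so the example runs offline. How the plugin derives creationTime from the Initial Range setting is not stated on the page; `creation_time` assumes "now minus Initial Range days".

```python
"""Added example (not Netskope's or CrowdStrike's code): paginated user pull,
per-address score lookup and Netskope score normalization, run offline."""
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Iterator, List, Optional

GRAPHQL_PATH = "identity-protection/combined/graphql/v1"  # endpoint from this page

# "Fetch Records" query from this page, reflowed for readability.
FETCH_RECORDS_QUERY = """
query ($after: Cursor, $creationTime: DateTimeInput) {
  entities(types: [USER], sortKey: CREATION_TIME, sortOrder: DESCENDING, first: 1000,
           accountCreationStartTime: $creationTime, after: $after, archived: false) {
    nodes { primaryDisplayName secondaryDisplayName ... on UserEntity { emailAddresses } riskScore }
    pageInfo { hasNextPage endCursor }
  }
}"""

# "Fetch Scores" query from this page, reflowed for readability.
FETCH_SCORES_QUERY = """
query ($email: [String!]) {
  entities(types: [USER], first: 1, emailAddresses: $email, archived: false) {
    nodes { ... on UserEntity { emailAddresses } riskScore }
  }
}"""

# Hypothetical transport signature: post(path, query, variables) -> parsed JSON body.
Post = Callable[[str, str, dict], dict]


def normalize_score(risk_score: float) -> int:
    """Netskope normalization from this page: |1 - riskScore| * 1000, as a whole number."""
    return int(round(abs(1 - risk_score) * 1000))


def creation_time(initial_range_days: int, now: Optional[datetime] = None) -> str:
    """creationTime variable in %Y-%m-%dT%H:%M:%SZ; assumes now minus Initial Range days."""
    now = now or datetime.now(timezone.utc)
    return (now - timedelta(days=initial_range_days)).strftime("%Y-%m-%dT%H:%M:%SZ")


def to_record(node: dict) -> Optional[dict]:
    """Map one node to the plugin fields (emailAddress, riskScore).
    Returns None when emailAddresses is empty or holds more than one address."""
    emails = node.get("emailAddresses") or []
    if len(emails) != 1:
        return None
    return {"emailAddress": emails[0], "riskScore": normalize_score(node["riskScore"])}


def fetch_records(post: Post, creation_time_str: str) -> Iterator[dict]:
    """Walk the cursor pagination: after=null first, then endCursor while hasNextPage."""
    after = None
    while True:
        resp = post(GRAPHQL_PATH, FETCH_RECORDS_QUERY,
                    {"after": after, "creationTime": creation_time_str})
        entities = resp["data"]["entities"]
        for node in entities["nodes"]:
            record = to_record(node)
            if record is not None:
                yield record
        if not entities["pageInfo"]["hasNextPage"]:
            return
        after = entities["pageInfo"]["endCursor"]


def fetch_scores(post: Post, emails: List[str]) -> Dict[str, int]:
    """Look up current scores one address at a time (the query asks for first: 1)."""
    scores: Dict[str, int] = {}
    for email in emails:
        resp = post(GRAPHQL_PATH, FETCH_SCORES_QUERY, {"email": [email]})
        for node in resp["data"]["entities"]["nodes"]:
            record = to_record(node)
            if record is not None:
                scores[record["emailAddress"]] = record["riskScore"]
    return scores


# Constructed responses shaped like this page's samples: two pages, including one node
# with no email address and one with two, which the plugin cannot store.
_PAGES = [
    {"data": {"entities": {"nodes": [
        {"primaryDisplayName": "Customer 2 Admin", "secondaryDisplayName": "customer2@demo.netskope.pro",
         "emailAddresses": ["customer2@demo.netskope.pro"], "riskScore": 0.15},
        {"primaryDisplayName": "Service Account", "secondaryDisplayName": "svc-nomail",
         "emailAddresses": [], "riskScore": 0.9},
    ], "pageInfo": {"hasNextPage": True, "endCursor": "CONSTRUCTED-CURSOR-PAGE-2"}}}},
    {"data": {"entities": {"nodes": [
        {"primaryDisplayName": "Two Addresses", "secondaryDisplayName": "two@example.com",
         "emailAddresses": ["two@example.com", "two.alias@example.com"], "riskScore": 0.5},
        {"primaryDisplayName": "Dev User", "secondaryDisplayName": "Dev7979user7979@bddev.com",
         "emailAddresses": ["Dev7979user7979@bddev.com"], "riskScore": 0.67},
    ], "pageInfo": {"hasNextPage": False, "endCursor": None}}}},
]


def fake_post(path: str, query: str, variables: dict) -> dict:
    """Offline stand-in for the HTTPS POST of {"query": ..., "variables": ...} to
    <Base URL>/<path> with a bearer token; serves the constructed pages above."""
    assert path == GRAPHQL_PATH
    if query is FETCH_RECORDS_QUERY:
        return _PAGES[0] if variables["after"] is None else _PAGES[1]
    wanted = variables["email"][0]
    for page in _PAGES:
        for node in page["data"]["entities"]["nodes"]:
            if wanted in node["emailAddresses"]:
                return {"data": {"entities": {"nodes": [node]}}}
    return {"data": {"entities": {"nodes": []}}}


if __name__ == "__main__":
    for rec in fetch_records(fake_post, creation_time(7)):
        print(rec)
    print(fetch_scores(fake_post, ["Dev7979user7979@bddev.com", "nobody@example.com"]))
```

Running the block yields two stored records (riskScore 0.15 becomes 850 and 0.67 becomes 330) and drops the node with no address and the node with two, which is the behaviour to expect when the Records page shows fewer users than the CrowdStrike Users page.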
Performance Matrix
Below is the performance measurement taken on a Large CE stack by pulling 500K user scores from CrowdStrike into Netskope CE.
Stack details | Size: Large, RAM: 32 GB, CPU: 16 Cores |
Time taken to store the pulled and updated user records | ~25 mins |
User Agent
netskope-ce-5.1.0-cre-crowdstrike-falcon-identity-protection/1.0.0
Workflow
- Get your Client ID and Client Secret.
- Configure the CrowdStrike Falcon Identity Protection plugin.
- Configure a business rule.
- Configure an action.
- Validate the plugin.
Get your Client ID and Client Secret
- Log in to your CrowdStrike platform, go to the menu icon, and select Support and resources > API clients and keys.
- Click Add new API Client.
Add the following scopes while adding the API Client:
Scope | Read | Write |
---|---|---|
Identity Protection GraphQL | – | Yes |
Identity Protection Timeline | Yes | – |
Identity Protection Entities | Yes | No |
- Make a note of the Base URL, Client ID, and Secret. You need these to configure the plugin.
Configure the CrowdStrike Falcon Identity Protection Plugin
- Log in to Cloud Exchange and go to Settings > Plugins. Search for and select the CrowdStrike Falcon Identity Protection (CRE) plugin box.
- Enter a Configuration Name and a Sync Interval.
- Click Next, and then enter the Configuration Parameters:
- Base URL: Enter the Base URL from the CrowdStrike Platform.
- Client ID: Enter the Client ID generated from the CrowdStrike Platform.
- Client Secret: Enter the Client Secret generated from the CrowdStrike Platform.
- Initial Range (in days): Enter the number of days to fetch the data for the initial run.
- Click Next, and provide the mappings according to your needs.
- Click Save. The Plugin configuration will be available on the Plugins page.
Add a Risk Exchange Business Rule for CrowdStrike Falcon Identity Protection
- In Risk Exchange, go to Business Rules.
- Click Create New Rule.
- Enter the Rule Name, select the Entity and fields that were mapped while configuring the plugin, and add filters per your needs.
- Click Save.
Add Risk Exchange Actions for CrowdStrike Falcon Identity Protection
The CrowdStrike Falcon Identity Protection plugin supports the following action types:
No Action
This action does not perform any action on the users, but it can generate alerts in CTO (Ticket Orchestrator) if the Generate Alerts toggle button is enabled.
Note that actions on the users pulled from CrowdStrike Falcon Identity Protection can be performed on the Netskope tenant.
To configure this action:
- Go to Risk Exchange > Actions and click Add Action Configuration.
- Select the Business Rule, the plugin configuration, and No Action in the Actions dropdown. Enable the Require Approval toggle button if approval is required before the Generate Alert action is performed.
- Similarly, enable Perform action during the maintenance Window if you wish to perform the action during the Maintenance Window. Click Save.
- Manually sync the action if users are already present in Records. To validate the generated alerts, go to Ticket Orchestrator > Alerts.
Validate the CrowdStrike Falcon Identity Protection Plugin
Validate on CE
To validate the pulling and storing of users from CrowdStrike into Cloud Exchange:
- Go to Logging and search for the plugin logs.
- Go to Records, and select the Entity that was selected while configuring the CrowdStrike IP plugin to view the pulled users.
Validate on CrowdStrike
To verify that the user scores are available on the platform to be pulled, follow these steps:
- Log in to CrowdStrike Falcon Platform.
- Go to Identity protection > Users.
- The users are listed here.
Troubleshooting the CrowdStrike Falcon Identity Protection Plugin
Unable to configure the CrowdStrike Identity Protection plugin
If you are unable to configure the CrowdStrike Identity Protection plugin, then it could be due to one of these reasons:
- The Client Secret has been reset for the particular Client ID.
- The required permissions were not given to the API Client.
- Invalid values were provided for the configuration parameters.
What to do:
- Make sure that the latest Client Secret is used for the API Client.
- Make sure valid values are provided in the configuration parameters. Go to the Logging page and verify the log message.
- Provide the required permissions to the API Client whose credentials are used in the configuration parameters.
Unable to pull user score from the CrowdStrike platform
If you are unable to pull any user scores, it could be due to one of these reasons:
- No users are available to be pulled.
- Insufficient plugin permission was provided to the Client ID and Client Secret.
- The API response has no value in the emailAddresses field.
- The API response has multiple email addresses in the emailAddresses field.
What to do:
- No users are available to be pulled: Check the CrowdStrike platform to see whether users are available to be pulled, following the steps in the CrowdStrike validation section. Note that only unarchived users are pulled from the CrowdStrike platform.
- Insufficient plugin permission was provided to the Client ID and Client Secret: Verify the permissions required for the plugin.