CrowdStrike Plugin for Threat Exchange

This document explains how to configure the CrowdStrike integration with the Cloud Threat Exchange module of the Netskope CE platform. This CrowdStrike v2.0.2 plugin integration allows you to pull indicators of type SHA256, MD5, IPv4, IPv6, and Domain from CrowdStrike’s Endpoint Detection and IoC Management pages. This plugin also supports sharing of the indicators to CrowdStrike’s Custom IoC Management page.

Prerequisites

To complete this configuration, you need:

  • A Netskope tenant (or multiple, for example, production and development/test instances) that is already configured in Cloud Exchange.
  • A Secure Web Gateway subscription for URL sharing.
  • A Threat Protection subscription for malicious file hash sharing.
  • A Netskope Cloud Exchange tenant with the Threat Exchange module already configured.
  • A CrowdStrike instance.
  • Connectivity to any one of the following hosts:
    • Commercial cloud (api.crowdstrike.com)
    • US 2 (api.us-2.crowdstrike.com)
    • Falcon on GovCloud (api.laggar.gcw.crowdstrike.com)
    • EU cloud (api.eu-1.crowdstrike.com)

CE Version Compatibility

Netskope CE v4.2.0 and v5.0.1

CrowdStrike Plugin Support

Fetched indicator types

SHA256, MD5, Domain, IPv4, IPv6

Shared indicator types

SHA256, MD5, Domain, IPv4, IPv6

Permissions

API Scopes permissions

Scope | Read | Write
Detections | Yes | No
IoC Management | Yes | Yes
Hosts | Yes | Yes
IoCs (Indicators of Compromise) | Yes | No

Performance Matrix

Here are the performance readings obtained by pulling and sharing 100K indicators from/to CrowdStrike on a Large CE Stack with the following specifications.

Stack details

Size: Large

RAM: 32 GB

CPU: 16 Cores

Indicators fetched from CrowdStrike’s IoC Management page

~11K per minute

Indicators fetched from CrowdStrike’s Endpoint detection page

~8K per minute

Indicators shared with CrowdStrike

~2K per minute

Mappings

Here is the list of fields that are pulled from CrowdStrike and mapped in Netskope CE.

Severity Mapping

Netskope CE Severity | Third-Party Severity
Unknown | Informational
Low | Low
Medium | Medium
High | High
Critical | Critical

Endpoint Detection Page Mapping

Netskope CE Field | CrowdStrike API Response Field
value | ioc_value
type | ioc_type
comments | ioc_description
firstSeen | first_behavior / behavior timestamp
lastSeen | last_behavior / behavior timestamp
severity | severity
reputation | confidence/10

IoC Management Page Mapping

Netskope CE Field | CrowdStrike API Response Field
value | value
type | type
severity | severity
firstSeen | created_on
lastSeen | modified_on
comment | Combination of source, action, platforms and metadata fields, in the format: Source: <Source Value>, action: <Action Value>, platforms: <Platform Value>, metadata fields: <Metadata Value>
tags | tags + ["non-CrowdStrike-discovered"]
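The Endpoint Detection page mapping above, applied in Python to the abbreviated sample detection that is documented later under "Pull Details for Detections". This is an added example, not the plugin's own code. Assumptions: the CE severity is taken from max_severity_displayname (the table's "severity" row), reputation is confidence/10 clamped to CE's 1..10 range, behaviors that repeat the same IoC within one detection are merged, and the third behavior with a malformed hash is constructed to show the validation path.

```python
import ipaddress
import re

# Netskope CE type names (from "Fetched indicator types"), keyed by CrowdStrike ioc_type
IOC_TYPE_TO_CE = {
    "hash_sha256": "SHA256", "sha256": "SHA256",
    "hash_md5": "MD5", "md5": "MD5",
    "domain": "Domain", "ipv4": "IPv4", "ipv6": "IPv6",
}
# Severity mapping table from this page (third-party severity -> Netskope CE severity)
SEVERITY_TO_CE = {"informational": "Unknown", "low": "Low", "medium": "Medium",
                  "high": "High", "critical": "Critical"}

_HEX = re.compile(r"^[0-9a-fA-F]+$")
_DOMAIN = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def is_well_formed(ce_type, value):
    """Reject values that do not look like the declared type, so a malformed
    record cannot become a bogus indicator in CE."""
    if ce_type == "SHA256":
        return len(value) == 64 and bool(_HEX.match(value))
    if ce_type == "MD5":
        return len(value) == 32 and bool(_HEX.match(value))
    if ce_type in ("IPv4", "IPv6"):
        try:
            return ipaddress.ip_address(value).version == (4 if ce_type == "IPv4" else 6)
        except ValueError:
            return False
    if ce_type == "Domain":
        return bool(_DOMAIN.match(value))
    return False


def detection_to_indicators(detection):
    """Apply the Endpoint Detection page mapping to one summaries/GET/v1 record."""
    # assumption: CE severity comes from the detection-level display name
    severity = SEVERITY_TO_CE.get(str(detection.get("max_severity_displayname", "")).lower(), "Unknown")
    merged = {}
    for b in detection.get("behaviors", []):
        ce_type = IOC_TYPE_TO_CE.get(str(b.get("ioc_type", "")).lower())
        value = str(b.get("ioc_value", "")).strip()
        if not ce_type or not is_well_formed(ce_type, value):
            continue  # unsupported type or malformed value: skip it, never guess
        if ce_type in ("SHA256", "MD5"):
            value = value.lower()  # normalise hash case once so duplicates collapse
        # reputation = confidence/10 per the mapping table, clamped to 1..10 (assumption)
        reputation = max(1, min(10, round(float(b.get("confidence", 0)) / 10)))
        ind = {
            "value": value,
            "type": ce_type,
            "comments": b.get("ioc_description", ""),
            "firstSeen": detection.get("first_behavior") or b.get("timestamp") or "",
            "lastSeen": detection.get("last_behavior") or b.get("timestamp") or "",
            "severity": severity,
            "reputation": reputation,
        }
        key = (ce_type, value)
        if key in merged:
            # same IoC in several behaviors of one detection: keep the widest time window
            merged[key]["firstSeen"] = min(merged[key]["firstSeen"], ind["firstSeen"])
            merged[key]["lastSeen"] = max(merged[key]["lastSeen"], ind["lastSeen"])
            merged[key]["reputation"] = max(merged[key]["reputation"], reputation)
        else:
            merged[key] = ind
    return list(merged.values())


SAMPLE_DETECTION = {  # abbreviated from the sample response documented on this page
    "detection_id": "ldt:f92fddba4189497b959283d96c078c39:240923307930",
    "first_behavior": "2023-05-05T18:36:23Z",
    "last_behavior": "2023-05-05T18:36:23Z",
    "max_confidence": 100,
    "max_severity": 90,
    "max_severity_displayname": "Critical",
    "behaviors": [
        {"timestamp": "2023-05-05T18:36:23Z", "severity": 90, "confidence": 100,
         "ioc_type": "hash_sha256",
         "ioc_value": "b53f3c0cd32d7f20849850768da6431e5f876b7bfa61db0aa0700b02873393fa",
         "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\rundll32.exe"},
        {"timestamp": "2023-05-05T18:36:23Z", "severity": 90, "confidence": 100,
         "ioc_type": "hash_sha256",
         "ioc_value": "b53f3c0cd32d7f20849850768da6431e5f876b7bfa61db0aa0700b02873393fa",
         "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\rundll32.exe"},
        # constructed extra behavior with a malformed hash, to exercise the validation path
        {"timestamp": "2023-05-05T18:36:23Z", "severity": 50, "confidence": 80,
         "ioc_type": "hash_md5", "ioc_value": "not-a-hash", "ioc_description": "constructed"},
    ],
}
```

Running `detection_to_indicators(SAMPLE_DETECTION)` yields a single SHA256 indicator with severity Critical and reputation 10; the two identical behaviors collapse into it and the malformed MD5 is dropped rather than stored.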

API Details

List of APIs Used

Use Case | Method | Endpoint | API Scope
Get auth token | POST | /oauth2/token | None
Pull detection IDs from Endpoint Detections | GET | /detects/queries/detects/v1 | Detections (Read)
Pull detection details | POST | /detects/entities/summaries/GET/v1 | Detections (Read)
Pull indicators from Custom IoC Management and check whether indicators already exist on IoC Management | GET | /iocs/combined/indicator/v1 | IoC Management (Read)
Push indicators to Custom IoC Management | POST | /iocs/entities/indicators/v1 | IoC Management (Write)
Pull the host IDs for an indicator value, for the Isolate/Remediate action | GET | /indicators/queries/devices/v1 | IoCs (Indicators of Compromise) (Read)
Perform Isolate/Remediate action | POST | /devices/entities/devices-actions/v2 | Hosts (Write)

Get Auth token

API Endpoint: /oauth2/token
Method: POST
Headers:

Key | Value
User-Agent | netskope-ce-5.0.1-cte-crowdstrike/2.0.2

Payload:

Parameter | Value
grant_type | client_credentials
client_id | <Client ID>
client_secret | <Client Secret>
Sample API Response:

{
    "access_token": "",
    "expires_in": 1799,
    "token_type": "bearer"
}

Pull Detection IDs from the Endpoint Detection Page

API Endpoint: /detects/queries/detects/v1
Method: GET
Headers:

Key | Value
User-Agent | netskope-ce-5.0.1-cte-crowdstrike/2.0.2
Authorization | Bearer <Bearer Token>

Parameters:

Key | Value | Description
last_behavior | 2023-07-08T01:01:41Z | UTC timestamp with a Z suffix.
behaviors.ioc_type | ['hash_md5', 'md5', 'hash_sha256', 'sha256', 'domain'] | A string or an array of strings containing the IoC types.
limit | 9999 (maximum) | Number of records per page (default: 100).
offset | 0 for the first API call; increase the offset by the limit for each following page, for example 1000.

Sample API Response:

{
  "meta": {
    "query_time": 0.007558762,
    "pagination": {
      "offset": 0,
      "limit": 1000,
      "total": 10
    },
    "powered_by": "legacy-detects",
    "trace_id": "f63fd86d-5250-4d9c-8325-5a40a8cf18e0"
  },
  "resources": [
    "ldt:6e9d3f6e1a0b4807a4ba4da376a6ebbc:180388797004"
  ],
  "errors": []
}

Pull Details for Detections

Endpoint: /detects/entities/summaries/GET/v1
Method: POST
Parameters: None
Headers:

Key | Value
User-Agent | netskope-ce-5.0.1-cte-crowdstrike/2.0.2
Authorization | Bearer <Bearer Token>

Payload:

Key | Value | Description
ids | List of detection IDs (see below) | A maximum of 1000 records can be processed in one API call.

[
  "ldt:6e9d3f6e1a0b4807a4ba4da376a6ebbc:180388797004",
  "ldt:f07ebcd9d8134ee0a0f918945adce610:60130986422",
  "ldt:f07ebcd9d8134ee0a0f918945adce610:60132252838",
  "ldt:6e9d3f6e1a0b4807a4ba4da376a6ebbc:180391698520",
  "ldt:f07ebcd9d8134ee0a0f918945adce610:60135750172",
  "ldt:6e9d3f6e1a0b4807a4ba4da376a6ebbc:180392568360",
  "ldt:6e9d3f6e1a0b4807a4ba4da376a6ebbc:180393439796",
  "ldt:6e9d3f6e1a0b4807a4ba4da376a6ebbc:180395120976",
  "ldt:f07ebcd9d8134ee0a0f918945adce610:60136097348",
  "ldt:f07ebcd9d8134ee0a0f918945adce610:60137031658"
]

Sample API Response:

{
  "meta": {
    "query_time": 0.007152826,
    "powered_by": "legacy-detects",
    "trace_id": "be79e912-2300-42b4-9e1c-f315c2afe9e1"
  },
  "resources": [
    {
      "cid": "c17f3a80ded0418eb107db3d26a27983",
      "created_timestamp": "2023-05-05T18:36:32.165672843Z",
      "detection_id": "ldt:f92fddba4189497b959283d96c078c39:240923307930",
      "device": {
        "device_id": "f92fddba4189497b959283d96c078c39",
        "cid": "c17f3a80ded0418eb107db3d26a27983",
        "agent_load_flags": "0",
        "agent_local_time": "2023-03-28T16:13:55.025Z",
        "agent_version": "6.52.16606.0",
        "bios_manufacturer": "LENOVO",
        "bios_version": "N14ET48W (1.26 )",
        "config_id_base": "65994753",
        "config_id_build": "16606",
        "config_id_platform": "3",
        "external_ip": "144.253.103.82",
        "hostname": "LGOODSELL-TEST",
        "first_seen": "2022-02-07T15:50:35Z",
        "last_seen": "2023-05-05T17:55:50Z",
        "local_ip": "192.168.1.24",
        "mac_address": "34-02-86-57-99-82",
        "major_version": "10",
        "minor_version": "0",
        "os_version": "Windows 10",
        "platform_id": "0",
        "platform_name": "Windows",
        "product_type": "1",
        "product_type_desc": "Workstation",
        "status": "normal",
        "system_manufacturer": "LENOVO",
        "system_product_name": "20BS0031US",
        "groups": [
          "3990bfdee0a644fead26bf973a40d6ba"
        ],
        "modified_timestamp": "2023-05-05T17:57:19Z"
      },
      "behaviors": [
        {
          "device_id": "f92fddba4189497b959283d96c078c39",
          "timestamp": "2023-05-05T18:36:23Z",
          "behavior_id": "5785",
          "filename": "rundll32.exe",
          "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\rundll32.exe",
          "alleged_filetype": "exe",
          "cmdline": "rundll32.exe AppXDeploymentExtensions.OneCore.dll,ShellRefresh",
          "scenario": "known_malware",
          "objective": "Falcon Detection Method",
          "tactic": "Custom Intelligence",
          "tactic_id": "CSTA0005",
          "technique": "Indicator of Compromise",
          "technique_id": "CST0005",
          "display_name": "IOCPolicySHA256Critical",
          "description": "Your IOC management action for this SHA256 hash is set to detect and/or block",
          "severity": 90,
          "confidence": 100,
          "ioc_type": "hash_sha256",
          "ioc_value": "b53f3c0cd32d7f20849850768da6431e5f876b7bfa61db0aa0700b02873393fa",
          "ioc_source": "library_load",
          "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\rundll32.exe",
          "user_name": "Safebreach-Testing",
          "user_id": "S-1-5-21-817438771-1587030272-1855951177-1073",
          "control_graph_id": "ctg:f92fddba4189497b959283d96c078c39:240923307930",
          "triggering_process_graph_id": "pid:f92fddba4189497b959283d96c078c39:3634948035040",
          "sha256": "b53f3c0cd32d7f20849850768da6431e5f876b7bfa61db0aa0700b02873393fa",
          "md5": "ef3179d498793bf4234f708d3be28633",
          "parent_details": {
            "parent_sha256": "643ec58e82e0272c97c2a59f6020970d881af19c0ad5029db9c958c13b6558c7",
            "parent_md5": "f586835082f632dc8d9404d83bc16316",
            "parent_cmdline": "C:\\WINDOWS\\system32\\svchost.exe -k wsappx -p -s AppXSvc",
            "parent_process_graph_id": "pid:f92fddba4189497b959283d96c078c39:3634313213300"
          },
          "pattern_disposition": 0,
          "pattern_disposition_details": {
            "indicator": false,
            "detect": false,
            "inddet_mask": false,
            "sensor_only": false,
            "rooting": false,
            "kill_process": false,
            "kill_subprocess": false,
            "quarantine_machine": false,
            "quarantine_file": false,
            "policy_disabled": false,
            "kill_parent": false,
            "operation_blocked": false,
            "process_blocked": false,
            "registry_operation_blocked": false,
            "critical_process_disabled": false,
            "bootup_safeguard_enabled": false,
            "fs_operation_blocked": false,
            "handle_operation_downgraded": false,
            "kill_action_failed": false,
            "blocking_unsupported_or_disabled": false,
            "suspend_process": false,
            "suspend_parent": false
          }
        },
        {
          "device_id": "f92fddba4189497b959283d96c078c39",
          "timestamp": "2023-05-05T18:36:23Z",
          "behavior_id": "5319",
          "filename": "rundll32.exe",
          "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\rundll32.exe",
          "alleged_filetype": "exe",
          "cmdline": "rundll32.exe AppXDeploymentExtensions.OneCore.dll,ShellRefresh",
          "scenario": "intel_detection",
          "objective": "Falcon Detection Method",
          "tactic": "Custom Intelligence",
          "tactic_id": "CSTA0005",
          "technique": "Indicator of Compromise",
          "technique_id": "CST0005",
          "display_name": "CustomIOCHashCritical",
          "description": "A SHA256 hash matched a Custom Intelligence Indicator (Custom IOC) with critical severity.",
          "severity": 90,
          "confidence": 100,
          "ioc_type": "hash_sha256",
          "pattern_disposition_details": {
            "blocking_unsupported_or_disabled": false,
            "suspend_process": false,
            "suspend_parent": false
          }
        }
      ],
      "email_sent": true,
      "first_behavior": "2023-05-05T18:36:23Z",
      "last_behavior": "2023-05-05T18:36:23Z",
      "max_confidence": 100,
      "max_severity": 90,
      "max_severity_displayname": "Critical",
      "show_in_ui": true,
      "status": "new",
      "hostinfo": {
        "domain": ""
      },
      "seconds_to_triaged": 0,
      "seconds_to_resolved": 0,
      "behaviors_processed": [
        "pid:f92fddba4189497b959283d96c078c39:3634948035040:5785",
        "pid:f92fddba4189497b959283d96c078c39:3634948035040:5319"
      ],
      "date_updated": "2023-05-05T18:39:34Z"
    }
  ],
  "errors": []
}
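The three calls documented above (token request, offset/limit walk over /detects/queries/detects/v1, and the 1000-id batching for /detects/entities/summaries/GET/v1), as an added Python example using only the standard library; this is not the plugin's own code. The `send` callable, the `FakeCrowdStrike` stand-in and its ids are assumptions constructed for offline demonstration; `urllib_sender` is how the same functions would talk to a real tenant such as https://api.crowdstrike.com.

```python
import json
import urllib.parse
import urllib.request

USER_AGENT = "netskope-ce-5.0.1-cte-crowdstrike/2.0.2"
QUERY_PAGE_LIMIT = 9999   # documented maximum per page for /detects/queries/detects/v1
SUMMARY_BATCH = 1000      # documented maximum ids per /detects/entities/summaries/GET/v1 call


def urllib_sender(base_url):
    """send(method, path, params, body, headers) -> dict against a real tenant (not run offline)."""
    def send(method, path, params=None, body=None, headers=None):
        url = base_url.rstrip("/") + path
        if params:
            url += "?" + urllib.parse.urlencode(params, doseq=True)
        hdrs = {"User-Agent": USER_AGENT, **(headers or {})}
        data = None
        if body is not None:
            if hdrs.get("Content-Type") == "application/x-www-form-urlencoded":
                data = urllib.parse.urlencode(body).encode()
            else:
                hdrs["Content-Type"] = "application/json"
                data = json.dumps(body).encode()
        req = urllib.request.Request(url, data=data, method=method, headers=hdrs)
        with urllib.request.urlopen(req, timeout=60) as resp:  # TLS verified by default
            return json.loads(resp.read().decode())
    return send


def get_token(send, client_id, client_secret):
    """POST /oauth2/token with client credentials; returns (token, seconds until expiry)."""
    resp = send("POST", "/oauth2/token",
                body={"grant_type": "client_credentials",
                      "client_id": client_id, "client_secret": client_secret},
                headers={"Content-Type": "application/x-www-form-urlencoded"})
    return resp["access_token"], int(resp["expires_in"])


def pull_detection_ids(send, token, last_behavior, ioc_types):
    """Walk the detects query with offset/limit until the reported total is reached. The
    offset advances by the ids actually returned, so a server that clamps the page size
    below 9999 cannot make the loop skip records."""
    headers = {"Authorization": f"Bearer {token}"}
    ids, offset = [], 0
    while True:
        params = {"last_behavior": last_behavior, "behaviors.ioc_type": ioc_types,
                  "limit": QUERY_PAGE_LIMIT, "offset": offset}
        resp = send("GET", "/detects/queries/detects/v1", params=params, headers=headers)
        if resp.get("errors"):
            raise RuntimeError(f"detects query failed: {resp['errors']}")
        page = resp.get("resources") or []
        ids.extend(page)
        offset += len(page)
        if not page or offset >= resp["meta"]["pagination"]["total"]:
            return ids


def pull_detection_details(send, token, detection_ids):
    """POST the ids to summaries/GET/v1 in batches of at most 1000."""
    headers = {"Authorization": f"Bearer {token}"}
    details = []
    for start in range(0, len(detection_ids), SUMMARY_BATCH):
        batch = detection_ids[start:start + SUMMARY_BATCH]
        resp = send("POST", "/detects/entities/summaries/GET/v1",
                    body={"ids": batch}, headers=headers)
        if resp.get("errors"):
            raise RuntimeError(f"summaries failed: {resp['errors']}")
        details.extend(resp.get("resources") or [])
    return details


class FakeCrowdStrike:
    """Constructed in-memory stand-in for the three endpoints (offline demo only). It clamps
    pages to 1000 ids, fewer than the 9999 requested, and rejects oversized summary batches."""
    def __init__(self, n_detections, page_clamp=1000):
        self.ids = [f"ldt:{i:032x}:{i}" for i in range(n_detections)]  # constructed ids
        self.page_clamp, self.calls = page_clamp, []

    def __call__(self, method, path, params=None, body=None, headers=None):
        self.calls.append(path)
        if path == "/oauth2/token":
            return {"access_token": "constructed-token", "expires_in": 1799, "token_type": "bearer"}
        if (headers or {}).get("Authorization") != "Bearer constructed-token":
            return {"errors": [{"code": 401, "message": "access denied"}], "resources": []}
        if path == "/detects/queries/detects/v1":
            offset, limit = int(params["offset"]), min(int(params["limit"]), self.page_clamp)
            return {"meta": {"pagination": {"offset": offset, "limit": limit, "total": len(self.ids)}},
                    "resources": self.ids[offset:offset + limit], "errors": []}
        if path == "/detects/entities/summaries/GET/v1":
            if len(body["ids"]) > SUMMARY_BATCH:
                return {"errors": [{"code": 400, "message": "too many ids"}], "resources": []}
            return {"resources": [{"detection_id": d} for d in body["ids"]], "errors": []}
        raise ValueError(path)


def demo(n_detections=2500):
    """Run the whole pull against the fake and return counts a caller can check."""
    fake = FakeCrowdStrike(n_detections)
    token, _ = get_token(fake, "constructed-client-id", "constructed-client-secret")
    ids = pull_detection_ids(fake, token, "2023-07-08T01:01:41Z",
                             ["hash_md5", "md5", "hash_sha256", "sha256", "domain"])
    details = pull_detection_details(fake, token, ids)
    return {"ids": len(ids), "details": len(details),
            "query_calls": fake.calls.count("/detects/queries/detects/v1"),
            "summary_calls": fake.calls.count("/detects/entities/summaries/GET/v1")}
```

With 2500 constructed detections the fake serves three query pages (1000, 1000, 500) and the client issues three summary calls of at most 1000 ids each; swapping `FakeCrowdStrike` for `urllib_sender("https://api.crowdstrike.com")` runs the same code against a live tenant.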

Pull Indicators from IoC Management

Endpoint: /iocs/combined/indicator/v1
Method: GET
Headers:

Key | Value
User-Agent | netskope-ce-5.0.1-cte-crowdstrike/2.0.2
Authorization | Bearer <Bearer Token>

Parameters:

Key | Value | Description
limit | 2000 | Maximum number of records per page.
offset | Empty string for the first API call; add the limit for each following call (offset += limit). | The offset to start retrieving records from.
after | WzE2NjU1MTQ1MDQzODYsIjEzM2U2YzUwNjA5NzJjYmEyY2UwODg2ODQ3MzRiMzc1ZTZkZGFlMzNjNTlmNzJhYjFkZmQ0NTlmNmVhY2QzMWYiXQ== | A pagination token used with the limit parameter to manage pagination of results. On your first request, do not provide an 'after' token. On subsequent requests, provide the 'after' token from the previous response to continue from that place in the results.
filter | type:['md5','sha256','domain','ipv4','ipv6']+modified_on:>'2023-07-08T01:01:41Z' | Filter by indicator type and by the indicator's modified time.
sort | modified_on | Sort indicators by modified time.

To access more than 10k indicators, use the 'after' parameter instead of 'offset'.

Sample API Response:

{
  "meta": {
    "query_time": 0.035081512,
    "pagination": {
      "limit": 1,
      "total": 640,
      "offset": 1,
      "after": "WzE2ODkyNjE2NjI2MjcsIjM4MDI2Yzk5MzQ1ZGI5NDE4NGMwYTY3MTIwOGUwZGQwNWY4NmNjNzlhMmI2NTRjNTVjNzg0NTQ5YzZiYmMxNzAiXQ=="
    },
    "powered_by": "ioc-manager",
    "trace_id": "0dddfbcf-e93f-4ae0-b143-6c79912224cb"
  },
  "errors": null,
  "resources": [
    {
      "id": "38026c99345db94184c0a671208e0dd05f86cc79a2b654c55c784549c6bbc170",
      "type": "md5",
      "value": "00000d9007e7a6b0842e802957137079",
      "source": "Netskope_CSPlugin_v3",
      "action": "detect",
      "severity": "high",
      "metadata": {
        "filename": "unused"
      },
      "platforms": [
        "windows"
      ],
      "expired": false,
      "deleted": false,
      "applied_globally": true,
      "from_parent": false,
      "created_on": "2023-07-13T15:21:02.627637187Z",
      "created_by": "cc5fc723039543d29a796a349d2f1525",
      "modified_on": "2023-07-13T15:21:02.627637187Z",
      "modified_by": "cc5fc723039543d29a796a349d2f1525"
    }
  ]
}
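An added Python example (not the plugin's own code) of the pull documented above: it builds the type/modified_on filter, follows the 'after' cursor instead of 'offset' so the 10k ceiling does not apply, and applies the IoC Management page mapping from the Mappings section, including the documented comment format and the "non-CrowdStrike-discovered" tag. The `send` callable, the `FakeIocManagement` stand-in, its base64 cursor and the way metadata is rendered inside the comment are assumptions constructed for offline demonstration; `SAMPLE_RECORD` is copied from the sample response above.

```python
import base64
import json

USER_AGENT = "netskope-ce-5.0.1-cte-crowdstrike/2.0.2"
PAGE_LIMIT = 2000   # documented maximum per page for /iocs/combined/indicator/v1
CE_TYPE = {"sha256": "SHA256", "md5": "MD5", "domain": "Domain", "ipv4": "IPv4", "ipv6": "IPv6"}
SEVERITY_TO_CE = {"informational": "Unknown", "low": "Low", "medium": "Medium",
                  "high": "High", "critical": "Critical"}


def build_filter(types, modified_after):
    """FQL filter in the shape shown in the Parameters table: type list plus a modified_on bound."""
    quoted = ",".join(f"'{t}'" for t in types)
    return f"type:[{quoted}]+modified_on:>'{modified_after}'"


def iter_ioc_management(send, token, types, modified_after):
    """Yield every matching record, following the 'after' cursor. The first request carries
    no 'after'; each later one carries the token from the previous response."""
    headers = {"Authorization": f"Bearer {token}", "User-Agent": USER_AGENT}
    after = None
    while True:
        params = {"limit": PAGE_LIMIT, "sort": "modified_on",
                  "filter": build_filter(types, modified_after)}
        if after:
            params["after"] = after
        resp = send("GET", "/iocs/combined/indicator/v1", params=params, headers=headers)
        if resp.get("errors"):
            raise RuntimeError(f"IoC Management query failed: {resp['errors']}")
        page = resp.get("resources") or []
        yield from page
        after = ((resp.get("meta") or {}).get("pagination") or {}).get("after")
        if not page or not after:
            return


def ioc_to_ce(rec):
    """Apply the IoC Management page mapping, including the documented comment format."""
    meta = rec.get("metadata") or {}
    # assumption: <Metadata Value> rendered as key=value pairs; the page does not fix its layout
    meta_text = " ".join(f"{k}={v}" for k, v in sorted(meta.items())) or "none"
    comment = (f"Source: {rec.get('source', '')}, action: {rec.get('action', '')}, "
               f"platforms: {','.join(rec.get('platforms') or [])}, metadata fields: {meta_text}")
    return {"value": rec["value"],
            "type": CE_TYPE[rec["type"].lower()],
            "severity": SEVERITY_TO_CE.get(str(rec.get("severity", "")).lower(), "Unknown"),
            "firstSeen": rec.get("created_on"),
            "lastSeen": rec.get("modified_on"),
            "comment": comment,
            "tags": list(rec.get("tags") or []) + ["non-CrowdStrike-discovered"]}


SAMPLE_RECORD = {  # copied from the sample response above
    "id": "38026c99345db94184c0a671208e0dd05f86cc79a2b654c55c784549c6bbc170",
    "type": "md5", "value": "00000d9007e7a6b0842e802957137079",
    "source": "Netskope_CSPlugin_v3", "action": "detect", "severity": "high",
    "metadata": {"filename": "unused"}, "platforms": ["windows"],
    "created_on": "2023-07-13T15:21:02.627637187Z",
    "modified_on": "2023-07-13T15:21:02.627637187Z",
}


class FakeIocManagement:
    """Constructed offline stand-in for /iocs/combined/indicator/v1 with cursor paging."""
    def __init__(self, records, page_size):
        self.records, self.page_size, self.calls = records, page_size, []

    @staticmethod
    def _token(pos):  # constructed cursor: base64 of a JSON list, opaque to the client
        return base64.b64encode(json.dumps([pos]).encode()).decode()

    def __call__(self, method, path, params=None, headers=None, **_):
        self.calls.append(dict(params))
        if "modified_on" not in params.get("filter", ""):
            return {"errors": [{"code": 400, "message": "unbounded pull refused"}]}
        pos = json.loads(base64.b64decode(params["after"]))[0] if params.get("after") else 0
        page = self.records[pos:pos + self.page_size]
        nxt = pos + len(page)
        pagination = {"limit": self.page_size, "total": len(self.records), "offset": nxt}
        if nxt < len(self.records):
            pagination["after"] = self._token(nxt)   # only present while more pages remain
        return {"meta": {"pagination": pagination}, "errors": None, "resources": page}


def demo(total=5, page_size=2):
    """Pull `total` constructed records through a fake that serves `page_size` per page."""
    records = [dict(SAMPLE_RECORD, id=f"{i:064x}", value=f"{i:032x}") for i in range(total)]
    fake = FakeIocManagement(records, page_size)
    pulled = [ioc_to_ce(r) for r in iter_ioc_management(
        fake, "constructed-token", ["md5", "sha256", "domain", "ipv4", "ipv6"], "2023-07-08T01:01:41Z")]
    return {"count": len(pulled), "requests": len(fake.calls),
            "first_had_after": "after" in fake.calls[0],
            "values": [p["value"] for p in pulled]}
```

Five records served two per page take three requests, the first without an 'after' token; the sample record maps to a CE indicator whose comment reads "Source: Netskope_CSPlugin_v3, action: detect, platforms: windows, metadata fields: filename=unused".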

Match IoC Existence on IoC Management

API Endpoint: /iocs/combined/indicator/v1
Method: GET
Headers:

Key | Value
User-Agent | netskope-ce-5.0.1-cte-crowdstrike/2.0.2
Authorization | Bearer <Bearer Token>

Parameters:

Key | Value
limit | 2000
filter | value: [<IoC Values>]

Sample API Response:

{
    "meta": {
        "query_time": 0.022017219,
        "pagination": {
            "limit": 100,
            "total": 1,
            "offset": 1,
            "after": "WzE3MTI1NjE2NTU2MzIsImY4NjU1ZDM2OTJiNDllNjVhNWEzMmRmYTM4N2QzZTI3NTk3NTRhOGI0Y2ZjNDI0YzhmODBmZDY1NzZjMGJjOGEiXQ=="
        },
        "powered_by": "ioc-manager",
        "trace_id": "8ab48640-e2ef-4cf0-b631-d33f897defb1"
    },
    "errors": null,
    "resources": [
        {
            "id": "f8655d3692b49e65a5a32dfa387d3e2759754a8b4cfc424c8f80fd6576c0bc8a",
            "type": "md5",
            "value": "4309e189b0e68c2c0f554dd4202d00bd",
            "source": "Netskope_CSPlugin_v3",
            "action": "detect",
            "severity": "high",
            "metadata": {
                "filename": "testpdv_5e67ccdec797303d7973900c3c1ed399_4309e189b0e68c2c0f554dd4202d00bd_1712561301_sha256-blacklist-sample.txt"
            },
            "platforms": [
                "windows"
            ],
            "expired": false,
            "deleted": false,
            "applied_globally": true,
            "from_parent": false,
            "created_on": "2024-04-04T15:42:22.809754471Z",
            "created_by": "cc5fc723039543d29a796a349d2f1525",
            "modified_on": "2024-04-08T07:34:15.632004689Z",
            "modified_by": "cc5fc723039543d29a796a349d2f1525"
        }
    ]
}

Update Indicator on IoC Management

API Endpoint: /iocs/entities/indicators/v1
Method: PATCH
Headers:

Key | Value
User-Agent | netskope-ce-5.0.1-cte-crowdstrike/2.0.2
Authorization | Bearer <Bearer Token>

Payload:

Key | Value | Description
indicators | List of indicator dictionaries (see below) | List of dictionaries containing indicator payloads.
comment | Indicators updated from Netskope Cloud Exchange.

[
  {
    "id": "f8655d3692b49e65a5a32dfa387d3e2759754a8b4cfc424c8f80fd6576c0bc8a",
    "source": "Netskope_CSPlugin_v3",
    "action": "no_action",
    "platforms": ["windows"],
    "applied_globally": true,
    "severity": "critical",
    "tags": ["netskope-ce"],
    "type": "md5",
    "description": "This is a test indicator.",
    "value": "4309e189b0e68c2c0f554dd4202d00bd"
  }
]

Sample API Response:

{
    "meta": {
        "query_time": 0.253615007,
        "pagination": {
            "limit": 0,
            "total": 1
        },
        "powered_by": "ioc-manager",
        "trace_id": "8dd3a607-8bec-46f5-a79c-9692d6d92818"
    },
    "errors": null,
    "resources": [
        {
            "id": "f8655d3692b49e65a5a32dfa387d3e2759754a8b4cfc424c8f80fd6576c0bc8a",
            "type": "md5",
            "value": "4309e189b0e68c2c0f554dd4202d00bd",
            "source": "Netskope_CSPlugin_v3",
            "action": "no_action",
            "severity": "critical",
            "description": "This is a test indicator.",
            "metadata": {
                "filename": "testpdv_5e67ccdec797303d7973900c3c1ed399_4309e189b0e68c2c0f554dd4202d00bd_1712565995_sha256-blacklist-sample.txt"
            },
            "platforms": [
                "windows"
            ],
            "tags": [
                "netskope-ce"
            ],
            "expired": false,
            "deleted": false,
            "applied_globally": true,
            "from_parent": false,
            "created_on": "2024-04-04T15:42:22.809754471Z",
            "created_by": "cc5fc723039543d29a796a349d2f1525",
            "modified_on": "2024-04-08T08:52:28.142410877Z",
            "modified_by": "61794791c7554fecab6a975090f98f6d"
        }
    ]
}

Push Indicator to IoC Management

API Endpoint: /iocs/entities/indicators/v1
Method: POST
Headers:

Key | Value
User-Agent | netskope-ce-5.0.1-cte-crowdstrike/2.0.2
Authorization | Bearer <Bearer Token>

Data:

Key | Value | Description
indicators | List of indicator dictionaries (see below) | List of dictionaries containing indicator payloads.
comment | Indicators shared from Netskope Cloud Exchange.

[
  {
    "action": "allow",
    "applied_globally": true,
    "description": "This is a test indicator from netskope.",
    "platforms": ["linux"],
    "severity": "High",
    "source": "netskope",
    "tags": ["netskope"],
    "type": "md5",
    "value": "d60fbc101972fe1ed086fdf05b520dfa"
  }
]

Get Host IDs from Indicator Value

API Endpoint: /indicators/queries/devices/v1
Method: GET
Headers:

Key | Value
User-Agent | netskope-ce-5.0.1-cte-crowdstrike/2.0.2
Authorization | Bearer <Bearer Token>

Parameters:

Key | Value | Description
type | md5 | Indicator type. Possible values: sha256, md5, domain, ipv4 and ipv6.
value | 4309e189b0e68c2c0f554dd4202d00bd | Hash or actual IoC value.
limit | 100 | Maximum number of hosts per page.
offset | "" | Empty string for the first call, or the offset returned by the previous API call.

Sample API Response:

{
    "meta": {
        "query_time": 6.8e-8,
        "pagination": {
            "offset": "",
            "limit": 100
        },
        "trace_id": "2039578c-1e94-4e56-a2c7-58bea1c12857",
        "entity": "/devices/entities/devices/v1{?ids*}"
    },
    "resources": [
        "9d4f598cec024ac2bf3c5e2afdc69129",
        "331c40581b7a4d4a81863bf630edc868"
    ],
    "errors": []
}

Perform Isolate/Remediate Action

API Endpoint: /devices/entities/devices-actions/v2
Method: POST
Headers:

Key | Value
User-Agent | netskope-ce-5.0.1-cte-crowdstrike/2.0.2
Authorization | Bearer <Bearer Token>

Payload:

Key | Value
action_parameters | List of name/value pairs (see below)
ids | [<Host IDs>]

[
  {
    "name": "unhide_host",
    "value": "unhide_host"
  }
]

Sample API Response:

{
    "meta": {
        "query_time": 17.960566309,
        "powered_by": "device-api",
        "trace_id": "d7fa97da-83c3-4349-b870-e19d85983605"
    },
    "resources": [
        {
            "id": "331c40581b7a4d4a81863bf630edc868",
            "path": "/devices/entities/devices/v1"
        }
    ],
    "errors": []
}

Note

In the plugin, the Isolate/Remediate action is performed in batches: for Contain and Lift Containment the batch size is 5000 hosts, and for Hide Host and Unhide Host it is 100 hosts.
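An added Python example (not the plugin's own code) covering two passages: the "Push Indicator to IoC Management" payload above, validated against the action rules listed under "CrowdStrike Actions" (Allow and the Block variants apply to hashes only; Allow takes no severity) and split into batches of the plugin's Indicator Batch Size, and the per-action host batching described in the Note just above. Assumptions: "prevent" and "prevent_no_ui" are the Falcon IOC API action names for "Block" and "Block, Hide Detection" (the page shows only no_action, allow and detect), "mac" is accepted as a platform alongside the windows and linux shown on the page, and action_name is passed as a query parameter on the device-action call.

```python
HASH_TYPES = {"sha256", "md5"}
IOC_TYPES = HASH_TYPES | {"domain", "ipv4", "ipv6"}
# no_action, allow and detect appear in the payload samples on this page; prevent and
# prevent_no_ui are the Falcon IOC API names for "Block" and "Block, Hide Detection" (assumption)
HASH_ONLY_ACTIONS = {"allow", "prevent", "prevent_no_ui"}
ACTIONS = HASH_ONLY_ACTIONS | {"no_action", "detect"}
SEVERITIES = {"informational", "low", "medium", "high", "critical"}
PLATFORMS = {"windows", "mac", "linux"}   # windows and linux are on the page; mac is an assumption
SOURCE_MAX = 200                           # IoC Source is limited to 200 characters
# Batch sizes per device action, from the Note above
DEVICE_ACTION_BATCH = {"contain": 5000, "lift_containment": 5000, "hide_host": 100, "unhide_host": 100}


def build_indicator(value, ioc_type, action, source, severity=None,
                    platforms=("windows",), description="", tags=(), applied_globally=True):
    """Validate one indicator against the documented action rules and return the
    dictionary that goes into the 'indicators' list of the push payload."""
    ioc_type, action = ioc_type.lower(), action.lower()
    if ioc_type not in IOC_TYPES:
        raise ValueError(f"unsupported indicator type: {ioc_type}")
    if action not in ACTIONS:
        raise ValueError(f"unsupported action: {action}")
    if action in HASH_ONLY_ACTIONS and ioc_type not in HASH_TYPES:
        raise ValueError(f"action {action} applies to hashes only, not {ioc_type}")
    if action == "allow" and severity is not None:
        raise ValueError("severity must not be provided for the allow action")
    if severity is not None and severity.lower() not in SEVERITIES:
        raise ValueError(f"unknown severity: {severity}")
    plats = [p.lower() for p in platforms]
    if not plats or set(plats) - PLATFORMS:
        raise ValueError(f"unsupported platforms: {list(platforms)}")
    if not source or len(source) > SOURCE_MAX:
        raise ValueError("source is required and limited to 200 characters")
    ind = {"type": ioc_type, "value": value, "action": action, "source": source,
           "platforms": plats, "applied_globally": applied_globally,
           "description": description, "tags": list(tags)}
    if severity is not None:
        ind["severity"] = severity.lower()   # responses on this page use lowercase severities
    return ind


def chunked(items, size):
    """Split a list into consecutive batches of at most `size` items."""
    if size < 1:
        raise ValueError("batch size must be at least 1")
    return [items[i:i + size] for i in range(0, len(items), size)]


def push_payloads(indicators, batch_size, comment="Indicators shared from Netskope Cloud Exchange."):
    """One POST /iocs/entities/indicators/v1 body per batch. batch_size is the plugin's
    Indicator Batch Size; lowering it is the documented fix for 500 Server Errors."""
    return [{"comment": comment, "indicators": batch} for batch in chunked(indicators, batch_size)]


def device_action_requests(action_name, host_ids):
    """Split host ids for POST /devices/entities/devices-actions/v2 using the per-action
    batch size. The body mirrors the action_parameters/ids payload shown above; the
    action_name query parameter is an assumption about the Falcon API."""
    size = DEVICE_ACTION_BATCH[action_name]
    return [{"params": {"action_name": action_name},
             "body": {"action_parameters": [{"name": action_name, "value": action_name}],
                      "ids": batch}}
            for batch in chunked(list(host_ids), size)]
```

`build_indicator` refuses the combinations the action list rules out before anything is sent, `push_payloads` turns 2500 validated indicators into three requests at a batch size of 1000, and `device_action_requests` splits 250 hosts into three Hide Host calls but a single Contain call.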

User Agent

The user-agent added in this plugin is in the following format:

 <vendor>-<integration name>/<version>

For example:

netskope-ce-5.0.1-cte-crowdstrike/2.0.2

Workflow

  1. Create a custom File Profile.
  2. Create a Malware Detection Profile.
  3. Create a Real-time Protection Policy.
  4. Get your CrowdStrike API credentials.
  5. Configure the CrowdStrike Plugin.
  6. Configure sharing between Netskope and CrowdStrike.
  7. Validate the CrowdStrike Plugin.


Create a Secure Web Gateway Custom File Profile for CrowdStrike

  1. In the Netskope UI, go to Policies , select File , and click New File Profile.
  2. Click File Hash in the left panel, select SHA256 from the File Hash dropdown list.
  3. Enter a temporary value in the text field. Netskope does not support progressing without having a value in this field, and recommends entering a string of 64 characters that consists of the character f. For example, ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff. This will have a very low possibility of matching a valid file format.
  4. Click Next.
  5. Enter a Profile Name and a Description. We recommend not having blank spaces in your profile name; use underscores for spaces.
  6. Click Save.
  7. To publish this profile into the tenant, click Apply Changes in the top right.

Create a Malware Detection Profile for CrowdStrike

  1. In the Netskope UI, go to Policies, select Threat Protection , and click New Malware Detection Profile.
  2. Click Next
  3. Click Next again.
  4. Select the File Profile you created in the previous section and click Next.
  5. Enter a Malware Detection Profile name and click Save Malware Detection Profile.
  6. To publish this profile in the tenant, click Apply Changes in the top right.

Create a Real-time Threat Protection Policy for CrowdStrike

These instructions apply to the new Real-time Protection policy workflow.

  1. In the Netskope UI, go to Policies > Real-time Protection. 
  2. Click New Policy and select Threat Protection.
  3. For Source, leave the default (User = All Users)
  4. For Destination: select Category
  5. The Category section expands and allows you to search and select categories. Click Select All. When finished, click outside of the Category section.
  6. When the Activities & Constraints section opens, click Edit.
  7. Select Upload and Download, and then click Save.
  8. For Profile & Action, click in the text field.
  9. Select the Malware Detection profile you created in the previous section.
  10. For the Severity Levels, change all of the Actions settings from Action: Alert to Action: Block.
  11. Select a template to choose which block message is sent to the user.
  12. For Set Policy, enter a descriptive Policy Name.
  13. Click Save in the top right to save the policy.
  14. Choose the To the top option when it appears (or the appropriate location in your security policy).
  15. To publish this policy into the tenant, select Apply Changes in the top right.

Get your CrowdStrike Client ID and Client Secret

  1. Log in to your CrowdStrike platform and go to Support and Resources > API Client and Keys.
  2. Click Create API Client. Add the Client name and provide these scopes.

    API Scopes permissions

    Scope | Read | Write
    Detections | Yes | No
    IoC Management | Yes | Yes
    Hosts | Yes | Yes
    IoCs (Indicators of Compromise) | Yes | No
  3. Copy the Client ID and Secret, and then click Create.

Configure the CrowdStrike Plugin

  1. Log in to Cloud Exchange and go to Settings > Plugins.
  2. Search for and select the CrowdStrike v2.0.2 (CTE) plugin box to open the plugin creation pages.
  3. For Basic Information, enter and select these values:
    • Configuration Name: Unique name for the configuration
    • Sync Interval: Interval to fetch data from this plugin source. Leave default or change based on your requirement.
    • Aging Criteria: Expiry time of the plugin in days. (Default: 90)
    • Override Reputation: Set a value to override the reputation of indicators received from this configuration. Leave empty to keep default.
    • Enable SSL Validation: Enable SSL Certificate validation.
    • Use System Proxy: Enable if the proxy is required for communication.
  4. Click Next.
  5. For Configuration Parameters, enter and select these values:
    • Base URL: Base URL for CrowdStrike instance, like https://api.crowdstrike.com.
    • Client ID: Client ID generated from the CrowdStrike platform. Client ID can be generated from the Support and resources > API clients and keys page.
    • Client Secret: Client Secret generated from the CrowdStrike platform. Client Secret can be generated from the Support and resources > API clients and keys page.
    • Enable Polling: Enable/Disable polling Threat IoCs from CrowdStrike. Disable if you only need to push Threat IoCs to CrowdStrike.
    • Indicator Source Page: The source page from which plugin should pull the indicators.
    • Type of Threat data to pull: Type of Threat data to pull. Supported types are SHA256, MD5, Domain, IPv4 and, IPv6.
    • Initial Range: Number of days to pull the data for the initial run.
    • Indicator Batch Size: Number of indicators sent to CrowdStrike in one sharing request. Reduce it if sharing fails with a 500 Server Error (see Troubleshooting).
    • IoC Source: The source where this indicator originated. This can be used for tracking where this indicator was defined on the CrowdStrike Custom IoC page. Limited to 200 characters.
  6. Click Save.

Configure a Threat Exchange Business Rule for CrowdStrike

A Business Rule is used to filter out the indicators that are to be shared. In order to share IoCs with CrowdStrike, create a business rule using these steps:

  1. Go to Threat Exchange > Business Rules and click Create New Rule.
  2. Add the Rule name and select the fields through which you want to filter the IoCs.
  3. Click Save.

Configure Threat Exchange Sharing for CrowdStrike

CrowdStrike v2.0.2 supports performing Remediate and Isolate actions on the Hosts. This plugin also updates the already shared Indicators on CrowdStrike when reshared.

CrowdStrike Actions

Perform Action

  • No Action: Save the indicator for future use, but take no action. No severity is required.
  • Allow: This applies to hashes only. Allow the indicator and do not detect it. Severity does not apply and should not be provided.
  • Block, Hide Detection: This applies to hashes only. Block and detect the indicator, but hide it from Endpoint security > Monitor > Endpoint detections. Has a default severity value.
  • Block: This applies to hashes only. Add the indicator to the Block list using which the prevention policy will block the processes on the host from which this indicator is generated.
  • Detect Only: Show it as detection and take no action on it.

Isolate/Remediate Hosts

  • Contain: Contains the host and stops any network communications to locations other than the CrowdStrike cloud and IPs specified in your containment policy.
  • Lift Containment: Lifts containment on the host and returns its network communications to normal.
  • Hide Host: Deletes a host. After the host is deleted, no new detections for the host will be reported via the UI or API. A maximum of 100 hosts can be hidden at a time.
  • Unhide Host: Restores a host. Detection reporting resumes after the host is restored.

To configure sharing:

  1. Go to Threat Exchange > Sharing and click Add Sharing Configuration.
  2. Select Source configuration (Source from which you want to share data to CrowdStrike), select a Business Rule, and Destination.
  3. Select a Target value and Action type.
  4. Click Save.

Validate the CrowdStrike Plugin

Validate the Pull

  1. Indicators from CrowdStrike are pulled from the Endpoint security > Endpoint Detection and Endpoint security > IoC Management pages.
  2. Indicators stored in CE can be verified from Threat Exchange > Threat IoCs.
  3. Search the CrowdStrike IoCs by filtering indicators from CrowdStrike.

    For example, add a query on the Threat IoCs page, like sources.source Is equal <plugin name>.

  4. You can also verify the indicators pulled in CE from the logs available on the Logging page.

Validate the Push

  1. Shared IoCs in Netskope CE can be verified from logs available on the Logging page of Threat Exchange.
  2. IoCs shared on CrowdStrike can be verified from Endpoint security > IoC Management.
  3. IoCs shared to perform isolate/remediate host action on the specific host on CrowdStrike can be verified from Endpoint security > Host Management.
  4. Validate the Push for IoCs on which Isolate/Remediate Action has been performed.
    1. Go to CrowdStrike platform > Host Management and look for the host on which the action needs to be performed. Currently, the Status of the Host is Lift Containment.
    2. Add sharing to perform the Contain Operation on the host. After sharing has been initiated, go to Logging and search for Successfully executed.
    3. Go to the CrowdStrike platform and check if the status has been changed or not.
    4. Now Update the sharing to perform the Hide Host Operation and go to Logging to verify the logs.
    5. Now go to the CrowdStrike platform and check whether the host is visible on the Host Management page or not. Ideally it should not be visible.
    6. Now Update the sharing to perform the Unhide Host Operation and go to Logging to verify the logs.
    7. Now go to the CrowdStrike platform and check whether the host is visible on the Host Management page or not. Ideally, it should be visible.

Troubleshooting

Receiving an error while updating the plugin using the plugin repository

If you are facing an issue updating the configured CrowdStrike plugin, follow these steps:

  1. Close the plugin repo page after you pull and download the plugin updates.
  2. Go to Threat Exchange > Plugins.
  3. To edit the plugin, go to the Configuration Parameter page and remove the selected value from the Type of Threat Data to pull value, and then select the IoC type that you want to pull.
  4. Select the source page from the Indicator Source Page dropdown.
  5. Save the plugin.
  6. Click on the enable plugin icon and enable the plugin. The plugin will be updated with the latest changes and start working as expected.

Receiving a 500 Server Error while updating/sharing IoCs to CrowdStrike

If a 500 Server Error appears in the logs while sharing IoCs to CrowdStrike, the batch size configured in the plugin for sharing may be too large.

Change the batch size for the sharing from the plugin configuration by following these steps:

  1. Edit the CrowdStrike plugin from Threat Exchange > Plugins.
  2. Reduce the Indicator Batch size parameter and save the plugin.

Not able to share IoCs from Netskope CE to the CrowdStrike plugin

If you are not able to share IoCs from Netskope to CrowdStrike, it could be due to one of these reasons:

  • The IoCs stored in Netskope CE for this plugin are of a type that CrowdStrike does not accept.
  • The required API scopes are not granted to the Client ID and Client Secret used for CrowdStrike.

What to do:

  • Make sure that only supported IoC types are present.
  • Make sure that all required scopes are granted to the Client ID and Client Secret used for CrowdStrike.

Known Behavior

CrowdStrike accepts at most 1M IoCs on the IoC Management page. If the page has already reached that limit, IoCs will not be shared from Netskope CE, and the user must first delete existing IoCs.
