CrowdStrike Plugin for Threat Exchange
This document explains how to configure the CrowdStrike v2.1.1 plugin with the Threat Exchange module of the Netskope Cloud Exchange platform. This plugin fetches Threat IoCs of type Hash (MD5 and SHA256), Domains, IPv4, IPv6 from CrowdStrike’s Endpoint detections and IOC management page.
This plugin supports sharing the Threat IoCs to CrowdStrike’s IoC management page and can perform Isolate/Remediate actions for hosts. Only file hash IoCs activate prevention; Domain, IPv4, IPv6 don’t trigger prevention in CrowdStrike. Sharing URL information from Netskope Cloud Exchange to CrowdStrike is not recommended, as CrowdStrike currently only supports ingesting SHA256, MD5, Domain, IPv4, and IPv6.
Prerequisites
To complete this configuration, you need:
- A Netskope tenant (or multiple, for example, production and development/test instances) that is already configured in Cloud Exchange.
- A Secure Web Gateway subscription for URL sharing.
- A Threat Protection subscription for malicious file hash sharing.
- A Netskope Cloud Exchange tenant with the Threat Exchange module already configured.
- A CrowdStrike instance.
- Connectivity to any one of the following hosts:
- Commercial cloud (api.crowdstrike.com)
- US 2 (api.us-2.crowdstrike.com)
- Falcon on GovCloud (api.laggar.gcw.crowdstrike.com)
- EU cloud (api.eu-1.crowdstrike.com)
CE Version Compatibility
Netskope CE v4.2.0 and v5.0.1
CrowdStrike Plugin Support
The plugin supports pulling and pushing of Domains, IPv4, IPv6, SHA256 and MD5 to/from CrowdStrike. The plugin also supports performing Isolate and Remediate actions on the CrowdStrike hosts.
Capability | Indicator types |
---|---|
Fetched indicator types | SHA256, MD5, Domain, IPv4, IPv6 |
Shared indicator types | SHA256, MD5, Domain, IPv4, IPv6 |
Permissions
Scope | Read | Write |
---|---|---|
Detections | Yes | No |
IoC Management | Yes | Yes |
Hosts | Yes | Yes |
IoCs (Indicators of Compromise) | Yes | No |
Performance Matrix
Here is the performance reading conducted by pulling and sharing 100K indicators from/to CrowdStrike on a Large Cloud Exchange Stack with these specifications.
Metric | Value |
---|---|
Stack details | Size: Large, RAM: 32 GB, CPU: 16 Cores |
Indicators fetched from CrowdStrike’s IoC Management page | ~25K per minute |
Indicators fetched from CrowdStrike’s Endpoint Detection page | ~15K per minute |
Indicators shared with CrowdStrike | ~2K per minute |
Mappings
Here is the list of fields that are pulled from CrowdStrike and mapped in Netskope CE.
Severity Mapping
Netskope CE Severity | Third-Party Severity |
---|---|
Unknown | Informational |
Low | Low |
Medium | Medium |
High | High |
Critical | Critical |
Endpoint Detection Page Mapping
Netskope CE Fields | CrowdStrike API Response Fields |
---|---|
value | ioc_value |
type | ioc_type |
comments | ioc_description |
firstSeen | first_behavior (timestamp) |
lastSeen | last_behavior (timestamp) |
severity | severity |
reputation | confidence/10 |
IoC Management Page Mapping
Netskope CE Fields | CrowdStrike API Response Fields |
---|---|
value | value |
type | type |
severity | severity |
firstSeen | created_on |
lastSeen | modified_on |
comment (format: Source: <Source Value>, action: <Action Value>, platforms: <Platform Value>, metadata fields: <Metadata Value>) | Combination of Source, action, platforms, and metadata fields |
tags | tags + ["non-CrowdStrike-discovered"] |
API Details
List of APIs Used
Use Case | Method | Endpoint | API Scope |
---|---|---|---|
Get auth token | POST | /oauth2/token | None |
Pull detection ids from Endpoint Detections | GET | /detects/queries/detects/v1 | Detections (Read) |
Pull detection details | POST | /detects/entities/summaries/GET/v1 | Detections (Read) |
Pull indicators from Custom IoC Management and check the existence of indicators on IoC Management | GET | /iocs/combined/indicator/v1 | IoC Management (Read) |
Push indicators to Custom IoC Management | POST | /iocs/entities/indicators/v1 | IoC Management (Write) |
Pull the host IDs from the indicator value for the Isolate/Remediate action | GET | /indicators/queries/devices/v1 | IoCs (Indicators of Compromise) (Read) |
Perform Isolate/Remediate action | POST | /devices/entities/devices-actions/v2 | Hosts (Write) |
Get Auth token
API Endpoint: /oauth2/token
Method: POST
Headers:
Key | Value |
---|---|
User-Agent | netskope-ce-5.0.1-cte-crowdstrike/2.1.1 |
Payload:
Parameter | Value |
---|---|
grant_type | client_credentials |
client_id | <Client ID> |
client_secret | <Client Secret> |
Sample API Response:
{ "access_token": "", "expires_in": 1799, "token_type": "bearer" }
Pull Detection ID from Endpoint Detection Page
API Endpoint: /detects/queries/detects/v1
Method: GET
Headers:
Key | Value |
---|---|
User-Agent | netskope-ce-5.0.1-cte-crowdstrike/2.1.1 |
Authorization | Bearer <Bearer Token> |
Parameters:
Key | Value | Description |
---|---|---|
last_behavior | 2023-07-08T01:01:41Z | Timestamp in the TZ format. |
behaviors.ioc_type | ['hash_md5', 'md5', 'hash_sha256', 'sha256', 'domain'] | Can be a string or array of strings containing the IOC types. |
limit | 9999 (max limit); default 100 | Limit for 1 page. |
offset | 0 (first API call) | Increase the offset by the limit for each subsequent page, for example 1000. |
Sample API Response:
{ "meta": { "query_time": 0.007558762, "pagination": { "offset": 0, "limit": 1000, "total": 10 }, "powered_by": "legacy-detects", "trace_id": "f63fd86d-5250-4d9c-8325-5a40a8cf18e0" }, "resources": [ "ldt:6e9d3f6e1a0b4807a4ba4da376a6ebbc:180388797004" ], "errors": [] }
Pull Details for Detections
Endpoint: /detects/entities/summaries/GET/v1
Method: POST
Parameters: None
Headers:
Key | Value |
---|---|
User-Agent | netskope-ce-5.0.1-cte-crowdstrike/2.1.1 |
Authorization | Bearer <Bearer Token> |
Payload:
Key | Value | Description |
---|---|---|
ids | [ "ldt:6e9d3f6e1a0b4807a4ba4da376a6ebbc:180388797004", "ldt:f07ebcd9d8134ee0a0f918945adce610:60130986422", "ldt:f07ebcd9d8134ee0a0f918945adce610:60132252838", "ldt:6e9d3f6e1a0b4807a4ba4da376a6ebbc:180391698520", "ldt:f07ebcd9d8134ee0a0f918945adce610:60135750172", "ldt:6e9d3f6e1a0b4807a4ba4da376a6ebbc:180392568360", "ldt:6e9d3f6e1a0b4807a4ba4da376a6ebbc:180393439796", "ldt:6e9d3f6e1a0b4807a4ba4da376a6ebbc:180395120976", "ldt:f07ebcd9d8134ee0a0f918945adce610:60136097348", "ldt:f07ebcd9d8134ee0a0f918945adce610:60137031658" ] | A maximum of 1000 records can be processed in one API call. |
Sample API Response:
{ "meta": { "query_time": 0.007152826, "powered_by": "legacy-detects", "trace_id": "be79e912-2300-42b4-9e1c-f315c2afe9e1" }, "resources": [ { "cid": "c17f3a80ded0418eb107db3d26a27983", "created_timestamp": "2023-05-05T18:36:32.165672843Z", "detection_id": "ldt:f92fddba4189497b959283d96c078c39:240923307930", "device": { "device_id": "f92fddba4189497b959283d96c078c39", "cid": "c17f3a80ded0418eb107db3d26a27983", "agent_load_flags": "0", "agent_local_time": "2023-03-28T16:13:55.025Z", "agent_version": "6.52.16606.0", "bios_manufacturer": "LENOVO", "bios_version": "N14ET48W (1.26 )", "config_id_base": "65994753", "config_id_build": "16606", "config_id_platform": "3", "external_ip": "144.253.103.82", "hostname": "LGOODSELL-TEST", "first_seen": "2022-02-07T15:50:35Z", "last_seen": "2023-05-05T17:55:50Z", "local_ip": "192.168.1.24", "mac_address": "34-02-86-57-99-82", "major_version": "10", "minor_version": "0", "os_version": "Windows 10", "platform_id": "0", "platform_name": "Windows", "product_type": "1", "product_type_desc": "Workstation", "status": "normal", "system_manufacturer": "LENOVO", "system_product_name": "20BS0031US", "groups": [ "3990bfdee0a644fead26bf973a40d6ba" ], "modified_timestamp": "2023-05-05T17:57:19Z" }, "behaviors": [ { "device_id": "f92fddba4189497b959283d96c078c39", "timestamp": "2023-05-05T18:36:23Z", "behavior_id": "5785", "filename": "rundll32.exe", "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\rundll32.exe", "alleged_filetype": "exe", "cmdline": "rundll32.exe AppXDeploymentExtensions.OneCore.dll,ShellRefresh", "scenario": "known_malware", "objective": "Falcon Detection Method", "tactic": "Custom Intelligence", "tactic_id": "CSTA0005", "technique": "Indicator of Compromise", "technique_id": "CST0005", "display_name": "IOCPolicySHA256Critical", "description": "Your IOC management action for this SHA256 hash is set to detect and/or block", "severity": 90, "confidence": 100, "ioc_type": "hash_sha256", "ioc_value": 
"b53f3c0cd32d7f20849850768da6431e5f876b7bfa61db0aa0700b02873393fa", "ioc_source": "library_load", "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\rundll32.exe", "user_name": "Safebreach-Testing", "user_id": "S-1-5-21-817438771-1587030272-1855951177-1073", "control_graph_id": "ctg:f92fddba4189497b959283d96c078c39:240923307930", "triggering_process_graph_id": "pid:f92fddba4189497b959283d96c078c39:3634948035040", "sha256": "b53f3c0cd32d7f20849850768da6431e5f876b7bfa61db0aa0700b02873393fa", "md5": "ef3179d498793bf4234f708d3be28633", "parent_details": { "parent_sha256": "643ec58e82e0272c97c2a59f6020970d881af19c0ad5029db9c958c13b6558c7", "parent_md5": "f586835082f632dc8d9404d83bc16316", "parent_cmdline": "C:\\WINDOWS\\system32\\svchost.exe -k wsappx -p -s AppXSvc", "parent_process_graph_id": "pid:f92fddba4189497b959283d96c078c39:3634313213300" }, "pattern_disposition": 0, "pattern_disposition_details": { "indicator": false, "detect": false, "inddet_mask": false, "sensor_only": false, "rooting": false, "kill_process": false, "kill_subprocess": false, "quarantine_machine": false, "quarantine_file": false, "policy_disabled": false, "kill_parent": false, "operation_blocked": false, "process_blocked": false, "registry_operation_blocked": false, "critical_process_disabled": false, "bootup_safeguard_enabled": false, "fs_operation_blocked": false, "handle_operation_downgraded": false, "kill_action_failed": false, "blocking_unsupported_or_disabled": false, "suspend_process": false, "suspend_parent": false } }, { "device_id": "f92fddba4189497b959283d96c078c39", "timestamp": "2023-05-05T18:36:23Z", "behavior_id": "5319", "filename": "rundll32.exe", "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\rundll32.exe", "alleged_filetype": "exe", "cmdline": "rundll32.exe AppXDeploymentExtensions.OneCore.dll,ShellRefresh", "scenario": "intel_detection", "objective": "Falcon Detection Method", "tactic": "Custom Intelligence", "tactic_id": "CSTA0005", "technique": 
"Indicator of Compromise", "technique_id": "CST0005", "display_name": "CustomIOCHashCritical", "description": "A SHA256 hash matched a Custom Intelligence Indicator (Custom IOC) with critical severity.", "severity": 90, "confidence": 100, "ioc_type": "hash_sha256", "blocking_unsupported_or_disabled": false, "suspend_process": false, "suspend_parent": false } } ], "email_sent": true, "first_behavior": "2023-05-05T18:36:23Z", "last_behavior": "2023-05-05T18:36:23Z", "max_confidence": 100, "max_severity": 90, "max_severity_displayname": "Critical", "show_in_ui": true, "status": "new", "hostinfo": { "domain": "" }, "seconds_to_triaged": 0, "seconds_to_resolved": 0, "behaviors_processed": [ "pid:f92fddba4189497b959283d96c078c39:3634948035040:5785", "pid:f92fddba4189497b959283d96c078c39:3634948035040:5319" ], "date_updated": "2023-05-05T18:39:34Z" } ], "errors": [] }
Pull Indicators from IoC Management
Endpoint: /iocs/combined/indicator/v1
Method: GET
Headers:
Key | Value |
---|---|
User-Agent | netskope-ce-5.0.1-cte-crowdstrike/2.1.1 |
Authorization | Bearer <Bearer Token> |
Parameters:
Key | Value | Description |
---|---|---|
limit | 2000 | Max limit for 1 page. |
offset | Empty string for the first API call; add the limit for subsequent calls (offset += limit). | The offset to start retrieving records from. |
after | WzE2NjU1MTQ1MDQzODYsIjEzM2U2YzUwNjA5NzJjYmEyY2UwODg2ODQ3MzRiMzc1ZTZkZGFlMzNjNTlmNzJhYjFkZmQ0NTlmNmVhY2QzMWYiXQ== | A pagination token used with the limit parameter to manage pagination of results. On your first request, don't provide an 'after' token. On subsequent requests, provide the 'after' token from the previous response to continue from that place in the results. To access more than 10k indicators, use the 'after' parameter instead of 'offset'. |
filter | type:['md5','sha256','domain','ipv4','ipv6'] + modified_on:>'2023-07-08T01:01:41Z' | Perform filtering on the basis of indicator type and the modified time of the indicator. |
sort | modified_on | Sort indicators on modified time. |
Sample API Response:
{ "meta": { "query_time": 0.035081512, "pagination": { "limit": 1, "total": 640, "offset": 1, "after": "WzE2ODkyNjE2NjI2MjcsIjM4MDI2Yzk5MzQ1ZGI5NDE4NGMwYTY3MTIwOGUwZGQwNWY4NmNjNzlhMmI2NTRjNTVjNzg0NTQ5YzZiYmMxNzAiXQ==" }, "powered_by": "ioc-manager", "trace_id": "0dddfbcf-e93f-4ae0-b143-6c79912224cb" }, "errors": null, "resources": [ { "id": "38026c99345db94184c0a671208e0dd05f86cc79a2b654c55c784549c6bbc170", "type": "md5", "value": "00000d9007e7a6b0842e802957137079", "source": "Netskope_CSPlugin_v3", "action": "detect", "severity": "high", "metadata": { "filename": "unused" }, "platforms": [ "windows" ], "expired": false, "deleted": false, "applied_globally": true, "from_parent": false, "created_on": "2023-07-13T15:21:02.627637187Z", "created_by": "cc5fc723039543d29a796a349d2f1525", "modified_on": "2023-07-13T15:21:02.627637187Z", "modified_by": "cc5fc723039543d29a796a349d2f1525" } ] }
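A worked pull loop for the endpoint above, using the 'after' cursor rather than 'offset' so it keeps working past 10k indicators. This is an added example, not the plugin's code. The HTTP call is injected as a `fetch_page(params)` callable so the block runs offline against a constructed stand-in for GET /iocs/combined/indicator/v1 (`FakeIocManager`, which mimics only the meta.pagination.after / resources shape of the sample response); in real use you would pass a function that performs the GET with the documented headers. The filter string follows the `type:[...]+modified_on:>'...'` form shown in the parameter table; `build_headers` and the stale-cursor guard are my additions.

```python
"""Cursor-based pull from IoC Management (added example)."""
import base64
import json

USER_AGENT = "netskope-ce-5.0.1-cte-crowdstrike/2.1.1"  # format documented on this page


def build_headers(bearer_token):
    """Headers the page lists for every authenticated call."""
    return {"User-Agent": USER_AGENT, "Authorization": f"Bearer {bearer_token}"}


def build_filter(types, modified_after):
    """FQL filter: indicator types plus a modified_on lower bound."""
    quoted = ",".join(f"'{t}'" for t in types)
    return f"type:[{quoted}]+modified_on:>'{modified_after}'"


def pull_ioc_management(fetch_page, types, modified_after, limit=2000):
    """Yield every indicator matching the filter, following the 'after' cursor.

    fetch_page(params) must return the parsed JSON body of one GET request.
    Stops on the first short page or a missing cursor, raises on API errors,
    and refuses to loop forever if the server hands back the same cursor twice.
    """
    params = {"limit": limit, "sort": "modified_on",
              "filter": build_filter(types, modified_after)}
    seen_cursors = set()
    after = None
    while True:
        if after:
            params["after"] = after
        page = fetch_page(dict(params))
        if page.get("errors"):
            raise RuntimeError(f"CrowdStrike returned errors: {page['errors']}")
        resources = page.get("resources") or []
        yield from resources
        after = ((page.get("meta") or {}).get("pagination") or {}).get("after")
        if not after or len(resources) < limit:
            return
        if after in seen_cursors:
            raise RuntimeError("pagination cursor did not advance; aborting")
        seen_cursors.add(after)


class FakeIocManager:
    """Constructed stand-in for the endpoint (not CrowdStrike's code).

    The cursor is a base64 JSON list holding the next start index, which is
    the visible shape of the documented 'after' tokens; the real encoding is
    opaque and must not be relied upon.
    """

    def __init__(self, records):
        self.records = records
        self.calls = []  # every params dict received, for inspection

    def __call__(self, params):
        self.calls.append(params)
        limit = int(params["limit"])
        start = 0
        if params.get("after"):
            start = json.loads(base64.b64decode(params["after"]).decode())[0]
        chunk = self.records[start:start + limit]
        nxt = start + len(chunk)
        after = None
        if nxt < len(self.records):
            after = base64.b64encode(json.dumps([nxt]).encode()).decode()
        return {
            "meta": {"pagination": {"limit": limit, "total": len(self.records),
                                    "after": after}},
            "errors": None,
            "resources": chunk,
        }


# Constructed sample set: 25 md5 records, enough for three pages of 10.
SAMPLE_RECORDS = [
    {"id": f"id-{i:02d}", "type": "md5", "value": f"{i:032x}",
     "source": "Netskope_CSPlugin_v3", "modified_on": "2023-07-13T15:21:02Z"}
    for i in range(25)
]


def demo(limit=10):
    """Run the pull against the fake server; returns (indicators, request_count)."""
    server = FakeIocManager(SAMPLE_RECORDS)
    got = list(pull_ioc_management(server, ["md5", "sha256"],
                                   "2023-07-08T01:01:41Z", limit=limit))
    return got, len(server.calls)


if __name__ == "__main__":
    indicators, requests_made = demo()
    print(f"pulled {len(indicators)} indicators in {requests_made} requests")
```

The `len(resources) < limit` stop condition saves one empty round trip on an exact multiple, and the stale-cursor check turns a misbehaving pagination response into a loud failure instead of a silent infinite poll.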
Match IOC Existence on IoC Management
API Endpoint: /iocs/combined/indicator/v1
Method: GET
Headers:
Key | Value |
---|---|
User-Agent | netskope-ce-5.0.1-cte-crowdstrike/2.1.1 |
Authorization | Bearer <Bearer Token> |
Parameters:
Key | Value |
---|---|
limit | 2000 |
filter | Value: [<IOC Values>] |
Sample API Response:
{ "meta": { "query_time": 0.022017219, "pagination": { "limit": 100, "total": 1, "offset": 1, "after": "WzE3MTI1NjE2NTU2MzIsImY4NjU1ZDM2OTJiNDllNjVhNWEzMmRmYTM4N2QzZTI3NTk3NTRhOGI0Y2ZjNDI0YzhmODBmZDY1NzZjMGJjOGEiXQ==" }, "powered_by": "ioc-manager", "trace_id": "8ab48640-e2ef-4cf0-b631-d33f897defb1" }, "errors": null, "resources": [ { "id": "f8655d3692b49e65a5a32dfa387d3e2759754a8b4cfc424c8f80fd6576c0bc8a", "type": "md5", "value": "4309e189b0e68c2c0f554dd4202d00bd", "source": "Netskope_CSPlugin_v3", "action": "detect", "severity": "high", "metadata": { "filename": "testpdv_5e67ccdec797303d7973900c3c1ed399_4309e189b0e68c2c0f554dd4202d00bd_1712561301_sha256-blacklist-sample.txt" }, "platforms": [ "windows" ], "expired": false, "deleted": false, "applied_globally": true, "from_parent": false, "created_on": "2024-04-04T15:42:22.809754471Z", "created_by": "cc5fc723039543d29a796a349d2f1525", "modified_on": "2024-04-08T07:34:15.632004689Z", "modified_by": "cc5fc723039543d29a796a349d2f1525" } ] }
Update Indicator on IoC Management
API Endpoint: /iocs/entities/indicators/v1
Method: PATCH
Headers:
Key | Value |
---|---|
User-Agent | netskope-ce-5.0.1-cte-crowdstrike/2.1.1 |
Authorization | Bearer <Bearer Token> |
Payload:
Key | Value | Description |
---|---|---|
indicators | [{ "id": "f8655d3692b49e65a5a32dfa387d3e2759754a8b4cfc424c8f80fd6576c0bc8a", "source": "Netskope_CSPlugin_v3", "action": "no_action", "platforms": ["windows"], "applied_globally": true, "severity": "critical", "tags": ["netskope-ce"], "type": "md5", "description": "This is a test indicator.", "value": "4309e189b0e68c2c0f554dd4202d00bd" }] | List of dictionaries containing indicator payloads. |
comment | Indicators updated from Netskope Cloud Exchange. |
Sample API Response:
{ "meta": { "query_time": 0.253615007, "pagination": { "limit": 0, "total": 1 }, "powered_by": "ioc-manager", "trace_id": "8dd3a607-8bec-46f5-a79c-9692d6d92818" }, "errors": null, "resources": [ { "id": "f8655d3692b49e65a5a32dfa387d3e2759754a8b4cfc424c8f80fd6576c0bc8a", "type": "md5", "value": "4309e189b0e68c2c0f554dd4202d00bd", "source": "Netskope_CSPlugin_v3", "action": "no_action", "severity": "critical", "description": "This is a test indicator.", "metadata": { "filename": "testpdv_5e67ccdec797303d7973900c3c1ed399_4309e189b0e68c2c0f554dd4202d00bd_1712565995_sha256-blacklist-sample.txt" }, "platforms": [ "windows" ], "tags": [ "netskope-ce" ], "expired": false, "deleted": false, "applied_globally": true, "from_parent": false, "created_on": "2024-04-04T15:42:22.809754471Z", "created_by": "cc5fc723039543d29a796a349d2f1525", "modified_on": "2024-04-08T08:52:28.142410877Z", "modified_by": "61794791c7554fecab6a975090f98f6d" } ] }
Push Indicator to IoC Management
API Endpoint: /iocs/entities/indicators/v1
Method: POST
Headers:
Key | Value |
---|---|
User-Agent | netskope-ce-5.0.1-cte-crowdstrike/2.1.1 |
Authorization | Bearer <Bearer Token> |
Data:
Key | Value | Description |
---|---|---|
indicators | [ { "action": "allow", "applied_globally": true, "description": "This is a test indicator from netskope.", "platforms": [ "linux" ], "severity": "High", "source": "Netskope – Cloud Threat Exchange | netskope", "tags": [ "netskope" ], "type": "md5", "value": "d60fbc101972fe1ed086fdf05b520dfa" } ] | List of dictionaries containing indicator payloads. |
comment | Indicators shared from Netskope Cloud Exchange. |
Get Host IDs from Indicator Value
API Endpoint: /indicators/queries/devices/v1
Method: GET
Headers:
Key | Value |
---|---|
User-Agent | netskope-ce-5.0.1-cte-crowdstrike/2.1.1 |
Authorization | Bearer <Bearer Token> |
Parameters:
Key | Value | Description |
---|---|---|
type | md5 | Indicator types possible values are sha256, md5, domain, ipv4 and ipv6 |
value | 4309e189b0e68c2c0f554dd4202d00bd | Hash or Actual IoC Value |
limit | 100 | Max limit for hosts |
offset | "" | Empty string, or the offset returned by the previous API call |
Sample API Response:
{ "meta": { "query_time": 6.8e-8, "pagination": { "offset": "", "limit": 100 }, "trace_id": "2039578c-1e94-4e56-a2c7-58bea1c12857", "entity": "/devices/entities/devices/v1{?ids*}" }, "resources": [ "9d4f598cec024ac2bf3c5e2afdc69129", "331c40581b7a4d4a81863bf630edc868" ], "errors": [] }
Perform Isolate/Remediate Action
API Endpoint: /devices/entities/devices-actions/v2
Method: POST
Headers:
Key | Value |
---|---|
User-Agent | netskope-ce-5.0.1-cte-crowdstrike/2.1.1 |
Authorization | Bearer <Bearer Token> |
Payload:
Key | Value |
---|---|
action_parameters | [ { "name": "unhide_host", "value": "unhide_host" } ] |
ids | [<Host IDs>] |
Sample API Response:
{ "meta": { "query_time": 17.960566309, "powered_by": "device-api", "trace_id": "d7fa97da-83c3-4349-b870-e19d85983605" }, "resources": [ { "id": "331c40581b7a4d4a81863bf630edc868", "path": "/devices/entities/devices/v1" } ], "errors": [] }
Note
In the plugin, the Isolate/Remediate action is performed in batches: for contain and lift containment the batch size is 5000, and for hide_host and unhide_host the batch size is 100.
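How the batching in the note above can be applied to the devices-actions payload shown in the table. This is an added example, not the plugin's code: it deduplicates the host IDs, rejects action names outside the four the page describes, and splits the IDs into request bodies of the documented batch size. The action-name strings `contain` and `lift_containment` are my assumed spellings for the two containment actions (the page names only hide_host and unhide_host literally), and the body shape follows the `action_parameters` / `ids` table on this page.

```python
"""Batch host IDs for the Isolate/Remediate device actions (added example)."""

# Batch sizes from the note above; containment actions take 5000 hosts per
# request, hide/unhide take 100. Action spellings for containment are assumed.
BATCH_SIZES = {
    "contain": 5000,
    "lift_containment": 5000,
    "hide_host": 100,
    "unhide_host": 100,
}


def build_action_batches(action, host_ids):
    """Return a list of request bodies, one per batch, for the given action.

    Raises ValueError for unsupported actions so a typo cannot silently turn
    into a different device action.
    """
    if action not in BATCH_SIZES:
        raise ValueError(f"unsupported device action: {action!r}")
    size = BATCH_SIZES[action]
    # Deduplicate while preserving order: hosts found via several IoCs must
    # not be acted on twice in one run.
    unique_ids = list(dict.fromkeys(h for h in host_ids if h))
    return [
        {
            "action_parameters": [{"name": action, "value": action}],
            "ids": unique_ids[i:i + size],
        }
        for i in range(0, len(unique_ids), size)
    ]


if __name__ == "__main__":
    # Constructed host IDs; real ones come from /indicators/queries/devices/v1.
    sample_hosts = [f"host{i:04d}" for i in range(250)]
    for body in build_action_batches("hide_host", sample_hosts):
        print(len(body["ids"]), "hosts in this hide_host request")
```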
User Agent
The user-agent added in this plugin is in the following format:
<vendor>-<integration name>/<version>
For example:
netskope-ce-5.0.1-cte-crowdstrike/2.1.1
Workflow
- Create a custom File Profile.
- Create a Malware Detection Profile.
- Create a Real-time Protection Policy.
- Get your CrowdStrike API credentials.
- Configure the CrowdStrike Plugin.
- Configure sharing between Netskope and CrowdStrike.
- Validate the CrowdStrike Plugin.
Create a Secure Web Gateway Custom File Profile for CrowdStrike
- In the Netskope UI, go to Policies , select File , and click New File Profile.
- Click File Hash in the left panel, select SHA256 from the File Hash dropdown list.
- Enter a temporary value in the text field. Netskope does not support progressing without having a value in this field, and recommends entering a string of 64 characters that consists of the character f. For example, ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff. This will have a very low possibility of matching a valid file format.
- Click Next.
- Enter a Profile Name and a Description. We recommend not having blank spaces in your profile name; use underscores for spaces.
- Click Save.
- To publish this profile into the tenant, click Apply Changes in the top right.
Create a Malware Detection Profile for CrowdStrike
- In the Netskope UI, go to Policies, select Threat Protection , and click New Malware Detection Profile.
- Click Next.
- Click Next again.
- Select the File Profile you created in the previous section and click Next.
- Enter a Malware Detection Profile name and click Save Malware Detection Profile.
- To publish this profile in the tenant, click Apply Changes in the top right.
Create a Real-time Threat Protection Policy for CrowdStrike
These instructions apply to the new Real-time Protection policy workflow.
- In the Netskope UI, go to Policies > Real-time Protection.
- Click New Policy and select Threat Protection.
- For Source, leave the default (User = All Users)
- For Destination: select Category
- The Category section expands and allows you to search and select categories. Click Select All. When finished, click outside of the Category section.
- When the Activities & Constraints section opens, click Edit.
- Select Upload and Download, and then click Save.
- For Profile & Action, click in the text field.
- Select the Malware Detection profile you created in the previous section.
- For the Severity Levels, change all of the Actions settings from Action: Alert to Action: Block.
- Select a template to choose which block message is sent to the user.
- For Set Policy, enter a descriptive Policy Name.
- Click Save in the top right to save the policy.
- Choose the To the top option when it appears (or the appropriate location in your security policy).
- To publish this policy into the tenant, select Apply Changes in the top right.
Get your CrowdStrike Client ID and Client Secret
- Log in to your CrowdStrike platform and go to Support and Resources > API Client and Keys.
- Click Create API Client. Add the Client name and provide the scopes listed below.
API Scopes permissions
Scope | Read | Write |
---|---|---|
Detections | Yes | No |
IoC Management | Yes | Yes |
Hosts | Yes | Yes |
IoCs (Indicators of Compromise) | Yes | No |
- Copy the Client ID and Secret, and then click Create.
Get your Host ID for the Isolate/Remediate Hosts Action
To perform the Isolate/Remediate Hosts action, the IoCs you want to act on must be associated with hosts on the CrowdStrike platform; equivalently, the host you want to act on must have IoCs associated with it. To check this, follow these steps:
- Copy the IoC that you want to use for performing the Isolate/Remediate action.
- Go to the CrowdStrike platform and search the IoC on CrowdStrike’s Endpoint Detection page from the top left menu’s Endpoint Security.
- You’ll see the matching detections listed. Click any one of the listed detections, and then click See Full Detection at the bottom of the page.
- Go to details, and scroll down to Hosts, you will find the host ID. Copy the Host ID.
Configure the CrowdStrike Plugin
- In Cloud Exchange, go to Settings > Plugins.
- Search for and select the CTE CrowdStrike plugin to open the plugin configuration pages.
- Enter the Basic Information:
- Configuration Name: Plugin configuration name.
- Sync Interval: Interval to fetch data from this plugin source.
- Aging Criteria: Expire indicators after a specific time.
- Override Reputation: Set value to override reputation of indicators received from this configuration. Leave empty to keep default.
- Enable SSL Validation: Enable SSL Certificate validation.
- Use System Proxy: Use system proxy configured in Settings.
- Click Next.
- Enter the Configuration Parameters:
- Base URL: Base URL of CrowdStrike instance, like https://api.crowdstrike.com.
- Client ID: Client ID generated from the CrowdStrike platform.
- Client Secret: Client Secret generated from the CrowdStrike platform.
- Enable Polling: Enable/Disable polling Threat IoCs from CrowdStrike. Disable if you only need to push Threat IoCs to CrowdStrike.
- Indicator Source Page: The source page from which plugin should pull the indicators.
- Type of Threat data to pull: Type of Threat data to pull. Allowed values are SHA256, MD5, Domain, IPv4 and IPv6.
- Initial Range: Number of days Threat IoCs to pull in the initial run.
- Indicator Batch Size: Number of indicators shared with CrowdStrike in one API request. Reduce it if sharing fails with 500 Server errors (see Troubleshooting).
- IoC Source: This field indicates the origin of the Threat IoC on the CrowdStrike IoC Management Page. If left blank, it defaults to Netskope – Cloud Threat Exchange. Otherwise, specify a value that will be displayed as Netskope – Cloud Threat Exchange | <IoC Source Value>. Limited to 200 characters.
Note that IoCs present on the IoC Management and Endpoint Detection pages in the CrowdStrike UI won’t be pulled if their source starts with Netskope – Cloud Threat Exchange.
- Click Save.
Configure a Threat Exchange Business Rule for CrowdStrike
A Business Rule is used to filter out the indicators that are to be shared. In order to share IoCs with CrowdStrike, create a business rule using these steps:
- Go to Threat Exchange > Business Rules and click Create New Rule.
- Add the Rule name and select the fields through which you want to filter the IoCs.
- Click Save.
Configure Threat Exchange Sharing for CrowdStrike
CrowdStrike v2.0.2 supports performing Remediate and Isolate actions on the Hosts. This plugin also updates the already shared Indicators on CrowdStrike when reshared.
CrowdStrike Actions
Perform Action
- No Action: Save the indicator for future use, but take no action. No severity is required.
- Allow: This applies to hashes only. Allow the indicator and do not detect it. Severity does not apply and should not be provided.
- Block, Hide Detection: This applies to hashes only. Block and detect the indicator, but hide it from Endpoint security > Monitor > Endpoint detections. Has a default severity value.
- Block: This applies to hashes only. Add the indicator to the Block list using which the prevention policy will block the processes on the host from which this indicator is generated.
- Detect Only: Show it as detection and take no action on it.
Isolate/Remediate Hosts
- Contain: Contains the host and stops any network communications to locations other than the CrowdStrike cloud and IPs specified in your containment policy.
- Lift Containment: Lifts containment on the host and returns its network communications to normal.
- Hide Host: Deletes a host. After the host is deleted, no new detections for the host will be reported via the UI or API. A maximum of 100 hosts can be hidden at a time.
- Unhide Host: Restores a host if deleted. Detection reporting resumes after the host is restored.
To configure sharing:
- Go to Threat Exchange > Sharing and click Add Sharing Configuration.
- Select Source configuration (Source from which you want to share data to CrowdStrike), select a Business Rule, and Destination.
- Select a Target value and Action type.
- Click Save.
Validate the CrowdStrike Plugin
Validate the Pull
Indicators from CrowdStrike are pulled from these pages:
- Endpoint security > Endpoint Detection
- Endpoint security > IOC Management
Note:
- IoCs that have a Source other than Netskope – Cloud Threat Exchange will be pulled from CrowdStrike.
- In the CrowdStrike UI, Netskope – Cloud Threat Exchange will be displayed as Netskope Cloud Threat Exchange.
Indicators stored in Cloud Exchange can be verified at Threat Exchange > Threat IoCs. Search the CrowdStrike IoCs by filtering indicators from CrowdStrike.
Example: Add a query on the Threat IoCs page like sources.source Is equal "CTE CrowdStrike" && type IN ("<IOC_TYPE>")
You can also verify the indicators pulled in Cloud Exchange from the logs available at Logging in Netskope Cloud Exchange.
CTE CrowdStrike [CTE CrowdStrike]: Successfully fetched 1 indicator(s) for 1 detection id(s) from CrowdStrike Endpoint Detections in total 1 pages.
CTE CrowdStrike [CTE CrowdStrike]: Successfully fetched 99999 indicator(s) from CrowdStrike Custom IOC Management in total 50 pages.
Validate the Push
Shared IoCs to CrowdStrike can be verified from the logs available at Logging in Netskope Cloud Exchange.
Note that if the IoCs are already present on CrowdStrike, they will be updated.
CTE CrowdStrike [CTE CrowdStrike]: Successfully shared 4 indicator(s) with CrowdStrike Custom IOC Management. 0 indicator(s) failed to be shared.
CTE CrowdStrike [CTE CrowdStrike]: Successfully filtered 4 indicators out of 5, received from the business rule.
IoCs shared on CrowdStrike can be verified from the Endpoint security > IoC Management page.
IoCs shared to perform isolate/remediate host action on the specific host on CrowdStrike can be verified from Endpoint security > Host Management.
Search the host ID for which the action has been performed and check the Containment Status. Currently, the Status of the Host is Lift Containment.
Add sharing to perform “Contain” Operation on the host. After sharing has been initiated, go to logging and search for “Successfully executed”.
Go back to the CrowdStrike platform and check if the status has been changed or not. Follow the same steps for other Isolate/Remediate actions.
Troubleshooting
Receiving the same IoC from the CrowdStrike Endpoint Detection page that was shared to CrowdStrike’s Custom IoC Management page with action “Detect Only” (loopback issue)
This is the loopback issue.
What to do:
Update the plugin to the latest version (2.1.1), in which the issue is addressed.
Receiving an error while configuring the plugin
You are facing an issue while configuring the CrowdStrike plugin.
What to do:
Make sure the correct credentials are provided and that the generated credentials have the needed permissions. Follow the steps above to generate credentials and add permissions.
Unable to pull data from the CrowdStrike Platform
If you are facing an issue while pulling the data from the CrowdStrike plugin, follow these steps:
What to do:
- Go to the Cloud Exchange Logging page. Verify if any error has occurred, and then fix it.
- Go to the CrowdStrike UI to verify if the Client ID/Secret are present, and not expired.
Receiving an error while updating the plugin using the plugin repository
If you are facing an issue updating the configured CrowdStrike plugin, follow these steps:
What to do:
- Close the plugin repo page once you pull and download the plugin updates.
- Go to the Threat Exchange > Plugins.
- To edit the plugin, go to the Configuration Parameter page and remove the selected value from the Type of Threat Data to pull field, and then select the IoC type that you want to pull.
- Select the source page from the Indicator Source Page dropdown.
- Click Save.
- Click on the enable plugin icon and enable the plugin. The plugin will be updated with the latest changes and start working as expected.
Receiving error 500 Server error while updating/sharing the IOCs to CrowdStrike
If you receive a 500 Server error in the logs while sharing IOCs to CrowdStrike, it might be because the batch size provided in the plugin configuration for sharing is too large.
What to do: Change the batch size for sharing in the plugin configuration by following these steps:
- Edit the CrowdStrike plugin from Threat Exchange > Plugins.
- Reduce the Indicator Batch size parameter and save the plugin.
Not able to share IoCs from Netskope Cloud Exchange to CrowdStrike Plugin
If you are not able to share IoCs from Netskope to CrowdStrike, that could be due to one of these reasons:
- The IoCs present for the Netskope plugin are of an invalid type.
- Proper Permissions are not set for the Client ID, Client Secret for CrowdStrike.
What to do:
- Make sure that valid types of IoCs are present.
- Make sure that all the needed permissions are set for Client ID and Client Secret for CrowdStrike.
Known Behavior
CrowdStrike supports at most 1M IoCs on the IoC Management page, so if the page has already exceeded that limit, IoCs won’t be shared from Netskope Cloud Exchange and the user will first have to delete existing IoCs.
Known Issue
When sharing file hashes with CrowdStrike IoC Management, previously deleted file hashes may cause issues. If a user deletes file hashes for any reason and they are successfully removed from the UI and not returned via the GET /iocs/combined/indicator/v1 endpoint, the plugin will treat them as new indicators. Consequently, it will attempt to share them using the POST /iocs/entities/indicators/v1 endpoint. This results in a 409 Conflict error due to the hash pairs already existing in the system, as indicated by the following API response:
{ "meta": { "query_time": 24.138019618, "powered_by": "ioc-manager", "trace_id": "bc6c0a83-b883-4289-8d1e-d9ad37aec273" }, "errors": [ { "code": 409, "message": "type sha256 and value 7440f5212e00eaa2b9425e0cb29f7e92c481e82a9cefc313177aa61fbb9e8a60 pair already exists." }, { "code": 409, "message": "type md5 and value 328f95a67c92885fbaf9946c913149bd pair already exists." }, { "code": 409, "message": "type sha256 and value e8ce6cee6554f2699605da7a59abe4ff81d96c5f2e4066e2314ddac92363fdd3 pair already exists." } ], "resources": [] }
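A parser for the 409 response above, so that conflicting hash pairs are surfaced per indicator instead of being lost in a generic "failed to share" count. This is an added example, not the plugin's code: it splits the push result into indicators CrowdStrike created, indicators whose (type, value) pair already existed, and any other errors. The response body is the one documented above; the list of submitted indicators is constructed. Which conflicting pairs to then re-check via the match-existence call or update via the PATCH endpoint is an operational decision this example leaves to the caller.

```python
"""Classify a push response from POST /iocs/entities/indicators/v1 (added example)."""
import re

# Message format seen in the documented 409 response.
CONFLICT_RE = re.compile(
    r"type (?P<type>[a-z0-9_]+) and value (?P<value>\S+) pair already exists\."
)


def split_push_result(response, submitted):
    """Return (created, conflicted, other_errors).

    created:      resources CrowdStrike reports as stored
    conflicted:   submitted indicators whose type/value pair already existed
    other_errors: error objects that are not the documented 409 conflict
    """
    conflicting_pairs = set()
    other_errors = []
    for err in response.get("errors") or []:
        match = CONFLICT_RE.fullmatch(err.get("message", ""))
        if err.get("code") == 409 and match:
            conflicting_pairs.add((match["type"].lower(), match["value"].lower()))
        else:
            other_errors.append(err)
    created = list(response.get("resources") or [])
    conflicted = [
        ind for ind in submitted
        if (ind["type"].lower(), ind["value"].lower()) in conflicting_pairs
    ]
    return created, conflicted, other_errors


# Documented 409 response (from the Known Issue above).
SAMPLE_409_RESPONSE = {
    "meta": {"query_time": 24.138019618, "powered_by": "ioc-manager",
             "trace_id": "bc6c0a83-b883-4289-8d1e-d9ad37aec273"},
    "errors": [
        {"code": 409, "message": "type sha256 and value 7440f5212e00eaa2b9425e0cb29f7e92c481e82a9cefc313177aa61fbb9e8a60 pair already exists."},
        {"code": 409, "message": "type md5 and value 328f95a67c92885fbaf9946c913149bd pair already exists."},
        {"code": 409, "message": "type sha256 and value e8ce6cee6554f2699605da7a59abe4ff81d96c5f2e4066e2314ddac92363fdd3 pair already exists."},
    ],
    "resources": [],
}

# Constructed list of what the push sent; the fourth entry did not conflict.
SUBMITTED = [
    {"type": "sha256", "value": "7440f5212e00eaa2b9425e0cb29f7e92c481e82a9cefc313177aa61fbb9e8a60", "action": "detect"},
    {"type": "md5", "value": "328f95a67c92885fbaf9946c913149bd", "action": "detect"},
    {"type": "sha256", "value": "e8ce6cee6554f2699605da7a59abe4ff81d96c5f2e4066e2314ddac92363fdd3", "action": "detect"},
    {"type": "md5", "value": "00000d9007e7a6b0842e802957137079", "action": "detect"},
]

if __name__ == "__main__":
    created, conflicted, other = split_push_result(SAMPLE_409_RESPONSE, SUBMITTED)
    print(f"created={len(created)} conflicted={len(conflicted)} other_errors={len(other)}")
    for ind in conflicted:
        print("already exists:", ind["type"], ind["value"])
```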