CrowdStrike Plugin for Threat Exchange

This document explains how to configure the CrowdStrike integration with the Cloud Threat Exchange module of the Netskope CE platform. This CrowdStrike v2.0.0 plugin integration allows you to pull indicators of type SHA256, MD5, IPv4, IPv6, and Domain from CrowdStrike’s Endpoint Detection and IoC Management pages. This plugin also supports sharing of the indicators to CrowdStrike’s Custom IoC.

Prerequisites

To complete this configuration, you need:

• A Netskope tenant (or multiple, for example, production and development/test instances) that is already configured in Cloud Exchange.
• A Secure Web Gateway subscription for URL sharing.
• A Threat Protection subscription for malicious file hash sharing.
• A Netskope Cloud Exchange tenant with the Threat Exchange module already configured.
• A CrowdStrike instance.
• Connectivity to any one of the following hosts:
  • Commercial cloud (api.crowdstrike.com)
  • US 2 (api.us-2.crowdstrike.com)
  • Falcon on GovCloud (api.laggar.gcw.crowdstrike.com)
  • EU cloud (api.eu-1.crowdstrike.com)

CrowdStrike Plugin Support

Fetched indicator types	SHA256, MD5, Domain, IPv4, IPv6
Shared indicator types	SHA256, MD5, Domain, IPv4, IPv6

Permissions

API Scopes permissions

Scope	Read	Write
Detections	Yes	No
IOC Management	Yes	Yes
Hosts	Yes	Yes
IOCs(Indicators of Compromise)	Yes	No

Performance Matrix

Below is the performance reading conducted by pulling and sharing 100K indicators from/to CrowdStrike on a Large CE Stack with the below specifications

Stack details	Size: Large RAM: 32 GB CPU: 16 Cores
Indicators fetched from CrowdStrike	~14K per minute
Indicators shared with CrowdStrike	~3K per minute

API Details

List of APIs used

Use Case	Method	Endpoint	API Scope
Get auth token	POST	/oauth2/token	None
Pull detection ids from Endpoint Detections	GET	/detects/queries/detects/v1	Detections (Read)
Pull detection details	POST	/detects/entities/summaries/GET/v1	Detections (Read)
Pull indicators from Custom IOC Management and check the existence of indicators on IOC Management	GET	/iocs/combined/indicator/v1	IOC Management (Read)
Push indicators to Custom IOC Management	POST	/iocs/entities/indicators/v1	IOC Management (Write)
Pull the host IDs from the indicator value for the Isolate/Remediate action	GET	indicators/queries/devices/v1	IOCs (Indicators of Compromise) (Read)
Perform Isolate/Remediate action	POST	/devices/entities/devices-actions/v2	Hosts (Write)

User Agent

The user-agent added in this plugin is in the following format –/

netskope-ce-4.2.0-cte-crowdstrike/2.0.0

Field Mappings for Pull

Below is the list of fields that are pulled from CrowdStrike and mapped in Netskope CE.

Endpoint Detection Page Mapping

Netskope CE Fields	CrowdStrike API Response Fields
value	ioc_value
type	ioc_type
comments	ioc_description
firstSeen	first_behavior / (timestamp)
lastSeen	last_behavior / (timestamp)
severity	severity
reputation	confidence/10

IOC Management Page Mapping

Netskope CE Fields	CrowdStrike API Response Fields
value	value
type	type
severity	severity
firstSeen	created_on
lastSeen	modified_on
comment Format: Comment format: Source: , action: , platforms: , metadata fields:	Combination of Source, action, platforms, metadata fields
tags	tags + [“non-CrowdStrike-discovered”]

Workflow

Click play to watch a video.

Create a Secure Web Gateway Custom File Profile for CrowdStrike

1. In the Netskope UI, go to Policies , select File , and click New File Profile.
2. Click File Hash in the left panel, select SHA256 from the File Hash dropdown list.
3. Enter a temporary value in the text field. Netskope does not support progressing without having a value in this field, and recommends entering a string of 64 characters that consists of the character f. For example, ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff. This will have a very low possibility of matching a valid file format.
4. Click Next.
5. Enter a Profile Name and a Description. We recommend not having blank spaces in your profile name; use underscores for spaces.
6. Click Save.
7. To publish this profile into the tenant, click Apply Changes in the top right.

Create a Malware Detection Profile for CrowdStrike

1. In the Netskope UI, go to Policies, select Threat Protection , and click New Malware Detection Profile.
2. Click Next. 
3. Click Next again.
4. Select the File Profile you created in the previous section and click Next.
5. Enter a Malware Detection Profile name and click Save Malware Detection Profile.
6. To publish this profile in the tenant, click Apply Changes in the top right.

Create a Real-time Threat Protection Policy for CrowdStrike

These instructions apply to the new Real-time Protection policy workflow.

1. In the Netskope UI, go to Policies > Real-time Protection. 
2. Click New Policy and select Threat Protection.
3. For Source, leave the default (User = All Users)
4. For Destination: select Category
5. The Category section expands and allows you to search and select categories. Click Select All. When finished, click outside of the Category section.
6. When the Activities & Constraints section opens, click Edit.
7. Select Upload and Download, and then click Save.
8. For Profile & Action, click in the text field.
9. Select the Malware Detection profile you created in the previous section.
10. For the Severity Levels, change all of the Actions settings from Action: Alert to Action: Block.
11. Select a template to choose which block message is sent to the user.
12. For Set Policy, enter a descriptive Policy Name.
13. Click Save in the top right to save the policy.
14. Choose the To the top option when it appear. (Or appropriate location in your security policy)
15. To publish this policy into the tenant, select Apply Changes in the top right.

Get your CrowdStrike Client ID and Client Secret

1. Log in to your CrowdStrike platform and go to Support and Resources > API Client and Keys.

   

2. Click Create API Client. Add the Client name and provide these scopes.

   

   API Scopes permissions

   Scope	Read	Write
   Detections	Yes	No
   IOC Management	Yes	Yes
   Hosts	Yes	Yes
   IOCs(Indicators of Compromise)	Yes	No

3. Copy the Client ID and Secret, and then click Create.

Configure the Crowdstrike Plugin

1. Log in to Cloud Exchange and go to Settings > Plugins.
2. Search for and select the CrowdStrike v2.0.0 (CTE) plugin box to open the plugin creation pages.

   

3. For Basic Information, enter and select these values:
   • Configuration Name: Unique name for the configuration
   • Sync Interval: Leave default or change based on your requirement.
   • Aging Criteria: Expiry time of the plugin in days. (Default: 90)
   • Override Reputation: Set a value to override the reputation of indicators received from this configuration.
   • Enable SSL Validation: Enable SSL Certificate validation.
   • Use System Proxy: Enable if the proxy is required for communication

   

4. Click Next.
5. For Configuration Parameters, enter and select these values:
   • Base URL: Base URL for Crowdstrike API Endpoints.
   • Client ID: Crowdstrike API Client ID.
   • Client Secret: Crowdstrike API Client Secret.
   • Enable Polling: Enable/Disable polling data from CrowdStrike.
   • Indicator Source Page: The page from which you want to pull data from. The data pulled from the IoC Management page will be tagged as “non-CrowdStrike-discovered”
   • Type of Threat data to pull: Type of Threat data to pull. Supported types are SHA256, MD5, Domain, IPv4 and, IPv6.
   • Initial Range: Number of days to pull the data for the initial run.
   • Indicator Batch Size: Number of Indicators to push in one API call. (Applicable only while sharing IoCs)
   • IoC Source: The source where this indicator originated. This can be used for tracking where this indicator was defined.

   

6. Click Save.

   

   Note

   Before CrowdStrike v2.0.0 the indicators were only pulled from the CrowdStrike > EndPoint detection page > Behaviours. In this update, we have added support to pull data from the CrowdStrike > IOC Management page. So all the MD5, SHA256, Domains, IPv4, and, IPv6 available on both the Endpoint Detection and IOC Management page will be pulled from the CrowdStrike platform to Netskope CE.

   Earlier the plugin configuration had Malware, Malsite, and Both as options for the “Type of ThreatData to pull” field, it has now been updated to the following:

   CrowdStrike v1.0.3	CrowdStrike v2.0.0
   Malware	MD5 and SHA256
   Malsite	Domains

   In order to pull malware-type indicators from CrowdStrike select MD5 and SHA256 in the Type of ThreatData to pull the field from the plugin configuration. In order to pull the Malsite type of data select Domains, IPv4, and IPv6.

Configure a Threat Exchange Business Rule for CrowdStrike

A Business Rule is used to filter out the indicators that are to be shared. In order to share IoCs with CrowdStrike, create a business rule using the following steps:

1. Go to Threat Exchange > Business Rules click Create New Rule.
2. Add the Rule name and select the fields through which you want to filter the IoCs.

   

   

3. Click Save.

Add a Threat Exchange Sharing Configuration

CrowdStrike v2.0.0 supports performing Remediate and Isolate actions on the Hosts. This plugin also updates the already shared Indicators on CrowdStrike when reshared.

CrowdStrike Actions

Perform Action

• No Action: Save the indicator for future use, but take no action. No severity is required.
• Allow: This applies to hashes only. Allow the indicator and do not detect it. Severity does not apply and should not be provided.
• Block, Hide Detection: This applies to hashes only. Block and detect the indicator, but hide it from Endpoint security > Monitor > Endpoint detections. Has a default severity value.
• Block: This applies to hashes only. Add the indicator to the Block list using which the prevention policy will block the processes on the host from which this indicator is generated.
• Detect Only: Show it as detection and take no action on it.

Isolate/Remediate Hosts

• Contain: Contains the host and stops any network communications to locations other than the CrowdStrike cloud and IPs specified in your containment policy.
• Lift Containment: Lifts containment on the host and returns its network communications to normal.
• Hide Host: Deletes a host. After the host is deleted, no new detections for the host will be reported via the UI or API. A maximum of 100 hosts can be hidden at a time.
• Unhide Host: Restores a host. Detection reporting resumes after the host is restored.

To configure sharing:

1. Go to Threat Exchange > Sharing and click Add Sharing Configuration.
2. Select Source configuration (Source from which you want to share data to CrowdStrike), select Business Rule, and Destination.

   

3. Select the Target value and Action type.

   

4. Click Save.

   Note

   In CrowdStrike v2.0.0, the labels for the “Action” field of “Perform Action” Target have been updated and are now in sync with the CrowdStrike platform. Updated labels for the Action parameter are as follows:

   CrowdStrike v1.0.3	CrowdStrike v2.0.0
   No Action	No Action (Applies to all indicator types)
   Allow	Allow (Applies to hashes only)
   Prevent_no_ui	Block, hide detection (Applies to hashes only)
   Prevent	Block (Applies to hashes only)
   Detect	Detect only (Applies to all indicator types)

Validate the CrowdStrike Plugin

Validate Pull

1. Indicators from CrowdStrike are pulled from Endpoint security > Endpoint Detection > Detections and Endpoint security > IOC Management.

   

   

2. Indicators stored in CE can be verified from Threat Exchange > Threat IoCs.
3. Search the CrowdStrike IoCs by filtering indicators from CrowdStrike.

   For example, add a query on the Threat IoCs page like sources.source Is equal

   

4. You can also verify the indicators pulled in CE from the Logs available on the Logging page.

   

Validate Push

1. Shared IoCs in Netskope CE can be verified from logs available on the Logging page of Threat Exchange.

   

2. IoCs shared on CrowdStrike can be verified from Endpoint security > IOC Management.

   

Troubleshooting

Receiving an error while updating the plugin using the plugin repository

If you are facing an issue updating the configured CrowdStrike plugin, follow these steps:

1. Close the plugin repo page once you pull and download the plugin updates.
2. Go to Threat Exchange > Plugins.
3. To edit the plugin, go to the Configuration Parameter page and remove the selected value from the Type of Threat Data to pull field, and then select the IoC type that you want to pull.
4. Select the source page from the Indicator Source Page dropdown.
5. Save the plugin.
6. Click on the enable plugin icon and enable the plugin. The plugin will be updated with the latest changes and start working as expected.

Receiving error 500 Server error while updating/sharing the IoCs to CrowdStrike

If you are receiving the below error message in logs while sharing the IoCs to CrowdStrike, it might be because of the batch size provided in the plugin configuration for sharing being large.



Change the batch size for the sharing from the plugin configuration by following the below steps:

1. Edit the CrowdStrike plugin from Threat Exchange > Plugins.
2. Reduce the Indicator Batch size parameter and save the plugin.