CrowdStrike v1.0.0 Plugin for Risk Exchange

This document explains how to configure the CrowdStrike v1.0.0 plugin with the Risk Exchange module of the Netskope Cloud Exchange platform. This plugin fetches hosts and their respective ZTA scores from the Host Setup and Management > Host Management page on the CrowdStrike tenant. It also supports the Put RTR Script action on hosts.

Netskope normalized score calculation: Netskope normalized score = CrowdStrike host assessment overall score * 10.

Prerequisites

To complete this integration, you need:

  • A Netskope tenant (or multiple, for example, production and development/test instances).
  • A Netskope Cloud Exchange tenant with the Tenant plugin and Risk Exchange module already configured.
  • CrowdStrike instance credentials (Client ID, Client Secret) for the API Token.
  • CrowdStrike Real-Time Response Administrator role for Put RTR Script action.
  • For each platform (Windows, Mac), there should be a response policy with Real-Time Response (High-Risk Commands) enabled.
  • Connectivity to the following host: https://falcon.crowdstrike.com.

CE Version Compatibility

Netskope CE v5.1.0

CrowdStrike Plugin Support

This plugin fetches hosts and their respective ZTA scores from the CrowdStrike tenant. It also supports the Put RTR Script action on hosts.

Type of data pulled: Hosts

Actions supported:
  • Put RTR Script
  • No Action

Mappings

Mappings are used to view the pulled Hosts and their respective details. Fields mapped during the plugin configuration will be visible on the Records page after the data is pulled. Here are the suggested mappings to use while configuring the plugin.

Pull Mapping for Hosts

Plugin Field Label          Expected Data Type   Suggested Field Label       Suggested Aggregate Strategy
Host ID                     String               Agent ID                    Unique
System Serial Number        String               System Serial Number        Overwrite
Overall Assessment Score    Number               Overall Assessment Score    Overwrite
Netskope Normalized Score   Number               Normalized Score            Overwrite

Score to file mapping (for the Put RTR Script action)

These mappings are used when the Put RTR Script action is performed on the Hosts. The action creates a file on the Host machine, and the name of that file depends on the Action Configuration: if a static score value is provided, the file name is derived from that value; if a business rule is used, the file name depends on the score pulled for the Host.

Score          File Name
Less than 26   crwd_zta_1_25.txt
26 to 51       crwd_zta_26_50.txt
51 to 76       crwd_zta_51_75.txt
76 to 100      crwd_zta_76_100.txt
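As an added example (not the plugin's own code), the following Python turns a Fetch Scores response into the pull-mapping fields above, applies the normalization from the top of this page and the Maximum Score filter from the plugin configuration, and picks the score file from this table. The table's overlapping boundaries (51 and 76) are resolved by treating each row's lower bound as inclusive, which is an assumption; the extra hosts in the sample are constructed.

```python
"""Added example, not the plugin's own code: build Risk Exchange host records
from a CrowdStrike Zero Trust Assessment (Fetch Scores) response, applying the
page's normalization (overall * 10), the Maximum Score filter and the
score-to-file table used by the Put RTR Script action."""
import json

# Constructed sample: the first host is the one in this page's Fetch Scores
# response; the other three are made up to exercise the table boundaries.
SAMPLE_ASSESSMENTS = json.loads("""
{
  "resources": [
    {"aid": "e039334e8b0e4747bdfc7a29406ec8e1", "system_serial_number": "FVHX2HEDJ1WK",
     "event_platform": "Mac", "assessment": {"sensor_config": 66, "os": 72, "overall": 68}},
    {"aid": "constructed-aid-0001", "system_serial_number": "SN-CONSTRUCTED-1",
     "event_platform": "Windows", "assessment": {"overall": 25}},
    {"aid": "constructed-aid-0002", "system_serial_number": "SN-CONSTRUCTED-2",
     "event_platform": "Windows", "assessment": {"overall": 26}},
    {"aid": "constructed-aid-0003", "system_serial_number": "SN-CONSTRUCTED-3",
     "event_platform": "Mac", "assessment": {"overall": 100}}
  ],
  "errors": []
}
""")

# Score-to-file table from this page. Its ranges overlap at 51 and 76; here each
# row's lower bound is taken as inclusive (an assumption, not stated on the page).
SCORE_FILES = (
    (0, 25, "crwd_zta_1_25.txt"),
    (26, 50, "crwd_zta_26_50.txt"),
    (51, 75, "crwd_zta_51_75.txt"),
    (76, 100, "crwd_zta_76_100.txt"),
)


def normalize_score(overall):
    """Netskope normalized score = CrowdStrike overall assessment score * 10."""
    if not 0 <= overall <= 100:
        raise ValueError(f"overall assessment score out of range: {overall}")
    return overall * 10


def score_file_name(score):
    """Name of the marker file the Put RTR Script action puts on the host."""
    for low, high, name in SCORE_FILES:
        if low <= score <= high:
            return name
    raise ValueError(f"score out of range: {score}")


def build_records(response, maximum_score=100):
    """Map assessment resources to the page's suggested pull fields, keeping
    only hosts whose overall score is <= the configured Maximum Score."""
    if response.get("errors"):
        raise RuntimeError(f"API returned errors: {response['errors']}")
    records = []
    for host in response.get("resources", []):
        overall = (host.get("assessment") or {}).get("overall")
        if overall is None or overall > maximum_score:
            continue  # unscored host, or above Maximum Score: not pulled
        records.append({
            "Host ID": host["aid"],
            "System Serial Number": host.get("system_serial_number"),
            "Overall Assessment Score": overall,
            "Netskope Normalized Score": normalize_score(overall),
            "Platform": host.get("event_platform"),  # not a mapped field; used by the cd step
            "Score File": score_file_name(overall),
        })
    return records


if __name__ == "__main__":
    for rec in build_records(SAMPLE_ASSESSMENTS, maximum_score=70):
        print(rec["Host ID"], rec["Netskope Normalized Score"], rec["Score File"])
```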

Permissions
API Scope Permissions

Refer to the Get Client ID and Client Secret section for obtaining and providing API scopes permissions.

Scope                        Read   Write
Hosts                        Yes    No
Real time response (admin)          Yes
Real time response           Yes    No
Zero Trust Assessment        Yes

Response Policy Permissions

Refer to Add Permission for Response Policy (RTR script Permission) section for obtaining and providing Response Policy permissions.

Category             Type                 Permission       Status
Real Time Response   Custom Scripts       Falcon Scripts   Enable
Real Time Response   High risk commands   put              Enable

Note: Response policy permissions are only needed when you want to use the Put RTR Script action.

API Details
List of APIs Used
API Detail                                       Method   Endpoint                                         API Scope
Get auth token                                   POST     /oauth2/token                                    None
Fetch Records                                    GET      /devices/queries/devices-scroll/v1               Hosts (Read)
Fetch Scores                                     GET      /zero-trust-assessment/entities/assessments/v1   Zero Trust Assessment (Read)
Put file on RTR cloud                            POST     /real-time-response/entities/put-files/v1        Real time response admin (Write)
Get platform name                                POST     /devices/entities/devices/v2                     Hosts (Read)
Check Script Existence                           GET      /real-time-response/queries/scripts/v1           Real time response (Read)
Create Score Files Removal Script on RTR Cloud   POST     /real-time-response/entities/scripts/v1          Real time response admin (Write)
Get session ID                                   POST     /real-time-response/entities/sessions/v1         Real time response (Read)
Change directory                                 POST     /real-time-response/entities/admin-command/v1    Real time response admin (Write)
Remove file from device                          POST     /real-time-response/entities/admin-command/v1    Real time response admin (Write)
Get status of command                            GET      /real-time-response/entities/admin-command/v1    Real time response admin (Write)
Put the file on device                           POST     /real-time-response/entities/admin-command/v1    Real time response admin (Write)
Delete the session                               DELETE   /real-time-response/entities/sessions/v1         Real time response (Read)

Get Auth Token

API Endpoint: /oauth2/token
Method: POST

Parameters

Key             Value
grant_type      client_credentials
client_id       <Client ID>
client_secret   <Client Secret>

Sample API Response

{
 "access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6InB1YmxpYzphNDdiNTc2MS0zYzk3LTQwMmItOTgzNi0wNmNhODI0NTViOTMiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOltdLCJjbGllbnRfaWQiOiJlZTA5YTc3MjAwNzc0MzYwOTlhYTM5N2M2MTJlYTQzYiIsImV4cCI6MTcwMzI0MDQzOSwiZXh0Ijp7InN1Yl90eXBlIjoiY2xpZW50In0sImlhdCI6MTcwMzIzODYzOSwiaXNzIjoiaHR0cHM6Ly9hcGkuY3Jvd2RzdHJpa2UuY29tLyIsImp0aSI6ImQ5ZTlmZWI4LTM0ODAtNDM2NC1hYzI2LTBhZjgzNDdlOWY2OSIsIm5iZiI6MTcwMzIzODYzOSwic2NwIjpbXSwic3ViIjoiZWUwOWE3NzIwMDc3NDM2MDk5YWEzOTdjNjEyZWE0M2IiLq_wgw5-EAB-hHiRB-coF2Yy_PeP-8IvjWQVIjlDJrRmRQ-s-NmAkm8XaG9GojFZvaT-sufiBxKEDmpdntABNkEG1fcbVvd7tVW-vi36PFPoc3p1t4sbaMhf9_Kts8iAHsv6BudVyFsPhPAreGc2OXUFT39ZvuDTN5BxOFiPT_9_gadXt-7N*************************************************************************************",
 "expires_in": 1799,
 "token_type": "bearer"
}

Fetch Records

API Endpoint: /devices/queries/devices-scroll/v1
Method: GET

Parameters

Key      Value
limit    5000
offset   ""

Headers

Key             Value
Authorization   Bearer <Bearer Token>
User-Agent      netskope-ce-5.1.0-cre-crowdstrike/1.0.0

Sample API Response

{
    "meta": {
        "query_time": 0.025422559,
        "pagination": {
            "offset": 1,
            "limit": 1,
            "total": 21
        },
        "powered_by": "device-api",
        "trace_id": "5f1a1eeb-9d8b-4412-8523-0fc933a0bf6f"
    },
    "resources": [
        "89b9743fcb6b4ccaa09600ac5204bac4"
    ],
    "errors": []
}

Fetch Scores

API Endpoint: /zero-trust-assessment/entities/assessments/v1
Method: GET

Parameters

Key   Value
ids   [<Host IDs>]

Headers

Key             Value
Authorization   Bearer <Bearer Token>
User-Agent      netskope-ce-5.1.0-cre-crowdstrike/1.0.0

Sample API Response

{
    "meta": {
        "query_time": 0.003210238,
        "trace_id": "ba076fd9-7340-49f3-a9a2-41b6f2eb94d9"
    },
    "errors": [],
    "resources": [
        {
            "aid": "e039334e8b0e4747bdfc7a29406ec8e1",
            "cid": "c17f3a80ded0418eb107db3d26a27983",
            "system_serial_number": "FVHX2HEDJ1WK",
            "event_platform": "Mac",
            "product_type_desc": "Workstation",
            "modified_time": "2024-05-01T08:42:07Z",
            "sensor_file_status": "confirmed",
            "assessment": {
                "sensor_config": 66,
                "os": 72,
                "overall": 68,
                "version": "3.8.1"
            },
            "assessment_items": {
                "os_signals": [
                    {
                        "signal_id": "mac_os_version",
                        "signal_name": "macOS Version",
                        "group_name": "macOS",
                        "criteria": "macOS version is ≥11.0",
                        "meets_criteria": "yes"
                    }
                ],
                "sensor_signals": [
                    {
                        "signal_id": "ml_cloud_antimalware_detection_mac",
                        "signal_name": "Cloud ML - Cloud Anti-malware - Detection for macOS",
                        "group_name": "Prevention",
                        "criteria": "Cloud ML - Cloud Anti-malware Detection: set to Aggressive or higher",
                        "meets_criteria": "yes"
                    }
                ]
            }
        }
    ]
}

Put a File on the RTR Cloud

API Endpoint: /real-time-response/entities/put-files/v1
Method: POST

Headers

Key             Value
Authorization   Bearer <Bearer Token>
User-Agent      netskope-ce-5.1.0-cre-crowdstrike/1.0.0

Data

{
  "description": "file representing a ZTA score of 1_25",
  "name": "crwd_zta_1_25.txt",
  "comments_for_audit_log": "uploade file representing a ZTA score of 1_25 for Netskope ZTA-RTR integration"
}

Sample API Response

{
  "meta": {
    "query_time": 0.536670425,
    "writes": {
      "resources_affected": 1
    },
    "powered_by": "empower-api",
    "trace_id": "d4bddc66-83fd-4875-9016-a17899fd83ba"
  }
}

Check Script Existence

API Endpoint: /real-time-response/queries/scripts/v1
Method: GET

Headers

Key             Value
Authorization   Bearer <Bearer Token>
User-Agent      netskope-ce-5.1.0-cre-crowdstrike/1.0.0

Parameters

Key      Value
filter   name:'<Script name>'

API Response

{
    "meta": {
        "query_time": 0.025087906,
        "pagination": {
            "offset": 0,
            "limit": 100,
            "total": 1
        },
        "powered_by": "empower-api",
        "trace_id": "0e9ccedb-58c9-44a9-842c-620977f096b1"
    },
    "resources": [
        "bab3f0ff134311efb74642cd23408b64_ee09a7720077436099aa397c612ea43b"
    ]
}

Create Score Files Removal Script on the RTR Cloud

API Endpoint: /real-time-response/entities/scripts/v1
Method: POST

Headers

Key             Value
Authorization   Bearer <Bearer Token>
User-Agent      netskope-ce-5.1.0-cre-crowdstrike/1.0.0

Data

Key               Value
name              Name of the script
permission_type   public
description       Description for the file.

Files

Upload the script file. For a Python script, pass the open file object in the files parameter of the requests call as the following tuple:

[
    (
        "file",
        (
            "",
            file,
            "application/octet-stream",
        ),
    )
]

API Response

{
    "meta": {
        "query_time": 0.947792627,
        "writes": {
            "resources_affected": 1
        },
        "powered_by": "empower-api",
        "trace_id": "eed1850a-0c07-488a-b36d-a70d5e904d71"
    }
}

Get a Platform Name

API Endpoint: /devices/entities/devices/v2
Method: GET

Headers

Key             Value
Authorization   Bearer <Bearer Token>
User-Agent      netskope-ce-5.1.0-cre-crowdstrike/1.0.0

Parameters

Key   Value
ids   [<Host ID>]

API Response

{
    "meta": {
        "query_time": 0.001626152,
        "powered_by": "device-api",
        "trace_id": "8adcbd8a-40cd-4086-8e5d-5d3962fb1073"
    },
    "resources": [
        {
            "device_id": "d2abab7b4c6a4d9998b298b19bbda31f",
            "cid": "c17f3a80ded0418eb107db3d26a27983",
            "agent_load_flags": "0",
            "agent_local_time": "2023-12-22T11:19:53.929Z",
            "agent_version": "7.05.17603.0",
            "bios_manufacturer": "Apple Inc.",
            "bios_version": "515.0.0.0.0",
            "config_id_base": "65994753",
            "config_id_build": "17603",
            "config_id_platform": "4",
            "cpu_signature": "526057",
            "external_ip": "117.217.127.213",
            "mac_address": "dc-a9-04-99-43-aa",
            "hostname": "ITs-MacBook-Pro.local",
            "first_seen": "2023-12-18T08:46:57Z",
            "last_login_timestamp": "2023-12-21T08:00:38Z",
            "last_login_user": "it",
            "last_login_uid": "501",
            "last_login_user_sid": "S-1-5-21-1276927669-3124867281-3856135234-2002",
            "last_seen": "2023-12-22T11:46:27Z",
            "local_ip": "172.20.10.87",
            "major_version": "22",
            "minor_version": "6",
            "os_version": "Ventura (13)",
            "os_build": "22G120",
            "platform_id": "1",
            "platform_name": "Mac",
            "policies": [
                {
                    "policy_type": "prevention",
                    "policy_id": "e17fdf411592409794d748e907da9967",
                    "applied": true,
                    "settings_hash": "528b286b",
                    "assigned_date": "2023-12-18T08:48:02.464865254Z",
                    "applied_date": "2023-12-18T08:48:08.608666735Z",
                    "rule_groups": []
                }
            ],
            "reduced_functionality_mode": "yes",
            "device_policies": {
                "prevention": {
                    "policy_type": "prevention",
                    "policy_id": "e17fdf411592409794d748e907da9967",
                    "applied": true,
                    "settings_hash": "528b286b",
                    "assigned_date": "2023-12-18T08:48:02.464865254Z",
                    "applied_date": "2023-12-18T08:48:08.608666735Z",
                    "rule_groups": []
                },
                "sensor_update": {
                    "policy_type": "sensor-update",
                    "policy_id": "766825ba2e2847f8a9134f7f48f44214",
                    "applied": true,
                    "settings_hash": "tagged|3;101",
                    "assigned_date": "2023-12-18T09:00:47.465877148Z",
                    "applied_date": "2023-12-18T09:03:49.721523878Z",
                    "uninstall_protection": "ENABLED"
                },
                "device_control": {
                    "policy_type": "device-control",
                    "policy_id": "6e4a89125c4343f3ab42cbf2fa482702",
                    "applied": true,
                    "assigned_date": "2023-12-18T08:48:02.464932037Z",
                    "applied_date": "2023-12-18T08:49:48.770860727Z"
                },
                "global_config": {
                    "policy_type": "globalconfig",
                    "policy_id": "e2289d74264744f38e62d1146b13189d",
                    "applied": true,
                    "settings_hash": "1fda691c",
                    "assigned_date": "2023-12-22T11:20:01.358167731Z",
                    "applied_date": "2023-12-22T11:21:05.552056147Z"
                },
                "remote_response": {
                    "policy_type": "remote-response",
                    "policy_id": "70d43a45f67149e8b54c8d80ac00df10",
                    "applied": true,
                    "settings_hash": "797eb425",
                    "assigned_date": "2023-12-18T08:48:02.464926863Z",
                    "applied_date": "2023-12-18T08:48:08.689092082Z"
                },
                "firewall": {
                    "policy_type": "firewall",
                    "policy_id": "b1a5ff10a3c44f66a47c7f08f2e372e5",
                    "applied": true,
                    "assigned_date": "2023-12-18T08:48:02.464940776Z",
                    "applied_date": "2023-12-18T08:48:08.752377285Z",
                    "rule_set_id": "b1a5ff10a3c44f66a47c7f08f2e372e5"
                }
            },
            "groups": [],
            "group_hash": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
            "product_type_desc": "Workstation",
            "provision_status": "Provisioned",
            "serial_number": "C02V10FEHV2T",
            "status": "normal",
            "system_manufacturer": "Apple Inc.",
            "system_product_name": "MacBookPro14,2",
            "tags": [],
            "modified_timestamp": "2023-12-22T11:46:35Z",
            "meta": {
                "version": "110",
                "version_string": "6:10864108136"
            },
            "kernel_version": "22.6.0",
            "chassis_type": "9",
            "chassis_type_desc": "Laptop"
        }
    ],
    "errors": null
}

Get a Session ID

API Endpoint: /real-time-response/entities/sessions/v1
Method: POST

Headers

Key             Value
Authorization   Bearer <Bearer Token>
User-Agent      netskope-ce-5.1.0-cre-crowdstrike/1.0.0
Content-Type    application/json

Data

Key             Value
device_id       <Device ID>
origin          Netskope
queue_offline   True

Sample API Response

{
    "meta": {
        "query_time": 0.315515137,
        "powered_by": "empower-api",
        "trace_id": "0483a37f-896b-4bb3-bf1e-8f8b3618a2e2"
    },
    "resources": [
        {
            "session_id": "a26ad68e-1272-482b-95b5-78ee27344d80",
            "scripts": [
                {
                    "command": "cat",
                    "description": "Read a file from disk and display as ASCII",
                    "examples": "cat foo.txt\r\ncat -n foo.txt\r\ncat -t foo.txt\r\ncat -t -n foo.txt",
                    "internal_only": false,
                    "runnable": true,
                    "sub_commands": [],
                    "args": [
                        {
                            "id": 582,
                            "created_at": "2019-07-03T18:52:15Z",
                            "updated_at": "2019-07-03T18:52:15Z",
                            "script_id": 527,
                            "arg_type": "arg",
                            "data_type": "string",
                            "requires_value": false,
                            "arg_name": "Path",
                            "description": "path to cat",
                            "default_value": "",
                            "required": true,
                            "sequence": 1,
                            "options": null,
                            "encoding": "",
                            "command_level": "non-destructive"
                        },
                    ]
                },
                {
                    "command": "getsid",
                    "description": "Enumerate local users and Security Identifiers (SID)",
                    "examples": "getsid\r\n    List all users and associated SIDs\r\ngetsid foo\r\n    List users and associated SIDs matching substring \"foo\"",
                    "internal_only": false,
                    "runnable": true,
                    "sub_commands": [],
                    "args": [
                        {
                            "id": 661,
                            "created_at": "2020-04-02T03:31:02Z",
                            "updated_at": "2020-04-02T03:31:02Z",
                            "script_id": 557,
                            "arg_type": "arg",
                            "data_type": "string",
                            "requires_value": false,
                            "arg_name": "UserName",
                            "description": "Partial or full username to filter results",
                            "default_value": "",
                            "required": false,
                            "sequence": 1,
                            "options": null,
                            "encoding": "",
                            "command_level": "non-destructive"
                        }
                    ]
                },
                {
                    "command": "ls",
                    "description": "Display the contents of the specified path",
                    "examples": "ls\r\nls -l\r\nls -L\r\nls -t\r\nls -l -@\r\nls -R\r\nls -l -R\r\nls -l -t -R -L",
                    "internal_only": false,
                    "runnable": true,
                    "sub_commands": [],
                    "args": [
                        {
                            "id": 576,
                            "created_at": "2019-07-03T18:51:13Z",
                            "updated_at": "2019-07-03T18:51:13Z",
                            "script_id": 526,
                            "arg_type": "arg",
                            "data_type": "string",
                            "requires_value": false,
                            "arg_name": "Path",
                            "description": "Path ",
                            "default_value": ".",
                            "required": false,
                            "sequence": 1,
                            "options": null,
                            "encoding": "",
                            "command_level": "non-destructive"
                        }
                    ]
                },
                {
                    "command": "mount",
                    "description": "List or mount filesystem volumes",
                    "examples": "Executable by all RTR roles:\r\nmount\r\nExecutable by privileged RTR users only:\r\nmount -t=nfs \"host:/exports/filesystem\" \"/mnt/filesystem\"\r\n    Mount the NFS filesystem located at \"/exports/filesystem\" on \"host\" to the local destination \"/mnt/filesystem\"\r\nmount -t=smbfs \"//user:password@host/filesystem\" \"/mnt/mountpoint\"\r\n    Mount the SMB \"/filesystem\" on \"host\" as \"user\" with \"password\" to \"/mnt/mountpoint\"\r\nmount -t=smbfs -o=nobrowse \"//user:password@host/filesystem\" \"/mnt/mountpoint\"\r\n    Mount the SMB \"/filesystem\" with option \"nobrowse\" on \"host\" as \"user\" with \"password\" to \"/mnt/mountpoint\"",
                    "internal_only": false,
                    "runnable": true,
                    "sub_commands": [],
                    "args": []
                },
                {
                    "command": "netstat",
                    "description": "Display routing information or network connections",
                    "examples": "netstat\r\nnetstat -nr",
                    "internal_only": false,
                    "runnable": true,
                    "sub_commands": [],
                    "args": [
                        {
                            "id": 973,
                            "created_at": "2023-11-20T23:23:37Z",
                            "updated_at": "2023-11-20T23:23:37Z",
                            "script_id": 539,
                            "arg_type": "flag",
                            "data_type": "string",
                            "requires_value": false,
                            "arg_name": "n",
                            "description": "Flag to show network addresses as numbers",
                            "default_value": "",
                            "required": false,
                            "sequence": 2,
                            "options": null,
                            "encoding": "",
                            "command_level": "non-destructive"
                        }
                    ]
                },
                {
                    "command": "users",
                    "description": "Get details about local users",
                    "examples": "users\r\n    List details about all local users\r\nusers foo\r\n    List details about local user \"foo\"",
                    "internal_only": false,
                    "runnable": true,
                    "sub_commands": [],
                    "args": [
                        {
                            "id": 679,
                            "created_at": "2020-04-02T03:31:12Z",
                            "updated_at": "2020-04-02T03:31:12Z",
                            "script_id": 565,
                            "arg_type": "arg",
                            "data_type": "string",
                            "requires_value": false,
                            "arg_name": "UserName",
                            "description": "Username to filter results",
                            "default_value": "",
                            "required": false,
                            "sequence": 1,
                            "options": null,
                            "encoding": "",
                            "command_level": "non-destructive"
                        }
                    ]
                }
            ],
            "existing_aid_sessions": 1,
            "created_at": "2023-12-22T15:47:24.904481922Z",
            "offline_queued": true
        }
    ],
    "errors": null
}

Change a Directory

API Endpoint: /real-time-response/entities/admin-command/v1
Method: POST

Headers

Key             Value
Authorization   Bearer <Bearer Token>
User-Agent      netskope-ce-5.1.0-cre-crowdstrike/1.0.0

Data

Key              Value
base_command     cd
command_string   cd "/Library/Application Support/Netskope/STAgent" (Mac) or
                 cd "C:\Program Files (x86)\Netskope\STAgent" (Windows)
persist          True
session_id       30b171e9-26ca-4856-b00e-10d5c4be765e

Sample API Response

{
    "meta": {
        "query_time": 0.052249291,
        "powered_by": "empower-api",
        "trace_id": "ebb0457c-1000-4607-99c5-85fd2c2aae91"
    },
    "resources": [
        {
            "session_id": "30b171e9-26ca-4856-b00e-10d5c4be765e",
            "cloud_request_id": "399d6ed9-e2c5-4e72-8618-97515f69dc72",
            "queued_command_offline": false
        }
    ],
    "errors": null
}

Put a File on a Device

API Endpoint: /real-time-response/entities/admin-command/v1
Method: POST

Headers

Key             Value
Authorization   Bearer <Bearer Token>
User-Agent      netskope-ce-5.1.0-cre-crowdstrike/1.0.0

Data

Key              Value
base_command     put
command_string   put crwd_zta_1_25.txt
persist          True
session_id       <Session ID>

Sample API Response

{
    "meta": {
        "query_time": 0.052249291,
        "powered_by": "empower-api",
        "trace_id": "ebb0457c-1000-4607-99c5-85fd2c2aae91"
    },
    "resources": [
        {
            "session_id": "30b171e9-26ca-4856-b00e-10d5c4be765e",
            "cloud_request_id": "399d6ed9-e2c5-4e72-8618-97515f69dc72",
            "queued_command_offline": false
        }
    ],
    "errors": null
}

Remove a File from a Device

API Endpoint: /real-time-response/entities/admin-command/v1
Method: POST

Headers

Key             Value
Authorization   Bearer <Bearer Token>
User-Agent      netskope-ce-5.1.0-cre-crowdstrike/1.0.0

Data

Key              Value
base_command     rm
command_string   rm crwd_zta_1_25.txt
persist          True
session_id       30b171e9-26ca-4856-b00e-10d5c4be765e

Sample API Response

{
    "meta": {
        "query_time": 0.052249291,
        "powered_by": "empower-api",
        "trace_id": "ebb0457c-1000-4607-99c5-85fd2c2aae91"
    },
    "resources": [
        {
            "session_id": "30b171e9-26ca-4856-b00e-10d5c4be765e",
            "cloud_request_id": "399d6ed9-e2c5-4e72-8618-97515f69dc72",
            "queued_command_offline": false
        }
    ],
    "errors": null
}

Get a Command Status

API Endpoint: /real-time-response/entities/admin-command/v1
Method: GET

Headers

Key             Value
Authorization   Bearer <Bearer Token>
User-Agent      netskope-ce-5.1.0-cre-crowdstrike/1.0.0

Parameters

Key                Value
cloud_request_id   399d6ed9-e2c5-4e72-8618-97515f69dc72
sequence_id        0

Sample API Response

{
    "meta": {
        "query_time": 0.30452861,
        "powered_by": "empower-api",
        "trace_id": "f2fbc47d-a6e5-4ddf-9bb0-778fd7b32017"
    },
    "resources": [
        {
            "session_id": "30b171e9-26ca-4856-b00e-10d5c4be765e",
            "task_id": "399d6ed9-e2c5-4e72-8618-97515f69dc72",
            "complete": true,
            "stdout": "",
            "stderr": "/Library/Application Support/Netskope/STAgent does not exist\n",
            "base_command": "cd"
        }
    ],
    "errors": []
}

Delete a Session

API Endpoint: /real-time-response/entities/sessions/v1
Method: DELETE

Headers

Key             Value
Authorization   Bearer <Bearer Token>
User-Agent      netskope-ce-5.1.0-cre-crowdstrike/1.0.0
Content-Type    application/json

Parameters

Key          Value
session_id   30b171e9-26ca-4856-b00e-10d5c4be765e

Sample API Response

Status code: 204

No Content
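The following Python, added here and not the plugin's or CrowdStrike's own code, strings together the Get a Session ID, Change a Directory, Put a File on a Device, Get a Command Status and Delete a Session calls above with the 5-minute per-command wait described in the Workflow section; the transport is injected, so the FakeFalcon class and its responses are constructed for this example, the API host is assumed to be https://api.crowdstrike.com, and the removal-script steps are not shown.

```python
"""Added example, not the plugin's own code: the Put RTR Script call sequence
from this page (open session -> cd -> put -> poll command status -> delete
session) with the Workflow section's 5-minute command timeout, run offline
against constructed responses through an injected transport."""
import time

USER_AGENT = "netskope-ce-5.1.0-cre-crowdstrike/1.0.0"
COMMAND_TIMEOUT = 300  # the page's 5-minute limit for the cd/put/rm commands
STAGENT_DIR = {  # cd targets from the Change a Directory section
    "Mac": '"/Library/Application Support/Netskope/STAgent"',
    "Windows": '"C:\\Program Files (x86)\\Netskope\\STAgent"'}
SESSIONS = "/real-time-response/entities/sessions/v1"
ADMIN_CMD = "/real-time-response/entities/admin-command/v1"


class RtrError(Exception):
    pass


class RtrClient:
    """transport(method, path, params, body, headers) -> (status, json_body); in
    production a requests wrapper for the CrowdStrike API host, here a fake."""

    def __init__(self, token, transport, sleep=time.sleep, clock=time.monotonic):
        self.headers = {"Authorization": f"Bearer {token}", "User-Agent": USER_AGENT}
        self.transport, self.sleep, self.clock = transport, sleep, clock

    def _call(self, method, path, params=None, body=None):
        status, data = self.transport(method, path, params or {}, body or {}, self.headers)
        if status >= 400 or (data or {}).get("errors"):  # non-empty errors list
            raise RtrError(f"{method} {path} -> {status}: {(data or {}).get('errors')}")
        return data or {}

    def open_session(self, device_id):
        body = {"device_id": device_id, "origin": "Netskope", "queue_offline": True}
        return self._call("POST", SESSIONS, body=body)["resources"][0]["session_id"]

    def admin_command(self, session_id, base_command, argument):
        body = {"base_command": base_command, "command_string": f"{base_command} {argument}",
                "persist": True, "session_id": session_id}
        return self._call("POST", ADMIN_CMD, body=body)["resources"][0]["cloud_request_id"]

    def wait_for_command(self, cloud_request_id, timeout=COMMAND_TIMEOUT, interval=5):
        """Poll Get a Command Status until complete; stderr or timeout raises."""
        deadline = self.clock() + timeout
        while True:
            params = {"cloud_request_id": cloud_request_id, "sequence_id": 0}
            result = self._call("GET", ADMIN_CMD, params=params)["resources"][0]
            if result.get("complete"):
                if result.get("stderr"):  # e.g. the page's '... STAgent does not exist'
                    raise RtrError(f"{result.get('base_command')} failed: {result['stderr'].strip()}")
                return result
            if self.clock() >= deadline:
                raise RtrError(f"command {cloud_request_id} timed out after {timeout}s")
            self.sleep(interval)

    def put_score_file(self, device_id, platform, file_name):
        """Workflow steps 4 and 6 plus the put; the session is always deleted."""
        session_id = self.open_session(device_id)
        try:
            for base, arg in (("cd", STAGENT_DIR[platform]), ("put", file_name)):
                self.wait_for_command(self.admin_command(session_id, base, arg))
        finally:
            self._call("DELETE", SESSIONS, params={"session_id": session_id})
        return session_id


class FakeFalcon:
    """Constructed stand-in shaped like this page's sample responses. `pending` =
    polls that report 'not complete' first; `cd_stderr` = the page's cd error."""

    def __init__(self, pending=1, cd_stderr=""):
        self.pending, self.cd_stderr, self.calls, self.base = pending, cd_stderr, [], {}

    def __call__(self, method, path, params, body, headers):
        assert headers["User-Agent"] == USER_AGENT
        self.calls.append((method, path, body.get("base_command")))
        if (method, path) == ("POST", SESSIONS):
            return 201, {"resources": [{"session_id": "a26ad68e-1272-482b-95b5-78ee27344d80"}]}
        if (method, path) == ("POST", ADMIN_CMD):
            req = f"req-{len(self.calls)}"
            self.base[req] = body["base_command"]
            return 201, {"resources": [{"cloud_request_id": req, "queued_command_offline": False}]}
        if (method, path) == ("GET", ADMIN_CMD):
            base = self.base[params["cloud_request_id"]]
            if self.pending > 0:
                self.pending -= 1
                return 200, {"resources": [{"complete": False, "base_command": base}], "errors": []}
            return 200, {"resources": [{"complete": True, "stdout": "", "base_command": base,
                                        "stderr": self.cd_stderr if base == "cd" else ""}], "errors": []}
        if (method, path) == ("DELETE", SESSIONS):
            return 204, None
        return 404, {"errors": [{"message": "unknown route"}]}


def demo(pending=1, cd_stderr="", clock=lambda: 0.0):
    fake = FakeFalcon(pending, cd_stderr)
    client = RtrClient("<token>", fake, sleep=lambda _s: None, clock=clock)
    try:
        outcome = client.put_score_file("89b9743fcb6b4ccaa09600ac5204bac4", "Mac", "crwd_zta_51_75.txt")
    except RtrError as exc:
        outcome = f"error: {exc}"
    return outcome, fake.calls
```

demo() returns the session ID and the ordered list of calls made; pass cd_stderr or a large pending count with an advancing clock to see the failure and timeout paths, both of which still delete the session.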

Performance Matrix

Here is the performance matrix measured on a Large CE stack with these specifications by pulling 500K host records.

Stack Size: Large
RAM: 32 GB
Core: 16
Time taken to store the pulled and updated host records: ~20 mins

User Agent

netskope-ce-5.1.0-cre-crowdstrike/1.0.0

Workflow

  1. Get your Client ID and Client Secret.
  2. Add Permission for the RTR Script.
  3. Configure the CrowdStrike plugin.
  4. Add a Business Rule.
  5. Add Actions.
  6. Validate the plugin.

Get your Client ID and Client Secret

  1. Log in to CrowdStrike and go to the menu icon > Support and resources > API clients and keys.
  2. Click Create API client.
  3. Add the following scopes for using the CrowdStrike CRE plugin, and then click Save.

     API Scope Permissions

     Scope                        Read   Write
     Hosts                        Yes    No
     Real time response (admin)          Yes
     Real time response           Yes    No
     Zero Trust Assessment        Yes

  4. Make a note of the Client ID and Secret. These are needed to configure the plugin.

Add a Permission for a Response Policy (RTR script Permission)

  1. Log in to the Falcon CrowdStrike UI.
  2. Click the menu button in the top left corner, and go to Host setup and management > Response policies.
  3. For Windows, go to the policy that is to be used, and click the policy name.
  4. Enable these permissions.

Response Policy Permissions

Category             Type                 Permission       Status
Real Time Response   Custom Scripts       Falcon Scripts   Enable
Real Time Response   High risk commands   put              Enable

Also, refer to the below screenshot.

Or you can directly go to your Host from Host setup and management > Host management. Click on your hostname and scroll down to Response Policy info, and then click on the policy name from the left pop-up menu.

Configure the CrowdStrike Plugin

  1. Log in to Cloud Exchange and go to Settings > Plugins. Search for and select the CrowdStrike v1.0.0 (CRE) plugin box.
  2. For Basic Information, add a plugin configuration name, and change the sync interval if needed. 
  3. Click Next. For Configuration Parameters, enter the Base URL, Client ID, Client Secret, and Maximum Score (the plugin only fetches Hosts whose score is less than or equal to the Maximum Score).
  4. Click Next. Select the Entity from the Entity dropdown, and then provide the field mappings as per your need.
    Note that the Host ID field is required to pull the hosts and to perform actions on the Hosts.
  5. Click Save.

Add a Risk Exchange Business Rule for CrowdStrike

  1. In Risk Exchange go to Business Rules.
  2. Click Create New Rule in the top right corner.
  3. Enter a Rule Name. Select the Entity for the Fields that were configured for the CrowdStrike plugin, and then configure the query based on your requirements. This example fetches all the Hosts pulled by the CrowdStrike plugin.
  4. Click Save.

Add Risk Exchange Actions for CrowdStrike

This CrowdStrike plugin supports the following two action types:

  • Put RTR Script: Puts a file on each host; the file name depends on the host's score.
  • No Action: No action is performed on the host. Use this action with the Generate Alert toggle enabled to generate UBA alerts in CTO.

Note that you can perform the actions on the hosts pulled from CrowdStrike on the Netskope Tenant.

Put RTR Script Action

  1. In Cloud Exchange, go to Actions and click Add Action Configuration.
  2. Select a Business Rule and Configuration (your plugin).
  3. For Action, select Put RTR Script and choose the Action Parameters from their respective dropdowns.
  4. Enable the Require Approval toggle if approval is needed before performing the action on the Hosts.
    Notes:
    • If Static is selected in the Score dropdown and a value is provided, the provided value is used as the score when performing the Put RTR Script action.
    • The field mapped to Host ID while configuring the plugin is required to perform the action on the Hosts.
  5. Click Save.

No Action

  1. Go to Actions and click Add Action Configuration.
  2. Select a Business Rule and Configuration (your plugin).
  3. For Action, select No Action from the dropdown, and if you want, enable the Generate Alert toggle button to generate alerts in the CTO module.
  4. Enable the Require Approval toggle if approval is needed before performing the action on the Users.
  5. Click Save.

Validate the CrowdStrike Plugin

Validation in Cloud Exchange

To validate the pulling in Cloud Exchange:

  1. In Risk Exchange, go to Records and select the Entity that was selected while configuring the field mappings for Hosts to view the pulled Hosts.
  2. Go to Logging and search for the logs of the plugin.
  3. In Logging, verify the action performed for a host when the action is performed on a Mac/Windows machine.
  4. When a user matches one of the configured business rules, the configured action is performed on that user. This can be seen at Risk Exchange > Action Logs.

Validate in CrowdStrike

The Hosts are pulled from the Host setup and management > Host management page on the CrowdStrike platform.

If you want to validate the Put RTR Script action, and check the file added on the Host machine, here is the workflow.

Workflow

Step 1: Check Host Existence
When the action is triggered, the plugin first checks whether the Host with the given Host ID exists on the CrowdStrike platform.
Step 2: Evaluate the Host Presence

  • If the Host does not exist, the plugin does not perform any further action and raises a warning.
  • If the Host exists, the plugin proceeds with the following operations.

Step 3: Create Score Files on the RTR Cloud
The plugin creates a file for each risk score range on the RTR cloud.
For example, if the score is between 1 and 25, the file is named crwd_zta_1_25.txt.
Note that if a file with the same name already exists, the API will not create a new one.
Step 4: Establish a Host Session
After the necessary files are created, the plugin initiates a session with the Host using the Host ID.
Step 5: Retrieve a Host OS
The plugin fetches the operating system (OS) information for the respective Host.
Step 6: Change the Directory Based on OS

  • Depending on the Host's OS, the plugin sends an API call to change the directory to the appropriate location.
    • For Mac: cd "/Library/Application Support/Netskope/STAgent"
    • For Windows: cd "/Program Files (x86)/Netskope/STAgent"
  • The plugin waits up to 5 minutes for the command to execute. If it takes longer, a timeout error is raised. This timeout applies to commands in steps 6, 7, and 8.

Step 7: Check if the file removal script for the OS is present on the RTR Cloud

  • In order to remove the existing files from the host machine, the plugin needs to check whether the removal script already exists on the RTR cloud.
  • As the Put RTR Script action supports Windows and macOS, the files Windows Score File Removal Script and Mac Score File Removal Script should be present on the RTR cloud.

Step 8: Create a script if it does not exist on the RTR cloud
If the script for the respective OS does not exist on the RTR cloud, the plugin creates one.
Step 9: Remove existing files from host machine
Execute the script for the respective OS for the host machine to remove the existing files.
Step 10: Upload New Score File

  • After removing old score files, the plugin performs a PUT command to upload the new score file.
  • If the existing score was 12 (requiring crwd_zta_1_25.txt), and the score changes to 48, the new file (crwd_zta_26_50.txt) is uploaded.

Step 11: Delete Host Session
After completing all the steps, the plugin deletes the session created with the Host to free resources and ensure proper cleanup.
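The workflow above, modelled as an added example (not the Netskope plugin's or CrowdStrike's code): the RTR cloud and the host are replaced by in-memory stand-ins, and the 51-75 and 76-100 score buckets are an assumption extending the two file names the page shows.

```python
"""Simulation of the Put RTR Script workflow (Steps 1-11).
Constructed example: the Falcon/RTR API is replaced by an in-memory model
so only the decision logic is illustrated."""
from dataclasses import dataclass, field

# Assumption: ZTA scores fall into four 25-point ranges over 1..100;
# the page itself only shows the 1-25 and 26-50 file names.
BUCKETS = [(1, 25), (26, 50), (51, 75), (76, 100)]
# Agent directories used in Step 6 (from the page); Linux is unsupported.
AGENT_DIR = {"Mac": "/Library/Application Support/Netskope/STAgent",
             "Windows": "/Program Files (x86)/Netskope/STAgent"}


def score_file_name(score: int) -> str:
    """Map a ZTA score to its score file name, e.g. 12 -> crwd_zta_1_25.txt."""
    for lo, hi in BUCKETS:
        if lo <= score <= hi:
            return f"crwd_zta_{lo}_{hi}.txt"
    raise ValueError(f"score {score} is outside 1-100")


@dataclass
class Host:                      # constructed stand-in for a Falcon host
    os: str
    files: set = field(default_factory=set)   # files in the agent directory


@dataclass
class RtrCloud:                  # constructed stand-in for the RTR cloud
    hosts: dict
    files: set = field(default_factory=set)    # score files (Step 3)
    scripts: set = field(default_factory=set)  # removal scripts (Steps 7-8)


def put_rtr_script(cloud: RtrCloud, host_id: str, score: int) -> str:
    """Run Steps 1-11 and return a status string for the action log."""
    host = cloud.hosts.get(host_id)
    if host is None:                              # Steps 1-2: host missing
        return f"warning: host {host_id} not found"
    name = score_file_name(score)
    cloud.files.add(name)                         # Step 3: a set is idempotent
    if host.os not in AGENT_DIR:                  # Steps 4-6: session, OS, cd
        return f"error: unsupported OS {host.os}"
    cloud.scripts.add(f"{host.os} Score File Removal Script")  # Steps 7-8
    host.files = {f for f in host.files if not f.startswith("crwd_zta_")}  # Step 9
    host.files.add(name)                          # Step 10: PUT the new file
    return f"ok: {name} placed in {AGENT_DIR[host.os]}"  # Step 11: session closed
```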

Steps to Validate an Action on CrowdStrike

  1. In CrowdStrike, go to Host setup and management > Host management.
  2. Search for your Host using your Host Name or Host ID. Click on the Hostname.
  3. From the left popup menu, click on the Settings icon > Connect to Host.

To check the file added on the Host, go to the below path after connecting to the Host and check the respective score file created.

  • For Windows: C:\Program Files (x86)\Netskope\STAgent
  • For Mac: /Library/Application Support/Netskope/STAgent

Troubleshoot the CrowdStrike Plugin

Unable to configure the CrowdStrike plugin

If you are unable to configure the CrowdStrike plugin, it could be due to one of these reasons:

  • An incorrect Client ID or Client Secret was provided.
  • The provided credentials don't have sufficient permissions.

To resolve these issues, follow these steps:

  1. To get the Client ID, Client Secret, follow the steps in Get your Client ID and Client Secret.
  2. To provide proper permissions to the configuration parameter, follow the steps in Add a Permissions for a Response Policy.

Unable to pull Hosts

If you are unable to pull Hosts from the CrowdStrike plugin, it could be due to one of these reasons:

  • No Hosts are present on the CrowdStrike platform.
  • An error is received while pulling Hosts from the platform.
  • Mapping is not added while configuring the plugin in the entity source page.

To resolve these issues, follow these steps:

  1. Check whether Hosts exist on the CrowdStrike platform.
  2. Receiving 500 error: The server might be down. Wait for a while and check later.
  3. Receiving 403 error: The plugin configuration parameter does not have sufficient permissions or the credentials no longer exist. Verify the permissions for the Client ID and Secret.
  4. If there is no error in the logs, the hosts might not be available on the Platform to pull. Check the Hosts available on CrowdStrike and confirm the same.
  5. Make sure that the mapping is added and the Host ID field is mapped while configuring the plugin.

Unable to fetch the scores of pulled Hosts

If you are not able to pull scores for all or some Hosts from the Platform, it could be due to one of these reasons:

  • The Maximum Score value provided in the plugin configuration is lower than the scores of the Hosts.
  • The score field is not mapped while configuring the plugin.

To resolve these issues, follow these steps:

  1. Check the plugin configuration parameter page and increase the value of Maximum Score, since the plugin only pulls Hosts whose score is less than or equal to the value in the Maximum Score field.
  2. Make sure to map the overallAssessmentScore field to get scores pulled.

Unable to View Host details on the Record

If you are unable to view Hosts details on the record table, it could be due to one of these reasons:

  • Mapping for all the CrowdStrike fields is not provided while configuring the CRE CrowdStrike plugin.
  • Pulled Hosts are displayed in a row with comma separated values.

To resolve these issues, follow these steps:

  1. Make sure to provide the needed mapping while configuring the plugin.
  2. Make sure that the fields created in an entity are according to the mappings.

Unable to perform action on the Hosts

If you are unable to perform action on the Host, it could be due to one of these reasons:

  • Insufficient permission was provided for the action.
  • Receiving error while performing an action.
  • Host is not present on the CrowdStrike Platform.
  • “Require Approval” toggle button is enabled while configuring the Action, and request is not approved.

To resolve these issues, follow these steps:

  1. Insufficient permission was provided for the action. Verify if the RTR script permission is provided.
  2. If the host machine is down or does not exist, the plugin won’t be able to successfully perform the put RTR Script action. Verify that the host is accessible.
  3. If the host is Linux, the action won’t be performed, since Linux is NOT a supported OS.
  4. If too many actions are performed on a host, you might run into a 425 error, which will add the action to the queue. You should wait for a while before retrying to perform the action.
  5. Go to the CrowdStrike Platform, verify if the host on which action needs to be performed is present or not.
  6. Go to Action Logs, select the logs that you want to approve the requests for and click on the approve icon, or disable the Require Approval toggle from the configured action, and then perform the action again.