CrowdStrike v1.0.0 Plugin for Risk Exchange
CrowdStrike v1.0.0 Plugin for Risk Exchange
This document explains how to configure the CrowdStrike v1.0.0 plugin with the Risk Exchange module of the Netskope Cloud Exchange platform. This plugin fetches hosts and their respective ZTA scores from the Host Setup and Management > Host Management page on the CrowdStrike tenant. It also supports the Put RTR Script action on hosts.
Netskope normalization score calculation = CrowdStrike host assessment overall score * 10.
Prerequisites
To complete this integration, you need:
- A Netskope tenant (or multiple, for example, production and development/test instances).
- A Netskope Cloud Exchange tenant with the Tenant plugin and Risk Exchange module already configured.
- CrowdStrike instance credentials (Client ID, Client Secret) for the API Token.
- CrowdStrike Real-Time Response Administrator role for Put RTR Script action.
- For each platform (Windows, Mac), there should be a response policy with Real-Time Response (High-Risk Commands) enabled.
- Connectivity to the following host: https://falcon.crowdstrike.com.
CE Version Compatibility
Netskope CE v5.1.0
CrowdStrike Plugin Support
This plugin fetches hosts and their respective ZTA scores from the CrowdStrike tenant. It also supports the Put RTR Script action on hosts.
Type of data pulled | Hosts |
Actions Supported |
|
Mappings
Mappings are used to view the pulled Hosts and their respective details. Fields mapped during the plugin configuration will be visible on the Records page after the data is pulled. Here are the suggested mappings to use while configuring the plugin.
Pull Mapping for Hosts
Plugin Field Label | Expected Data Type | Suggested Field Label | Suggested Aggregate Strategy |
---|---|---|---|
Host ID | String | Agent ID | Unique |
System Serial Number | String | System Serial Number | Overwrite |
Overall Assessment Score | Number | Overall Assessment Score | Overwrite |
Netskope Normalized Score | Number | Normalized Score | Overwrite |
Score to file mapping (for action put RTR Script)
These mappings are considered when the action Put RTR Script is performed on the Hosts. A file will be created on the Host machine on the behalf of the performed action. The name of the file depends on the configuration you done on the Action Configuration. If any static value of score is provided, a file name will be dependent on that, and if a business rule is used, then the file name will depend on the score pulled for the Hosts.
Score | File Name |
---|---|
Less than 26 | crwd_zta_1_25.txt |
26 to 51 | crwd_zta_26_50.txt |
51 to 76 | crwd_zta_51_75.txt |
76 to 100 | crwd_zta_76_100.txt |
Permissions
API Scope Permissions
Refer to the Get Client ID and Client Secret section for obtaining and providing API scopes permissions.
Read
Scope | Read | Write |
---|---|---|
Hosts | Yes | No |
Real time response (admin) | – | Yes |
Real time response | Yes | No |
Zero Trust Assessment | Yes | – |
Response Policy Permissions
Refer to Add Permission for Response Policy (RTR script Permission) section for obtaining and providing Response Policy permissions.
Category | Type | Permission | Status |
---|---|---|---|
Real Time Response | Custom Scripts | Falcon Scripts | Enable |
Real Time Response | High risk commands | put | Enable |
Note: Response policy permissions are only needed when you want to use the Put RTR Script action.
API Details
List of APIs Used
API Detail | Method | Endpoint | API Scope |
---|---|---|---|
Get auth token | POST | /oauth2/token | None |
Fetch Records | GET | /devices/queries/devices-scroll/v1 | Hosts (Read) |
Fetch Scores | GET | /zero-trust-assessment/entities/assessments/v1 | Zero Trust Assessment (Read) |
Put file on RTR cloud | POST | /real-time-response/entities/put-files/v1 | Real time response admin (Write) |
Get platform name | POST | /devices/entities/devices/v2 | Hosts (Read) |
Check Script Existence | GET | /real-time-response/queries/scripts/v1 | Real time response (Read) |
Create Score Files Removal Script on RTR Cloud | POST | /real-time-response/entities/scripts/v1 | Real time response admin (Write) |
Get session ID | POST | /real-time-response/entities/sessions/v1 | Real time response (Read) |
Change directory | POST | /real-time-response/entities/admin-command/v1 | Real time response admin (Write) |
Remove file from device | POST | /real-time-response/entities/admin-command/v1 | Real time response admin (Write) |
Get status of command | GET | /real-time-response/entities/admin-command/v1 | Real time response admin (Write) |
Put the file on device | POST | /real-time-response/entities/admin-command/v1 | Real time response admin (Write) |
Delete the session | DELETE | /real-time-response/entities/sessions/v1 | Real time response (Read) |
Get Auth Token
API Endpoint: /oauth2/token
Method: POST
Parameter
Key | Value |
---|---|
grant_type | client_credentials |
client_id | <Client ID> |
client_secret | <Client Secret> |
Sample API Response
{ "access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6InB1YmxpYzphNDdiNTc2MS0zYzk3LTQwMmItOTgzNi0wNmNhODI0NTViOTMiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOltdLCJjbGllbnRfaWQiOiJlZTA5YTc3MjAwNzc0MzYwOTlhYTM5N2M2MTJlYTQzYiIsImV4cCI6MTcwMzI0MDQzOSwiZXh0Ijp7InN1Yl90eXBlIjoiY2xpZW50In0sImlhdCI6MTcwMzIzODYzOSwiaXNzIjoiaHR0cHM6Ly9hcGkuY3Jvd2RzdHJpa2UuY29tLyIsImp0aSI6ImQ5ZTlmZWI4LTM0ODAtNDM2NC1hYzI2LTBhZjgzNDdlOWY2OSIsIm5iZiI6MTcwMzIzODYzOSwic2NwIjpbXSwic3ViIjoiZWUwOWE3NzIwMDc3NDM2MDk5YWEzOTdjNjEyZWE0M2IiLq_wgw5-EAB-hHiRB-coF2Yy_PeP-8IvjWQVIjlDJrRmRQ-s-NmAkm8XaG9GojFZvaT-sufiBxKEDmpdntABNkEG1fcbVvd7tVW-vi36PFPoc3p1t4sbaMhf9_Kts8iAHsv6BudVyFsPhPAreGc2OXUFT39ZvuDTN5BxOFiPT_9_gadXt-7N*************************************************************************************", "expires_in": 1799, "token_type": "bearer" }
Fetch Records
API endpoint: /devices/queries/devices-scroll/v1
Method: GET
Parameters
Key | Value |
---|---|
limit | 5000 |
offset | “” |
Headers
Key | Value |
---|---|
Authorization | Bearer <Bearer Token> |
User-Agent | netskope-ce-5.1.0-cre-crowdstrike/1.0.0 |
Sample API Response
{ "meta": { "query_time": 0.025422559, "pagination": { "offset": 1, "limit": 1, "total": 21 }, "powered_by": "device-api", "trace_id": "5f1a1eeb-9d8b-4412-8523-0fc933a0bf6f" }, "resources": [ "89b9743fcb6b4ccaa09600ac5204bac4" ], "errors": [] }
Fetch Scores
API Endpoint: /zero-trust-assessment/entities/assessments/v1
Method: GET
Parameters
Key | Value |
---|---|
ids | [<Host Ids>] |
Headers
Key | Value |
---|---|
Authorization | Bearer <Bearer Token> |
User-Agent | netskope-ce-5.1.0-cre-crowdstrike/1.0.0 |
Sample API Response
{ "meta": { "query_time": 0.003210238, "trace_id": "ba076fd9-7340-49f3-a9a2-41b6f2eb94d9" }, "errors": [], "resources": [ { "aid": "e039334e8b0e4747bdfc7a29406ec8e1", "cid": "c17f3a80ded0418eb107db3d26a27983", "system_serial_number": "FVHX2HEDJ1WK", "event_platform": "Mac", "product_type_desc": "Workstation", "modified_time": "2024-05-01T08:42:07Z", "sensor_file_status": "confirmed", "assessment": { "sensor_config": 66, "os": 72, "overall": 68, "version": "3.8.1" }, "assessment_items": { "os_signals": [ { "signal_id": "mac_os_version", "signal_name": "macOS Version", "group_name": "macOS", "criteria": "macOS version is ≥11.0", "meets_criteria": "yes" } ], "sensor_signals": [ { "signal_id": "ml_cloud_antimalware_detection_mac", "signal_name": "Cloud ML - Cloud Anti-malware - Detection for macOS", "group_name": "Prevention", "criteria": "Cloud ML - Cloud Anti-malware Detection: set to Aggressive or higher", "meets_criteria": "yes" }, ] } } ] }
Put a File on the RTR Cloud
API Endpoint: /real-time-response/entities/put-files/v1
Method: POST
Headers
Key | Value |
---|---|
Authorization | Bearer <Bearer Token> |
User-Agent | netskope-ce-5.1.0-cre-crowdstrike/1.0.0 |
Data
{ "description": "file representing a ZTA score of 1_25", "name": "crwd_zta_1_25.txt", "comments_for_audit_log": "uploade file representing a ZTA score of 1_25 for Netskope ZTA-RTR integration" }
Sample API Response
{ "meta": { "query_time": 0.536670425, "writes": { "resources_affected": 1 }, "powered_by": "empower-api", "trace_id": "d4bddc66-83fd-4875-9016-a17899fd83ba" } }
Check Script Existence
API Endpoint: /real-time-response/queries/scripts/v1
Method: GET
Headers
Key | Value |
---|---|
Authorization | Bearer <Bearer Token> |
User-Agent | netskope-ce-5.1.0-cre-crowdstrike/1.0.0 |
Parameters
Key | Value |
---|---|
filter | name: ‘<Script name>’ |
API Response
{ "meta": { "query_time": 0.025087906, "pagination": { "offset": 0, "limit": 100, "total": 1 }, "powered_by": "empower-api", "trace_id": "0e9ccedb-58c9-44a9-842c-620977f096b1" }, "resources": [ "bab3f0ff134311efb74642cd23408b64_ee09a7720077436099aa397c612ea43b" ] }
Create Score Files Removal Script on the RTR Cloud
API Endpoint: /real-time-response/entities/scripts/v1
Method: POST
Headers
Key | Value |
---|---|
Authorization | Bearer <Bearer Token> |
User-Agent | netskope-ce-5.1.0-cre-crowdstrike/1.0.0 |
Data
Key | Value |
---|---|
name | Name of script |
permission_type | public |
description | Description for file. |
Files
Upload the script file.
For python script add below tuple in files parameter for requests
[ ( "file", ( "", file, "application/octet-stream", ), ) ]
API Response
{ "meta": { "query_time": 0.947792627, "writes": { "resources_affected": 1 }, "powered_by": "empower-api", "trace_id": "eed1850a-0c07-488a-b36d-a70d5e904d71" } }
Get a Platform Name
API Endpoint: /devices/entities/devices/v2
Method: GET
Headers
Key | Value |
---|---|
Authorization | Bearer <Bearer Token> |
User-Agent | netskope-ce-5.1.0-cre-crowdstrike/1.0.0 |
Parameters
Key | Value |
---|---|
Ids | [<Host ID>] |
API Response
{ "meta": { "query_time": 0.001626152, "powered_by": "device-api", "trace_id": "8adcbd8a-40cd-4086-8e5d-5d3962fb1073" }, "resources": [ { "device_id": "d2abab7b4c6a4d9998b298b19bbda31f", "cid": "c17f3a80ded0418eb107db3d26a27983", "agent_load_flags": "0", "agent_local_time": "2023-12-22T11:19:53.929Z", "agent_version": "7.05.17603.0", "bios_manufacturer": "Apple Inc.", "bios_version": "515.0.0.0.0", "config_id_base": "65994753", "config_id_build": "17603", "config_id_platform": "4", "cpu_signature": "526057", "external_ip": "117.217.127.213", "mac_address": "dc-a9-04-99-43-aa", "hostname": "ITs-MacBook-Pro.local", "first_seen": "2023-12-18T08:46:57Z", "last_login_timestamp": "2023-12-21T08:00:38Z", "last_login_user": "it", "last_login_uid": "501", "last_login_user_sid": "S-1-5-21-1276927669-3124867281-3856135234-2002", "last_seen": "2023-12-22T11:46:27Z", "local_ip": "172.20.10.87", "major_version": "22", "minor_version": "6", "os_version": "Ventura (13)", "os_build": "22G120", "platform_id": "1", "platform_name": "Mac", "policies": [ { "policy_type": "prevention", "policy_id": "e17fdf411592409794d748e907da9967", "applied": true, "settings_hash": "528b286b", "assigned_date": "2023-12-18T08:48:02.464865254Z", "applied_date": "2023-12-18T08:48:08.608666735Z", "rule_groups": [] } ], "reduced_functionality_mode": "yes", "device_policies": { "prevention": { "policy_type": "prevention", "policy_id": "e17fdf411592409794d748e907da9967", "applied": true, "settings_hash": "528b286b", "assigned_date": "2023-12-18T08:48:02.464865254Z", "applied_date": "2023-12-18T08:48:08.608666735Z", "rule_groups": [] }, "sensor_update": { "policy_type": "sensor-update", "policy_id": "766825ba2e2847f8a9134f7f48f44214", "applied": true, "settings_hash": "tagged|3;101", "assigned_date": "2023-12-18T09:00:47.465877148Z", "applied_date": "2023-12-18T09:03:49.721523878Z", "uninstall_protection": "ENABLED" }, "device_control": { "policy_type": "device-control", "policy_id": "6e4a89125c4343f3ab42cbf2fa482702", "applied": true, "assigned_date": "2023-12-18T08:48:02.464932037Z", "applied_date": "2023-12-18T08:49:48.770860727Z" }, "global_config": { "policy_type": "globalconfig", "policy_id": "e2289d74264744f38e62d1146b13189d", "applied": true, "settings_hash": "1fda691c", "assigned_date": "2023-12-22T11:20:01.358167731Z", "applied_date": "2023-12-22T11:21:05.552056147Z" }, "remote_response": { "policy_type": "remote-response", "policy_id": "70d43a45f67149e8b54c8d80ac00df10", "applied": true, "settings_hash": "797eb425", "assigned_date": "2023-12-18T08:48:02.464926863Z", "applied_date": "2023-12-18T08:48:08.689092082Z" }, "firewall": { "policy_type": "firewall", "policy_id": "b1a5ff10a3c44f66a47c7f08f2e372e5", "applied": true, "assigned_date": "2023-12-18T08:48:02.464940776Z", "applied_date": "2023-12-18T08:48:08.752377285Z", "rule_set_id": "b1a5ff10a3c44f66a47c7f08f2e372e5" } }, "groups": [], "group_hash": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "product_type_desc": "Workstation", "provision_status": "Provisioned", "serial_number": "C02V10FEHV2T", "status": "normal", "system_manufacturer": "Apple Inc.", "system_product_name": "MacBookPro14,2", "tags": [], "modified_timestamp": "2023-12-22T11:46:35Z", "meta": { "version": "110", "version_string": "6:10864108136" }, "kernel_version": "22.6.0", "chassis_type": "9", "chassis_type_desc": "Laptop" } ], "errors": null }
Get a Session ID
API Endpoint: real-time-response/entities/sessions/v1
Method: POST
Headers
Key | Value |
---|---|
Authorization | Bearer <Bearer Token> |
User-Agent | netskope-ce-5.1.0-cre-crowdstrike/1.0.0 |
Content-Type | application/json |
Data
Key | Value |
---|---|
device_id | <Device ID> |
origin | Netskope |
queue_offline | True |
Sample API Response
{ "meta": { "query_time": 0.315515137, "powered_by": "empower-api", "trace_id": "0483a37f-896b-4bb3-bf1e-8f8b3618a2e2" }, "resources": [ { "session_id": "a26ad68e-1272-482b-95b5-78ee27344d80", "scripts": [ { "command": "cat", "description": "Read a file from disk and display as ASCII", "examples": "cat foo.txt\r\ncat -n foo.txt\r\ncat -t foo.txt\r\ncat -t -n foo.txt", "internal_only": false, "runnable": true, "sub_commands": [], "args": [ { "id": 582, "created_at": "2019-07-03T18:52:15Z", "updated_at": "2019-07-03T18:52:15Z", "script_id": 527, "arg_type": "arg", "data_type": "string", "requires_value": false, "arg_name": "Path", "description": "path to cat", "default_value": "", "required": true, "sequence": 1, "options": null, "encoding": "", "command_level": "non-destructive" }, { "command": "getsid", "description": "Enumerate local users and Security Identifiers (SID)", "examples": "getsid\r\n List all users and associated SIDs\r\ngetsid foo\r\n List users and associated SIDs matching substring \"foo\"", "internal_only": false, "runnable": true, "sub_commands": [], "args": [ { "id": 661, "created_at": "2020-04-02T03:31:02Z", "updated_at": "2020-04-02T03:31:02Z", "script_id": 557, "arg_type": "arg", "data_type": "string", "requires_value": false, "arg_name": "UserName", "description": "Partial or full username to filter results", "default_value": "", "required": false, "sequence": 1, "options": null, "encoding": "", "command_level": "non-destructive" } ] }, { "command": "ls", "description": "Display the contents of the specified path", "examples": "ls\r\nls -l\r\nls -L\r\nls -t\r\nls -l -@\r\nls -R\r\nls -l -R\r\nls -l -t -R -L", "internal_only": false, "runnable": true, "sub_commands": [], "args": [ { "id": 576, "created_at": "2019-07-03T18:51:13Z", "updated_at": "2019-07-03T18:51:13Z", "script_id": 526, "arg_type": "arg", "data_type": "string", "requires_value": false, "arg_name": "Path", "description": "Path ", "default_value": ".", "required": false, "sequence": 1, "options": null, "encoding": "", "command_level": "non-destructive" } ] }, { "command": "mount", "description": "List or mount filesystem volumes", "examples": "Executable by all RTR roles:\r\nmount\r\nExecutable by privileged RTR users only:\r\nmount -t=nfs \"host:/exports/filesystem\" \"/mnt/filesystem\"\r\n Mount the NFS filesystem located at \"/exports/filesystem\" on \"host\" to the local destination \"/mnt/filesystem\"\r\nmount -t=smbfs \"//user:password@host/filesystem\" \"/mnt/mountpoint\"\r\n Mount the SMB \"/filesystem\" on \"host\" as \"user\" with \"password\" to \"/mnt/mountpoint\"\r\nmount -t=smbfs -o=nobrowse \"//user:password@host/filesystem\" \"/mnt/mountpoint\"\r\n Mount the SMB \"/filesystem\" with option \"nobrowse\" on \"host\" as \"user\" with \"password\" to \"/mnt/mountpoint\"", "internal_only": false, "runnable": true, "sub_commands": [], "args": [] }, { "command": "netstat", "description": "Display routing information or network connections", "examples": "netstat\r\nnetstat -nr", "internal_only": false, "runnable": true, "sub_commands": [], "args": [ { "id": 973, "created_at": "2023-11-20T23:23:37Z", "updated_at": "2023-11-20T23:23:37Z", "script_id": 539, "arg_type": "flag", "data_type": "string", "requires_value": false, "arg_name": "n", "description": "Flag to show network addresses as numbers", "default_value": "", "required": false, "sequence": 2, "options": null, "encoding": "", "command_level": "non-destructive" } ] }, { "command": "users", "description": "Get details about local users", "examples": "users\r\n List details about all local users\r\nusers foo\r\n List details about local user \"foo\"", "internal_only": false, "runnable": true, "sub_commands": [], "args": [ { "id": 679, "created_at": "2020-04-02T03:31:12Z", "updated_at": "2020-04-02T03:31:12Z", "script_id": 565, "arg_type": "arg", "data_type": "string", "requires_value": false, "arg_name": "UserName", "description": "Username to filter results", "default_value": "", "required": false, "sequence": 1, "options": null, "encoding": "", "command_level": "non-destructive" } ] } ], "existing_aid_sessions": 1, "created_at": "2023-12-22T15:47:24.904481922Z", "offline_queued": true } ], "errors": null }
Change a Directory
API Endpoint: /real-time-response/entities/admin-command/v1
Method: POST
Headers
Key | Value |
---|---|
Authorization | Bearer <Bearer Token> |
User-Agent | netskope-ce-5.1.0-cre-crowdstrike/1.0.0 |
Data
Key | Value |
---|---|
base_command | cd |
command_string | cd “/Library/Application Support/Netskope/STAgent” or cd “C:\Program Files (x86)\Netskope\STAgent” |
persist | True |
session_id | 30b171e9-26ca-4856-b00e-10d5c4be765e |
Sample API Response
{ "meta": { "query_time": 0.052249291, "powered_by": "empower-api", "trace_id": "ebb0457c-1000-4607-99c5-85fd2c2aae91" }, "resources": [ { "session_id": "30b171e9-26ca-4856-b00e-10d5c4be765e", "cloud_request_id": "399d6ed9-e2c5-4e72-8618-97515f69dc72", "queued_command_offline": false } ], "errors": null }
Put a File on a Device
API Endpoint: /real-time-response/entities/admin-command/v1
Method: POST
Headers
Key | Value |
---|---|
Authorization | Bearer <Bearer Token> |
User-Agent | netskope-ce-5.1.0-cre-crowdstrike/1.0.0 |
Data
Key | Value |
---|---|
base_command | put |
command_string | put crwd_zta_1_25.txt |
persist | True |
session_id | <Session ID> |
Sample API Response
{ "meta": { "query_time": 0.052249291, "powered_by": "empower-api", "trace_id": "ebb0457c-1000-4607-99c5-85fd2c2aae91" }, "resources": [ { "session_id": "30b171e9-26ca-4856-b00e-10d5c4be765e", "cloud_request_id": "399d6ed9-e2c5-4e72-8618-97515f69dc72", "queued_command_offline": false } ], "errors": null }
Remove a File from a Device
API Endpoint: /real-time-response/entities/admin-command/v1
Method: POST
Headers
Key | Value |
---|---|
Authorization | Bearer <Bearer Token> |
User-Agent | netskope-ce-5.1.0-cre-crowdstrike/1.0.0 |
Data
Key | Value |
---|---|
base_command | rm |
command_string | rm crwd_zta_1_25.txt |
persist | True |
session_id | 30b171e9-26ca-4856-b00e-10d5c4be765e |
Sample API Response
{ "meta": { "query_time": 0.052249291, "powered_by": "empower-api", "trace_id": "ebb0457c-1000-4607-99c5-85fd2c2aae91" }, "resources": [ { "session_id": "30b171e9-26ca-4856-b00e-10d5c4be765e", "cloud_request_id": "399d6ed9-e2c5-4e72-8618-97515f69dc72", "queued_command_offline": false } ], "errors": null }
Get a Command Status
API Endpoint: /real-time-response/entities/admin-command/v1
Method: GET
Headers
Key | Value |
---|---|
Authorization | Bearer <Bearer Token> |
User-Agent | netskope-ce-5.1.0-cre-crowdstrike/1.0.0 |
Parameters
Key | Value |
---|---|
cloud_request_id | 399d6ed9-e2c5-4e72-8618-97515f69dc72 |
sequence_id | 0 |
Sample API Response
{ "meta": { "query_time": 0.30452861, "powered_by": "empower-api", "trace_id": "f2fbc47d-a6e5-4ddf-9bb0-778fd7b32017" }, "resources": [ { "session_id": "30b171e9-26ca-4856-b00e-10d5c4be765e", "task_id": "399d6ed9-e2c5-4e72-8618-97515f69dc72", "complete": true, "stdout": "", "stderr": "/Library/Application Support/Netskope/STAgent does not exist\n", "base_command": "cd" } ], "errors": [] }
Delete a Session
API Endpoint: /real-time-response/entities/sessions/v1
Method: DELETE
Headers
Key | Value |
---|---|
Authorization | Bearer <Bearer Token> |
User-Agent | netskope-ce-5.1.0-cre-crowdstrike/1.0.0 |
Content-Type | application/json |
Parameter
Key | Value |
---|---|
session_id | 30b171e9-26ca-4856-b00e-10d5c4be765e |
Sample API Response
Status code: 204 No Content
Performance Matrix
Here is the performance matrix conducted on a Large CE Stack with these specifications by pulling 500K applications.
Stack Size | Large RAM: 32 GB Core: 16 |
Time taken to store the pulled and updated host records | ~20 mins |
User Agent
netskope-ce-5.1.0-cre-crowdstrike/1.0.0
Workflow
- Get your Client ID and Client Secret.
- Add Permission for the RTR Script.
- Configure the CrowdStrike plugin.
- Add a Business Rule.
- Add Actions.
- Validate the plugin.
Click play to watch a video.
Get your Client ID and Client Secret
- Log in to CrowdStrike and go to the menu Icon > Support and resources > API clients and keys.
- Click Create API client.
- Add the following scopes for using the CrowdStrike CRE plugin, and then click Save.
API Scope Permissions
Scope Read Write Hosts Yes No Real time response (admin) – Yes Real time response Yes No Zero Trust Assessment Yes – - Make a Note of the Client ID and Secret. These are needed to configure the plugin.
Add a Permission for a Response Policy (RTR script Permission)
- Log in to Falcon CrowdStrike UI.
- Click on the menu button in the top left corner, and go to Host setup and management > Response policies.
- For Windows, go to the policy that is to be used, and click on the policy Name.
- Enable these permissions.
Response Policy Permissions
Category | Type | Permission | Status |
Real Time Response | Custom Scripts | Falcon Scripts | Enable |
Real Time Response | High risk commands | put | Enable |
Also, refer to the below screenshot.
Or you can directly go to your Host from Host setup and management > Host management. Click on your hostname and scroll down to Response Policy info, and then click on the policy name from the left pop-up menu.
Configure the CrowdStrike Plugin
- Log in to Cloud Exchange and go to Settings > Plugins. Search for and select the CrowdStrike v1.0.0 (CRE) plugin box.
- For Basic Information, add a plugin configuration name, and change the sync interval if needed.
- Click Next. For Configuration Parameters, enter the Base URL, Client ID, Client Secret, and Maximum Score (Maximum Score is the configuration parameter through which the plugin fetches scores of Hosts less than or equal to a given value).
- Click Next. Select the Entity from the Entity dropdown, and then provide the field mappings as per your need.
Note that the Host ID field will be required to pull the hosts and to perform action on the Hosts. - Click Save.
Add a Risk Exchange Business Rule for CrowdStrike
- In Risk Exchange go to Business Rules.
- Click Create New Rule in the top right corner.
- Enter a Rule Name. Select the Entity for the Fields that were configured for the CrowdStrike plugin, and then configure the query based on your requirements. The this example fetches all the Hosts fetched from the CrowdStrike plugin.
- Click Save.
Add Risk Exchange Actions for CrowdStrike
This CrowdStrike plugin supports the following two action types:
- Put RTR Script: The Put RTR Script action will put a file on the host depending on their respective score.
- No Action: No action will be performed for this action. Users can generate UBA alerts in CTO by using this action and enabling the generate alerts toggle button.
Note that you can perform the actions on the hosts pulled from CrowdStrike on the Netskope Tenant.
Put RTR Script Action
- In Cloud Exchange, go to Actions and click Add Action Configuration.
- Select a Business Rule and Configuration (your plugin).
- For Action, select Put RTR Script and chose the Action Parameters from their respective dropdowns.
- Enable the Require Approval toggle if approval is needed before performing action on the Hosts.
Notes:- If Static is selected in the Score dropdown, and a value is provided, then the provided value will be considered as score while performing the Put RTR Script action.
- Fields mapped with the Host ID while configuring the plugin will be required to perform action on the Hosts.
- Click Save.
No Action
- Go to Actions and click Add Action Configuration.
- Select a Business Rule and Configuration (your plugin).
- For Actions, select No actions from the dropdown, and if you want, enable the Generate Alert toggle button to generate alerts in the CTO module.
- Enable the Require Approval toggle if approval is needed before performing action on the Users.
- Click Save.
Validate the CrowdStrike Plugin
Validation in Cloud Exchange
To validate the pulling in Cloud Exchange:
- In Risk Exchange, go to Records and select the Entity that was selected while configuring the field mappings for Hosts to view the pulled Hosts.
- Go to Logging and search for the logs of the plugin.
- In Logging, verify the action performed for a host if the action is performed on a Mac/Windows machine.
- When a user matches one of the configured business rules, the configured action will be performed on the user. This can be seen at Risk Exchange > Action Logs.
Validate in CrowdStrike
The Hosts are pulled from the Host setup and management > Host management page from the CrowdStrike platform.
If you want to validate the Put RTR Script action, and check the file added on the Host machine, here is the workflow.
Workflow
Step 1: Check Host Existence
When the action is triggered, the plugin first checks whether the Host with the given Host ID exists on the CrowdStrike platform.
Step 2: Evaluate the Host Presence
- If the Host does not exist, the plugin does not perform any further action and raises a warning.
- If the Host exists, the plugin proceeds with the following operations.
Step 3: Create Score Files on the RTR Cloud
The plugin creates a file for each risk score range on the RTR cloud.
For example, if the score is between 1-25, the file is named crwd_zta_1_25.txt
.
Note that if a file with the same name already exists, the API will not create a new one.
Step 4: Establish a Host Session
After the necessary files are created, the plugin initiates a session with the Host using the Host ID.
Step 5: Retrieve a Host OS
The plugin fetches the operating system (OS) information for the respective Host.
Step 6: Change the Directory Based on OS
- Depending on the Host’s OS, the plugin sends an API call to change the directory to the appropriate location.
- For Mac:
cd “/Library/Application Support/Netskope/STAgent"
- For Windows:
cd “/Program Files (x86)/Netskope/STAgent”
- For Mac:
- The plugin waits up to 5 minutes for the command to execute. If it takes longer, a timeout error is raised. This timeout applies to commands in steps 6, 7, and 8.
Step 7: Check if the script for removal of file for OS is present on the RTR Cloud
- In order to remove the existing files from the host machine, the plugin needs to check if the removal of script already exists on RTR cloud or not.
- As Put RTR Script action supports Windows and macOS, the files Windows Score File Removal Script and Mac Score File Removal Script should be present on RTR cloud.
Step 8: Create a script if it does not exist on RTR cloud
If the Script for the respective OS does not exist on RTR cloud, create one.
Step 9: Remove existing files from host machine
Execute the script for the respective OS for the host machine to remove the existing files.
Step 10: Upload New Score File
- After removing old score files, the plugin performs a
PUT
command to upload the new score file. - If the existing score was 12 (requiring
crwd_zta_1_25.txt
), and the score changes to 48, the new file (crwd_zta_26_50.txt
) is uploaded.
Step 11: Delete Host Session
After completing all the steps, the plugin deletes the session created with the Host to free resources and ensure proper cleanup.
Steps to Validate an Action on CrowdStrike
- In CrowdStrike, go to Host setup and management > Host management.
- Search for your Host using your Host Name or Host ID. Click on the Hostname.
- From the left popup menu, click on the Settings icon > Connect to Host.
To check the file added on the Host, go to the below path after connecting to the Host and check the respective score file created.
- For Windows:
C:\\Program Files (x86)\\Netskope\\STAgent
- For MAC:
/Library/Application Support/Netskope/STAgent
Troubleshoot the CrowdStrike Plugin
Unable to configure the CrowdStrike plugin
If you are unable to configure the CrowdStrike plugin, it could be due to one of these reasons:
- Provided Incorrect Client ID, Client Secret.
- Provided Credentials don’t have sufficient permissions.
To resolve these issues, follow these steps:
- To get the Client ID, Client Secret, follow the steps in Get your Client ID and Client Secret.
- To provide proper permissions to the configuration parameter, follow the steps in Add a Permissions for a Response Policy.
Unable to pull Hosts
If you are unable to pull Hosts from the CrowdStrike plugin, it could be due to one of these reasons:
- No Hosts are present on the CrowdStrike platform.
- An error is received while pulling Hosts from the platform.
- Mapping is not added while configuring the plugin in the entity source page.
To resolve these issues, follow these steps:
- Check on the CrowdStrike platform if Hosts exists or not.
- Receiving 500 error: The server might be down. Wait for a while and check later.
- Receiving 403 error: The plugin configuration parameter does not have sufficient permissions or the credentials no longer exist. Verify the permissions for the Client ID and Secret.
- If there is no error in the logs, it might be the case that the hosts are not available on the Platform to pull. Check the Host available on CrowdStrike and confirm the same.
- Make sure that the mapping is added and the Host ID field is mapped while configuring the plugin.
Unable to fetch the scores of pulled Host
If you are not able to pull scores for all or some Hosts from the Platform, it could be due to one of these reasons:
- Maximum Score value provided in the plugin configuration.
- The score field is not mapped while configuring the plugin.
To resolve these issues, follow these steps:
- Check the plugin configuration parameter page. Increase the value of Maximum Score in the plugin configuration. Since the plugin pulls Host scores whose value will be less than or equal to the mentioned value in the Maximum Score field.
- Make sure to map the overallAssessmentScore field to get scores pulled.
Unable to View Hosts details on the Record
If you are unable to view Hosts details on the record table, it could be due to one of these reasons:
- Mapping for all the CrowdStrike fields is not provided while configuring the CRE CrowdStrike plugin.
- Pulled Hosts are displayed in a row with comma separated values.
To resolve these issues, follow these steps:
- Make sure to provide the needed mapping while configuring the plugin.
- Make sure that the fields created in an entity are according to the mappings.
Unable to perform action on the Hosts
If you are unable to perform action on the Host, it could be due to one of these reasons:
- Insufficient permission was provided for the action.
- Receiving error while performing an action.
- Host is not present on the CrowdStrike Platform.
- “Require Approval” toggle button is enabled while configuring the Action, and request is not approved.
To resolve these issues, follow these steps:
- Insufficient permission was provided for the action. Verify if the RTR script permission is provided.
- If the host machine is down or does not exist, the plugin won’t be able to successfully perform the put RTR Script action. Verify that the host is accessible.
- If the host is Linux, the action won’t be performed, since Linux is NOT a supported OS.
- If too many actions are performed on a host, you might run into a 425 error, which will add the action to the queue. You should wait for a while before retrying to perform the action.
- Go to the CrowdStrike Platform, verify if the host on which action needs to be performed is present or not.
- Go to Action Logs, select the logs that you want to approve the requests for and click on the approve icon, or disable the Require Approval toggle from the configured action, and then perform the action again.