Crowdstrike Plugin for User Risk Exchange

Crowdstrike Plugin for User Risk Exchange

This document explains how to configure the CrowdStrike v1.3.1 plugin with the User Risk Exchange module of the Netskope Cloud Exchange platform. This integration fetches Host IDs and their risk scores from CrowdStrike’s platform to Cloud Exchange, and performs a Put RTR Script action on the host machine based on the Host scores.

Prerequisites

To complete this configuration, you need:

  • A Netskope tenant (or multiple, for example, production and development/test instances) that is already configured in Cloud Exchange.
  • A Netskope Cloud Exchange tenant with the User Risk Exchange module already configured.
  • Your CrowdStrike instance credentials (Client ID, Client Secret) for API Token.
  • A CrowdStrike Real-Time Response Administrator role for Put RTR Script action.
  • For each platform (Windows, Mac), there should be a response policy with Real Time Response (High-Risk Commands) enabled.
  • Connectivity to the following host: https://api.crowdstrike.com
Compatibility

Netskope CE: v4.2.0, v5.0.1

Performance Matrix

Here is the performance matrix conducted on a Large CE Stack with below-mentioned specifications by pulling 500K hosts and their risky scores.

Stack Size
  • Large
  • RAM: 32 GB
  • Core: 16
No. of Records 500K hosts
Time taken to ingest records with scores. ~20 mins
Plugin Scope

This plugin fetches hosts and their respective ZTA scores from the CrowdStrike tenant, and also supports the Put RTR Script action on hosts.

CrowdStrike Plugin Support
Type of data pulled Hosts
Type of Action Supported Put RTR Script
No Action
Mappings
Pull Mapping
CrowdStrike Fields Netskope CE Fields
resources id
overall score
Score Mapping
CrowdStrike Scores Netskope CE URE Scores
NA None
critical 1-250
high 251-500
medium 501-750
low 751-1000

Score Calculation for this plugin is normalized using the following formula:

URE score calculation > CrowdStrike host assessment overall score * 10

Score to File Mapping (for Action Put RTR Script)
Score File
Less than 260 crwd_zta_1_25.txt
260 to 510 crwd_zta_26_50.txt
510 to 760 crwd_zta_51_75.txt
760 to 1000 crwd_zta_76_100.txt
Permissions
API Scopes Permissions

Refer to the Get Client ID and Client Secret section for obtaining and providing API scopes permissions.

Scope Read Write
Hosts Yes No
Real time response (admin) Yes
Real time response Yes No
Zero Trust Assessment Yes
Response Policy Permissions

Refer to Add Permission for Response Policy (RTR script Permission) section for obtaining and providing Response Policy permissions.

Category Type Permission Status
Real Time Response Custom scripts Falcon scripts Enable
Real Time Response High risk commands put Enable

Note: Response policy permissions are only needed when you want to use the Put RTR Script action.

API Details
List of APIs used
API Detail Method Endpoint API Scope
Get an auth token POST /oauth2/token None
Fetch records GET /devices​/queries​/devices-scroll​/v1 Hosts (Read)
Fetch scores GET /zero-trust-assessment​/entities​/assessments​/v1 Zero Trust Assessment (Read)
Get a session ID POST /real-time-response/entities/sessions/v1 Real time response (Read)
Check script existence GET /real-time-response/queries/scripts/v1 Real time response (Read)
Create score files removal script on the RTR cloud POST /real-time-response/entities/scripts/v1 Real time response admin (Write)
Get a platform name POST /devices/entities/devices/v2 Hosts (Read)
Change directory POST /real-time-response/entities/admin-command/v1 Real time response admin (Write)
Remove a file from a device POST /real-time-response/entities/admin-command/v1 Real time response admin (Write)
Get status of a command GET /real-time-response/entities/admin-command/v1 Real time response admin (Write)
Put a file on a device POST /real-time-response/entities/admin-command/v1 Real time response admin (Write)
Delete the session DELETE /real-time-response/entities/sessions/v1 Real time response (Read)
Get an Auth Token

API endpoint:

/oauth2/token

Method: POST

Parameter:

Key Value
grant_type client_credentials
client_id <Client ID>
client_secret <Client Secret>

Sample API Response:

{
 "access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6InB1YmxpYzphNDdiNTc2MS0zYzk3LTQwMmItOTgzNi0wNmNhODI0NTViOTMiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOltdLCJjbGllbnRfaWQiOiJlZTA5YTc3MjAwNzc0MzYwOTlhYTM5N2M2MTJlYTQzYiIsImV4cCI6MTcwMzI0MDQzOSwiZXh0Ijp7InN1Yl90eXBlIjoiY2xpZW50In0sImlhdCI6MTcwMzIzODYzOSwiaXNzIjoiaHR0cHM6Ly9hcGkuY3Jvd2RzdHJpa2UuY29tLyIsImp0aSI6ImQ5ZTlmZWI4LTM0ODAtNDM2NC1hYzI2LTBhZjgzNDdlOWY2OSIsIm5iZiI6MTcwMzIzODYzOSwic2NwIjpbXSwic3ViIjoiZWUwOWE3NzIwMDc3NDM2MDk5YWEzOTdjNjEyZWE0M2IiLCJzdWJfdHlwZSI6ImNsaWVudCJ9.a8oiNJivyV1AJKoICvr1IH5r4kMsWZ2xds7Qb_JRB6sD1JcbGqAkFq_wgw5-EAB-hHiRB-coF2Yy_PeP-8IvjWQVIjlDJrRmRQ-s-NmAkm8XaG9GojFZvaT-sufiBxKEDmpdntABNkEG1fcbVvd7tVW-vi36PFPoc3p1t4sbaMhf9_Kts8iAHsv6BudVyFsPhPAreGc2OXUFT39ZvuDTN5BxOFiPT_9_gadXt-7N*************************************************************************************",
 "expires_in": 1799,
 "token_type": "bearer"
}
Fetch Records

API endpoint:

/devices/queries/devices-scroll/v1

Method: GET
Parameters:

Key Value
limit 5000
offset “”

Headers:

Key Value
Authorization Bearer <Bearer Token>
User-Agent netskope-ce-5.0.1-ure-crowdstrike/1.3.1

Sample API Response:

{
    "meta": {
        "query_time": 0.025422559,
        "pagination": {
            "offset": 1,
            "limit": 1,
            "total": 21
        },
        "powered_by": "device-api",
        "trace_id": "5f1a1eeb-9d8b-4412-8523-0fc933a0bf6f"
    },
    "resources": [
        "89b9743fcb6b4ccaa09600ac5204bac4"
    ],
    "errors": []
}
Fetch Scores

API endpoint:

/zero-trust-assessment​/entities​/assessments​/v1

Method: GET

Parameters:

Key Value
ids [<Host Ids>]

Headers:

Key Value
Authorization Bearer <Bearer Token>
User-Agent netskope-ce-5.0.1-ure-crowdstrike/1.3.1
{
    "meta": {
        "query_time": 0.003210238,
        "trace_id": "ba076fd9-7340-49f3-a9a2-41b6f2eb94d9"
    },
    "errors": [],
    "resources": [
        {
            "aid": "e039334e8b0e4747bdfc7a29406ec8e1",
            "cid": "c17f3a80ded0418eb107db3d26a27983",
            "system_serial_number": "FVHX2HEDJ1WK",
            "event_platform": "Mac",
            "product_type_desc": "Workstation",
            "modified_time": "2024-05-01T08:42:07Z",
            "sensor_file_status": "confirmed",
            "assessment": {
                "sensor_config": 66,
                "os": 72,
                "overall": 68,
                "version": "3.8.1"
            },
            "assessment_items": {
                "os_signals": [
                    {
                        "signal_id": "mac_os_version",
                        "signal_name": "macOS Version",
                        "group_name": "macOS",
                        "criteria": "macOS version is ≥11.0",
                        "meets_criteria": "yes"
                    }
                ],
                "sensor_signals": [
                    {
                        "signal_id": "ml_cloud_antimalware_detection_mac",
                        "signal_name": "Cloud ML - Cloud Anti-malware - Detection for macOS",
                        "group_name": "Prevention",
                        "criteria": "Cloud ML - Cloud Anti-malware Detection: set to Aggressive or higher",
                        "meets_criteria": "yes"
                    },
                                   ]
            }
        }
    ]
}
Put a File on the Cloud

API endpoint:

/real-time-response/entities/put-files/v1

Method: POST

Headers:

Key Value
Authorization Bearer <Bearer Token>
User-Agent netskope-ce-5.0.1-ure-crowdstrike/1.3.1

Data:

{
  "description": "file representing a ZTA score of 1_25",
  "name": "crwd_zta_1_25.txt",
  "comments_for_audit_log": "uploade file representing a ZTA score of 1_25 for Netskope ZTA-RTR integration"
}

Sample API Response:

{
  "meta": {
    "query_time": 0.536670425,
    "writes": {
      "resources_affected": 1
    },
    "powered_by": "empower-api",
    "trace_id": "d4bddc66-83fd-4875-9016-a17899fd83ba"
  }
}
Get a Session ID

API Endpoint:

real-time-response/entities/sessions/v1

Method: POST

Headers:

Key Value
Authorization Bearer <Bearer Token>
User-Agent netskope-ce-5.0.1-ure-crowdstrike/1.3.1
Content-Type application/json

Data:

Key Value
device_id <Device ID>
origin Netskope
queue_offline True

Sample API Response:

{
    "meta": {
        "query_time": 0.315515137,
        "powered_by": "empower-api",
        "trace_id": "0483a37f-896b-4bb3-bf1e-8f8b3618a2e2"
    },
    "resources": [
        {
            "session_id": "a26ad68e-1272-482b-95b5-78ee27344d80",
            "scripts": [
                {
                    "command": "cat",
                    "description": "Read a file from disk and display as ASCII",
                    "examples": "cat foo.txt\r\ncat -n foo.txt\r\ncat -t foo.txt\r\ncat -t -n foo.txt",
                    "internal_only": false,
                    "runnable": true,
                    "sub_commands": [],
                    "args": [
                        {
                            "id": 582,
                            "created_at": "2019-07-03T18:52:15Z",
                            "updated_at": "2019-07-03T18:52:15Z",
                            "script_id": 527,
                            "arg_type": "arg",
                            "data_type": "string",
                            "requires_value": false,
                            "arg_name": "Path",
                            "description": "path to cat",
                            "default_value": "",
                            "required": true,
                            "sequence": 1,
                            "options": null,
                            "encoding": "",
                            "command_level": "non-destructive"
                        },
                        {
                    "command": "getsid",
                    "description": "Enumerate local users and Security Identifiers (SID)",
                    "examples": "getsid\r\n    List all users and associated SIDs\r\ngetsid foo\r\n    List users and associated SIDs matching substring \"foo\"",
                    "internal_only": false,
                    "runnable": true,
                    "sub_commands": [],
                    "args": [
                        {
                            "id": 661,
                            "created_at": "2020-04-02T03:31:02Z",
                            "updated_at": "2020-04-02T03:31:02Z",
                            "script_id": 557,
                            "arg_type": "arg",
                            "data_type": "string",
                            "requires_value": false,
                            "arg_name": "UserName",
                            "description": "Partial or full username to filter results",
                            "default_value": "",
                            "required": false,
                            "sequence": 1,
                            "options": null,
                            "encoding": "",
                            "command_level": "non-destructive"
                        }
                    ]
                },
                {
                    "command": "ls",
                    "description": "Display the contents of the specified path",
                    "examples": "ls\r\nls -l\r\nls -L\r\nls -t\r\nls -l -@\r\nls -R\r\nls -l -R\r\nls -l -t -R -L",
                    "internal_only": false,
                    "runnable": true,
                    "sub_commands": [],
                    "args": [
                        {
                            "id": 576,
                            "created_at": "2019-07-03T18:51:13Z",
                            "updated_at": "2019-07-03T18:51:13Z",
                            "script_id": 526,
                            "arg_type": "arg",
                            "data_type": "string",
                            "requires_value": false,
                            "arg_name": "Path",
                            "description": "Path ",
                            "default_value": ".",
                            "required": false,
                            "sequence": 1,
                            "options": null,
                            "encoding": "",
                            "command_level": "non-destructive"
                        }                    ]
                },
                {
                    "command": "mount",
                    "description": "List or mount filesystem volumes",
                    "examples": "Executable by all RTR roles:\r\nmount\r\nExecutable by privileged RTR users only:\r\nmount -t=nfs \"host:/exports/filesystem\" \"/mnt/filesystem\"\r\n    Mount the NFS filesystem located at \"/exports/filesystem\" on \"host\" to the local destination \"/mnt/filesystem\"\r\nmount -t=smbfs \"//user:password@host/filesystem\" \"/mnt/mountpoint\"\r\n    Mount the SMB \"/filesystem\" on \"host\" as \"user\" with \"password\" to \"/mnt/mountpoint\"\r\nmount -t=smbfs -o=nobrowse \"//user:password@host/filesystem\" \"/mnt/mountpoint\"\r\n    Mount the SMB \"/filesystem\" with option \"nobrowse\" on \"host\" as \"user\" with \"password\" to \"/mnt/mountpoint\"",
                    "internal_only": false,
                    "runnable": true,
                    "sub_commands": [],
                    "args": []
                },
                {
                    "command": "netstat",
                    "description": "Display routing information or network connections",
                    "examples": "netstat\r\nnetstat -nr",
                    "internal_only": false,
                    "runnable": true,
                    "sub_commands": [],
                    "args": [
                            {
                            "id": 973,
                            "created_at": "2023-11-20T23:23:37Z",
                            "updated_at": "2023-11-20T23:23:37Z",
                            "script_id": 539,
                            "arg_type": "flag",
                            "data_type": "string",
                            "requires_value": false,
                            "arg_name": "n",
                            "description": "Flag to show network addresses as numbers",
                            "default_value": "",
                            "required": false,
                            "sequence": 2,
                            "options": null,
                            "encoding": "",
                            "command_level": "non-destructive"
                        }
                    ]
                },
                {
                    "command": "users",
                    "description": "Get details about local users",
                    "examples": "users\r\n    List details about all local users\r\nusers foo\r\n    List details about local user \"foo\"",
                    "internal_only": false,
                    "runnable": true,
                    "sub_commands": [],
                    "args": [
                        {
                            "id": 679,
                            "created_at": "2020-04-02T03:31:12Z",
                            "updated_at": "2020-04-02T03:31:12Z",
                            "script_id": 565,
                            "arg_type": "arg",
                            "data_type": "string",
                            "requires_value": false,
                            "arg_name": "UserName",
                            "description": "Username to filter results",
                            "default_value": "",
                            "required": false,
                            "sequence": 1,
                            "options": null,
                            "encoding": "",
                            "command_level": "non-destructive"
                        }
                    ]
                }
            ],
            "existing_aid_sessions": 1,
            "created_at": "2023-12-22T15:47:24.904481922Z",
            "offline_queued": true
        }
    ],
    "errors": null
}
Check Script Existence

API endpoint: /real-time-response/queries/scripts/v1
Method: GET
Headers:

Key Value
Authorization Bearer <Bearer Token>
User-Agent netskope-ce-5.0.1-ure-crowdstrike/1.3.1

Parameters:

Key Value
filter name: ‘<Script name>’

API Response:

{
    "meta": {
        "query_time": 0.025087906,
        "pagination": {
            "offset": 0,
            "limit": 100,
            "total": 1
        },
        "powered_by": "empower-api",
        "trace_id": "0e9ccedb-58c9-44a9-842c-620977f096b1"
    },
    "resources": [
        "bab3f0ff134311efb74642cd23408b64_ee09a7720077436099aa397c612ea43b"
    ]
}
Create Score Files Removal Script on RTR Cloud

API Endpoint: /real-time-response/entities/scripts/v1
Method: POST
Headers:

Key Value
Authorization Bearer <Bearer Token>
User-Agent netskope-ce-5.0.1-ure-crowdstrike/1.3.1

Data:

Key Value
name Name of script
permission_type public
description Description for file.

Files
Upload the script file.
For python script, add this in the files parameter for requests

[
                (
                    "file",
                    (
                        "<File>",
                        file,
                        "application/octet-stream",
                    ),
                )
            ]

API Response:

{
    "meta": {
        "query_time": 0.947792627,
        "writes": {
            "resources_affected": 1
        },
        "powered_by": "empower-api",
        "trace_id": "eed1850a-0c07-488a-b36d-a70d5e904d71"
    }
}
Get a Platform Name

API endpoint:

/devices/entities/devices/v2

Method: GET

Headers:

Key Value
Authorization Bearer <Bearer Token>
User-Agent netskope-ce-5.0.1-ure-crowdstrike/1.3.1

Parameters:

Key Value
Ids [<Host ID>]

Sample API Response:

{
    "meta": {
        "query_time": 0.001626152,
        "powered_by": "device-api",
        "trace_id": "8adcbd8a-40cd-4086-8e5d-5d3962fb1073"
    },
    "resources": [
        {
            "device_id": "d2abab7b4c6a4d9998b298b19bbda31f",
            "cid": "c17f3a80ded0418eb107db3d26a27983",
            "agent_load_flags": "0",
            "agent_local_time": "2023-12-22T11:19:53.929Z",
            "agent_version": "7.05.17603.0",
            "bios_manufacturer": "Apple Inc.",
            "bios_version": "515.0.0.0.0",
            "config_id_base": "65994753",
            "config_id_build": "17603",
            "config_id_platform": "4",
            "cpu_signature": "526057",
            "external_ip": "117.217.127.213",
            "mac_address": "dc-a9-04-99-43-aa",
            "hostname": "ITs-MacBook-Pro.local",
            "first_seen": "2023-12-18T08:46:57Z",
            "last_login_timestamp": "2023-12-21T08:00:38Z",
            "last_login_user": "it",
            "last_login_uid": "501",
            "last_login_user_sid": "S-1-5-21-1276927669-3124867281-3856135234-2002",
            "last_seen": "2023-12-22T11:46:27Z",
            "local_ip": "172.20.10.87",
            "major_version": "22",
            "minor_version": "6",
            "os_version": "Ventura (13)",
            "os_build": "22G120",
            "platform_id": "1",
            "platform_name": "Mac",
            "policies": [
                {
                    "policy_type": "prevention",
                    "policy_id": "e17fdf411592409794d748e907da9967",
                    "applied": true,
                    "settings_hash": "528b286b",
                    "assigned_date": "2023-12-18T08:48:02.464865254Z",
                    "applied_date": "2023-12-18T08:48:08.608666735Z",
                    "rule_groups": []
                }
            ],
            "reduced_functionality_mode": "yes",
            "device_policies": {
                "prevention": {
                    "policy_type": "prevention",
                    "policy_id": "e17fdf411592409794d748e907da9967",
                    "applied": true,
                    "settings_hash": "528b286b",
                    "assigned_date": "2023-12-18T08:48:02.464865254Z",
                    "applied_date": "2023-12-18T08:48:08.608666735Z",
                    "rule_groups": []
                },
                "sensor_update": {
                    "policy_type": "sensor-update",
                    "policy_id": "766825ba2e2847f8a9134f7f48f44214",
                    "applied": true,
                    "settings_hash": "tagged|3;101",
                    "assigned_date": "2023-12-18T09:00:47.465877148Z",
                    "applied_date": "2023-12-18T09:03:49.721523878Z",
                    "uninstall_protection": "ENABLED"
                },
                "device_control": {
                    "policy_type": "device-control",
                    "policy_id": "6e4a89125c4343f3ab42cbf2fa482702",
                    "applied": true,
                    "assigned_date": "2023-12-18T08:48:02.464932037Z",
                    "applied_date": "2023-12-18T08:49:48.770860727Z"
                },
                "global_config": {
                    "policy_type": "globalconfig",
                    "policy_id": "e2289d74264744f38e62d1146b13189d",
                    "applied": true,
                    "settings_hash": "1fda691c",
                    "assigned_date": "2023-12-22T11:20:01.358167731Z",
                    "applied_date": "2023-12-22T11:21:05.552056147Z"
                },
                "remote_response": {
                    "policy_type": "remote-response",
                    "policy_id": "70d43a45f67149e8b54c8d80ac00df10",
                    "applied": true,
                    "settings_hash": "797eb425",
                    "assigned_date": "2023-12-18T08:48:02.464926863Z",
                    "applied_date": "2023-12-18T08:48:08.689092082Z"
                },
                "firewall": {
                    "policy_type": "firewall",
                    "policy_id": "b1a5ff10a3c44f66a47c7f08f2e372e5",
                    "applied": true,
                    "assigned_date": "2023-12-18T08:48:02.464940776Z",
                    "applied_date": "2023-12-18T08:48:08.752377285Z",
                    "rule_set_id": "b1a5ff10a3c44f66a47c7f08f2e372e5"
                }
            },
            "groups": [],
            "group_hash": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
            "product_type_desc": "Workstation",
            "provision_status": "Provisioned",
            "serial_number": "C02V10FEHV2T",
            "status": "normal",
            "system_manufacturer": "Apple Inc.",
            "system_product_name": "MacBookPro14,2",
            "tags": [],
            "modified_timestamp": "2023-12-22T11:46:35Z",
            "meta": {
                "version": "110",
                "version_string": "6:10864108136"
            },
            "kernel_version": "22.6.0",
            "chassis_type": "9",
            "chassis_type_desc": "Laptop"
        }
    ],
    "errors": null
}
Change Directory

API Endpoint:

/real-time-response/entities/admin-command/v1

Method: POST

Headers:

Key Value
Authorization Bearer <Bearer Token>
User-Agent netskope-ce-5.0.1-ure-crowdstrike/1.3.1

Data:

Key Value
base_command cd
command_string cd “/Library/Application Support/Netskope/STAgent” or   cd “C:\Program Files (x86)\Netskope\STAgent”
persist True
session_id 30b171e9-26ca-4856-b00e-10d5c4be765e

Sample API Response:

{
    "meta": {
        "query_time": 0.052249291,
        "powered_by": "empower-api",
        "trace_id": "ebb0457c-1000-4607-99c5-85fd2c2aae91"
    },
    "resources": [
        {
            "session_id": "30b171e9-26ca-4856-b00e-10d5c4be765e",
            "cloud_request_id": "399d6ed9-e2c5-4e72-8618-97515f69dc72",
            "queued_command_offline": false
        }
    ],
    "errors": null
}
Remove File from a Device

API Endpoint:

/real-time-response/entities/admin-command/v1

Method: POST

Headers:

Key Value
Authorization Bearer <Bearer Token>
User-Agent netskope-ce-5.0.1-ure-crowdstrike/1.3.1

Data:

Key Value
base_command rm
command_string rm crwd_zta_1_25.txt
persist True
session_id 30b171e9-26ca-4856-b00e-10d5c4be765e

Sample API Response:

{
    "meta": {
        "query_time": 0.052249291,
        "powered_by": "empower-api",
        "trace_id": "ebb0457c-1000-4607-99c5-85fd2c2aae91"
    },
    "resources": [
        {
            "session_id": "30b171e9-26ca-4856-b00e-10d5c4be765e",
            "cloud_request_id": "399d6ed9-e2c5-4e72-8618-97515f69dc72",
            "queued_command_offline": false
        }
    ],
    "errors": null
}
Put the File on a Device

API Endpoint:

/real-time-response/entities/admin-command/v1

Method: POST

Headers:

Key Value
Authorization Bearer <Bearer Token>
User-Agent netskope-ce-5.0.1-ure-crowdstrike/1.3.1

Data:

Key Value
base_command put
command_string put crwd_zta_1_25.txt
persist True
session_id <Session ID>

Sample API Response:

{
    "meta": {
        "query_time": 0.052249291,
        "powered_by": "empower-api",
        "trace_id": "ebb0457c-1000-4607-99c5-85fd2c2aae91"
    },
    "resources": [
        {
            "session_id": "30b171e9-26ca-4856-b00e-10d5c4be765e",
            "cloud_request_id": "399d6ed9-e2c5-4e72-8618-97515f69dc72",
            "queued_command_offline": false
        }
    ],
    "errors": null
}
Get Command Status

API endpoint:

/real-time-response/entities/admin-command/v1

Method: GET

Headers:

Key Value
Authorization Bearer <Bearer Token>
User-Agent netskope-ce-5.0.1-ure-crowdstrike/1.3.1

Parameters:

Key Value
cloud_request_id 399d6ed9-e2c5-4e72-8618-97515f69dc72
sequence_id 0

Sample API Response:

{
    "meta": {
        "query_time": 0.30452861,
        "powered_by": "empower-api",
        "trace_id": "f2fbc47d-a6e5-4ddf-9bb0-778fd7b32017"
    },
    "resources": [
        {
            "session_id": "30b171e9-26ca-4856-b00e-10d5c4be765e",
            "task_id": "399d6ed9-e2c5-4e72-8618-97515f69dc72",
            "complete": true,
            "stdout": "",
            "stderr": "/Library/Application Support/Netskope/STAgent does not exist\n",
            "base_command": "cd"
        }
    ],
    "errors": []
}
Delete a Session

API Endpoint:

/real-time-response/entities/sessions/v1

Method: DELETE

Headers:

Key Value
Authorization Bearer <Bearer Token>
User-Agent netskope-ce-5.0.1-ure-crowdstrike/1.3.1
Content-Type application/json

Parameter:

Key Value
session_id 30b171e9-26ca-4856-b00e-10d5c4be765e

Sample API Response:

Status code: 204
User Agent

The user agent added for this plugin is in the following format: <vendor>-<integration name>/<version>. For example:

netskope-ce-5.0.1-ure-crowdstrike/1.3.1

Workflow

  1. Get your CrowdStrike Client ID and Client Secret.
  2. Add permissions for your Response Policy (RTR script permission).
  3. Configure the CrowdStrike Plugin for User Risk Exchange.
  4. Configure a Business Rule for the CrowdStrike plugin.
  5. Configure Actions for the CrowdStrike Plugin.
  6. Validate the CrowdStrike plugin.

Click play to watch a video.

 

Get your Crowdstrike Client ID and Client Secret

  1. Log in to your CrowdStrike platform and go to the menu Icon > Support and resources > API clients and Keys.
  2. Click Add new API Client.
  3. Add the following scopes for using CrowdStrike URE plugin:
    Scope Read Write
    Hosts Yes No
    Real time response (admin) Yes
    Real time response Yes No
    Zero Trust Assessment Yes
  4. Copy the Client ID and Secret.

Add Permission for your Response Policy (RTR script Permission)

  1. Log in to the Falcon CrowdStrike UI.
  2. Click on the menu button in the top left corner. Go to Host Setup and Management > Response Policies.
  3. For Windows, go to the policy that is to be used and click Edit Policy in the right corner of the policy.
  4. Enable these permissions:

    Response Policy Permissions

    Category Type Permission Status
    Real Time Response High risk commands put Enable

    Refer to this screenshot.

    You can also go directly to your Host from the Host setup and Management > Host management. Click on your hostname and scroll down to Real Time Response Policy from the left pop-up menu.

Configure the CrowdStrike Plugin

  1. In Cloud Exchange, go to Settings > Plugins. Search for and select the CrowdStrike v1.3.1 (URE) plugin box.
  2. Add a Configuration Name, Sync Interval, and enable the Use System Proxy if you are using a proxy for configuring the plugin.
  3. Click Next and enter the Base URL, Client ID, Client Secret, and Maximum Score (Maximum Score is the configuration parameter through which the plugin fetched scores of Hosts less than or equal to a given value).
  4. Click Next and set the score range from the Select Range page. .
  5. When finished, click Save

Create a User Risk Exchange Business Rule for CrowdStrike

  1. Go to Risk Exchange Module > User Risk Exchange > Business Rules and click Create New Rule.
  2. Enter the Rule Name and configure a query for business rules based on your requirement, and click Save.

Configure Netskope User Risk Exchange Actions for CrowdStrike

This CrowdStrike plugin supports the following two action types:

  • No Action: No action will be performed for this action. Users can generate UBA alerts in CTO by using this action and enabling the generate alerts toggle button.
  • Put RTR Script: Put RTR Script action will put a file on the host depending on their respective score.

Score to File Mapping

Score File
Less than 260 crwd_zta_1_25.txt
260 to 510 crwd_zta_26_50.txt
510 to 760 crwd_zta_51_75.txt
760 to 1000 crwd_zta_76_100.txt

Steps to configure the Action:

  1. Go to User Risk Exchange > Actions and click Add Action Configuration.
  2. Select the required Business Rule, Configuration (plugin), and Action from their respective dropdowns.
  3. Click Save button.

Validate the CrowdStrike Plugin

Validate in Cloud Exchange

  1. Go to User Risk Exchange > Hosts. You will be able to see all the host and their scores pulled.
  2. Go to the Logging page to verify the host and their respective scores pulled logs.
  3. Go to the Logging page to verify the action performed for a Mac host if the action is performed on a Mac machine.
  4. Go to the Logging page to verify the action performed for a Windows host if the action is performed on a Windows machine.
  5. When a user matches one of the configured business rules, the configured action would be performed on the user. This can be seen in Risk Exchange > Action Logs.

Validate in CrowdStrike

  1. Log in to the CrowdStrike platform. Click on the menu option on the top left corner, and then click Host Setup and management > Host Management.
  2. You’ll see the number of hosts that are pulled from the platform as shown in this image.

If you want to validate the put RTR Script action and check the file added on the Host machine, follow the below steps for Put RTR script action along with its steps for validation:

Step 1: Check Host Existence
When the action is triggered, the plugin first checks whether the Host with the given Host ID exists on the CrowdStrike platform.
Step 2: Evaluate Host Presence

  • If the Host does not exist, the plugin does not perform any further action and raises a warning.
  • If the Host exists, the plugin proceeds with the following operations.

Step 3: Create Score Files on RTR Cloud
The plugin creates a file for each risk score range on the RTR cloud.
For example, if the score is between 1-25, the file is named crwd_zta_1_25.txt.
If a file with the same name already exists, the API will not create a new one.
Step 4: Establish Host Session
Once the necessary files are created, the plugin initiates a session with the Host using the Host ID.
Step 5: Retrieve Host OS
The plugin fetches the operating system (OS) information for the respective Host.
Step 6: Change Directory Based on OS

  • Depending on the Host’s OS, the plugin sends an API call to change the directory to the appropriate location.
    • For Mac: cd “/Library/Application Support/Netskope/STAgent”
    • For Windows: cd “/Program Files (x86)/Netskope/STAgent”
  • The plugin waits up to 5 minutes for the command to execute. If it takes longer, a timeout error is raised. This timeout applies to commands in Steps 6, 7, and 8.

Step 7: Check if the script for removal of file for OS is present on RTR Cloud

  • In order to remove the existing files from the host machine, the plugin needs to check if the removal of script already exists on RTR cloud or not.
  • As Put RTR Script action supports Windows and macOS, the files Windows Score File Removal Script and Mac Score File Removal Script should be present on RTR cloud.

Step 8: Create script if it does not exist on the RTR cloud
If the Script for the respective OS does not exist on the RTR cloud, create one.
Step 9: Remove existing files from host machine
Execute the script for the respective OS for the host machine to remove the existing files.
Step 10: Upload New Score File

  • After removing old score files, the plugin performs a “put” command to upload the new score file.
  • If the existing score was 12 (requiring crwd_zta_1_25.txt), and the score changes to 48, the new file (crwd_zta_26_50.txt) is uploaded.

Step 11: Delete Host Session
After completing all the steps, the plugin deletes the session created with the Host to free resources and ensure proper cleanup.
Steps to Validate action on CrowdStrike

  1. On CrowdStrike, go to Host setup and management > Host management.
  2. Search for your Host using your Host Name or Host ID. Click on the Hostname.
  3. From the left popup menu, click on the settings icon > Connect to Host.

To check the file added on the Host, go to the below path after connecting to the Host and check the respective score file created.

  • For WINDOWS machine: C:\\Program Files (x86)\\Netskope\\STAgent
  • For MAC machine: /Library/Application Support/Netskope/STAgent

Troubleshooting

Unable to pull Host from the CrowdStrike Platform

If no Host IDs are pulled from the CrowdStrike platform, check the logs in CE Loggings. It could be either of the following.

  • An error is received while pulling Hosts from the platform.
  • No Host is available to pull on the CrowdStrike platform.

What to do: If you have received any error while pulling the IOCs, check the error message and accordingly follow the below steps.

Receiving 500 error: The server might be down, wait for a while and check later.

Receiving 403 error: The plugin configuration parameter does not have sufficient permissions or the credentials no longer exist. Verify the permission for the Client ID and Secret.

If there is no error in the logs, it might be the case that the hosts are not available on the Platform to pull. Check the Host available on CrowdStrike and confirm the same.

Unable to fetch the scores of a pulled Host

If you are not able to pull scores for all or some Hosts from the Platform, it could be due to the Maximum Score value provided in the plugin configuration.

What to do: Check the plugin configuration parameter page. Increase the value of Maximum Score in the plugin configuration. Since the plugin pulls Host scores whose value will be less than or equal to the mentioned value in the Maximum Score field.

Unable to perform Action on Host

If you are not able to perform action put RTR Script, it might be due to one of the following reasons.

  • Insufficient permission was provided for the action.
  • Receiving error while performing an action.

What to do: Verify the issue and follow the options accordingly.

Insufficient permission was provided for the action. Verify if the RTR script permission is provided.

Receiving error while performing an action.

If the host machine is down or does not exist, the plugin won’t be able to successfully perform the put RTR Script action. Verify that the host is accessible.

If the host is Linux the action won’t be performed since Linux is not a supported OS.

If too many actions are performed on a host, you might run into 425 error, which will add the action to the queue. You should wait for a while before retrying to perform the action.

Share this Doc

Crowdstrike Plugin for User Risk Exchange

Or copy link

In this topic ...