Crowdstrike Plugin for User Risk Exchange
This document explains how to configure the CrowdStrike v1.3.1 plugin with the User Risk Exchange module of the Netskope Cloud Exchange platform. This integration fetches Host IDs and their risk scores from CrowdStrike's platform into Cloud Exchange, and performs a Put RTR Script action on the host machine based on the host's score.
Prerequisites
To complete this configuration, you need:
- A Netskope tenant (or multiple, for example, production and development/test instances) that is already configured in Cloud Exchange.
- A Netskope Cloud Exchange tenant with the User Risk Exchange module already configured.
- Your CrowdStrike instance credentials (Client ID and Client Secret) for obtaining an API token.
- A CrowdStrike Real-Time Response Administrator role for the Put RTR Script action.
- For each platform (Windows, Mac), there should be a response policy with Real Time Response (High-Risk Commands) enabled.
- Connectivity to the following host: https://api.crowdstrike.com
Compatibility
Netskope CE: v4.2.0, v5.0.1
Performance Matrix
The following performance matrix was measured on a Large CE Stack, pulling 500K hosts and their risk scores.
Stack Size | Large |
---|---|
No. of Records | 500K hosts |
Time taken to ingest records with scores | ~20 mins |
Plugin Scope
This plugin fetches hosts and their respective ZTA scores from the CrowdStrike tenant, and also supports the Put RTR Script action on hosts.
CrowdStrike Plugin Support
Type of data pulled | Hosts |
Type of Action Supported | Put RTR Script, No Action |
Mappings
Pull Mapping
CrowdStrike Fields | Netskope CE Fields |
---|---|
resources | id |
overall | score |
Score Mapping
CrowdStrike Scores | Netskope CE URE Scores |
---|---|
NA | None |
critical | 1-250 |
high | 251-500 |
medium | 501-750 |
low | 751-1000 |
The score for this plugin is normalized using the following formula:
URE score = CrowdStrike host assessment overall score * 10
Score to File Mapping (for Action Put RTR Script)
Score | File |
---|---|
Less than 260 | crwd_zta_1_25.txt |
260 to 510 | crwd_zta_26_50.txt |
510 to 760 | crwd_zta_51_75.txt |
760 to 1000 | crwd_zta_76_100.txt |
Permissions
API Scopes Permissions
Refer to the Get Client ID and Client Secret section for obtaining and providing API scopes permissions.
Scope | Read | Write |
---|---|---|
Hosts | Yes | No |
Real time response (admin) | – | Yes |
Real time response | Yes | No |
Zero Trust Assessment | Yes | – |
Response Policy Permissions
Refer to Add Permission for Response Policy (RTR script Permission) section for obtaining and providing Response Policy permissions.
Category | Type | Permission | Status |
---|---|---|---|
Real Time Response | Custom scripts | Falcon scripts | Enable |
Real Time Response | High risk commands | put | Enable |
Note: Response policy permissions are only needed when you want to use the Put RTR Script action.
API Details
List of APIs used
API Detail | Method | Endpoint | API Scope |
---|---|---|---|
Get an auth token | POST | /oauth2/token | None |
Fetch records | GET | /devices/queries/devices-scroll/v1 | Hosts (Read) |
Fetch scores | GET | /zero-trust-assessment/entities/assessments/v1 | Zero Trust Assessment (Read) |
Get a session ID | POST | /real-time-response/entities/sessions/v1 | Real time response (Read) |
Check script existence | GET | /real-time-response/queries/scripts/v1 | Real time response (Read) |
Create score files removal script on the RTR cloud | POST | /real-time-response/entities/scripts/v1 | Real time response admin (Write) |
Get a platform name | POST | /devices/entities/devices/v2 | Hosts (Read) |
Change directory | POST | /real-time-response/entities/admin-command/v1 | Real time response admin (Write) |
Remove a file from a device | POST | /real-time-response/entities/admin-command/v1 | Real time response admin (Write) |
Get status of a command | GET | /real-time-response/entities/admin-command/v1 | Real time response admin (Write) |
Put a file on a device | POST | /real-time-response/entities/admin-command/v1 | Real time response admin (Write) |
Delete the session | DELETE | /real-time-response/entities/sessions/v1 | Real time response (Read) |
Get an Auth Token
API endpoint:
/oauth2/token
Method: POST
Parameter:
Key | Value |
---|---|
grant_type | client_credentials |
client_id | <Client ID> |
client_secret | <Client Secret> |
Sample API Response:
{ "access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6InB1YmxpYzphNDdiNTc2MS0zYzk3LTQwMmItOTgzNi0wNmNhODI0NTViOTMiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOltdLCJjbGllbnRfaWQiOiJlZTA5YTc3MjAwNzc0MzYwOTlhYTM5N2M2MTJlYTQzYiIsImV4cCI6MTcwMzI0MDQzOSwiZXh0Ijp7InN1Yl90eXBlIjoiY2xpZW50In0sImlhdCI6MTcwMzIzODYzOSwiaXNzIjoiaHR0cHM6Ly9hcGkuY3Jvd2RzdHJpa2UuY29tLyIsImp0aSI6ImQ5ZTlmZWI4LTM0ODAtNDM2NC1hYzI2LTBhZjgzNDdlOWY2OSIsIm5iZiI6MTcwMzIzODYzOSwic2NwIjpbXSwic3ViIjoiZWUwOWE3NzIwMDc3NDM2MDk5YWEzOTdjNjEyZWE0M2IiLCJzdWJfdHlwZSI6ImNsaWVudCJ9.a8oiNJivyV1AJKoICvr1IH5r4kMsWZ2xds7Qb_JRB6sD1JcbGqAkFq_wgw5-EAB-hHiRB-coF2Yy_PeP-8IvjWQVIjlDJrRmRQ-s-NmAkm8XaG9GojFZvaT-sufiBxKEDmpdntABNkEG1fcbVvd7tVW-vi36PFPoc3p1t4sbaMhf9_Kts8iAHsv6BudVyFsPhPAreGc2OXUFT39ZvuDTN5BxOFiPT_9_gadXt-7N*************************************************************************************", "expires_in": 1799, "token_type": "bearer" }
Fetch Records
API endpoint:
/devices/queries/devices-scroll/v1
Method: GET
Parameters:
Key | Value |
---|---|
limit | 5000 |
offset | "" |
Headers:
Key | Value |
---|---|
Authorization | Bearer <Bearer Token> |
User-Agent | netskope-ce-5.0.1-ure-crowdstrike/1.3.1 |
Sample API Response:
{ "meta": { "query_time": 0.025422559, "pagination": { "offset": 1, "limit": 1, "total": 21 }, "powered_by": "device-api", "trace_id": "5f1a1eeb-9d8b-4412-8523-0fc933a0bf6f" }, "resources": [ "89b9743fcb6b4ccaa09600ac5204bac4" ], "errors": [] }
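As an added example (not the plugin's own code), the following Python walks the devices-scroll endpoint page by page: it starts with the empty offset shown in the Parameters table and feeds back the offset that each response returns in meta.pagination, stopping when a page is empty or the total has been reached. The endpoint is replaced by a constructed fake (`fake_devices_scroll`, a name chosen here) that serves five constructed host IDs in the response shape of the sample above; the assumption that the last page comes back with an empty resources list is labelled in the code.

```python
def fetch_all_host_ids(get_page, limit=5000):
    """Collect every host ID from /devices/queries/devices-scroll/v1.

    get_page(params) stands for the GET request shown above (limit, offset) and
    returns the decoded JSON body. The first call sends offset "" as in the
    Parameters table; later calls send back the offset the previous response
    returned. Assumption: once everything has been scrolled, the endpoint
    returns an empty resources list.
    """
    ids, offset = [], ""
    while True:
        body = get_page({"limit": limit, "offset": offset})
        if body.get("errors"):
            raise RuntimeError(f"devices-scroll returned errors: {body['errors']}")
        page = body.get("resources") or []
        if not page:
            return ids
        ids.extend(page)
        pagination = body.get("meta", {}).get("pagination", {})
        total = pagination.get("total")
        if total is not None and len(ids) >= total:
            return ids  # nothing left to scroll
        offset = pagination.get("offset", "")


# Constructed fake of the endpoint: five constructed host IDs, served a page at a
# time in the meta/resources/errors shape of the Sample API Response above.
CONSTRUCTED_HOST_IDS = [f"{i:032x}" for i in range(1, 6)]


def fake_devices_scroll(params):
    start = int(params["offset"] or 0)
    limit = int(params["limit"])
    page = CONSTRUCTED_HOST_IDS[start:start + limit]
    return {
        "meta": {
            "query_time": 0.01,
            "pagination": {"offset": str(start + len(page)), "limit": limit,
                           "total": len(CONSTRUCTED_HOST_IDS)},
            "powered_by": "device-api",
            "trace_id": "constructed-trace-id",
        },
        "resources": page,
        "errors": [],
    }


if __name__ == "__main__":
    print(fetch_all_host_ids(fake_devices_scroll, limit=2))
```

The errors array is checked before the resources are read: a 403 on an expired client secret comes back in that array rather than as an exception, and silently treating it as an empty page would look exactly like "no hosts available" in the troubleshooting section.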
Fetch Scores
API endpoint:
/zero-trust-assessment/entities/assessments/v1
Method: GET
Parameters:
Key | Value |
---|---|
ids | [<Host Ids>] |
Headers:
Key | Value |
---|---|
Authorization | Bearer <Bearer Token> |
User-Agent | netskope-ce-5.0.1-ure-crowdstrike/1.3.1 |
Sample API Response:
{ "meta": { "query_time": 0.003210238, "trace_id": "ba076fd9-7340-49f3-a9a2-41b6f2eb94d9" }, "errors": [], "resources": [ { "aid": "e039334e8b0e4747bdfc7a29406ec8e1", "cid": "c17f3a80ded0418eb107db3d26a27983", "system_serial_number": "FVHX2HEDJ1WK", "event_platform": "Mac", "product_type_desc": "Workstation", "modified_time": "2024-05-01T08:42:07Z", "sensor_file_status": "confirmed", "assessment": { "sensor_config": 66, "os": 72, "overall": 68, "version": "3.8.1" }, "assessment_items": { "os_signals": [ { "signal_id": "mac_os_version", "signal_name": "macOS Version", "group_name": "macOS", "criteria": "macOS version is ≥11.0", "meets_criteria": "yes" } ], "sensor_signals": [ { "signal_id": "ml_cloud_antimalware_detection_mac", "signal_name": "Cloud ML - Cloud Anti-malware - Detection for macOS", "group_name": "Prevention", "criteria": "Cloud ML - Cloud Anti-malware Detection: set to Aggressive or higher", "meets_criteria": "yes" } ] } } ] }
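As an added example (not the plugin's own code), the following Python applies the Pull Mapping (resources/aid to id, overall to score), the Score Mapping (overall * 10, NA to None) and the Score to File Mapping tables above to a Fetch Scores response, and also applies the Maximum Score filter described in the plugin configuration. The response is constructed from the shape of the sample above with two extra hosts, one of them without an assessment block. Two choices are assumptions: the Score to File Mapping table lists "260 to 510" and "510 to 760", so each lower bound is treated as inclusive and each upper bound as exclusive, and hosts with no assessment are kept with a None score.

```python
import json

# Constructed sample: a trimmed version of the Fetch Scores response shown above,
# plus a second host and a third host that has no assessment block (NA -> None).
CONSTRUCTED_SCORES_RESPONSE = json.dumps({
    "meta": {"query_time": 0.003, "trace_id": "constructed-trace-id"},
    "errors": [],
    "resources": [
        {"aid": "e039334e8b0e4747bdfc7a29406ec8e1", "event_platform": "Mac",
         "assessment": {"sensor_config": 66, "os": 72, "overall": 68, "version": "3.8.1"}},
        {"aid": "00000000000000000000000000000002", "event_platform": "Windows",
         "assessment": {"sensor_config": 10, "os": 20, "overall": 12, "version": "3.8.1"}},
        {"aid": "00000000000000000000000000000003", "event_platform": "Linux"},
    ],
})

# Score Mapping table: Netskope CE URE label -> inclusive score range.
URE_BANDS = (("critical", 1, 250), ("high", 251, 500), ("medium", 501, 750), ("low", 751, 1000))

# Score to File Mapping table. Assumption: lower bound inclusive, upper bound exclusive,
# because the page's ranges share their endpoints ("260 to 510", "510 to 760").
SCORE_FILES = ((260, "crwd_zta_1_25.txt"), (510, "crwd_zta_26_50.txt"),
               (760, "crwd_zta_51_75.txt"), (1001, "crwd_zta_76_100.txt"))


def normalize_score(overall):
    """URE score = CrowdStrike overall assessment score * 10; NA (missing) stays None."""
    return None if overall is None else int(overall) * 10


def ure_band(score):
    """Map a normalized score to its URE label; scores outside 1-1000 are rejected."""
    if score is None:
        return None
    for label, low, high in URE_BANDS:
        if low <= score <= high:
            return label
    raise ValueError(f"score {score} is outside the 1-1000 URE range")


def score_file(score):
    """Pick the score file that the Put RTR Script action would upload."""
    for upper, name in SCORE_FILES:
        if score < upper:
            return name
    raise ValueError(f"score {score} is outside the 1-1000 URE range")


def extract_host_scores(raw_json, max_score=1000):
    """Apply the Pull Mapping (aid -> id, overall -> score) to a Fetch Scores body.

    Hosts whose normalized score exceeds max_score (the plugin's Maximum Score
    setting) are dropped. Assumption: hosts with no assessment are kept with
    score None rather than dropped.
    """
    body = json.loads(raw_json)
    if body.get("errors"):
        raise RuntimeError(f"zero-trust-assessment returned errors: {body['errors']}")
    hosts = []
    for resource in body.get("resources", []):
        overall = (resource.get("assessment") or {}).get("overall")
        score = normalize_score(overall)
        if score is not None and score > max_score:
            continue
        hosts.append({
            "id": resource["aid"],
            "score": score,
            "band": ure_band(score),
            "file": None if score is None else score_file(score),
        })
    return hosts


if __name__ == "__main__":
    for host in extract_host_scores(CONSTRUCTED_SCORES_RESPONSE):
        print(host)
```

Running it on the constructed response gives the first host a score of 680 (medium, crwd_zta_51_75.txt), the second 120 (critical, crwd_zta_1_25.txt) and the third None; with max_score=500 only the last two remain, which is the behaviour to expect when the Maximum Score setting is the reason scores seem to be missing.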
Put a File on the Cloud
API endpoint:
/real-time-response/entities/put-files/v1
Method: POST
Headers:
Key | Value |
---|---|
Authorization | Bearer <Bearer Token> |
User-Agent | netskope-ce-5.0.1-ure-crowdstrike/1.3.1 |
Data:
{ "description": "file representing a ZTA score of 1_25", "name": "crwd_zta_1_25.txt", "comments_for_audit_log": "upload file representing a ZTA score of 1_25 for Netskope ZTA-RTR integration" }
Sample API Response:
{ "meta": { "query_time": 0.536670425, "writes": { "resources_affected": 1 }, "powered_by": "empower-api", "trace_id": "d4bddc66-83fd-4875-9016-a17899fd83ba" } }
Get a Session ID
API Endpoint:
/real-time-response/entities/sessions/v1
Method: POST
Headers:
Key | Value |
---|---|
Authorization | Bearer <Bearer Token> |
User-Agent | netskope-ce-5.0.1-ure-crowdstrike/1.3.1 |
Content-Type | application/json |
Data:
Key | Value |
---|---|
device_id | <Device ID> |
origin | Netskope |
queue_offline | True |
Sample API Response:
{ "meta": { "query_time": 0.315515137, "powered_by": "empower-api", "trace_id": "0483a37f-896b-4bb3-bf1e-8f8b3618a2e2" }, "resources": [ { "session_id": "a26ad68e-1272-482b-95b5-78ee27344d80", "scripts": [ { "command": "cat", "description": "Read a file from disk and display as ASCII", "examples": "cat foo.txt\r\ncat -n foo.txt\r\ncat -t foo.txt\r\ncat -t -n foo.txt", "internal_only": false, "runnable": true, "sub_commands": [], "args": [ { "id": 582, "created_at": "2019-07-03T18:52:15Z", "updated_at": "2019-07-03T18:52:15Z", "script_id": 527, "arg_type": "arg", "data_type": "string", "requires_value": false, "arg_name": "Path", "description": "path to cat", "default_value": "", "required": true, "sequence": 1, "options": null, "encoding": "", "command_level": "non-destructive" } ] }, { "command": "getsid", "description": "Enumerate local users and Security Identifiers (SID)", "examples": "getsid\r\n List all users and associated SIDs\r\ngetsid foo\r\n List users and associated SIDs matching substring \"foo\"", "internal_only": false, "runnable": true, "sub_commands": [], "args": [ { "id": 661, "created_at": "2020-04-02T03:31:02Z", "updated_at": "2020-04-02T03:31:02Z", "script_id": 557, "arg_type": "arg", "data_type": "string", "requires_value": false, "arg_name": "UserName", "description": "Partial or full username to filter results", "default_value": "", "required": false, "sequence": 1, "options": null, "encoding": "", "command_level": "non-destructive" } ] }, { "command": "ls", "description": "Display the contents of the specified path", "examples": "ls\r\nls -l\r\nls -L\r\nls -t\r\nls -l -@\r\nls -R\r\nls -l -R\r\nls -l -t -R -L", "internal_only": false, "runnable": true, "sub_commands": [], "args": [ { "id": 576, "created_at": "2019-07-03T18:51:13Z", "updated_at": "2019-07-03T18:51:13Z", "script_id": 526, "arg_type": "arg", "data_type": "string", "requires_value": false, "arg_name": "Path", "description": "Path ", "default_value": ".", "required": false, "sequence": 1, "options": null, "encoding": "", "command_level": "non-destructive" } ] }, { "command": "mount", "description": "List or mount filesystem volumes", "examples": "Executable by all RTR roles:\r\nmount\r\nExecutable by privileged RTR users only:\r\nmount -t=nfs \"host:/exports/filesystem\" \"/mnt/filesystem\"\r\n Mount the NFS filesystem located at \"/exports/filesystem\" on \"host\" to the local destination \"/mnt/filesystem\"\r\nmount -t=smbfs \"//user:password@host/filesystem\" \"/mnt/mountpoint\"\r\n Mount the SMB \"/filesystem\" on \"host\" as \"user\" with \"password\" to \"/mnt/mountpoint\"\r\nmount -t=smbfs -o=nobrowse \"//user:password@host/filesystem\" \"/mnt/mountpoint\"\r\n Mount the SMB \"/filesystem\" with option \"nobrowse\" on \"host\" as \"user\" with \"password\" to \"/mnt/mountpoint\"", "internal_only": false, "runnable": true, "sub_commands": [], "args": [] }, { "command": "netstat", "description": "Display routing information or network connections", "examples": "netstat\r\nnetstat -nr", "internal_only": false, "runnable": true, "sub_commands": [], "args": [ { "id": 973, "created_at": "2023-11-20T23:23:37Z", "updated_at": "2023-11-20T23:23:37Z", "script_id": 539, "arg_type": "flag", "data_type": "string", "requires_value": false, "arg_name": "n", "description": "Flag to show network addresses as numbers", "default_value": "", "required": false, "sequence": 2, "options": null, "encoding": "", "command_level": "non-destructive" } ] }, { "command": "users", "description": "Get details about local users", "examples": "users\r\n List details about all local users\r\nusers foo\r\n List details about local user \"foo\"", "internal_only": false, "runnable": true, "sub_commands": [], "args": [ { "id": 679, "created_at": "2020-04-02T03:31:12Z", "updated_at": "2020-04-02T03:31:12Z", "script_id": 565, "arg_type": "arg", "data_type": "string", "requires_value": false, "arg_name": "UserName", "description": "Username to filter results", "default_value": "", "required": false, "sequence": 1, "options": null, "encoding": "", "command_level": "non-destructive" } ] } ], "existing_aid_sessions": 1, "created_at": "2023-12-22T15:47:24.904481922Z", "offline_queued": true } ], "errors": null }
Check Script Existence
API endpoint: /real-time-response/queries/scripts/v1
Method: GET
Headers:
Key | Value |
---|---|
Authorization | Bearer <Bearer Token> |
User-Agent | netskope-ce-5.0.1-ure-crowdstrike/1.3.1 |
Parameters:
Key | Value |
---|---|
filter | name:'<Script name>' |
API Response:
{ "meta": { "query_time": 0.025087906, "pagination": { "offset": 0, "limit": 100, "total": 1 }, "powered_by": "empower-api", "trace_id": "0e9ccedb-58c9-44a9-842c-620977f096b1" }, "resources": [ "bab3f0ff134311efb74642cd23408b64_ee09a7720077436099aa397c612ea43b" ] }
Create Score Files Removal Script on RTR Cloud
API Endpoint: /real-time-response/entities/scripts/v1
Method: POST
Headers:
Key | Value |
---|---|
Authorization | Bearer <Bearer Token> |
User-Agent | netskope-ce-5.0.1-ure-crowdstrike/1.3.1 |
Data:
Key | Value |
---|---|
name | Name of script |
permission_type | public |
description | Description for file. |
Files
Upload the script file.
For a Python script uploaded with the requests library, pass the script in the files parameter as follows (where file is the open file object):
[ ( "file", ( "<File>", file, "application/octet-stream", ), ) ]
API Response:
{ "meta": { "query_time": 0.947792627, "writes": { "resources_affected": 1 }, "powered_by": "empower-api", "trace_id": "eed1850a-0c07-488a-b36d-a70d5e904d71" } }
Get a Platform Name
API endpoint:
/devices/entities/devices/v2
Method: GET
Headers:
Key | Value |
---|---|
Authorization | Bearer <Bearer Token> |
User-Agent | netskope-ce-5.0.1-ure-crowdstrike/1.3.1 |
Parameters:
Key | Value |
---|---|
ids | [<Host ID>] |
Sample API Response:
{ "meta": { "query_time": 0.001626152, "powered_by": "device-api", "trace_id": "8adcbd8a-40cd-4086-8e5d-5d3962fb1073" }, "resources": [ { "device_id": "d2abab7b4c6a4d9998b298b19bbda31f", "cid": "c17f3a80ded0418eb107db3d26a27983", "agent_load_flags": "0", "agent_local_time": "2023-12-22T11:19:53.929Z", "agent_version": "7.05.17603.0", "bios_manufacturer": "Apple Inc.", "bios_version": "515.0.0.0.0", "config_id_base": "65994753", "config_id_build": "17603", "config_id_platform": "4", "cpu_signature": "526057", "external_ip": "117.217.127.213", "mac_address": "dc-a9-04-99-43-aa", "hostname": "ITs-MacBook-Pro.local", "first_seen": "2023-12-18T08:46:57Z", "last_login_timestamp": "2023-12-21T08:00:38Z", "last_login_user": "it", "last_login_uid": "501", "last_login_user_sid": "S-1-5-21-1276927669-3124867281-3856135234-2002", "last_seen": "2023-12-22T11:46:27Z", "local_ip": "172.20.10.87", "major_version": "22", "minor_version": "6", "os_version": "Ventura (13)", "os_build": "22G120", "platform_id": "1", "platform_name": "Mac", "policies": [ { "policy_type": "prevention", "policy_id": "e17fdf411592409794d748e907da9967", "applied": true, "settings_hash": "528b286b", "assigned_date": "2023-12-18T08:48:02.464865254Z", "applied_date": "2023-12-18T08:48:08.608666735Z", "rule_groups": [] } ], "reduced_functionality_mode": "yes", "device_policies": { "prevention": { "policy_type": "prevention", "policy_id": "e17fdf411592409794d748e907da9967", "applied": true, "settings_hash": "528b286b", "assigned_date": "2023-12-18T08:48:02.464865254Z", "applied_date": "2023-12-18T08:48:08.608666735Z", "rule_groups": [] }, "sensor_update": { "policy_type": "sensor-update", "policy_id": "766825ba2e2847f8a9134f7f48f44214", "applied": true, "settings_hash": "tagged|3;101", "assigned_date": "2023-12-18T09:00:47.465877148Z", "applied_date": "2023-12-18T09:03:49.721523878Z", "uninstall_protection": "ENABLED" }, "device_control": { "policy_type": "device-control", "policy_id": "6e4a89125c4343f3ab42cbf2fa482702", "applied": true, "assigned_date": "2023-12-18T08:48:02.464932037Z", "applied_date": "2023-12-18T08:49:48.770860727Z" }, "global_config": { "policy_type": "globalconfig", "policy_id": "e2289d74264744f38e62d1146b13189d", "applied": true, "settings_hash": "1fda691c", "assigned_date": "2023-12-22T11:20:01.358167731Z", "applied_date": "2023-12-22T11:21:05.552056147Z" }, "remote_response": { "policy_type": "remote-response", "policy_id": "70d43a45f67149e8b54c8d80ac00df10", "applied": true, "settings_hash": "797eb425", "assigned_date": "2023-12-18T08:48:02.464926863Z", "applied_date": "2023-12-18T08:48:08.689092082Z" }, "firewall": { "policy_type": "firewall", "policy_id": "b1a5ff10a3c44f66a47c7f08f2e372e5", "applied": true, "assigned_date": "2023-12-18T08:48:02.464940776Z", "applied_date": "2023-12-18T08:48:08.752377285Z", "rule_set_id": "b1a5ff10a3c44f66a47c7f08f2e372e5" } }, "groups": [], "group_hash": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "product_type_desc": "Workstation", "provision_status": "Provisioned", "serial_number": "C02V10FEHV2T", "status": "normal", "system_manufacturer": "Apple Inc.", "system_product_name": "MacBookPro14,2", "tags": [], "modified_timestamp": "2023-12-22T11:46:35Z", "meta": { "version": "110", "version_string": "6:10864108136" }, "kernel_version": "22.6.0", "chassis_type": "9", "chassis_type_desc": "Laptop" } ], "errors": null }
Change Directory
API Endpoint:
/real-time-response/entities/admin-command/v1
Method: POST
Headers:
Key | Value |
---|---|
Authorization | Bearer <Bearer Token> |
User-Agent | netskope-ce-5.0.1-ure-crowdstrike/1.3.1 |
Data:
Key | Value |
---|---|
base_command | cd |
command_string | cd "/Library/Application Support/Netskope/STAgent" or cd "C:\Program Files (x86)\Netskope\STAgent" |
persist | True |
session_id | 30b171e9-26ca-4856-b00e-10d5c4be765e |
Sample API Response:
{ "meta": { "query_time": 0.052249291, "powered_by": "empower-api", "trace_id": "ebb0457c-1000-4607-99c5-85fd2c2aae91" }, "resources": [ { "session_id": "30b171e9-26ca-4856-b00e-10d5c4be765e", "cloud_request_id": "399d6ed9-e2c5-4e72-8618-97515f69dc72", "queued_command_offline": false } ], "errors": null }
Remove File from a Device
API Endpoint:
/real-time-response/entities/admin-command/v1
Method: POST
Headers:
Key | Value |
---|---|
Authorization | Bearer <Bearer Token> |
User-Agent | netskope-ce-5.0.1-ure-crowdstrike/1.3.1 |
Data:
Key | Value |
---|---|
base_command | rm |
command_string | rm crwd_zta_1_25.txt |
persist | True |
session_id | 30b171e9-26ca-4856-b00e-10d5c4be765e |
Sample API Response:
{ "meta": { "query_time": 0.052249291, "powered_by": "empower-api", "trace_id": "ebb0457c-1000-4607-99c5-85fd2c2aae91" }, "resources": [ { "session_id": "30b171e9-26ca-4856-b00e-10d5c4be765e", "cloud_request_id": "399d6ed9-e2c5-4e72-8618-97515f69dc72", "queued_command_offline": false } ], "errors": null }
Put the File on a Device
API Endpoint:
/real-time-response/entities/admin-command/v1
Method: POST
Headers:
Key | Value |
---|---|
Authorization | Bearer <Bearer Token> |
User-Agent | netskope-ce-5.0.1-ure-crowdstrike/1.3.1 |
Data:
Key | Value |
---|---|
base_command | put |
command_string | put crwd_zta_1_25.txt |
persist | True |
session_id | <Session ID> |
Sample API Response:
{ "meta": { "query_time": 0.052249291, "powered_by": "empower-api", "trace_id": "ebb0457c-1000-4607-99c5-85fd2c2aae91" }, "resources": [ { "session_id": "30b171e9-26ca-4856-b00e-10d5c4be765e", "cloud_request_id": "399d6ed9-e2c5-4e72-8618-97515f69dc72", "queued_command_offline": false } ], "errors": null }
Get Command Status
API endpoint:
/real-time-response/entities/admin-command/v1
Method: GET
Headers:
Key | Value |
---|---|
Authorization | Bearer <Bearer Token> |
User-Agent | netskope-ce-5.0.1-ure-crowdstrike/1.3.1 |
Parameters:
Key | Value |
---|---|
cloud_request_id | 399d6ed9-e2c5-4e72-8618-97515f69dc72 |
sequence_id | 0 |
Sample API Response:
{ "meta": { "query_time": 0.30452861, "powered_by": "empower-api", "trace_id": "f2fbc47d-a6e5-4ddf-9bb0-778fd7b32017" }, "resources": [ { "session_id": "30b171e9-26ca-4856-b00e-10d5c4be765e", "task_id": "399d6ed9-e2c5-4e72-8618-97515f69dc72", "complete": true, "stdout": "", "stderr": "/Library/Application Support/Netskope/STAgent does not exist\n", "base_command": "cd" } ], "errors": [] }
Delete a Session
API Endpoint:
/real-time-response/entities/sessions/v1
Method: DELETE
Headers:
Key | Value |
---|---|
Authorization | Bearer <Bearer Token> |
User-Agent | netskope-ce-5.0.1-ure-crowdstrike/1.3.1 |
Content-Type | application/json |
Parameter:
Key | Value |
---|---|
session_id | 30b171e9-26ca-4856-b00e-10d5c4be765e |
Sample API Response:
Status code: 204
User Agent
The user agent added for this plugin is in the following format: <vendor>-<integration name>/<version>. For example:
netskope-ce-5.0.1-ure-crowdstrike/1.3.1
Workflow
- Get your CrowdStrike Client ID and Client Secret.
- Add permissions for your Response Policy (RTR script permission).
- Configure the CrowdStrike Plugin for User Risk Exchange.
- Configure a Business Rule for the CrowdStrike plugin.
- Configure Actions for the CrowdStrike Plugin.
- Validate the CrowdStrike plugin.
Get your Crowdstrike Client ID and Client Secret
- Log in to your CrowdStrike platform and go to the menu icon > Support and resources > API clients and keys.
- Click Add new API client.
- Add the following scopes for using the CrowdStrike URE plugin:
Scope | Read | Write |
---|---|---|
Hosts | Yes | No |
Real time response (admin) | – | Yes |
Real time response | Yes | No |
Zero Trust Assessment | Yes | – |
- Copy the Client ID and Secret.
Add Permission for your Response Policy (RTR script Permission)
- Log in to the Falcon CrowdStrike UI.
- Click on the menu button in the top left corner. Go to Host Setup and Management > Response Policies.
- For Windows, go to the policy that is to be used and click Edit Policy in the right corner of the policy.
- Enable these permissions:
Response Policy Permissions
Category | Type | Permission | Status |
---|---|---|---|
Real Time Response | High risk commands | put | Enable |
Refer to this screenshot.
You can also go directly to your Host from the Host setup and Management > Host management. Click on your hostname and scroll down to Real Time Response Policy from the left pop-up menu.
Configure the CrowdStrike Plugin
- In Cloud Exchange, go to Settings > Plugins. Search for and select the CrowdStrike v1.3.1 (URE) plugin box.
- Add a Configuration Name and Sync Interval, and enable Use System Proxy if the plugin should reach CrowdStrike through a proxy.
- Click Next and enter the Base URL, Client ID, Client Secret, and Maximum Score. Maximum Score is the configuration parameter through which the plugin fetches only the scores of Hosts that are less than or equal to the given value.
- Click Next and set the score range on the Select Range page.
- When finished, click Save.
Create a User Risk Exchange Business Rule for CrowdStrike
- Go to Risk Exchange Module > User Risk Exchange > Business Rules and click Create New Rule.
- Enter the Rule Name and configure a query for business rules based on your requirement, and click Save.
Configure Netskope User Risk Exchange Actions for CrowdStrike
This CrowdStrike plugin supports the following two action types:
- No Action: no action is performed on the host. Users can generate UBA alerts in CTO by using this action and enabling the Generate Alerts toggle button.
- Put RTR Script: puts a score file on the host, chosen by the host's score.
Score to File Mapping
Score | File |
---|---|
Less than 260 | crwd_zta_1_25.txt |
260 to 510 | crwd_zta_26_50.txt |
510 to 760 | crwd_zta_51_75.txt |
760 to 1000 | crwd_zta_76_100.txt |
Steps to configure the Action:
- Go to User Risk Exchange > Actions and click Add Action Configuration.
- Select the required Business Rule, Configuration (plugin), and Action from their respective dropdowns.
- Click Save.
Validate the CrowdStrike Plugin
Validate in Cloud Exchange
- Go to User Risk Exchange > Hosts. All pulled hosts and their scores are listed there.
- Go to the Logging page to verify the logs for the pulled hosts and their respective scores.
- Go to the Logging page to verify the action performed on a Mac host, if the action was performed on a Mac machine.
- Go to the Logging page to verify the action performed on a Windows host, if the action was performed on a Windows machine.
- When a user matches one of the configured business rules, the configured action is performed on the user. This can be seen in Risk Exchange > Action Logs.
Validate in CrowdStrike
- Log in to the CrowdStrike platform. Click the menu option in the top left corner, and then click Host setup and management > Host management.
- You'll see the number of hosts that are pulled from the platform, as shown in this image.
To validate the Put RTR Script action and check the file added on the Host machine, first follow what the action does step by step, then use the validation steps that follow:
Step 1: Check Host Existence
When the action is triggered, the plugin first checks whether the Host with the given Host ID exists on the CrowdStrike platform.
Step 2: Evaluate Host Presence
- If the Host does not exist, the plugin does not perform any further action and raises a warning.
- If the Host exists, the plugin proceeds with the following operations.
Step 3: Create Score Files on RTR Cloud
The plugin creates a file for each risk score range on the RTR cloud.
For example, if the score is between 1-25, the file is named crwd_zta_1_25.txt.
If a file with the same name already exists, the API will not create a new one.
Step 4: Establish Host Session
Once the necessary files are created, the plugin initiates a session with the Host using the Host ID.
Step 5: Retrieve Host OS
The plugin fetches the operating system (OS) information for the respective Host.
Step 6: Change Directory Based on OS
- Depending on the Host’s OS, the plugin sends an API call to change the directory to the appropriate location.
- For Mac: cd "/Library/Application Support/Netskope/STAgent"
- For Windows: cd "/Program Files (x86)/Netskope/STAgent"
- The plugin waits up to 5 minutes for the command to execute. If it takes longer, a timeout error is raised. This timeout applies to commands in Steps 6, 7, and 8.
Step 7: Check if the script for removal of file for OS is present on RTR Cloud
- To remove the existing score files from the host machine, the plugin first checks whether the removal script already exists on the RTR cloud.
- As the Put RTR Script action supports Windows and macOS, the files Windows Score File Removal Script and Mac Score File Removal Script should be present on the RTR cloud.
Step 8: Create script if it does not exist on the RTR cloud
If the Script for the respective OS does not exist on the RTR cloud, create one.
Step 9: Remove existing files from host machine
Execute the script for the respective OS on the host machine to remove the existing files.
Step 10: Upload New Score File
- After removing old score files, the plugin performs a “put” command to upload the new score file.
- If the existing score was 12 (requiring crwd_zta_1_25.txt), and the score changes to 48, the new file (crwd_zta_26_50.txt) is uploaded.
Step 11: Delete Host Session
After completing all the steps, the plugin deletes the session created with the Host to free resources and ensure proper cleanup.
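The Put RTR Script sequence described in Steps 1 to 11, as an added example that is not the plugin's own code. It drives the endpoint sequence from the API Details table against a constructed in-memory stand-in (`FakeRtrApi`, a name chosen here, not the real SDK) so that it runs offline, polls command status with the 5-minute deadline from Step 6, treats a non-empty stderr (as in the Get Command Status sample, where the STAgent directory does not exist) as a failed command, and always deletes the session. Two simplifications are assumptions: old score files are cleared with the rm admin command from the Remove File from a Device section rather than the removal script of Steps 7 to 9, and the score file name is passed in, chosen beforehand from the Score to File Mapping table.

```python
import time

STAGENT_DIR = {  # Step 6 target directory per platform (Change Directory section)
    "Mac": "/Library/Application Support/Netskope/STAgent",
    "Windows": "C:\\Program Files (x86)\\Netskope\\STAgent",
}
SCORE_FILES = ("crwd_zta_1_25.txt", "crwd_zta_26_50.txt", "crwd_zta_51_75.txt", "crwd_zta_76_100.txt")
COMMAND_TIMEOUT = 300  # seconds: the plugin waits up to 5 minutes per command


class FakeRtrApi:
    """Constructed stand-in for the RTR endpoints (hypothetical, not the real API client).

    hosts maps device_id -> {"platform": name, "dirs": {directory: set(files)}}.
    Commands complete instantly; the real API returns a cloud_request_id to poll.
    """

    def __init__(self, hosts):
        self.hosts, self.sessions, self.commands, self._n = hosts, {}, {}, 0

    def _new_id(self, prefix):
        self._n += 1
        return f"{prefix}-{self._n}"

    def create_session(self, device_id):  # POST /real-time-response/entities/sessions/v1
        session_id = self._new_id("session")
        self.sessions[session_id] = {"device_id": device_id, "cwd": None}
        return session_id

    def platform_name(self, device_id):  # /devices/entities/devices/v2
        return self.hosts[device_id]["platform"]

    def admin_command(self, session_id, base_command, command_string):  # POST admin-command/v1
        session = self.sessions[session_id]
        host = self.hosts[session["device_id"]]
        target = command_string.split(" ", 1)[1].strip('"')
        stderr = ""
        if base_command == "cd":
            if target in host["dirs"]:
                session["cwd"] = target
            else:  # the failure shown in the Get Command Status sample response
                stderr = f"{target} does not exist\n"
        elif base_command == "rm":  # the fake treats removing an absent file as success
            host["dirs"][session["cwd"]].discard(target)
        elif base_command == "put":
            host["dirs"][session["cwd"]].add(target)
        request_id = self._new_id("req")
        self.commands[request_id] = {"complete": True, "stderr": stderr, "base_command": base_command}
        return request_id

    def command_status(self, cloud_request_id):  # GET admin-command/v1?cloud_request_id=...
        return self.commands[cloud_request_id]

    def delete_session(self, session_id):  # DELETE /real-time-response/entities/sessions/v1
        self.sessions.pop(session_id)


def wait_for_command(api, cloud_request_id, timeout=COMMAND_TIMEOUT, poll_interval=0.0):
    """Poll command status until complete; non-empty stderr means the command failed."""
    deadline = time.monotonic() + timeout
    while True:
        status = api.command_status(cloud_request_id)
        if status["complete"]:
            if status["stderr"]:
                raise RuntimeError(f'{status["base_command"]} failed: {status["stderr"].strip()}')
            return status
        if time.monotonic() >= deadline:
            raise TimeoutError(f"command {cloud_request_id} did not finish within {timeout}s")
        time.sleep(poll_interval)


def put_score_file(api, host_id, score_file):
    """Run Steps 1-11 for one host; score_file comes from the Score to File Mapping table."""
    if host_id not in api.hosts:  # Steps 1-2: unknown host, warn and stop
        return "skipped: host not found"
    platform = api.platform_name(host_id)  # Step 5
    if platform not in STAGENT_DIR:
        return f"skipped: {platform} is not supported"
    session_id = api.create_session(host_id)  # Step 4
    try:
        def run(base_command, command_string):
            return wait_for_command(api, api.admin_command(session_id, base_command, command_string))
        run("cd", f'cd "{STAGENT_DIR[platform]}"')  # Step 6
        for old in SCORE_FILES:  # Step 9: clear any previous score file
            run("rm", f"rm {old}")
        run("put", f"put {score_file}")  # Step 10
        return f"put {score_file}"
    except (RuntimeError, TimeoutError) as exc:
        return f"failed: {exc}"
    finally:
        api.delete_session(session_id)  # Step 11: always release the session


def run_demo():
    # Constructed hosts: a ready Mac, a Windows host missing the STAgent directory, a Linux host.
    api = FakeRtrApi({
        "mac-1": {"platform": "Mac", "dirs": {STAGENT_DIR["Mac"]: {"crwd_zta_1_25.txt"}}},
        "win-1": {"platform": "Windows", "dirs": {}},
        "lnx-1": {"platform": "Linux", "dirs": {}},
    })
    outcomes = {h: put_score_file(api, h, "crwd_zta_26_50.txt") for h in ("mac-1", "win-1", "lnx-1", "nope")}
    outcomes["mac-1 files"] = sorted(api.hosts["mac-1"]["dirs"][STAGENT_DIR["Mac"]])
    outcomes["open sessions"] = len(api.sessions)
    return outcomes
```

Calling run_demo() shows the four outcomes the troubleshooting section lists: the Mac host ends up with only crwd_zta_26_50.txt in the STAgent directory, the Windows host fails at the cd step with the "does not exist" stderr, the Linux host and the unknown host are skipped before any session is opened, and no session is left open afterwards because the delete runs in the finally block even when a command fails.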
Steps to Validate action on CrowdStrike
- On CrowdStrike, go to Host setup and management > Host management.
- Search for your Host using your Host Name or Host ID. Click on the Hostname.
- From the left popup menu, click on the settings icon > Connect to Host.
To check the file added on the Host, go to the below path after connecting to the Host and check the respective score file created.
- For Windows machines: C:\Program Files (x86)\Netskope\STAgent
- For Mac machines: /Library/Application Support/Netskope/STAgent
Troubleshooting
Unable to pull Host from the CrowdStrike Platform
If no Host IDs are pulled from the CrowdStrike platform, check the logs in CE Logging. It could be either of the following:
- An error is received while pulling Hosts from the platform.
- No Host is available to pull on the CrowdStrike platform.
What to do: If you received an error while pulling Hosts, check the error message and follow the matching step below.
Receiving a 500 error: the server might be down; wait for a while and check later.
Receiving a 403 error: the configured credentials do not have sufficient permissions, or the credentials no longer exist. Verify the permissions for the Client ID and Secret.
If there is no error in the logs, the hosts might not be available on the platform to pull. Check the hosts available on CrowdStrike and confirm.
Unable to fetch the scores of a pulled Host
If you are not able to pull scores for all or some Hosts from the platform, it could be due to the Maximum Score value provided in the plugin configuration.
What to do: Open the plugin configuration parameter page and increase the value of Maximum Score, since the plugin only pulls Host scores whose value is less than or equal to the value in the Maximum Score field.
Unable to perform Action on Host
If you are not able to perform the Put RTR Script action, it might be due to one of the following reasons.
- Insufficient permission was provided for the action.
- An error was received while performing the action.
What to do: Identify which of the two applies and follow the matching option.
Insufficient permission: verify that the RTR script permission is provided (see Add Permission for your Response Policy).
Error while performing the action:
If the host machine is down or does not exist, the plugin won't be able to perform the Put RTR Script action. Verify that the host is accessible.
If the host is Linux the action won’t be performed since Linux is not a supported OS.
If too many actions are performed on a host, you might run into 425 error, which will add the action to the queue. You should wait for a while before retrying to perform the action.