CrowdStrike

CrowdStrike is an agent-based sensor that prevents breaches and malware attacks. It provides Endpoint Detection and Response (EDR) services to all endpoints by a single agent, commonly known as the CrowdStrike Falcon Sensor.

This document contains the best practices that ensure smooth interoperability between CrowdStrike and Netskope Client.

Environment

This document was created using the following components:

  • Falcon Sensor Version: 6.36.15005
  • Netskope Client version: 117.0.0
  • OS: Windows 10

Interoperability Configuration Requirements

Specific configurations in the Netskope tenant web UI ensure that the processes and traffic of either application are neither blocked nor steered to the Netskope Cloud. You must add exceptions to the Netskope Steering Configuration. To learn more, view Exceptions.

Configurations In Netskope Client

Add steering configuration exceptions (Certificate Pinned Application exception type) on the Netskope tenant WebUI to allow CrowdStrike traffic to bypass Netskope and reach its destination.

To add CrowdStrike as a Certificate Pinned Application on the Netskope UI:

  1. Go to Settings > Security Cloud Platform > Steering Configuration.

  2. Click Default tenant config.

  3. On the Default tenant config page, click EXCEPTION > NEW EXCEPTION > Certificate Pinned Applications.

  4. In the New Exception window, do the following:

    1. From Certificate Pinned App, select CrowdStrike Falcon.

    2. From Actions, select Bypass for all operating systems that you want to allow directly to the destination.

    3. Click ADD.

    • The pre-defined cert-pinned app includes the following processes for macOS:
      • falcond
      • com.crowdstrike.falcon.agent
    • The pre-defined cert-pinned app includes the following processes for Windows:
      • CSFalconService.exe
      • system
      • CSFalconContainer.exe

Verifying Interoperability

Netskope Client Functions

Refer to the list of validated use cases that you can use to verify Client operations.

CrowdStrike Validation

To validate the CrowdStrike Falcon Sensor, open a Command Prompt (cmd.exe) and run the following command: choice /M crowdstrike_sample_detection.

This triggers a sample detection. To review it, go to Activity > Detections on the Falcon console and inspect the new alert.

Troubleshooting Interoperability

CrowdStrike injects the following DLLs into the Netskope Client process memory to monitor activities at the API level:

  • C:\Windows\System32\umppc118110.dll

  • C:\Windows\System32\ScriptControl32_17706.dll

The version numbers in the DLL names are subject to change.

Exclude the following Netskope Client processes in your CrowdStrike console so that CrowdStrike does not inject its DLLs into them:

  • stAgentSvc.exe
  • stAgentUI.exe
  • nsdiag.exe

Occasionally, the injection of CrowdStrike's DLLs leads to instability and unexpected behavior in the Netskope Client. For troubleshooting purposes, allowlist the Netskope Client's processes in the CrowdStrike settings to resolve the issue.
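The following PowerShell check is an added example, not part of the Netskope or CrowdStrike documentation. It lists the modules loaded in the three Netskope Client processes named above and flags the CrowdStrike DLLs, matching on the name prefixes because the version digits change; run it before and after adding the exclusion to confirm the injection has stopped. It assumes an elevated session, since the module list of the stAgentSvc.exe service cannot be read from a non-admin prompt.

```powershell
# Added example: report whether the CrowdStrike injected DLLs are loaded in the
# Netskope Client processes. Run from an elevated PowerShell prompt.
$netskopeProcs   = @('stAgentSvc', 'stAgentUI', 'nsdiag')      # process names from the page, without .exe
$injectPatterns  = @('umppc*.dll', 'ScriptControl32_*.dll')    # version digits vary, so match by prefix

foreach ($name in $netskopeProcs) {
    $procs = Get-Process -Name $name -ErrorAction SilentlyContinue
    if (-not $procs) {
        Write-Output "$name.exe: not running"
        continue
    }
    foreach ($p in $procs) {
        try {
            # Reading .Modules opens the process; access denied is caught below
            $modules = $p.Modules | Select-Object -ExpandProperty ModuleName
        } catch {
            Write-Output ("{0}.exe (PID {1}): cannot read modules ({2})" -f $name, $p.Id, $_.Exception.Message)
            continue
        }
        $hits = foreach ($pat in $injectPatterns) {
            $modules | Where-Object { $_ -like $pat }
        }
        if ($hits) {
            Write-Output ("{0}.exe (PID {1}): CrowdStrike DLLs loaded: {2}" -f $name, $p.Id, ($hits -join ', '))
        } else {
            Write-Output ("{0}.exe (PID {1}): none of the listed CrowdStrike DLLs loaded" -f $name, $p.Id)
        }
    }
}
```

A process that still shows a umppc or ScriptControl32 DLL after the exclusion was added usually just needs to be restarted, because the exclusion only affects processes started after it took effect.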
