Crowdstrike Plugin for User Risk Exchange

This document explains how to configure the CrowdStrike v1.3.0 plugin integration with the User Risk Exchange (URE) module of the Netskope Cloud Exchange platform. The integration pulls host IDs and their Zero Trust Assessment (ZTA) scores from the CrowdStrike platform into Netskope and performs actions on hosts based on those scores.

Prerequisites

To complete this configuration, you need:

  • A Netskope tenant (or several, for example production and development/test instances) that is already configured in Cloud Exchange.
  • A Netskope Cloud Exchange tenant with the User Risk Exchange module already configured.
  • CrowdStrike API client credentials (Client ID and Client Secret) used to obtain the OAuth2 API token.
  • A CrowdStrike Real Time Response Administrator role, required only for the Put RTR Script action.
  • For each platform (Windows, Mac), a response policy with Real Time Response high-risk commands enabled.
  • Connectivity to the following host: https://api.crowdstrike.com

Compatibility

Netskope CE: v4.2.0, v5.0.0

Performance Matrix

The performance matrix below was measured per CE stack size. With a Large CE stack, host records and their scores for 500K hosts are pulled and stored in roughly the time shown in the table.

Stack size                      No. of records   Time taken to ingest records with scores
Large (RAM: 32 GB, 16 cores)    500K hosts       ~60 mins

Plugin Scope

This plugin fetches hosts and their respective ZTA scores from the CrowdStrike tenant. It also supports the Put RTR Script action, which uses Real Time Response to place a file named for the host's score band in the Netskope client (STAgent) directory on that host.

CrowdStrike Plugin Support

Type of data pulled        Hosts
Type of action supported   Put RTR Script, No Action
Score calculation          URE score = CrowdStrike host assessment (ZTA) overall score * 10

Mappings

Score to file mapping (for the Put RTR Script action)

Score           File
Less than 260   crwd_zta_1_25.txt
260 to 510      crwd_zta_26_50.txt
510 to 760      crwd_zta_51_75.txt
760 to 1000     crwd_zta_76_100.txt

Because the ZTA overall score is a whole number from 1 to 100, URE scores are multiples of 10 between 10 and 1000; a boundary value such as 260 (ZTA score 26) belongs to the higher band, as the file names indicate.
Permissions

API Scopes Permissions

Refer to the Get Client ID and Client Secret section for obtaining and providing API scope permissions.

Scope                        Read   Write
Hosts                        Yes    No
Real time response (admin)   -      Yes
Real time response           Yes    No
Zero Trust Assessment        Yes    -

Response Policy Permissions

Refer to the Add Permission for Response Policy (RTR script Permission) section for obtaining and providing Response Policy permissions.

Category             Type                 Permission   Status
Real Time Response   High risk commands   put          Enable

Note: Response policy permissions (and the Real time response (admin) scope) are only needed when you want to use the Put RTR Script action. The remaining scopes are read-only, so an API client used purely for score collection should be created without the admin scope.

API Details
List of APIs used

API detail                   Method   Endpoint                                          API scope
Get an auth token            POST     /oauth2/token                                     None
Fetch records                GET      /devices/queries/devices-scroll/v1                Hosts (Read)
Fetch scores                 GET      /zero-trust-assessment/entities/assessments/v1    Zero Trust Assessment (Read)
Put a file on the cloud      POST     /real-time-response/entities/put-files/v1         Real time response (admin) (Write)
Get a session ID             POST     /real-time-response/entities/sessions/v1          Real time response (Read)
Get a platform name          POST     /devices/entities/devices/v2                      Hosts (Read)
Change directory             POST     /real-time-response/entities/admin-command/v1     Real time response (admin) (Write)
Remove file from a device    POST     /real-time-response/entities/admin-command/v1     Real time response (admin) (Write)
Get status of a command      GET      /real-time-response/entities/admin-command/v1     Real time response (admin) (Write)
Put the file on a device     POST     /real-time-response/entities/admin-command/v1     Real time response (admin) (Write)
Delete the session           DELETE   /real-time-response/entities/sessions/v1          Real time response (Read)

Get an Auth Token

API endpoint:

/oauth2/token

Method: POST

Parameters:

Key             Value
grant_type      client_credentials
client_id       <Client ID>
client_secret   <Client Secret>

Sample API Response:

{
 "access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6InB1YmxpYzphNDdiNTc2MS0zYzk3LTQwMmItOTgzNi0wNmNhODI0NTViOTMiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOltdLCJjbGllbnRfaWQiOiJlZTA5YTc3MjAwNzc0MzYwOTlhYTM5N2M2MTJlYTQzYiIsImV4cCI6MTcwMzI0MDQzOSwiZXh0Ijp7InN1Yl90eXBlIjoiY2xpZW50In0sImlhdCI6MTcwMzIzODYzOSwiaXNzIjoiaHR0cHM6Ly9hcGkuY3Jvd2RzdHJpa2UuY29tLyIsImp0aSI6ImQ5ZTlmZWI4LTM0ODAtNDM2NC1hYzI2LTBhZjgzNDdlOWY2OSIsIm5iZiI6MTcwMzIzODYzOSwic2NwIjpbXSwic3ViIjoiZWUwOWE3NzIwMDc3NDM2MDk5YWEzOTdjNjEyZWE0M2IiLCJzdWJfdHlwZSI6ImNsaWVudCJ9.a8oiNJivyV1AJKoICvr1IH5r4kMsWZ2xds7Qb_JRB6sD1JcbGqAkFq_wgw5-EAB-hHiRB-coF2Yy_PeP-8IvjWQVIjlDJrRmRQ-s-NmAkm8XaG9GojFZvaT-sufiBxKEDmpdntABNkEG1fcbVvd7tVW-vi36PFPoc3p1t4sbaMhf9_Kts8iAHsv6BudVyFsPhPAreGc2OXUFT39ZvuDTN5BxOFiPT_9_gadXt-7N*************************************************************************************",
 "expires_in": 1799,
 "token_type": "bearer"
}

Fetch Records

API endpoint:

/devices/queries/devices-scroll/v1

Method: GET

Parameters:

Key      Value
limit    5000
offset   "" (empty on the first request; subsequent requests pass the offset returned in meta.pagination of the previous response)

Headers:

Key             Value
Authorization   Bearer <Bearer Token>
User-Agent      netskope-ce-5.0.0-ure-crowdstrike/1.3.0

Sample API Response:

{
    "meta": {
        "query_time": 0.025422559,
        "pagination": {
            "offset": 1,
            "limit": 1,
            "total": 21
        },
        "powered_by": "device-api",
        "trace_id": "5f1a1eeb-9d8b-4412-8523-0fc933a0bf6f"
    },
    "resources": [
        "89b9743fcb6b4ccaa09600ac5204bac4"
    ],
    "errors": []
}

Fetch Scores

API endpoint:

/zero-trust-assessment/entities/assessments/v1

Method: GET

Parameters:

Key   Value
ids   [<Host IDs>]

Headers:

Key             Value
Authorization   Bearer <Bearer Token>
User-Agent      netskope-ce-5.0.0-ure-crowdstrike/1.3.0
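The collection half of the integration, as an added example that is not the plugin's own code: obtain the OAuth2 token, scroll /devices/queries/devices-scroll/v1, fetch ZTA scores for the returned IDs, and derive the URE score and marker file from the table above. It runs offline against a constructed in-memory stand-in for the CrowdStrike API. The scroll-cursor handling, the ZTA response shape (aid / assessment.overall) and the batch size of 100 IDs per score request are assumptions, not taken from this page. One practitioner point it makes concrete: the sample token above expires in 1799 seconds while a 500K-host pull takes about an hour, so a long pull has to re-authenticate mid-run.

```python
"""Added example (not Netskope plugin code): token -> scroll hosts -> ZTA scores -> URE score.
Runs against a constructed in-memory stand-in for the CrowdStrike API; no network."""
import time
from typing import Callable, Dict, List, Optional

# Bands from the score-to-file table above; URE score = ZTA overall score * 10.
SCORE_FILES = [(260, "crwd_zta_1_25.txt"), (510, "crwd_zta_26_50.txt"),
               (760, "crwd_zta_51_75.txt"), (1001, "crwd_zta_76_100.txt")]


def ure_score(zta_overall: int) -> int:
    return zta_overall * 10


def file_for_score(score: int) -> str:
    """Map a URE score to the marker file the Put RTR Script action places."""
    if not 0 <= score <= 1000:
        raise ValueError(f"URE score out of range: {score}")
    for upper, name in SCORE_FILES:      # bands are [lower, upper): 260 -> 26_50 file
        if score < upper:
            return name
    raise AssertionError("unreachable")


class TokenCache:
    """Holds the client-credentials bearer token and refreshes it `margin` seconds
    before expires_in elapses (the sample token lives 1799 s; a big pull runs longer)."""

    def __init__(self, fetch_token: Callable[[], dict], margin: int = 120,
                 clock: Callable[[], float] = time.time):
        self._fetch, self._margin, self._clock = fetch_token, margin, clock
        self._token: Optional[str] = None
        self._expires_at = 0.0

    def get(self) -> str:
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._margin:
            resp = self._fetch()                          # POST /oauth2/token
            self._token = resp["access_token"]
            self._expires_at = now + resp["expires_in"]
        return self._token


class FakeCrowdStrikeAPI:
    """Constructed stand-in for the three read endpoints. Assumed shapes: devices-scroll
    returns the next cursor in meta.pagination.offset (empty when exhausted); the ZTA
    endpoint returns resources[{"aid", "assessment": {"overall"}}]. A None score models
    a host that has no ZTA assessment."""

    def __init__(self, zta_by_aid: Dict[str, Optional[int]]):
        self.zta_by_aid = zta_by_aid
        self.tokens_issued = 0

    def oauth2_token(self) -> dict:
        self.tokens_issued += 1
        return {"access_token": f"tok{self.tokens_issued}", "expires_in": 1799,
                "token_type": "bearer"}

    def devices_scroll(self, token: str, limit: int, offset: str) -> dict:
        ids = sorted(self.zta_by_aid)
        start = int(offset) if offset else 0
        page = ids[start:start + limit]
        nxt = str(start + limit) if start + limit < len(ids) else ""
        return {"meta": {"pagination": {"offset": nxt, "limit": limit, "total": len(ids)}},
                "resources": page, "errors": []}

    def zta_assessments(self, token: str, ids: List[str]) -> dict:
        return {"resources": [{"aid": i, "assessment": {"overall": self.zta_by_aid[i]}}
                              for i in ids if self.zta_by_aid.get(i) is not None],
                "errors": []}


def collect_host_scores(api, tokens: TokenCache, page_size: int = 5000,
                        zta_batch: int = 100) -> Dict[str, int]:
    """Scroll all host IDs, fetch ZTA scores in batches, return {aid: URE score}.
    Hosts without a ZTA assessment are omitted rather than scored as 0."""
    scored: Dict[str, int] = {}
    offset = ""                                           # first page uses offset ""
    while True:
        page = api.devices_scroll(tokens.get(), page_size, offset)
        ids = page["resources"]
        if not ids:
            break
        for i in range(0, len(ids), zta_batch):          # batch size is an assumption
            resp = api.zta_assessments(tokens.get(), ids[i:i + zta_batch])
            for r in resp["resources"]:
                scored[r["aid"]] = ure_score(r["assessment"]["overall"])
        offset = page["meta"]["pagination"].get("offset") or ""
        if not offset:
            break
    return scored


def plan_marker_files(scored: Dict[str, int]) -> Dict[str, str]:
    """Decide which marker file the Put RTR Script action would place per host."""
    return {aid: file_for_score(s) for aid, s in scored.items()}


if __name__ == "__main__":
    api = FakeCrowdStrikeAPI({"h1": 5, "h2": 26, "h3": 51, "h4": 76, "h5": 100, "h6": None})
    scores = collect_host_scores(api, TokenCache(api.oauth2_token), page_size=2)
    print(scores, plan_marker_files(scores))
```

Hosts with no assessment are dropped rather than given a score of 0 so that an absent ZTA record cannot push a device into the lowest band and trigger the corresponding action.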

Put a File on the Cloud

Uploads a marker file to the CrowdStrike RTR put-files repository. Each of the four files in the score-to-file mapping must exist in that repository before the Put the File on a Device step can place it on a host.

API endpoint:

/real-time-response/entities/put-files/v1

Method: POST

Headers:

Key             Value
Authorization   Bearer <Bearer Token>
User-Agent      netskope-ce-5.0.0-ure-crowdstrike/1.3.0

Data:

{
  "description": "file representing a ZTA score of 1_25",
  "name": "crwd_zta_1_25.txt",
  "comments_for_audit_log": "upload file representing a ZTA score of 1_25 for Netskope ZTA-RTR integration"
}

Sample API Response:

{
  "meta": {
    "query_time": 0.536670425,
    "writes": {
      "resources_affected": 1
    },
    "powered_by": "empower-api",
    "trace_id": "d4bddc66-83fd-4875-9016-a17899fd83ba"
  }
}

Get a Session ID

API endpoint:

/real-time-response/entities/sessions/v1

Method: POST

Headers:

Key             Value
Authorization   Bearer <Bearer Token>
User-Agent      netskope-ce-5.0.0-ure-crowdstrike/1.3.0
Content-Type    application/json

Data:

Key             Value
device_id       <Device ID>
origin          Netskope
queue_offline   True

Sample API Response:

{
    "meta": {
        "query_time": 0.315515137,
        "powered_by": "empower-api",
        "trace_id": "0483a37f-896b-4bb3-bf1e-8f8b3618a2e2"
    },
    "resources": [
        {
            "session_id": "a26ad68e-1272-482b-95b5-78ee27344d80",
            "scripts": [
                {
                    "command": "cat",
                    "description": "Read a file from disk and display as ASCII",
                    "examples": "cat foo.txt\r\ncat -n foo.txt\r\ncat -t foo.txt\r\ncat -t -n foo.txt",
                    "internal_only": false,
                    "runnable": true,
                    "sub_commands": [],
                    "args": [
                        {
                            "id": 582,
                            "created_at": "2019-07-03T18:52:15Z",
                            "updated_at": "2019-07-03T18:52:15Z",
                            "script_id": 527,
                            "arg_type": "arg",
                            "data_type": "string",
                            "requires_value": false,
                            "arg_name": "Path",
                            "description": "path to cat",
                            "default_value": "",
                            "required": true,
                            "sequence": 1,
                            "options": null,
                            "encoding": "",
                            "command_level": "non-destructive"
                        },
                        {
                            "id": 583,
                            "created_at": "2019-07-03T18:52:15Z",
                            "updated_at": "2019-07-03T18:52:15Z",
                            "script_id": 527,
                            "arg_type": "flag",
                            "data_type": "string",
                            "requires_value": false,
                            "arg_name": "n",
                            "description": "Number the output lines starting from 1",
                            "default_value": "",
                            "required": false,
                            "sequence": 2,
                            "options": null,
                            "encoding": "",
                            "command_level": "non-destructive"
                        },
                        {
                            "id": 584,
                            "created_at": "2019-07-03T18:52:15Z",
                            "updated_at": "2019-07-03T18:52:15Z",
                            "script_id": 527,
                            "arg_type": "flag",
                            "data_type": "string",
                            "requires_value": false,
                            "arg_name": "t",
                            "description": "Display non-printing characters, and display tab characters as `^I'.",
                            "default_value": "",
                            "required": false,
                            "sequence": 3,
                            "options": null,
                            "encoding": "",
                            "command_level": "non-destructive"
                        }
                    ]
                },
                {
                    "command": "cd",
                    "description": "Change the current working directory",
                    "examples": "cd foo",
                    "internal_only": false,
                    "runnable": true,
                    "sub_commands": [],
                    "args": [
                        {
                            "id": 689,
                            "created_at": "2020-08-04T22:37:30Z",
                            "updated_at": "2020-08-04T22:37:30Z",
                            "script_id": 528,
                            "arg_type": "arg",
                            "data_type": "string",
                            "requires_value": false,
                            "arg_name": "Path",
                            "description": "path",
                            "default_value": "",
                            "required": true,
                            "sequence": 1,
                            "options": null,
                            "encoding": "",
                            "command_level": "non-destructive"
                        }
                    ]
                },
                {
                    "command": "csrutil",
                    "description": "Get System Integrity Protection status",
                    "examples": "csrutil",
                    "internal_only": false,
                    "runnable": true,
                    "sub_commands": [],
                    "args": []
                },
                {
                    "command": "env",
                    "description": "Print out the environment",
                    "examples": "env",
                    "internal_only": false,
                    "runnable": true,
                    "sub_commands": [],
                    "args": []
                },
                {
                    "command": "filehash",
                    "description": "Generate the MD5, SHA1, and SHA256 hashes of a file",
                    "examples": "filehash /tmp/test",
                    "internal_only": false,
                    "runnable": true,
                    "sub_commands": [],
                    "args": [
                        {
                            "id": 660,
                            "created_at": "2020-04-02T03:30:53Z",
                            "updated_at": "2020-04-02T03:30:53Z",
                            "script_id": 556,
                            "arg_type": "arg",
                            "data_type": "string",
                            "requires_value": false,
                            "arg_name": "Path",
                            "description": "File to hash",
                            "default_value": "",
                            "required": true,
                            "sequence": 1,
                            "options": null,
                            "encoding": "",
                            "command_level": "non-destructive"
                        }
                    ]
                },
                {
                    "command": "getsid",
                    "description": "Enumerate local users and Security Identifiers (SID)",
                    "examples": "getsid\r\n    List all users and associated SIDs\r\ngetsid foo\r\n    List users and associated SIDs matching substring \"foo\"",
                    "internal_only": false,
                    "runnable": true,
                    "sub_commands": [],
                    "args": [
                        {
                            "id": 661,
                            "created_at": "2020-04-02T03:31:02Z",
                            "updated_at": "2020-04-02T03:31:02Z",
                            "script_id": 557,
                            "arg_type": "arg",
                            "data_type": "string",
                            "requires_value": false,
                            "arg_name": "UserName",
                            "description": "Partial or full username to filter results",
                            "default_value": "",
                            "required": false,
                            "sequence": 1,
                            "options": null,
                            "encoding": "",
                            "command_level": "non-destructive"
                        }
                    ]
                },
                {
                    "command": "ifconfig",
                    "description": "Show network configuration information",
                    "examples": "ifconfig",
                    "internal_only": false,
                    "runnable": true,
                    "sub_commands": [],
                    "args": []
                },
                {
                    "command": "ls",
                    "description": "Display the contents of the specified path",
                    "examples": "ls\r\nls -l\r\nls -L\r\nls -t\r\nls -l -@\r\nls -R\r\nls -l -R\r\nls -l -t -R -L",
                    "internal_only": false,
                    "runnable": true,
                    "sub_commands": [],
                    "args": [
                        {
                            "id": 576,
                            "created_at": "2019-07-03T18:51:13Z",
                            "updated_at": "2019-07-03T18:51:13Z",
                            "script_id": 526,
                            "arg_type": "arg",
                            "data_type": "string",
                            "requires_value": false,
                            "arg_name": "Path",
                            "description": "Path ",
                            "default_value": ".",
                            "required": false,
                            "sequence": 1,
                            "options": null,
                            "encoding": "",
                            "command_level": "non-destructive"
                        },
                        {
                            "id": 577,
                            "created_at": "2019-07-03T18:51:13Z",
                            "updated_at": "2019-07-03T18:51:13Z",
                            "script_id": 526,
                            "arg_type": "flag",
                            "data_type": "string",
                            "requires_value": false,
                            "arg_name": "l",
                            "description": "List in long format.",
                            "default_value": "",
                            "required": false,
                            "sequence": 2,
                            "options": null,
                            "encoding": "",
                            "command_level": "non-destructive"
                        },
                        {
                            "id": 578,
                            "created_at": "2019-07-03T18:51:13Z",
                            "updated_at": "2019-07-03T18:51:13Z",
                            "script_id": 526,
                            "arg_type": "flag",
                            "data_type": "string",
                            "requires_value": false,
                            "arg_name": "L",
                            "description": "Follow all symbolic links to final target and list the file or directory the link references rather than the link itself.",
                            "default_value": "",
                            "required": false,
                            "sequence": 3,
                            "options": null,
                            "encoding": "",
                            "command_level": "non-destructive"
                        },
                        {
                            "id": 579,
                            "created_at": "2019-07-03T18:51:13Z",
                            "updated_at": "2019-07-03T18:51:13Z",
                            "script_id": 526,
                            "arg_type": "flag",
                            "data_type": "string",
                            "requires_value": false,
                            "arg_name": "R",
                            "description": "Recursively list subdirectories encountered.",
                            "default_value": "",
                            "required": false,
                            "sequence": 4,
                            "options": null,
                            "encoding": "",
                            "command_level": "non-destructive"
                        },
                        {
                            "id": 580,
                            "created_at": "2019-07-03T18:51:13Z",
                            "updated_at": "2019-07-03T18:51:13Z",
                            "script_id": 526,
                            "arg_type": "flag",
                            "data_type": "string",
                            "requires_value": false,
                            "arg_name": "t",
                            "description": "Sort by time modified (most recently modified first) before sorting the operands by lexicographical order.",
                            "default_value": "",
                            "required": false,
                            "sequence": 5,
                            "options": null,
                            "encoding": "",
                            "command_level": "non-destructive"
                        },
                        {
                            "id": 581,
                            "created_at": "2019-07-03T18:51:13Z",
                            "updated_at": "2019-07-03T18:51:13Z",
                            "script_id": 526,
                            "arg_type": "flag",
                            "data_type": "string",
                            "requires_value": false,
                            "arg_name": "@",
                            "description": "Display extended attribute keys and sizes in long (-l) output.",
                            "default_value": "",
                            "required": false,
                            "sequence": 6,
                            "options": null,
                            "encoding": "",
                            "command_level": "non-destructive"
                        }
                    ]
                },
                {
                    "command": "mount",
                    "description": "List or mount filesystem volumes",
                    "examples": "Executable by all RTR roles:\r\nmount\r\nExecutable by privileged RTR users only:\r\nmount -t=nfs \"host:/exports/filesystem\" \"/mnt/filesystem\"\r\n    Mount the NFS filesystem located at \"/exports/filesystem\" on \"host\" to the local destination \"/mnt/filesystem\"\r\nmount -t=smbfs \"//user:password@host/filesystem\" \"/mnt/mountpoint\"\r\n    Mount the SMB \"/filesystem\" on \"host\" as \"user\" with \"password\" to \"/mnt/mountpoint\"\r\nmount -t=smbfs -o=nobrowse \"//user:password@host/filesystem\" \"/mnt/mountpoint\"\r\n    Mount the SMB \"/filesystem\" with option \"nobrowse\" on \"host\" as \"user\" with \"password\" to \"/mnt/mountpoint\"",
                    "internal_only": false,
                    "runnable": true,
                    "sub_commands": [],
                    "args": []
                },
                {
                    "command": "netstat",
                    "description": "Display routing information or network connections",
                    "examples": "netstat\r\nnetstat -nr",
                    "internal_only": false,
                    "runnable": true,
                    "sub_commands": [],
                    "args": [
                        {
                            "id": 602,
                            "created_at": "2023-11-20T23:23:37Z",
                            "updated_at": "2023-11-20T23:23:37Z",
                            "script_id": 539,
                            "arg_type": "flag",
                            "data_type": "string",
                            "requires_value": false,
                            "arg_name": "nr",
                            "description": "Flag to show routing information",
                            "default_value": "",
                            "required": false,
                            "sequence": 1,
                            "options": null,
                            "encoding": "",
                            "command_level": "non-destructive"
                        },
                        {
                            "id": 973,
                            "created_at": "2023-11-20T23:23:37Z",
                            "updated_at": "2023-11-20T23:23:37Z",
                            "script_id": 539,
                            "arg_type": "flag",
                            "data_type": "string",
                            "requires_value": false,
                            "arg_name": "n",
                            "description": "Flag to show network addresses as numbers",
                            "default_value": "",
                            "required": false,
                            "sequence": 2,
                            "options": null,
                            "encoding": "",
                            "command_level": "non-destructive"
                        }
                    ]
                },
                {
                    "command": "ps",
                    "description": "Display process information",
                    "examples": "ps",
                    "internal_only": false,
                    "runnable": true,
                    "sub_commands": [],
                    "args": []
                },
                {
                    "command": "pwd",
                    "description": "Prints present working directory",
                    "examples": "pwd",
                    "internal_only": false,
                    "runnable": true,
                    "sub_commands": [],
                    "args": []
                },
                {
                    "command": "users",
                    "description": "Get details about local users",
                    "examples": "users\r\n    List details about all local users\r\nusers foo\r\n    List details about local user \"foo\"",
                    "internal_only": false,
                    "runnable": true,
                    "sub_commands": [],
                    "args": [
                        {
                            "id": 679,
                            "created_at": "2020-04-02T03:31:12Z",
                            "updated_at": "2020-04-02T03:31:12Z",
                            "script_id": 565,
                            "arg_type": "arg",
                            "data_type": "string",
                            "requires_value": false,
                            "arg_name": "UserName",
                            "description": "Username to filter results",
                            "default_value": "",
                            "required": false,
                            "sequence": 1,
                            "options": null,
                            "encoding": "",
                            "command_level": "non-destructive"
                        }
                    ]
                }
            ],
            "existing_aid_sessions": 1,
            "created_at": "2023-12-22T15:47:24.904481922Z",
            "offline_queued": true
        }
    ],
    "errors": null
}

Get a Platform Name

Returns the device details; the plugin uses platform_name from the response to choose the Netskope client directory in the Change Directory step.

API endpoint:

/devices/entities/devices/v2

Method: GET

Headers:

Key             Value
Authorization   Bearer <Bearer Token>
User-Agent      netskope-ce-5.0.0-ure-crowdstrike/1.3.0

Parameters:

Key   Value
ids   [<Host ID>]

Sample API Response:

{
    "meta": {
        "query_time": 0.001626152,
        "powered_by": "device-api",
        "trace_id": "8adcbd8a-40cd-4086-8e5d-5d3962fb1073"
    },
    "resources": [
        {
            "device_id": "d2abab7b4c6a4d9998b298b19bbda31f",
            "cid": "c17f3a80ded0418eb107db3d26a27983",
            "agent_load_flags": "0",
            "agent_local_time": "2023-12-22T11:19:53.929Z",
            "agent_version": "7.05.17603.0",
            "bios_manufacturer": "Apple Inc.",
            "bios_version": "515.0.0.0.0",
            "config_id_base": "65994753",
            "config_id_build": "17603",
            "config_id_platform": "4",
            "cpu_signature": "526057",
            "external_ip": "117.217.127.213",
            "mac_address": "dc-a9-04-99-43-aa",
            "hostname": "ITs-MacBook-Pro.local",
            "first_seen": "2023-12-18T08:46:57Z",
            "last_login_timestamp": "2023-12-21T08:00:38Z",
            "last_login_user": "it",
            "last_login_uid": "501",
            "last_login_user_sid": "S-1-5-21-1276927669-3124867281-3856135234-2002",
            "last_seen": "2023-12-22T11:46:27Z",
            "local_ip": "172.20.10.87",
            "major_version": "22",
            "minor_version": "6",
            "os_version": "Ventura (13)",
            "os_build": "22G120",
            "platform_id": "1",
            "platform_name": "Mac",
            "policies": [
                {
                    "policy_type": "prevention",
                    "policy_id": "e17fdf411592409794d748e907da9967",
                    "applied": true,
                    "settings_hash": "528b286b",
                    "assigned_date": "2023-12-18T08:48:02.464865254Z",
                    "applied_date": "2023-12-18T08:48:08.608666735Z",
                    "rule_groups": []
                }
            ],
            "reduced_functionality_mode": "yes",
            "device_policies": {
                "prevention": {
                    "policy_type": "prevention",
                    "policy_id": "e17fdf411592409794d748e907da9967",
                    "applied": true,
                    "settings_hash": "528b286b",
                    "assigned_date": "2023-12-18T08:48:02.464865254Z",
                    "applied_date": "2023-12-18T08:48:08.608666735Z",
                    "rule_groups": []
                },
                "sensor_update": {
                    "policy_type": "sensor-update",
                    "policy_id": "766825ba2e2847f8a9134f7f48f44214",
                    "applied": true,
                    "settings_hash": "tagged|3;101",
                    "assigned_date": "2023-12-18T09:00:47.465877148Z",
                    "applied_date": "2023-12-18T09:03:49.721523878Z",
                    "uninstall_protection": "ENABLED"
                },
                "device_control": {
                    "policy_type": "device-control",
                    "policy_id": "6e4a89125c4343f3ab42cbf2fa482702",
                    "applied": true,
                    "assigned_date": "2023-12-18T08:48:02.464932037Z",
                    "applied_date": "2023-12-18T08:49:48.770860727Z"
                },
                "global_config": {
                    "policy_type": "globalconfig",
                    "policy_id": "e2289d74264744f38e62d1146b13189d",
                    "applied": true,
                    "settings_hash": "1fda691c",
                    "assigned_date": "2023-12-22T11:20:01.358167731Z",
                    "applied_date": "2023-12-22T11:21:05.552056147Z"
                },
                "remote_response": {
                    "policy_type": "remote-response",
                    "policy_id": "70d43a45f67149e8b54c8d80ac00df10",
                    "applied": true,
                    "settings_hash": "797eb425",
                    "assigned_date": "2023-12-18T08:48:02.464926863Z",
                    "applied_date": "2023-12-18T08:48:08.689092082Z"
                },
                "firewall": {
                    "policy_type": "firewall",
                    "policy_id": "b1a5ff10a3c44f66a47c7f08f2e372e5",
                    "applied": true,
                    "assigned_date": "2023-12-18T08:48:02.464940776Z",
                    "applied_date": "2023-12-18T08:48:08.752377285Z",
                    "rule_set_id": "b1a5ff10a3c44f66a47c7f08f2e372e5"
                }
            },
            "groups": [],
            "group_hash": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
            "product_type_desc": "Workstation",
            "provision_status": "Provisioned",
            "serial_number": "C02V10FEHV2T",
            "status": "normal",
            "system_manufacturer": "Apple Inc.",
            "system_product_name": "MacBookPro14,2",
            "tags": [],
            "modified_timestamp": "2023-12-22T11:46:35Z",
            "meta": {
                "version": "110",
                "version_string": "6:10864108136"
            },
            "kernel_version": "22.6.0",
            "chassis_type": "9",
            "chassis_type_desc": "Laptop"
        }
    ],
    "errors": null
}

Change Directory

API endpoint:

/real-time-response/entities/admin-command/v1

Method: POST

Headers:

Key             Value
Authorization   Bearer <Bearer Token>
User-Agent      netskope-ce-5.0.0-ure-crowdstrike/1.3.0

Data:

Key              Value
base_command     cd
command_string   cd "/Library/Application Support/Netskope/STAgent" (Mac) or cd "C:\Program Files (x86)\Netskope\STAgent" (Windows), chosen from the platform_name returned by Get a Platform Name
persist          True
session_id       30b171e9-26ca-4856-b00e-10d5c4be765e

Sample API Response:

{
    "meta": {
        "query_time": 0.052249291,
        "powered_by": "empower-api",
        "trace_id": "ebb0457c-1000-4607-99c5-85fd2c2aae91"
    },
    "resources": [
        {
            "session_id": "30b171e9-26ca-4856-b00e-10d5c4be765e",
            "cloud_request_id": "399d6ed9-e2c5-4e72-8618-97515f69dc72",
            "queued_command_offline": false
        }
    ],
    "errors": null
}

Remove File from a Device

API endpoint:

/real-time-response/entities/admin-command/v1

Method: POST

Headers:

Key             Value
Authorization   Bearer <Bearer Token>
User-Agent      netskope-ce-5.0.0-ure-crowdstrike/1.3.0

Data:

Key              Value
base_command     rm
command_string   rm crwd_zta_1_25.txt
persist          True
session_id       30b171e9-26ca-4856-b00e-10d5c4be765e

Sample API Response:

{
    "meta": {
        "query_time": 0.052249291,
        "powered_by": "empower-api",
        "trace_id": "ebb0457c-1000-4607-99c5-85fd2c2aae91"
    },
    "resources": [
        {
            "session_id": "30b171e9-26ca-4856-b00e-10d5c4be765e",
            "cloud_request_id": "399d6ed9-e2c5-4e72-8618-97515f69dc72",
            "queued_command_offline": false
        }
    ],
    "errors": null
}
Put the File on a Device

API Endpoint:

/real-time-response/entities/admin-command/v1

Method: POST

Headers:

Key            Value
Authorization  Bearer <Bearer Token>
User-Agent     netskope-ce-5.0.0-ure-crowdstrike/1.3.0

Data:

Key             Value
base_command    put
command_string  put crwd_zta_1_25.txt
persist         True
session_id      <Session ID>

Sample API Response:

{
    "meta": {
        "query_time": 0.052249291,
        "powered_by": "empower-api",
        "trace_id": "ebb0457c-1000-4607-99c5-85fd2c2aae91"
    },
    "resources": [
        {
            "session_id": "30b171e9-26ca-4856-b00e-10d5c4be765e",
            "cloud_request_id": "399d6ed9-e2c5-4e72-8618-97515f69dc72",
            "queued_command_offline": false
        }
    ],
    "errors": null
}
Get Command Status

API Endpoint:

/real-time-response/entities/admin-command/v1

Method: GET

Headers:

Key            Value
Authorization  Bearer <Bearer Token>
User-Agent     netskope-ce-5.0.0-ure-crowdstrike/1.3.0

Parameters:

Key               Value
cloud_request_id  399d6ed9-e2c5-4e72-8618-97515f69dc72
sequence_id       0

Sample API Response:

{
    "meta": {
        "query_time": 0.30452861,
        "powered_by": "empower-api",
        "trace_id": "f2fbc47d-a6e5-4ddf-9bb0-778fd7b32017"
    },
    "resources": [
        {
            "session_id": "30b171e9-26ca-4856-b00e-10d5c4be765e",
            "task_id": "399d6ed9-e2c5-4e72-8618-97515f69dc72",
            "complete": true,
            "stdout": "",
            "stderr": "/Library/Application Support/Netskope/STAgent does not exist\n",
            "base_command": "cd"
        }
    ],
    "errors": []
}

Note that this sample shows a command that finished but did not succeed: complete is true while stderr reports that the directory does not exist. Check stderr before issuing the next command, not only the complete flag.
Delete a Session

API Endpoint:

/real-time-response/entities/sessions/v1

Method: DELETE

Headers:

Key            Value
Authorization  Bearer <Bearer Token>
User-Agent     netskope-ce-5.0.0-ure-crowdstrike/1.3.0
Content-Type   application/json

Parameter:

Key         Value
session_id  30b171e9-26ca-4856-b00e-10d5c4be765e

Sample API Response:

Status code: 204
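The sequence above run end to end, as an added example that is not Netskope's plugin code or CrowdStrike's SDK: a small client (RTRClient, put_rtr_script and the FakeFalcon stand-in are hypothetical names) issues cd, rm and put into an already-initialised RTR session, polls command status, and deletes the session, against a constructed offline stand-in for api.crowdstrike.com. It applies the score-to-file mapping and the failure modes listed under Troubleshooting: an unsupported Linux host is rejected before any call, 403 and 425 responses are surfaced with their meaning, and a cd whose failure is reported only in stderr aborts the run while the session is still closed. Ignoring rm's stderr (so that no previous file on a first run is not treated as an error) is an assumption, not something the page states.

```python
"""Added example, not Netskope's or CrowdStrike's code: the Put RTR Script sequence
documented above (cd, rm, put, get command status, delete session) run against a
constructed offline stand-in for api.crowdstrike.com."""

ADMIN_COMMAND = "/real-time-response/entities/admin-command/v1"
SESSIONS = "/real-time-response/entities/sessions/v1"
USER_AGENT = "netskope-ce-5.0.0-ure-crowdstrike/1.3.0"
# STAgent directory per platform as documented; Linux is absent because it is unsupported.
STAGENT_DIR = {"Windows": r"C:\Program Files (x86)\Netskope\STAgent",
               "Mac": "/Library/Application Support/Netskope/STAgent"}
# (exclusive upper bound of the URE score, file to put), from the score-to-file mapping.
SCORE_FILES = [(260, "crwd_zta_1_25.txt"), (510, "crwd_zta_26_50.txt"),
               (760, "crwd_zta_51_75.txt"), (1001, "crwd_zta_76_100.txt")]

def ure_score(zta_overall: int) -> int:
    """URE score = CrowdStrike host assessment overall score * 10."""
    return zta_overall * 10

def script_file_for(score: int) -> str:
    """File to push for a URE score in 0..1000."""
    for upper, name in SCORE_FILES:
        if score < upper:
            return name
    raise ValueError(f"URE score out of range: {score}")

class RTRError(Exception):
    pass

class RTRClient:
    """Hypothetical wrapper; transport(method, path, headers, params, body) -> (status, json)."""

    def __init__(self, transport, bearer_token: str):
        self.transport = transport
        self.headers = {"Authorization": f"Bearer {bearer_token}", "User-Agent": USER_AGENT}

    def _request(self, method: str, path: str, params=None, body=None) -> dict:
        status, payload = self.transport(method, path, self.headers, params, body)
        if status >= 400:  # 403: scopes/credentials; 425: too many actions on the host, queued
            hint = {403: "API client lacks the Hosts/RTR scopes or its secret was revoked",
                    425: "too many actions on this host, command queued; retry later"}
            raise RTRError(f"{status}: {hint.get(status, payload.get('errors'))}")
        return payload

    def admin_command(self, session_id: str, base_command: str, argument: str) -> str:
        """POST one command into an open session and return its cloud_request_id."""
        body = {"base_command": base_command, "command_string": f"{base_command} {argument}",
                "persist": True, "session_id": session_id}
        return self._request("POST", ADMIN_COMMAND, body=body)["resources"][0]["cloud_request_id"]

    def wait_for(self, cloud_request_id: str, ignore_stderr=False, max_polls=10) -> dict:
        """Poll status (sequence_id 0, as in the sample request) until complete. 'complete'
        alone is not success: a finished cd into a missing directory fails only via stderr."""
        params = {"cloud_request_id": cloud_request_id, "sequence_id": 0}
        for _ in range(max_polls):
            result = self._request("GET", ADMIN_COMMAND, params=params)["resources"][0]
            if result["complete"]:
                if result.get("stderr") and not ignore_stderr:
                    raise RTRError(f"{result['base_command']} failed: {result['stderr'].strip()}")
                return result
        raise RTRError(f"{cloud_request_id} not complete after {max_polls} polls")

    def delete_session(self, session_id: str) -> None:
        self._request("DELETE", SESSIONS, params={"session_id": session_id})

def put_rtr_script(client: RTRClient, session_id: str, platform: str, score: int) -> str:
    """cd -> rm -> put inside an already-initialised RTR session, always closing it.
    Assumption: rm's stderr is ignored so a missing old file on a first run is not an error."""
    target_dir = STAGENT_DIR.get(platform)
    if target_dir is None:
        raise RTRError(f"{platform} is not a supported OS for Put RTR Script")
    filename = script_file_for(score)
    try:
        client.wait_for(client.admin_command(session_id, "cd", f'"{target_dir}"'))
        client.wait_for(client.admin_command(session_id, "rm", filename), ignore_stderr=True)
        client.wait_for(client.admin_command(session_id, "put", filename))
    finally:
        client.delete_session(session_id)  # never leave an RTR session open
    return filename

class FakeFalcon:
    """Constructed stand-in for api.crowdstrike.com: records calls and answers with page-shaped
    payloads; stderr_by_command={"cd": "..."} scripts a failure for that base_command."""

    def __init__(self, stderr_by_command=None):
        self.calls, self.pending, self.stderr = [], {}, stderr_by_command or {}

    def __call__(self, method, path, headers, params, body):
        self.calls.append((method, path, headers, params, body))
        if (method, path) == ("POST", ADMIN_COMMAND):
            crid = f"req-{len(self.pending) + 1}"
            self.pending[crid] = body["base_command"]
            return 201, {"resources": [{"session_id": body["session_id"], "cloud_request_id": crid,
                                        "queued_command_offline": False}], "errors": None}
        if (method, path) == ("GET", ADMIN_COMMAND):
            cmd = self.pending[params["cloud_request_id"]]
            return 200, {"resources": [{"complete": True, "stdout": "", "base_command": cmd,
                                        "stderr": self.stderr.get(cmd, "")}], "errors": []}
        if (method, path) == ("DELETE", SESSIONS):
            return 204, {}
        return 404, {"errors": [{"message": f"no route {method} {path}"}]}
```

A real transport would prefix the Base URL from the plugin configuration and send the OAuth2 bearer token; the stand-in only has to return the status code and decoded JSON. The design point is that cd and put are judged by stderr, not by the complete flag, and the session is deleted in a finally block so a failed action does not leave an RTR session open on the host.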
User Agent

Every request the plugin sends carries a User-Agent header in the format <vendor>-<integration name>/<version>. For example:

netskope-ce-5.0.0-ure-crowdstrike/1.3.0

Workflow

  1. Get your CrowdStrike credentials.
  2. Configure the CrowdStrike Plugin for User Risk Exchange.
  3. Add Permissions for your Response Policy.
  4. Configure a Business Rule for the CrowdStrike plugin.
  5. Configure Actions for the CrowdStrike Plugin.
  6. Validate the CrowdStrike plugin.


Get your CrowdStrike Client ID and Client Secret

  1. Log in to your CrowdStrike platform. Go to the menu icon > Support and resources > API clients and keys.
  2. Click Add new API client.
  3. Add the following scopes for the CrowdStrike URE plugin. Hosts and Zero Trust Assessment are needed to pull hosts and their scores; Real time response and Real time response (admin) are needed only for the Put RTR Script action, so omit them if you will not use that action.

    Scope                       Read   Write
    Hosts                       Yes    No
    Real time response (admin)  n/a    Yes
    Real time response          Yes    No
    Zero Trust Assessment       Yes    n/a

  4. Copy the Client ID and Client Secret. The secret is displayed only once when the client is created; store it in a secrets manager, not in a ticket or chat message.

Add Permission for your Response Policy (RTR script Permission)

  1. Log in to the Falcon CrowdStrike UI.
  2. Click the menu button in the top left corner and go to Host setup and management > Response Policies.
  3. For each platform you will act on (Windows and Mac), open the response policy assigned to the target hosts and click the Edit policy button on the right of the policy.
  4. Enable the following permission:

    Response Policy Permissions

    Category            Type                Permission   Status
    Real Time Response  High risk commands  put          Enable

    To confirm which response policy applies to a given host, go to Host setup and management > Host management, click the hostname, and scroll down to Real Time Response Policy in the left pop-up menu.

Configure the CrowdStrike Plugin

  1. In Cloud Exchange, go to Settings > Plugins. Search for and click the CrowdStrike v1.3.0 (URE) plugin box.
  2. Enter a Configuration Name and Sync Interval, and enable Use System Proxy if the plugin must reach api.crowdstrike.com through a proxy.
  3. Click Next and enter the Base URL, Client ID, Client Secret, and Maximum Score. Maximum Score is an upper bound: the plugin fetches scores only for hosts whose score is less than or equal to this value, so a low value silently leaves higher-scoring hosts without a score.
  4. Click Next and set the score range on the Select Range page.
  5. When finished, click Save.

Create a User Risk Exchange Business Rule for CrowdStrike

  1. Go to Risk Exchange Module > User Risk Exchange > Business Rules and click Create New Rule.
  2. Enter the Rule Name and configure a query for business rules based on your requirement, and click Save.

Configure Netskope User Risk Exchange Actions for CrowdStrike

The CrowdStrike URE plugin supports the following two action types:

  • No Action
    • Nothing is done on the host. Use this action with the Generate Alerts toggle enabled to raise UBA alerts in CTO.
  • Put RTR Script
    • Places a file on the host through Real Time Response; which file is placed depends on the host's score.

Score to file mapping

The scores below are URE scores (CrowdStrike host assessment overall score * 10), so they range from 0 to 1000.

    Score           File
    Less than 260   crwd_zta_1_25.txt
    260 to 510      crwd_zta_26_50.txt
    510 to 760      crwd_zta_51_75.txt
    760 to 1000     crwd_zta_76_100.txt

Steps to configure the Action:

  1. Go to User Risk Exchange > Actions and click Add Action Configuration.
  2. Select the required Business Rule, Configuration, and Action from their respective dropdowns.
  3. Click Save.

Validate the CrowdStrike Plugin

Validate in Cloud Exchange

  1. Go to User Risk Exchange > Hosts. All pulled hosts and their scores are listed here.
  2. When a host matches one of the configured business rules, the configured action is performed on it. The result is recorded under Risk Exchange > Action Logs.

Validate in CrowdStrike

  1. Log in to the CrowdStrike platform. Click the menu option in the top left corner > Host setup and management.
  2. Compare the number of hosts shown there with the number of hosts pulled into Cloud Exchange.

To validate the Put RTR Script action and check the file added on the host machine:

  1. In CrowdStrike, go to Host setup and management > Host management.
  2. Search for your host by hostname or Host ID and click the hostname.
  3. From the left pop-up menu click the settings icon > Connect to Host.

After connecting to the host, check for the file in the following path:

  • For a Windows machine:
    • C:\Program Files (x86)\Netskope\STAgent
  • For a Mac machine:
    • /Library/Application Support/Netskope/STAgent

Troubleshooting

Unable to pull Hosts from the CrowdStrike Platform

If no Host IDs are pulled from the CrowdStrike platform, check the logs under CE Logging. It is one of the following:

  • An error was received while pulling Hosts from the platform.
  • No Hosts are available to pull on the CrowdStrike platform.

What to do: If an error was received while pulling Hosts, check the error message and proceed accordingly.

Receiving a 500 error: the CrowdStrike API may be temporarily unavailable; wait a while and check again later.

Receiving a 403 error: the API client does not have the required scopes, or its Client ID and Client Secret have been revoked. Verify the scopes granted to the Client ID and that the secret is still valid.

If there is no error in the logs, there may simply be no hosts on the platform to pull. Check the hosts available in CrowdStrike and confirm.

Unable to fetch the scores of pulled Hosts

If scores are not pulled for all or some hosts, the cause is usually the Maximum Score value in the plugin configuration: the plugin pulls only scores less than or equal to that value, so hosts scoring above it are skipped.

What to do: Open the plugin configuration page and increase the Maximum Score value.

Unable to perform Action on Host

If the Put RTR Script action fails, it is due to one of the following:

  • Insufficient permission was provided for the action. Verify that the RTR script permission (put under Real Time Response > High risk commands) is enabled in the response policy applied to the host, and that the API client has the Real time response (admin) scope.
  • An error was received while performing the action:
    • If the host is down or does not exist, the plugin cannot perform the Put RTR Script action. Verify that the host is online and reachable.
    • If the host runs Linux, the action is not performed; Linux is not a supported OS.
    • If too many actions are performed on a host, you may receive a 425 error, which adds the action to the queue. Wait a while before retrying the action.
