Crowdstrike Plugin for User Risk Exchange
This document explains how to configure the CrowdStrike v1.2.0 plugin integration with the User Risk Exchange module of the Netskope Cloud Exchange platform. This integration collects Host IDs and their scores from CrowdStrike’s platform to Netskope and performs actions based on the Host scores.
Prerequisites
- Netskope Tenant (or multiple, for example, production and development/test instances).
- A Netskope Cloud Exchange tenant with the User Risk Exchange module already configured.
- Your CrowdStrike instance credentials (Client ID, Client Secret) for obtaining an API token.
- A CrowdStrike Real-Time Response Administrator role for the Put RTR Script action.
- For each platform (Windows, Mac), a response policy with Real Time Response (High-Risk Commands) enabled.
- Connectivity to the following host: https://api.crowdstrike.com
Compatibility
Netskope CE: v4.1.0, v4.2.0
Performance Matrix
Below is the performance matrix, calculated based on the stack size. With a Large CE stack, you can pull and store host scores for 500K records in ~40 minutes.
Stack Size | Large (RAM: 32 GB, Cores: 16) |
No. of Records | 500K hosts |
Time taken to ingest records with scores | ~40 mins |
Fetched record types | Hosts |
Permissions
API Scopes Permissions
Refer to the Get your Crowdstrike Client ID and Client Secret section for obtaining and providing API scope permissions.
Scope | Read | Write |
Hosts | Yes | No |
Real time response (admin) | – | Yes |
Real time response | Yes | No |
Zero Trust Assessment | Yes | – |
Response Policy Permissions
Refer to the Add Permission for your Response Policy (RTR script Permission) section for obtaining and providing Response Policy permissions.
Category | Type | Permission | Status |
Real Time Response | High risk commands | put | Enable |
Note: Response policy permissions are only needed when you want to use the Put RTR Script action.
API Details
API Detail | Method | Endpoint | API Scope |
Get auth token | GET | /oauth2/token | None |
Fetch Records | GET | /devices/queries/devices-scroll/v1 | Hosts (Read) |
Fetch Scores | GET | /zero-trust-assessment/entities/assessments/v1 | Zero Trust Assessment (Read) |
Get session ID | POST | /real-time-response/entities/sessions/v1 | Real time response (Read) |
Get platform name | POST | /devices/entities/devices/v2 | Hosts (Read) |
Remove file from device | POST | /real-time-response/entities/admin-command/v1 | Real time response admin (Write) |
Get status of command | GET | /real-time-response/entities/admin-command/v1 | Real time response admin (Write) |
Put file on device | POST | /real-time-response/entities/admin-command/v1 | Real time response admin (Write) |
Delete the session | DELETE | /real-time-response/entities/sessions/v1 | Real time response (Read) |
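The ingestion half of the API Details table (scroll host IDs, fetch their Zero Trust Assessment scores in batches, then keep only hosts at or below the Maximum Score configured in the plugin) as an added example; this is not the Netskope plugin's own code. The `resources` / `meta.pagination.offset` response shapes, the `assessment.overall` field, and the use of that value as the score compared against Maximum Score are assumptions, and the stub transport and its three hosts are constructed.

```python
from typing import Callable, Dict, List, Tuple

# Endpoints exactly as listed in the API Details table.
DEVICES_SCROLL = "/devices/queries/devices-scroll/v1"
ZTA_ASSESSMENTS = "/zero-trust-assessment/entities/assessments/v1"

# A transport is any callable (path, params) -> parsed JSON dict, so the same
# logic can run against a real HTTP client or the constructed stub below.
Transport = Callable[[str, dict], dict]

def scroll_device_ids(call: Transport, page_size: int = 2) -> List[str]:
    """Page through devices-scroll until the pagination offset comes back empty.
    Assumed shape: {"meta": {"pagination": {"offset": ...}}, "resources": [ids]}."""
    ids, offset = [], ""
    while True:
        params = {"limit": page_size}
        if offset:
            params["offset"] = offset
        page = call(DEVICES_SCROLL, params)
        ids.extend(page.get("resources", []))
        offset = page.get("meta", {}).get("pagination", {}).get("offset", "")
        if not offset:
            return ids

def fetch_scores(call: Transport, ids: List[str], batch: int = 2) -> Dict[str, int]:
    """Look up ZTA scores in batches; hosts with no assessment are simply skipped."""
    scores: Dict[str, int] = {}
    for i in range(0, len(ids), batch):
        resp = call(ZTA_ASSESSMENTS, {"ids": ids[i:i + batch]})
        for r in resp.get("resources", []):
            scores[r["aid"]] = int(r["assessment"]["overall"])  # assumed field
    return scores

def ingest(call: Transport, maximum_score: int) -> List[Tuple[str, int]]:
    """Join IDs with scores and apply the Maximum Score filter (score <= value)."""
    scores = fetch_scores(call, scroll_device_ids(call))
    return sorted((aid, s) for aid, s in scores.items() if s <= maximum_score)

# Constructed stub: three hosts spread over two scroll pages.
_DEVICES = ["aid-a", "aid-b", "aid-c"]
_ZTA = {"aid-a": 18, "aid-b": 64, "aid-c": 91}

def stub_transport(path: str, params: dict) -> dict:
    if path == DEVICES_SCROLL:
        start = int(params.get("offset") or 0)
        end = start + params["limit"]
        nxt = str(end) if end < len(_DEVICES) else ""  # empty offset = last page
        return {"meta": {"pagination": {"offset": nxt}}, "resources": _DEVICES[start:end]}
    if path == ZTA_ASSESSMENTS:
        return {"resources": [{"aid": i, "assessment": {"overall": _ZTA[i]}}
                              for i in params["ids"] if i in _ZTA]}
    raise ValueError(f"unexpected path {path}")

if __name__ == "__main__":
    print(ingest(stub_transport, maximum_score=70))  # [('aid-a', 18), ('aid-b', 64)]
```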
User Agent
The user agent added for this plugin is in the following format:
Workflow
- Get your CrowdStrike credentials.
- Configure the Crowdstrike Plugin for User Risk Exchange.
- Add Permissions for your Response Policy.
- Configure a Business Rule for the CrowdStrike plugin.
- Configure Actions for the CrowdStrike Plugin.
- Validate the CrowdStrike plugin.
Get your Crowdstrike Client ID and Client Secret
- Log in to your Crowdstrike platform. Go to the menu icon >> Support and resources >> API clients and Keys.
- Click Add new API Client.
- Add the following scopes for using the Crowdstrike URE plugin:
Scope | Read | Write |
Hosts | Yes | No |
Real time response (admin) | – | Yes |
Real time response | Yes | No |
Zero Trust Assessment | Yes | – |
- Copy the Client ID and Secret.
Add Permission for your Response Policy (RTR script Permission)
- Log in to the Falcon Crowdstrike UI.
- Click on the menu button in the top left corner. Go to Host Setup and management > Response Policies.
- For Windows, go to the policy that is to be used and click on the edit policy button on the right corner of the policy.
- Enable the following permissions:
Response Policy Permissions
Category | Type | Permission | Status |
Real Time Response | High risk commands | put | Enable |
Also, refer to the below screenshot.
Configure the Crowdstrike Plugin
- In Cloud Exchange, go to Settings > Plugins. Search for and click on the Crowdstrike v1.2.0 (URE) plugin box.
- Add Configuration Name, Sync Interval, and enable the Use System Proxy if you are using a proxy for configuring the plugin.
- Click Next and enter the Base URL, Client ID, Client Secret, and Maximum Score (Maximum Score is the configuration parameter by which the plugin fetches only hosts whose score is less than or equal to the given value).
- Click Next and set the score range from the Select Range page. When finished, click Save.
Create a User Risk Exchange Business Rule for CrowdStrike
- Go to Risk Exchange Module > User Risk Exchange > Business Rules and click Create New Rule.
- Enter the Rule Name and configure a query for business rules based on your requirement, and click Save.
Configure Netskope User Risk Exchange Actions for CrowdStrike
The URE Crowdstrike plugin supports the following two action types:
- No Action
- Put RTR Script
No Action
No action will be performed on the host. Users can generate UBA alerts in CTO by using this action and enabling the Generate Alerts toggle button.
Put RTR Script
The Put RTR Script action puts a file on the host depending on the host's score. Below is the score-to-file mapping (which file is put on the host machine for a given score) and the steps to configure this action.
Score to file mapping
Score | File |
Less than 260 | crwd_zta_1_25.txt |
260 to 510 | crwd_zta_26_50.txt |
510 to 760 | crwd_zta_51_75.txt |
760 to 100 | crwd_zta_76_100.txt |
Steps to configure the Action:
- Go to User Risk Exchange > Actions and click Add Action Configuration.
- Select the required Business Rule, Configuration, and Action from their respective dropdown.
- Click Save button.
Validate the CrowdStrike Plugin
Validate in Cloud Exchange
- Go to User Risk Exchange > Hosts. You will see all the hosts and their scores that were pulled.
- When a host matches one of the configured business rules, the configured action will be performed on it. This can be seen in Risk Exchange > Action Logs.
Validate in Crowdstrike
- Log in to the Crowdstrike platform. Click the menu option in the top-left corner > Host Setup and management.
- You’ll see the number of hosts that were pulled from the platform, as shown in the snapshot below.