CrowdStrike Plugin for Threat Exchange

CrowdStrike Plugin for Threat Exchange

This document explains how to configure the CrowdStrike integration with the Cloud Threat Exchange module of the Netskope CE platform. This CrowdStrike v2.0.0 plugin integration allows you to pull indicators of type SHA256, MD5, IPv4, IPv6, and Domain from CrowdStrike’s Endpoint Detection and IoC Management pages. This plugin also supports sharing of the indicators to CrowdStrike’s Custom IoC.

Prerequisites

To complete this configuration, you need:

  • A Netskope tenant (or multiple, for example, production and development/test instances) that is already configured in Cloud Exchange.
  • A Secure Web Gateway subscription for URL sharing.
  • A Threat Protection subscription for malicious file hash sharing.
  • A Netskope Cloud Exchange tenant with the Threat Exchange module already configured.
  • A CrowdStrike instance.
  • Connectivity to any one of the following hosts:
    • Commercial cloud (api.crowdstrike.com)
    • US 2 (api.us-2.crowdstrike.com)
    • Falcon on GovCloud (api.laggar.gcw.crowdstrike.com)
    • EU cloud (api.eu-1.crowdstrike.com)
CrowdStrike Plugin Support

Fetched indicator types

SHA256, MD5, Domain, IPv4, IPv6

Shared indicator types

SHA256, MD5, Domain, IPv4, IPv6

Permissions

API Scopes permissions

Scope

Read

Write

Detections

Yes

No

IoC Management

Yes

Yes

Hosts

Yes

Yes

IoCs (Indicators of Compromise)

Yes

No

Performance Matrix

Below is the performance reading conducted by pulling and sharing 100K indicators from/to CrowdStrike on a Large CE Stack with the below specifications

Stack details

Size: Large

RAM: 32 GB

CPU: 16 Cores

Indicators fetched from CrowdStrike

~14K per minute

Indicators shared with CrowdStrike

~3K per minute

API Details

List of APIs used

Use Case

Method

Endpoint

API Scope

Get auth token

POST

/oauth2/token

None

Pull detection ids from Endpoint Detections

GET

/detects/queries/detects/v1

Detections (Read)

Pull detection details

POST

/detects/entities/summaries/GET/v1

Detections (Read)

Pull indicators from Custom IOC Management and check the existence of indicators on IOC Management

GET

/iocs/combined/indicator/v1

IOC Management (Read)

Push indicators to Custom IOC Management

POST

/iocs/entities/indicators/v1

IOC Management (Write)

Pull the host IDs from the indicator value for the Isolate/Remediate action

GET

indicators/queries/devices/v1

IOCs (Indicators of Compromise) (Read)

Perform Isolate/Remediate action

POST

/devices/entities/devices-actions/v2

Hosts (Write)

User Agent

The user-agent added in this plugin is in the following format:

 <vendor>-<integration name>/<version>

For example:

netskope-ce-4.2.0-cte-crowdstrike/2.0.0
Field Mappings for Pull

Here is the list of fields that are pulled from CrowdStrike and mapped in Netskope CE.

Endpoint Detection Page Mapping

Netskope CE Fields

CrowdStrike API Response Fields

value

ioc_value

type

ioc_type

comments

ioc_description

firstSeen

first_behavior / (timestamp)

lastSeen

last_behavior / (timestamp)

severity

severity

reputation

confidence/10

IOC Management Page Mapping

Netskope CE Fields

CrowdStrike API Response Fields

value

value

type

type

severity

severity

firstSeen

created_on

lastSeen

modified_on

comment

Format: Comment format: Source: , action: , platforms: , metadata fields:

Combination of Source, action, platforms, metadata fields

tags

tags + [“non-CrowdStrike-discovered”]

Workflow

  1. Create a custom File Profile.
  2. Create a Malware Detection Profile.
  3. Create a Real-time Protection Policy.
  4. Get your CrowdStrike API credentials.
  5. Configure the CrowdStrike Plugin.
  6. Configure sharing between Netskope and CrowdStrike.
  7. Validate the CrowdStrike Plugin.

Click play to watch a video.

 

Create a Secure Web Gateway Custom File Profile for CrowdStrike

  1. In the Netskope UI, go to Policies , select File , and click New File Profile.
  2. Click File Hash in the left panel, select SHA256 from the File Hash dropdown list.
  3. Enter a temporary value in the text field. Netskope does not support progressing without having a value in this field, and recommends entering a string of 64 characters that consists of the character f. For example, ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff. This will have a very low possibility of matching a valid file format.
  4. Click Next.
  5. Enter a Profile Name and a Description. We recommend not having blank spaces in your profile name; use underscores for spaces.
  6. Click Save.
  7. To publish this profile into the tenant, click Apply Changes in the top right.

Create a Malware Detection Profile for CrowdStrike

  1. In the Netskope UI, go to Policies, select Threat Protection , and click New Malware Detection Profile.
  2. Click Next
  3. Click Next again.
  4. Select the File Profile you created in the previous section and click Next.
  5. Enter a Malware Detection Profile name and click Save Malware Detection Profile.
  6. To publish this profile in the tenant, click Apply Changes in the top right.

Create a Real-time Threat Protection Policy for CrowdStrike

These instructions apply to the new Real-time Protection policy workflow.

  1. In the Netskope UI, go to Policies > Real-time Protection. 
  2. Click New Policy and select Threat Protection.
  3. For Source, leave the default (User = All Users)
  4. For Destination: select Category
  5. The Category section expands and allows you to search and select categories. Click Select All. When finished, click outside of the Category section.
  6. When the Activities & Constraints section opens, click Edit.
  7. Select Upload and Download, and then click Save.
  8. For Profile & Action, click in the text field.
  9. Select the Malware Detection profile you created in the previous section.
  10. For the Severity Levels, change all of the Actions settings from Action: Alert to Action: Block.
  11. Select a template to choose which block message is sent to the user.
  12. For Set Policy, enter a descriptive Policy Name.
  13. Click Save in the top right to save the policy.
  14. Choose the To the top option when it appear. (Or appropriate location in your security policy)
  15. To publish this policy into the tenant, select Apply Changes in the top right.

Get your CrowdStrike Client ID and Client Secret

  1. Log in to your CrowdStrike platform and go to Support and Resources > API Client and Keys.
  2. Click Create API Client. Add the Client name and provide these scopes.

    API Scopes permissions

    Scope

    Read

    Write

    Detections

    Yes

    No

    IOC Management

    Yes

    Yes

    Hosts

    Yes

    Yes

    IOCs(Indicators of Compromise)

    Yes

    No

  3. Copy the Client ID and Secret, and then click Create.

Configure the Crowdstrike Plugin

  1. Log in to Cloud Exchange and go to Settings > Plugins.
  2. Search for and select the CrowdStrike v2.0.0 (CTE) plugin box to open the plugin creation pages.
  3. For Basic Information, enter and select these values:
    • Configuration Name: Unique name for the configuration
    • Sync Interval: Leave default or change based on your requirement.
    • Aging Criteria: Expiry time of the plugin in days. (Default: 90)
    • Override Reputation: Set a value to override the reputation of indicators received from this configuration.
    • Enable SSL Validation: Enable SSL Certificate validation.
    • Use System Proxy: Enable if the proxy is required for communication
  4. Click Next.
  5. For Configuration Parameters, enter and select these values:
    • Base URL: Base URL for Crowdstrike API Endpoints.
    • Client ID: Crowdstrike API Client ID.
    • Client Secret: Crowdstrike API Client Secret.
    • Enable Polling: Enable/Disable polling data from CrowdStrike.
    • Indicator Source Page: The page from which you want to pull data from. The data pulled from the IoC Management page will be tagged as “non-CrowdStrike-discovered”
    • Type of Threat data to pull: Type of Threat data to pull. Supported types are SHA256, MD5, Domain, IPv4 and, IPv6.
    • Initial Range: Number of days to pull the data for the initial run.
    • Indicator Batch Size: Number of Indicators to push in one API call. (Applicable only while sharing IoCs)
    • IoC Source: The source where this indicator originated. This can be used for tracking where this indicator was defined.
  6. Click Save.

    Note

    Before CrowdStrike v2.0.0 the indicators were only pulled from the CrowdStrike > EndPoint detection page > Behaviours. In this update, we have added support to pull data from the CrowdStrike > IOC Management page. So all the MD5, SHA256, Domains, IPv4, and, IPv6 available on both the Endpoint Detection and IOC Management page will be pulled from the CrowdStrike platform to Netskope CE.

    Earlier the plugin configuration had Malware, Malsite, and Both as options for the “Type of ThreatData to pull” field, it has now been updated to the following:

    CrowdStrike v1.0.3

    CrowdStrike v2.0.0

    Malware

    MD5 and SHA256

    Malsite

    Domains

    In order to pull malware-type indicators from CrowdStrike select MD5 and SHA256 in the Type of ThreatData to pull the field from the plugin configuration. In order to pull the Malsite type of data select Domains, IPv4, and IPv6.

  7. Configure a Threat Exchange Business Rule for CrowdStrike

    A Business Rule is used to filter out the indicators that are to be shared. In order to share IoCs with CrowdStrike, create a business rule using the following steps:

    1. Go to Threat Exchange > Business Rules click Create New Rule.
    2. Add the Rule name and select the fields through which you want to filter the IoCs.
    3. Click Save.

    Add a Threat Exchange Sharing Configuration

    CrowdStrike v2.0.0 supports performing Remediate and Isolate actions on the Hosts. This plugin also updates the already shared Indicators on CrowdStrike when reshared.

    CrowdStrike Actions

    Perform Action

    • No Action: Save the indicator for future use, but take no action. No severity is required.
    • Allow: This applies to hashes only. Allow the indicator and do not detect it. Severity does not apply and should not be provided.
    • Block, Hide Detection: This applies to hashes only. Block and detect the indicator, but hide it from Endpoint security > Monitor > Endpoint detections. Has a default severity value.
    • Block: This applies to hashes only. Add the indicator to the Block list using which the prevention policy will block the processes on the host from which this indicator is generated.
    • Detect Only: Show it as detection and take no action on it.

    Isolate/Remediate Hosts

    • Contain: Contains the host and stops any network communications to locations other than the CrowdStrike cloud and IPs specified in your containment policy.
    • Lift Containment: Lifts containment on the host and returns its network communications to normal.
    • Hide Host: Deletes a host. After the host is deleted, no new detections for the host will be reported via the UI or API. A maximum of 100 hosts can be hidden at a time.
    • Unhide Host: Restores a host. Detection reporting resumes after the host is restored.

    To configure sharing:

    1. Go to Threat Exchange > Sharing and click Add Sharing Configuration.
    2. Select Source configuration (Source from which you want to share data to CrowdStrike), select Business Rule, and Destination.
    3. Select the Target value and Action type.
    4. Click Save.

      Note

      In CrowdStrike v2.0.0, the labels for the “Action” field of “Perform Action” Target have been updated and are now in sync with the CrowdStrike platform. Updated labels for the Action parameter are as follows:

      CrowdStrike v1.0.3

      CrowdStrike v2.0.0

      No Action

      No Action (Applies to all indicator types)

      Allow

      Allow (Applies to hashes only)

      Prevent_no_ui

      Block, hide detection (Applies to hashes only)

      Prevent

      Block (Applies to hashes only)

      Detect

      Detect only (Applies to all indicator types)

    Validate the CrowdStrike Plugin

    Validate Pull

    1. Indicators from CrowdStrike are pulled from Endpoint security > Endpoint Detection > Detections and Endpoint security > IOC Management.
    2. Indicators stored in CE can be verified from Threat Exchange > Threat IoCs.
    3. Search the CrowdStrike IoCs by filtering indicators from CrowdStrike.

      For example, add a query on the Threat IoCs page like sources.source Is equal

    4. You can also verify the indicators pulled in CE from the Logs available on the Logging page.

    Validate Push

    1. Shared IoCs in Netskope CE can be verified from logs available on the Logging page of Threat Exchange.
    2. IoCs shared on CrowdStrike can be verified from Endpoint security > IOC Management.

    Troubleshooting

    Receiving an error while updating the plugin using the plugin repository

    If you are facing an issue updating the configured CrowdStrike plugin, follow these steps:

    1. Close the plugin repo page once you pull and download the plugin updates.
    2. Go to Threat Exchange > Plugins.
    3. To edit the plugin, go to the Configuration Parameter page and remove the selected value from the Type of Threat Data to pull field, and then select the IoC type that you want to pull.
    4. Select the source page from the Indicator Source Page dropdown.
    5. Save the plugin.
    6. Click on the enable plugin icon and enable the plugin. The plugin will be updated with the latest changes and start working as expected.
    Receiving error 500 Server error while updating/sharing the IoCs to CrowdStrike

    If you are receiving the below error message in logs while sharing the IoCs to CrowdStrike, it might be because of the batch size provided in the plugin configuration for sharing being large.

    Change the batch size for the sharing from the plugin configuration by following the below steps:

    1. Edit the CrowdStrike plugin from Threat Exchange > Plugins.
    2. Reduce the Indicator Batch size parameter and save the plugin.
Share this Doc

CrowdStrike Plugin for Threat Exchange

Or copy link

In this topic ...