
CrowdStrike

Integration with CrowdStrike Falcon lets AQtive Guard scan remote hosts through the Falcon agent already installed on them, analyze the filesystem data that comes back, and present actionable findings in the AQtive Guard UI. This guide outlines the orchestration process, which uses the CrowdStrike API and the AQtive Guard Network Analyzer.

AQtive Guard CrowdStrike orchestration flow

  1. When you select targets and launch a scan in the AQtive Guard UI, the AQtive Guard API (1) connects to the CrowdStrike API (2).
  2. CrowdStrike runs the AQG Filesystem Scanner on the targeted remote hosts (3) through Real Time Response.
  3. The scanner output is sent from CrowdStrike to AQtive Guard storage, where AQtive Guard analyzes it (4).
  4. The analyzed data is presented in the AQtive Guard UI dashboard (5) and data tables.

CrowdStrike requirements

The integration requires a CrowdStrike API client with the following Falcon API scopes:

  • Hosts (read) - to enumerate the hosts that match the scan filters
  • Real time response (admin) (write)
  • Real time response (read, write)

Real time response (admin) lets the client put files on hosts and execute them, so treat this API client as a privileged credential: grant it no scopes beyond these three and protect the client secret accordingly.

Falcon module dependencies

Falcon customers require the following subscriptions to use the CrowdStrike integration:

  • Falcon Prevent
  • Falcon Insight XDR

Supported platforms

  • Windows
  • Linux

Configure the CrowdStrike integration

To configure the CrowdStrike integration in AQtive Guard, you’ll need your CrowdStrike Base URL, Client ID, and Client secret. To obtain these:

  1. Log into your Falcon Console as a Falcon Administrator.
  2. Select Support, then API Clients and Keys. You can also search for API keys and select API Clients and Keys from the search results.
  3. Select Create API Client and specify a name and description.
  4. In the Scopes section, select the scopes the integration requires:
    • Select Read next to Hosts.
    • Select Write next to Real time response (admin).
    • Select Read and Write next to Real time response.
  5. Select Create and copy the Base URL, Client ID, and Secret values.

Tip

Make sure to copy the credentials and save them in a secure place. Once you close the window, they can’t be shown again. If you do lose access to the credentials, you can reset an API client’s Secret, edit the scopes that are associated with it, or revoke all access.

Log in to AQtive Guard to complete the following steps.

  1. Select Data sources from the main menu, then select Configure in the CrowdStrike panel.
  2. Paste the information you copied from CrowdStrike into the designated fields:
    • Your Base URL (into the Instance URL field).
    • Your API Client ID.
    • Your API Client secret.
  3. (Optional) Select Test Connection to check the connection to the CrowdStrike API.
  4. Select Submit to update the settings.

Note

Selecting Submit performs the same check as the Test connection button, in addition to verifying the client ID and secret are valid.

Use

Once the integration is configured, you can trigger a CrowdStrike scan.

Note

If the CrowdStrike settings aren’t configured, the scan option will be disabled.

Trigger CrowdStrike scan

Follow these instructions to run a scan and ingest CrowdStrike data for analysis by AQtive Guard.

  1. Select Data sources from the main menu, then select Details in the CrowdStrike panel.
  2. In the Scans section, select Start Scan and configure the following:
    • Scan name - a default date and time stamp is provided. You can change this to any unique name.
    • Scan Settings Profile - how much load the scan places on the scanned hosts. There are 3 options:
      • High impact - 100% workload, no limit on the number of files scanned per second, and a maximum file size of 1 GB.
      • Standard impact (default) - 50% workload, up to 10,000 files scanned per second, and a maximum file size of 1 MB.
      • Low impact - 5% workload, up to 1,000 files scanned per second, and a maximum file size of 512 KB.
    • Platform - select Linux or Windows.
    • Hostname (optional) - only scan hosts whose name contains the entered text.
    • Host Activity (optional) - only scan hosts whose Falcon agent checked in within the Last X hours. The Estimated number of affected hosts section updates as you fill in these fields.
  3. Select Start Scan to scan the selected hosts and ingest the data into AQtive Guard for analysis.
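The host selection above (platform, hostname substring, last check-in window) is the part of the scan form that turns user input into a Falcon host query. The following Python is an added example, not AQtive Guard's or CrowdStrike's own code: it builds the FQL filter a caller would pass to the Falcon host-query endpoint from those three fields, and applies the same criteria to a locally cached inventory to produce the "estimated number of affected hosts" preview. The inventory is constructed sample data; the field names (device_id, hostname, platform_name, last_seen) and the FQL clause shapes are my reading of the public Falcon API documentation and should be verified against your tenant. The hostname fragment is validated before it is placed in the filter, because a free-text field that ends up inside a query expression is an injection surface.

```python
"""Host-selection logic for a CrowdStrike scan: build the Falcon host filter from the
scan form fields and preview how many inventory hosts it would select."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample inventory (not real hosts), shaped like the fields returned by the
# Falcon /devices/entities/devices/v2 endpoint (assumed: device_id, hostname,
# platform_name, last_seen).
SAMPLE_HOSTS = [
    {"device_id": "a1", "hostname": "web-prod-01", "platform_name": "Linux",
     "last_seen": "2024-06-01T11:30:00Z"},
    {"device_id": "a2", "hostname": "web-prod-02", "platform_name": "Linux",
     "last_seen": "2024-05-28T09:00:00Z"},
    {"device_id": "a3", "hostname": "WEB-WIN-01", "platform_name": "Windows",
     "last_seen": "2024-06-01T10:00:00Z"},
    {"device_id": "a4", "hostname": "db-prod-01", "platform_name": "Linux",
     "last_seen": "2024-06-01T11:55:00Z"},
]

# Fixed clock so the example is reproducible; a real caller passes datetime.now(timezone.utc).
NOW = datetime(2024, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
FQL_TIME = "%Y-%m-%dT%H:%M:%SZ"

# The Hostname field is free text that ends up inside a filter expression. Restrict it to
# characters legal in a hostname so a user cannot inject FQL operators or quotes.
HOSTNAME_FRAGMENT = re.compile(r"^[A-Za-z0-9._-]{1,64}$")
PLATFORMS = ("Windows", "Linux")


def build_host_filter(platform, hostname_contains=None, last_seen_hours=None, now=NOW):
    """Return an FQL filter for GET /devices/queries/devices/v1 built from the form fields.

    Clause shapes (platform_name:'X', hostname wildcard, last_seen:>'ts') are assumed from
    the public Falcon API docs; confirm them against your tenant before relying on them.
    """
    if platform not in PLATFORMS:
        raise ValueError(f"platform must be one of {PLATFORMS}")
    clauses = [f"platform_name:'{platform}'"]
    if hostname_contains:
        if not HOSTNAME_FRAGMENT.match(hostname_contains):
            raise ValueError("hostname fragment may only contain letters, digits, '.', '_' and '-'")
        clauses.append(f"hostname:*'*{hostname_contains}*'")
    if last_seen_hours is not None:
        if last_seen_hours <= 0:
            raise ValueError("last_seen_hours must be positive")
        cutoff = now - timedelta(hours=last_seen_hours)
        clauses.append(f"last_seen:>'{cutoff.strftime(FQL_TIME)}'")
    return "+".join(clauses)


def select_hosts(hosts, platform, hostname_contains=None, last_seen_hours=None, now=NOW):
    """Apply the same criteria locally to a cached inventory; return matching device IDs.

    Inputs are validated exactly as in build_host_filter, so the preview can never
    succeed on a filter the real query would reject.
    """
    build_host_filter(platform, hostname_contains, last_seen_hours, now)  # validate inputs
    cutoff = now - timedelta(hours=last_seen_hours) if last_seen_hours is not None else None
    selected = []
    for host in hosts:
        if host["platform_name"] != platform:
            continue
        if hostname_contains and hostname_contains not in host["hostname"]:
            continue
        if cutoff is not None:
            seen = datetime.strptime(host["last_seen"], FQL_TIME).replace(tzinfo=timezone.utc)
            if seen <= cutoff:
                continue
        selected.append(host["device_id"])
    return selected


def estimate_affected_hosts(hosts, platform, hostname_contains=None, last_seen_hours=None, now=NOW):
    """Number of hosts a scan with these settings would touch (the UI's estimate)."""
    return len(select_hosts(hosts, platform, hostname_contains, last_seen_hours, now))


if __name__ == "__main__":
    print(build_host_filter("Linux", "web", 24))
    print(estimate_affected_hosts(SAMPLE_HOSTS, "Linux", "web", 24), "host(s) would be scanned")
```

The local filter is deliberately case-sensitive and substring-based, matching the form's "contains the entered text" wording; if your tenant's FQL wildcard match behaves differently, adjust select_hosts so the preview and the real query agree.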

View CrowdStrike scan data

Once you start a scan, you can see the progress in the Scans table. The table displays the following information:

  • Name - the scan name provided when configuring the scan.
  • Status - the status of a scan. The possible values are:
    • Pending - scan is in the scan queue.
    • In Progress - actively scanning.
    • Completed - scan has been successfully ingested into AQtive Guard.
    • Canceled - the scan has been terminated by user action.
  • Progress - the number of hosts scanned / total number of hosts selected.
  • Scan Start - the timestamp for when the scan started (MM/DD/YYYY HH:MM:SS AM/PM), shown in the time zone set in your browser; the system records times in UTC.
  • Scan End - the timestamp for when the scan completed or was stopped (MM/DD/YYYY HH:MM:SS AM/PM), shown in the time zone set in your browser; the system records times in UTC.
  • Duration - the length of time the scan was active.

You can view more information for a specific scan by selecting Details in the row of the scan you’re interested in. The Scan Results table appears, which displays the following:

  • IT Asset - the name of the asset.
  • Status - the status of the scan on the asset. The possible values are:
    • Pending
    • Scanning
    • Retrieval
    • Downloading
    • Success
    • Fail
  • Platform - the asset’s platform. This is either Linux or Windows.

Any successful asset scans will also be shown in IT assets.

Unlink the CrowdStrike integration

Unlink the CrowdStrike integration only if your organization needs to reconfigure it or stop sharing data with CrowdStrike.

To unlink the CrowdStrike configuration:

  1. Select Data sources from the main menu, then select Details in the CrowdStrike panel.
  2. Select Unlink.
  3. Select Confirm and unlink CrowdStrike.