If you're having trouble at any stage please contact us at firstname.lastname@example.org.
The goal of this guide is to add a new SkyFormation CrowdStrike Cloud App Connector to your SkyFormation Platform.
- Only available for paying customers with the Falcon Insight and Falcon Prevent products.
- Make sure the following services are reachable from the SkyFormation machine:
The CrowdStrike connector supports two methods of obtaining the events. Both deliver the same events, so choose the one that suits your needs:
Option 1: via Falcon Streaming API - Easier to set up, supports small to medium size deployments. To use this option, use the streaming-api endpoint.
NOTE: Falcon Streaming API is disabled by default. You must enable it before you continue with configuration of this option.
Option 2: via Falcon Data Replicator (FDR) - Requires some setup on the CrowdStrike side, supports a high volume of events.
Option 1 (Streaming API) setup:
- The connector uses the Falcon Streaming API, which is disabled by default.
Starting with release 2.4.204, two authentication options are available for the Streaming API:
Basic Auth: This method requires an API Key and UUID. To obtain an API key and UUID, you must have admin privileges in the Falcon UI.
Sign in to the Falcon UI and navigate to the People App > Customer tab. Note that the People App is only visible to admins.
Click “Reset API Key” (Note that any previous API key will be invalidated).
Copy the API key and UUID for safe keeping.
(Origin: CrowdStrike guide -
Note: These credentials are different from the Query API and Threat Graph API credentials.
- When you come to on-board the connector, make sure the information below is available to you.
OAuth2: This method requires a client ID and client secret. To obtain them, follow these instructions:
You must have the Falcon Administrator role to view, create, or modify API clients or keys. However, you can only see an API client's secret when you create or reset the secret.
Sign in to the Falcon console
Click Add new API client
Enter a descriptive Client name that identifies your API client in Falcon and in API action logs
(Optional) Enter a Description, such as your API client's intended purpose
Select one or more API scopes. For SkyFormation cloud connectors you only need READ scopes.
Tip: Record your API client secret somewhere safe. For security purposes, it's only shown when you create or reset the API client. If you lose your secret, you must reset it, which cuts off access for any integrations that still use the previous secret.
For more information, see https://falcon.crowdstrike.com/support/documentation/46/crowdstrike-oauth2-based-apis#api-clients
- When you come to on-board the connector, make sure the information below is available to you:
- cloud-endpoint. Starting mid-May 2020, CrowdStrike has launched a second US-based cloud (us-2) where all new CrowdStrike customers will be onboarded. If you are onboarded into the new cloud, your API gateway link is api.us-2.crowdstrike.com. Otherwise you can keep the default, which is https://api.crowdstrike.com. There can be other cloud endpoints, e.g. GovCloud or EU. Ask CrowdStrike support to provide you with your cloud-endpoint string.
When on-boarding (see below), fill in only these credentials and ignore the bottom section (the FDR section).
Option 2 (Falcon Data Replicator) setup:
- Complete the setup of FDR. You should have credentials for an AWS IAM user (access key and secret) and an SQS queue.
When on-boarding (see below), fill in only these credentials and ignore the top section (the streaming-api section).
After starting the connector, click "Status", stop the streaming-api endpoint, and start the FDR endpoint.
On-board SkyFormation for CrowdStrike steps
1. Log on to your SkyFormation Platform.
2. Navigate via left navigation panel to "Settings" section
3. Navigate via New Settings left navigation panel to "Accounts" section
4. Click the "Add Account" button
5. At the "SELECT SERVICE TO ADD" choose "CrowdStrike"
You will see the screen below for OAuth2:
Or this one for Basic Auth:
5. Fill in the following information:
- Tenant (relevant only for the multi-tenant SkyFormation edition)
Choose the tenant the new connector will be attached to.
- Account Name
Give the custom connector a meaningful name for you.
This will become your application connector name displayed in the SkyFormation platform and
is added to every event sent to your SIEM system from this connector as an identifier.
Add any text that describes the specific application and its meaning for the business, for example:
"Corp end-point security app"
- UuId (basic auth only)
Unique ID provided to your organization by CrowdStrike support to use the API
- API-Key (basic auth only)
A key provided to your organization by CrowdStrike support to use the API
- Client-Id (oauth2 only)
client ID from prerequisites section
- Client-Secret (oauth2 only)
client secret from prerequisites section
- Cloud-endpoint (oauth2 only)
default is https://api.crowdstrike.com; ask CrowdStrike support to provide you with your cloud-endpoint.
6. Test the settings correctness
Press the "TEST CONNECTION" button
If a green OK sign appears (as above), you have completed the onboarding successfully.
- Click "SAVE" button
7. Start the new connector
When a new cloud connector is added its default state is STOPPED.
To start it press its START button.
If you're seeing "ERROR 403" from the connector with Option 1 configured (Streaming API), it may be due to the Streaming API not being enabled. Please contact CrowdStrike Support to enable it.
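The following pre-flight script is an added example, not SkyFormation's or CrowdStrike's own code. It covers the OAuth2 prerequisites above (cloud-endpoint, Client-Id, Client-Secret) and the "ERROR 403" note: it normalizes the cloud-endpoint string, builds the OAuth2 client-credentials request to `POST /oauth2/token` (the documented CrowdStrike token endpoint, which answers 201 on success), and maps the HTTP status to the troubleshooting steps in this guide, so you can confirm the credentials and gateway before pasting them into the "Add Account" form. The Streaming API discovery path `/sensors/entities/datafeed/v2?appId=...` is taken from CrowdStrike's Streaming API documentation as the author of this example recalls it and should be checked against current documentation; the environment variable names and the `appId` value are constructed for this example.

```python
# Added example (not SkyFormation's or CrowdStrike's code): pre-flight check of the
# OAuth2 credentials and cloud-endpoint collected in the prerequisites section.
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

# The two cloud endpoints named in the guide. GovCloud / EU gateways come from
# CrowdStrike support, so any other host under crowdstrike.com is also accepted.
KNOWN_ENDPOINTS = ("https://api.crowdstrike.com", "https://api.us-2.crowdstrike.com")


def normalize_endpoint(endpoint: str) -> str:
    """Turn 'api.us-2.crowdstrike.com' or 'https://api.us-2.crowdstrike.com/' into a
    canonical 'https://<host>' and reject values that cannot be a Falcon API gateway."""
    endpoint = endpoint.strip().rstrip("/")
    if not endpoint:
        raise ValueError("cloud-endpoint is empty; the default is https://api.crowdstrike.com")
    if "://" not in endpoint:
        endpoint = "https://" + endpoint
    parsed = urllib.parse.urlparse(endpoint)
    if parsed.scheme != "https":
        raise ValueError("cloud-endpoint must use https, got %r" % parsed.scheme)
    host = (parsed.hostname or "").lower()
    if not host.endswith(".crowdstrike.com"):
        raise ValueError("cloud-endpoint %r is not a crowdstrike.com gateway" % endpoint)
    return "https://" + host


def token_request(endpoint: str, client_id: str, client_secret: str) -> urllib.request.Request:
    """Build the OAuth2 client-credentials request (POST /oauth2/token, form-encoded).
    The secret travels only in the request body, never in the URL or in a log line."""
    url = normalize_endpoint(endpoint) + "/oauth2/token"
    body = urllib.parse.urlencode({"client_id": client_id, "client_secret": client_secret}).encode()
    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"},
    )


def streaming_request(endpoint: str, access_token: str, app_id: str) -> urllib.request.Request:
    """Build the Streaming API discovery call. Assumption: GET /sensors/entities/datafeed/v2?appId=<id>
    as described in CrowdStrike's Streaming API documentation; verify against current docs."""
    query = urllib.parse.urlencode({"appId": app_id})
    return urllib.request.Request(
        normalize_endpoint(endpoint) + "/sensors/entities/datafeed/v2?" + query,
        headers={"Authorization": "Bearer " + access_token, "Accept": "application/json"},
    )


def explain_status(status: int) -> str:
    """Map an HTTP status from the token or streaming call to the guide's troubleshooting steps."""
    if status in (200, 201):
        return "ok"
    if status == 401:
        return "credentials rejected: check Client-Id / Client-Secret (or reset the secret in the Falcon console)"
    if status == 403:
        return "forbidden: Streaming API not enabled or client lacks the READ scope; contact CrowdStrike Support"
    if status == 404:
        return "not found: wrong cloud-endpoint for this tenant (e.g. us-2 instead of the default)"
    return "unexpected HTTP status %d" % status


def check_credentials(endpoint: str, client_id: str, client_secret: str, timeout: int = 15):
    """Perform the token call (needs network access). Returns (status, explanation, access_token)."""
    req = token_request(endpoint, client_id, client_secret)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status = resp.status
            payload = json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, explain_status(err.code), None
    return status, explain_status(status), payload.get("access_token")


if __name__ == "__main__":
    # Environment variable names are constructed for this example.
    ep = os.environ.get("FALCON_CLOUD_ENDPOINT", KNOWN_ENDPOINTS[0])
    status, why, token = check_credentials(ep, os.environ["FALCON_CLIENT_ID"], os.environ["FALCON_CLIENT_SECRET"])
    print("token:", status, why)
    if token:
        try:
            with urllib.request.urlopen(streaming_request(ep, token, "preflight01"), timeout=15) as resp:
                print("streaming:", resp.status, explain_status(resp.status))
        except urllib.error.HTTPError as err:
            print("streaming:", err.code, explain_status(err.code))
    sys.exit(0 if status in (200, 201) else 1)
```

Run it with the three environment variables set; a 403 on the streaming call with a valid token points at the Streaming API not being enabled for the tenant, which is the case this guide tells you to raise with CrowdStrike Support, while a 401 on the token call means the Client-Id/Client-Secret pair itself is wrong.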