Adding CrowdStrike Falcon Connector to Skyformation Platform

Prerequisites

• This service is only available for paying customers with the Falcon Insight and Falcon Prevent products.

• Admin privileges in the Falcon UI

• The following URL group must be accessible from the instance running Skyformation: https://*.crowdstrike.com

Crowdstrike provides 2 methods to retrieve events: Streaming API and FDR. Streaming API provides detections and audit events while the FDR provides raw event data. For more information please visit   https://www.crowdstrike.com/wp-content/uploads/2020/03/CS_Falcon_APIs_Datasheet.pdf.

You should choose the method that better suits your needs. Option 1 is to use the Falcon Streaming API, this method is easier to setup. Option 2 is to use the Falcon Data Replicator (FDR), it will require more configuration on Crowdstrike’s side but will support larger volume of events.

Option 1 - Streaming API

This option is disabled on Crowdstrike’s side by default, you need to contact Crowdstrike support to enable it.

Starting Oct 30, 2020 Crowdstrike are decommissioning of key-based APIs. The only method to authenticate will be the Oauth2. If you are an existing customer who is using the Basic (Key based) authentication, please edit your Crowdstrike Falcon connector settings to use the Oauth2 method by following Option 1 in the onboarding steps below.

Oauth2 authentication

This method requires to obtain Client ID, Client Secret and a Cloud endpoint (a.k.a API Gateway):

1. Sign in to the Crowdstrike Falcon we UI and go to Support and then API Clients and Keys.

2. At the top, click Add new API client:
   

3. Choose a meaningful name, like “exabeamccaccess” for example, and grant Read access to the API scopes.

4. Click Save

5. You will now be presented with the Client ID and Client Secret. Copy these values some place safe, we will need them for the onboarding process. Once you exit this screen you will not be able to recover them.

6. Click Done

7. Crowdstrike assigns each API client a Cloud endpoint (sometimes referred to as an API gateway). Prior to May 2020 all clients were assigned the default gateway which is https://api.crowdstrike.com. After this point clients were assigned the new gateway which is https://api.us-2.crowdstrike.com. It might also happen that the client you created was assigned a different gateway not mentioned above. Please contact Crowdstrike’s support to verify what is the API Gateway assigned to your API client and save that. We refer to this URL as the Cloud endpoint and it will be needed for the onboarding process.

8. After completing all these steps you should have:

   1. Client ID

   2. Client Secret

   3. Cloud endpoint

Option 2 - Falcon Data Replicator (FDR)

Contact Crowdstrike support and ask for a managed AWS S3 bucket for short term storage as well as an SQS for new file notifications.

You should receive Access Key, Access Secret, SQS region and SQS URL.

Onboarding the Crowdstrike Falcon connector in Exabeam Cloud Connectors

1. Login to Cloud Connectors UI

2. Go to Settings

3. Go to Accounts

4. Click “Add Account”

5. Click “Select Service to Add”

   

6. Select “Crowdstrike”

7. Tenant: Select the tenant which the crowdstrike connector will be associated with.

8. Account Name: this name will be displayed in the CC UI to help you identify the connector

9. Description: Optional

Option 1 - Streaming API

1. Authentication Method: Select “oauth2”.

2. Client-Id: Enter the Client ID received from Crowdstrike when configuring the API Client.

3. Client-Secret: Enter the Client Secret received from Crowdstrike when configuring the API Client.

4. Cloud-Endpoint: Enter the Cloud endpoint (API Gateway) received from Crowdstrike support.

5. Ignore all other fields

6. Click Test Connection

7. Click Save

8. Start the connector

Option 2 - Falcon Data Replicator

1. Fill in the following credentials provided by Crowdstrike:

   1. Access Key

   2. Secret Key

   3. SQS Region

   4. SQS URL

2. Ignore all other fields

3. Click Test Connection

4. Click Save

5. Start the connector

Troubleshooting

Problem: FDR Item explorer endpoint give the following error:

Solution: The credentials provided (secret and access key) in the CC UI are most likely wrong.

We can verify that by trying to read a message from the SQS queue:

1. docker run --rm -it -v ~/.aws:/root/.aws amazon/aws-cli configure

2. Enter access and secret key when prompted, ignore other credentials.

3. docker run --rm -it -v ~/.aws:/root/.aws amazon/aws-cli sqs receive-message -queue-url <url> --region <region> (replace <url> and <region> with real values)

If we are not able to read a message we have the wrong credentials. If we are able to receive a message using this method please make sure the credentials in the UI are entered properly, i.e no leading/trailing whitespace.

Problem: Not receiving events using FDR endpoint

Solution: The FDR endpoint is dependent upon the FDR Item Explorer endpoint and they must work in pairs, make sure the item explorer endpoint is active.

Problem: Seeing "ERROR 403" from the connector with option1 configured (Streaming API)

Solution: This may be due to the Streaming API not being enabled. Please contact CrowdStrike Support to enable it.