If you're having trouble at any stage please contact us at support@skyformation.com. 

Preface

The goal of this guide is to add a new SkyFormation's CrowdStrike Cloud App Connector to your SkyFormation Platform.

Prerequisites

- Only available for paying customer with the Falcon Insight and Falcon Prevent products 

- Open the following services to be approachable from the SkyFormation machine:

   https://*.crowdstrike.com

The CrowdStrike connector supports 2 methods of obtaining the events, which are in duplicate, so choose which one suites your needs - 

Option 1: via Falcon Streaming API - Easier to setup, supports small-medium size deployments. To use this use the endpoint-streaming-api

Option 2: via Falcon Data Replicator (FDR) - Requires some setup on CrowdStrike side, supports high volume of events

Option 1 setup:

- The connector uses the Falcon Streaming API which are disabled by default.

To obtain an API key and UUID, you must have admin privileges in the Falcon UI.

Sign in to the Falcon UI and navigate to the People App > Customer tab. Note that the People App is only visible to admins.
Click “Reset API Key” (Note that any previous API key will be invalidated).
Copy the API key and UUID for safe keeping.

(Origin: CrowdStrike guide - 

https://www.crowdstrike.com/blog/tech-center/get-access-crowdstrike-apis/)

 Note: These credentials are different than the Query API and Threat Graph API credentials

- When coming to on-board the connector make sure the below information is available for you

1. UUID 
2. API-Key

When on-boarding (see below), fill on only these credentials, and ignore the FDR section.

Option 2 setup:

- Complete the setup of FDR. You should have credentials to a AWS IAM user (access key and secret) and SQS queue

When on-boarding (see below), fill on only these credentials, and ignore the top section for the streaming-api section.

After starting the connector, click "Status", stop the streaming-api endpoint, and start the FDR endpoint.

On-board SkyFormation for CrowdStrike steps

1. Logon to your SkyFormation Platform:

2. Navigate via left navigation panel to "Settings" section

3. Navigate via New Settings left navigation panel to "Accounts" section

4. Click the "Add Account" bottom

5. At the "SELECT SERVICE TO ADD" choose "CrowdStrike" 

You will see the below screen:

5. Fill in the following information:

 - Tenant (relevant only for the multi-tenant SkyFormation edition)
       Choose the tenant the new connector will be attached to.     

  - Account Name
       Give the custom connector a meaningful name for you.
      This will become your application connector name displayed in the SkyFormation platform and
      added to entire events sent to your SIEM system from this connector as an identifier. 

      Example: 
      "CrowdStrike-corp-endpoint-security"     

    - Description
      Add any text that describe the specific application and meaning for the business.

      Example:
      "Corp end-point security app"

    - UuId

      Unique ID provided to your organization by CrowdStrike support to use the API

      Example:
      da6e3d72-2f37-6241-9504-2307b710241g

  - API-Key

     A key provided to your organization by CrowdStrike support to use the API

     Example:
     FjhhMTAxY2EtNjY2Ni00AGQwLKhjMjQtNTYxYTdkMmJlYzU6 

6. Test the settings correctness 

    Press the "TEST CONNECTION" button

    If you see a green OK sign appears as above you have completed the onboard successfully.

- Click "SAVE" button

7. Start the new connector

    When a new cloud connector is added its default state is STOPPED.

    To start it press its START button. 

DONE !