Articles in this section

See more

Configure the CrowdStrike Falcon Cloud Connector for SkyFormation

Avatar
Nadav Lavy (Greenberg)
  • Updated
Follow

SkyFormation Helpdesk: support@skyformation.com

Overview

CrowdStrike provides cloud delivered services that include endpoint protection, antivirus, endpoint detection and response (EDR), and managed threat hunting for constant breach prevention, and threat prevention via machine learning and behavioral-based analytics. The CrowdStrike Falcon platform stops breaches by preventing and responding to all types of malware attacks. Using the CrowdStrike Threat Graph, CrowdStrike Falcon analyzes and correlates billions of events in real time to provide complete protection and visibility across all endpoints. For more information see the product information.

The following table displays the audit source API and security events supported by the connector.

Audit source API and security events supported by the connector

Audit Source: API

Service or Module Covered

Events Types

Notes

Falcon Streaming API

Full audit events and alerts

Administrative actions and alerts

All

CrowdStrike Falcon Data Replicator (FDR)

CrowdStrike FDR

The raw Threat Graph event also called Falcon platform

CrowdStrike forwards events to AWS S3 bucket and  SkyFormation collects the events from AWS S3 bucket.

Prerequisites

CrowdStrike supports two APIs to retrieve events: Falcon Streaming API and Falcon Data Replicator (FDR).

  • Falcon Streaming API: Streaming API provides detections and audit events. Contact CrowdStrike support to enable this option because by default the Streaming API option is disabled.
  • Falcon Data Replicator (FDR): FDR provides raw event data. Contact CrowdStrike support to obtain managed AWS S3 bucket for storage for a short duration and Simple Queue Service (SQS) for notifications about newly created files. CrowdStrike support provides you with Access Key, Access Secret, SQS region and SQS URL.

Select the API that suits your requirements. Falcon Data Replicator supports larger volume of events; however, it is a little complex to set up and requires relevant CrowdStrike configurations.

Before you configure the CrowdStrike Falcon connector you must complete the following prerequisites:

  • Ensure that the https://*.crowdstrike.com service is open for communication with the SkyFormation Cloud Connector platform.
  • Make sure that you have the Admin privileges for Falcon platform and paid membership for Falcon Insight and Falcon Prevent products.
  • Obtain cloud endpoint API gateway by contacting CrowdStrike support.
    Note: CrowdStrike assigns a cloud endpoint also called API gateway to each API client. For example: https://api.crowdstrike.com or https://api.us-2.crowdstrike.com. Contact CrowdStrike support to obtain the API gateway assigned to your API client. 
  • Obtain client ID and client secret for the OAuth2 authentication method if you want to use streaming API.
  • Obtain Access Key, Access Secret, SQS region and SQS URL if you want to use FDR.

Obtaining the Client ID and Client Secret for Streaming API

CrowdStrike APIs are authenticated via application keys. You must obtain the client ID and client secret to use while configuring the CrowdStrike connector.

To obtain an application key:

  1. Log in to the CrowdStrike console as an administrator.
  2. In the left pane, navigate to Support > API Clients and Keys.
  3. In the upper right corner of the page that displays existing clients, click Add new API clients.
  4. In the Add new API client dialog box, specify a name and enter description for the new client that will need access to the detection API in read-only mode.
  5. In the API Scopes section, select Read access to Detection to define the required API capabilities.
  6. Click Save.
    A table displays the values for Client ID and Client Secret.

    Record these values represented by a string of letters and numbers, to use while configuring the CrowdStrike cloud connector.

  7. Click Done.

Obtain Access Key, Access Secret, SQS region, and SQS URL for FDR

Contact CrowdStrike support to request for a managed AWS S3 bucket for short term storage and an SQS for new file notifications. Obtain Access Key, Access Secret, SQS region, and SQS URL by contacting the CrowdStrike support team.

Configuring the CrowdStrike Cloud Connector

To configure the CrowdStrike connector to import data into the  SkyFormation Cloud Connector platform:

  1. Log in to the SkyFormation Cloud Connector platform with your registered credentials.
  2. Navigate to Settings > Accounts > Add Account.
  3. Click Select Service to Add, then select CrowdStrike from the list.
    Crowdstrike_connector.png
  4. In the Accounts section, enter the required information.
    Note: Required fields are indicated with a red bar.
      • Tenant – Select a tenant to attach to the connector if you are using a multi-tenant edition of Otherwise, select default.
      • Account Name – Specify a name for the CrowdStrike connector. For example, CrowdStrike corporate endpoint protection solution.
      • Description – Describe the CrowdStrike connector (optional). For example, CrowdStrike for endpoint protection, endpoint detection and response (EDR), and threat prevention.
      • Authentication Method – Use the default option oauth2.
      • Client-ID – Enter the client ID that you obtained while completing prerequisites.
      • Client-Secret – Enter the client secret that you obtained while completing prerequisites.
      • Cloud Endpoint – Enter the API gateway URL that you obtained while completing prerequisites. For example: https://api.crowdstrike.com or https://api.us-2.crowdstrike.com.
        Note: If you want to use FDR, enter the values in the Endpoint Endpoint-FDR section for Access Key, Access Secret, SQS region, and SQS URL that you obtained while completing prerequisites.
  1. Click Test Connection to confirm that SkyFormation Cloud Connector platform can communicate with CrowdStrike.
  2. Click DONE.
  3. The CrowdStrike connector is now set up and connected to the  SkyFormation Cloud Connector platform to collect data.

Troubleshooting

Problem: The FDR item explorer endpoint gave the following error.

ERROR

AmazonSQSException: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method.

Solution: Receiving the error message indicates that the credentials you entered are incorrect. To verify if the credentials containing the secret and access key in the cloud connector UI are correct, read the message from the SQS queue using the AWS CLI docker container.

  1. Run the command: docker run --rm -it -v ~/.aws:/root/.aws amazon/aws-cli configure
  2. Enter the access key and the secret key when prompted.
  3. Run the command: docker run --rm -it -v ~/.aws:/root/.aws amazon/aws-cli sqs receive-message -queue-url <url> --region <region> (Replace <url> and <region> with real values.)

After running this command, the SQS message appears. Receiving the SQS message indicates that the credentials you entered are correct. If you receive an error message, check the credentials that you entered.

If you have received the SQS message via AWS CLI container, and you still see the error message on the cloud connector UI, check the credentials you entered. Ensure that you enter the correct credentials without typos and white spaces while configuring the cloud connector.

Problem: Events are not pulled using FDR after configuring the connector.

Solution: Ensure that the FDR explorer endpoint is active because the FDR endpoint depends on the FDR item explorer endpoint.

Problem: You receive an HTTP error 403 from the connector for streaming API.

Solution: The HTTP error occurs if the streaming API is not enabled. Contact CrowdStrike support to enable the streaming API.

Related articles

Comments

0 comments

Please sign in to leave a comment.