Start Demo

The Platform

For Security

For Cloud

For IT Ops

More

Start the Democaret-right

Contact Uscaret-right
caret-left Back

ExtraHop Reveal(x)

Cloud-native visibility, detection, and
response for the hybrid enterprise.

Reveal(x) 360

SaaS-based network detection
and response.

Learn More

How It Workscaret-right

Reveal(x) Enterprise

Self-managed network detection
and response.

Learn More

How It Workscaret-right
caret-left Back

For Security

Protect and scale your business with complete visibility, real-time threat detections, and intelligent response.

Learn More

Threat Detection and Response

Secure Decryption

Enterprise IoT Security

Secure Remote Access & Availability

Hygiene and Compliance

SecOps and NetOps Integration
caret-left Back

For Cloud

Secure rapid cloud adoption and maintain control of applications, workloads, and data in cloud or multi-cloud environments.

Learn More

Security for AWS

Security for Azure

Security for Google Cloud

Hybrid Security

Secure Remote Access & Availability

Shared Responsibility Assurance
caret-left Back

For IT Ops

Boost NOC/SOC collaboration and ensure availability and performance across your hybrid enterprise.

Learn More

Secure Remote Access & Availability

SecOps and NetOps Integration

Triage and Troubleshooting

Customer Experience Monitoring

Commercial Application Visibility

Monitoring Virtualization and SDN
caret-left Back

Customers

Partners

Resources

About Us

Blogcaret-right
caret-left Back

Customers

Customer resources, training,
case studies, and more.

Visit Customer Portal

Support

Professional Services

Training

Solution Bundles Gallery

Community Forums

caret-left Back

Partners

Partner resources and information about our channel and technology partners.

Visit Partner Portal

Channel Partner Program

Find a Technology Partner

Become a Partner

caret-left Back

Resources

Find white papers, reports, datasheets, and more by exploring our full resource archive.

All Resources

Customer Stories

Protocol Library

Documentation

Firmware

Training Videos

caret-left Back

About Us

See what sets ExtraHop apart, from our innovative approach to our corporate culture.

Learn More

The ExtraHop Difference

What Is Cloud-Native?

Careers

Newsroom

Upcoming Webinars and Events

Back Arrow Bundle Library

CrowdStrike Network Containment Integration

Supported Bundle

Description

CrowdStrike Falcon provides endpoint detection and response (EDR) capabilities that enable continuous and comprehensive visibility into what is happening on your endpoints in real time. In addition, Falcon can isolate endpoints through a feature called Network Containment. Network Containment enables organizations to take swift action by isolating potentially compromised hosts from all network activity. Affected endpoints are unable to communicate with outside systems or risk lateral movement. These contained endpoints can still send and receive information from the CrowdStrike cloud, but the endpoint remains contained even if the connection to the cloud is severed or the endpoint is rebooted.

By integrating with the ExtraHop system, users can automatically contain endpoints that meet certain conditions and thresholds found in ExtraHop detections. The details of every network containment are stored within the ExtraHop system for further analysis and auditing. In addition, the integration tracks the list of high risk offender devices where the CrowdStrike sensor was not found, and therefore the device could not be contained.

The following figures show an example of a detection found by the Reveal(x) system that resulted in the offending endpoint being confined through CrowdStrike Falcon.

ExtraHop dashboard for CrowdStrike Network Containment

Figure 1. ExtraHop dashboard for CrowdStrike Network Containment

ExtraHop record entry for a successful CrowdStrike Network Containment event

Figure 2. ExtraHop record entry for a successful CrowdStrike Network Containment event

CrowdStrike host successfully contained in the CrowdStrike Falcon UI

Figure 3. CrowdStrike host successfully contained in the CrowdStrike Falcon UI

Bundle Contents

  • (1) Application

    • CrowdStrike Containment

  • (1) Dashboard

    • CrowdStrike Containment

  • (1) Record Format

    • CrowdStrike Containment

  • (1) Trigger

    • CrowdStrike Network Containment

Requirements

  • You must have an ExtraHop Discover or Command appliance with version 8.0 or later and a user account that has Unlimited privileges

  • You must have the CrowdStrike Falcon module and a user account that has the Falcon Administrator role

Installation Instructions

Configure CrowdStrike

  1. Log into CrowdStrike Falcon and create an API Client with the following API scopes enabled:

    • Hosts: Read

    • Hosts: Write CrowdStrike completed API scope configuration

  2. Store your API client secret somewhere safe.

Note: You need your API client ID and secret when configuring the ExtraHop Open Data Stream (ODS) target.

Configure ExtraHop Reveal(x)

Install the bundle

When installing the bundle on a Command appliance, select the option to install the bundle on all of the connected Discover appliances that should participate in this integration.

  1. Download the bundle on this page.

  2. Upload and apply the bundle.

Configure ODS targets

When installing this bundle on a Command appliance, configure the open data stream (ODS) targets on each connected Discover appliance that the bundle was installed on.

  1. Log into the Admin UI on the Discover appliance.

  2. Configure an HTTP target for an open data stream with the following parameters:

    • In the Name field, type crowdstrike.

    • In the Host field, type api.crowdstrike.com.
      - Note: This host will vary depending on the Falcon cloud environment (US-1, US-2, US-GOV-1, EU-1). Visit the Falcon API Overview for more information.

    • In the Port field, type 443.

    • From the Type drop-down list, select HTTPS.

    • From the Authentication drop-down list, select CrowdStrike.

      i. Requires ExtraHop version 8.0 or later.

    • In the Client ID field, enter the value of the CrowdStrike API Client ID that you generated previously.

    • In the Client Secret field, enter the value of the CrowdStrike API Client Secret that you generated previously.

    • From the Method drop-down list, select GET.

    • In the Options field, enter the following:

{
    "path": "/devices/queries/devices/v1?limit=1",
    "headers": { "Accept": ["application/json"] }
}

The completed form should look similar to the following figure.

ExtraHop completed ODS target configuration

Configure the trigger

  1. In the Web UI on the Command or Discover appliance where you installed the bundle, click the System Settings icon Settings icon, and then click Triggers.

  2. In the list of triggers, click CrowdStrike Network Containment.

  3. In the right pane, click Edit Trigger Script.

  4. In the left pane in the Options section, select the Enable trigger checkbox.

  5. (Optional) Customize the detection risk score threshold by setting RISK_THRESHOLD to the desired minimum risk score that results in containment.

  6. (Optional) Filter which detections automatically result in containment by adding specific detection types to the DETECTION_TYPES array. By default all detections are included, unless at least one detection type is specified.

  7. Click Save, then click Done.

ExtraHop trigger configuration

Note: The CrowdStrike Network Containment trigger does not accept assignments.

+

ExtraHop uses cookies to improve your online experience. By using this website, you consent to the use of cookies. Learn More