Description
CrowdStrike Falcon provides endpoint detection and response (EDR) capabilities that give continuous, comprehensive, real-time visibility into what is happening on your endpoints. In addition, Falcon can isolate endpoints through a feature called Network Containment, which enables organizations to take swift action by cutting a potentially compromised host off from all network activity. A contained endpoint cannot communicate with other systems, which prevents an attacker from using it for lateral movement. Contained endpoints can still send and receive information from the CrowdStrike cloud, and the endpoint remains contained even if the connection to the cloud is severed or the endpoint is rebooted.
By integrating with the ExtraHop system, users can automatically contain endpoints that appear as offenders in ExtraHop detections meeting configured conditions and risk thresholds. The details of every network containment are stored within the ExtraHop system for further analysis and auditing. In addition, the integration tracks the high-risk offender devices on which no CrowdStrike sensor was found and which therefore could not be contained.
The following figures show an example of a detection found by the Reveal(x) system that resulted in the offending endpoint being contained through CrowdStrike Falcon.
Figure 1. ExtraHop dashboard for CrowdStrike Network Containment
Figure 2. ExtraHop record entry for a successful CrowdStrike Network Containment event
Figure 3. CrowdStrike host successfully contained in the CrowdStrike Falcon UI
Bundle Contents
(1) Application
- CrowdStrike Containment
(1) Dashboard
- CrowdStrike Containment
(1) Record Format
- CrowdStrike Containment
(1) Trigger
- CrowdStrike Network Containment
Requirements
You must have an ExtraHop Discover or Command appliance running version 8.0 or later, and a user account that has Unlimited privileges.
You must have the CrowdStrike Falcon module and a Falcon user account that has the Falcon Administrator role, which is required to create API clients.
Installation Instructions
Configure CrowdStrike
Log into CrowdStrike Falcon and create an API client with only the following API scopes enabled (Hosts: Read is needed to look up the offender's sensor, Hosts: Write to contain it; no other scope is required):
Hosts: Read
Hosts: Write
Store your API client ID and secret somewhere safe, such as a secrets manager. Falcon shows the secret only once, when the client is created.
Note: You need your API client ID and secret when configuring the ExtraHop Open Data Stream (ODS) target.
Configure ExtraHop Reveal(x)
Install the bundle
Download the bundle from this page and install it. When installing the bundle on a Command appliance, select the option to install the bundle on all of the connected Discover appliances that should participate in this integration.
Configure ODS targets
When installing this bundle on a Command appliance, configure the open data stream (ODS) targets on each connected Discover appliance that the bundle was installed on.
Log into the Admin UI on the Discover appliance.
Configure an HTTP target for an open data stream with the following parameters:
In the Name field, type crowdstrike.
In the Host field, type api.crowdstrike.com.
- Note: This host varies with the Falcon cloud environment (US-1, US-2, US-GOV-1, EU-1). Visit the Falcon API Overview for the hostname of your environment.
In the Port field, type 443.
From the Type drop-down list, select HTTPS.
From the Authentication drop-down list, select CrowdStrike.
- Note: This authentication option requires ExtraHop version 8.0 or later.
In the Client ID field, enter the value of the CrowdStrike API Client ID that you generated previously.
In the Client Secret field, enter the value of the CrowdStrike API Client Secret that you generated previously.
From the Method drop-down list, select GET.
In the Options field, enter the following:
{
"path": "/devices/queries/devices/v1?limit=1",
"headers": { "Accept": ["application/json"] }
}
The completed form should look similar to the following figure.
Configure the trigger
In the Web UI on the Command or Discover appliance where you installed the bundle, click the System Settings icon, and then click Triggers.
In the list of triggers, click CrowdStrike Network Containment.
In the right pane, click Edit Trigger Script.
In the left pane in the Options section, select the Enable trigger checkbox.
(Optional) Customize the detection risk score threshold by setting RISK_THRESHOLD to the minimum risk score that results in containment.
(Optional) Filter which detections automatically result in containment by adding specific detection types to the DETECTION_TYPES array. By default all detections are included; once at least one detection type is listed, only detections of the listed types result in containment.
Click Save, then click Done.
Note: The CrowdStrike Network Containment trigger does not accept assignments.
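As an added example (not the bundle's trigger script and not the ExtraHop trigger API), the following standalone JavaScript models the decision the trigger makes for each detection: apply RISK_THRESHOLD and DETECTION_TYPES, resolve the offender to a Falcon agent ID (AID), and either build the containment request or record that no sensor was found. The detection field names (riskScore, type, offenderIp), the sensor inventory, the default threshold of 80 and the detection type names are assumptions constructed for the example; the two Falcon paths are the public Hosts API endpoints covered by the Hosts: Read and Hosts: Write scopes.

```javascript
// Added example: a standalone model of the containment decision. Not the bundle's
// trigger code and not ExtraHop's trigger API; detection field names, inventory,
// threshold default and detection type names below are assumptions.

const RISK_THRESHOLD = 80;   // assumed default: minimum risk score that results in containment
const DETECTION_TYPES = [];  // empty array means every detection type qualifies

// Constructed inventory standing in for a Hosts: Read lookup, i.e.
// GET /devices/queries/devices/v1?filter=local_ip:'<ip>' returning the sensor's AID.
const SENSOR_INVENTORY = {
  '10.1.20.15': 'e8a2f0c4d1b34567890abcdef1234567',
  '10.1.20.16': '0f1e2d3c4b5a69788796a5b4c3d2e1f0',
};

// A detection qualifies when its risk score meets the threshold and, if a type
// filter is configured, its type is one of the listed types.
function shouldContain(detection, threshold = RISK_THRESHOLD, types = DETECTION_TYPES) {
  if (typeof detection.riskScore !== 'number' || detection.riskScore < threshold) {
    return false;
  }
  if (types.length > 0 && !types.includes(detection.type)) {
    return false;
  }
  return true;
}

function lookupAid(ip, inventory = SENSOR_INVENTORY) {
  return Object.prototype.hasOwnProperty.call(inventory, ip) ? inventory[ip] : null;
}

// The Hosts: Write call that isolates a host. Hosts: Read alone is enough for the
// lookup above; the API client needs Hosts: Write only for this request.
function buildContainRequest(aid) {
  return {
    method: 'POST',
    path: '/devices/entities/devices-actions/v2?action_name=contain',
    headers: { 'Content-Type': ['application/json'], Accept: ['application/json'] },
    body: JSON.stringify({ ids: [aid] }),
  };
}

// Process one detection and return a record of what happened, which is the kind
// of entry the bundle stores for analysis and auditing. Offenders without a
// sensor are reported as such rather than silently dropped.
function processDetection(detection, opts = {}) {
  const {
    threshold = RISK_THRESHOLD,
    types = DETECTION_TYPES,
    inventory = SENSOR_INVENTORY,
  } = opts;
  const base = { ip: detection.offenderIp, type: detection.type, riskScore: detection.riskScore };
  if (!shouldContain(detection, threshold, types)) {
    return { ...base, action: 'skipped' };
  }
  const aid = lookupAid(detection.offenderIp, inventory);
  if (aid === null) {
    return { ...base, action: 'sensor_not_found' };
  }
  return { ...base, action: 'contain', aid, request: buildContainRequest(aid) };
}

// Constructed sample detections exercising each branch.
const SAMPLE_DETECTIONS = [
  { offenderIp: '10.1.20.15', type: 'ransomware_activity', riskScore: 95 }, // contained
  { offenderIp: '10.1.20.16', type: 'port_scan', riskScore: 40 },           // below threshold
  { offenderIp: '10.1.20.99', type: 'lateral_movement', riskScore: 88 },    // no sensor on host
];

function runSamples(opts) {
  return SAMPLE_DETECTIONS.map((d) => processDetection(d, opts));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runSamples(), null, 2));
}
```

Run it with `node` to see the three outcomes. In the real trigger the `contain` request goes out through the ODS target named crowdstrike rather than being returned, and the `sensor_not_found` records correspond to the high-risk offenders the dashboard lists as not containable. Passing `{ types: ['lateral_movement'] }` shows the DETECTION_TYPES behaviour: once a type is listed, the ransomware detection is skipped even though its score is above the threshold.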