API & Integrations - Crowdstrike Falcon Integration

The CrowdStrike Falcon integration enables sharing of malicious file hashes between your Mimecast and CrowdStrike accounts. CrowdStrike Falcon then provides an additional layer of security on the endpoint against malicious activity that was first identified at the email front line. This guide describes how to integrate Mimecast with CrowdStrike Falcon.

Overview

Inbound emails are received by Mimecast and pass through the Mimecast inspection funnel, where a series of advanced security scanning techniques are applied to ensure emails are safe before they are delivered to the recipient. If Mimecast Targeted Threat Protection detects a threat in a scanned email, the key threat identifiers are shared with the CrowdStrike Falcon platform, and the flagged email is not delivered to the intended recipient.

Benefits

CrowdStrike Falcon has the following benefits:

  • The additional layer of security protects your organization's devices from threats detected via email.
  • Provides enhanced email threat detection efficacy through shared intelligence across the Mimecast Secure Email Gateway and CrowdStrike Endpoint Protection platforms.
  • Exposes the threats and risks that your organization is facing today.

Prerequisites

Before you attempt to integrate CrowdStrike Falcon, ensure the following prerequisite tasks are completed:

  • A Mimecast account must have Attachment Protection with the pre-emptive sandbox or sandbox on demand option selected. See the Configuring Attachment Protection Definitions page for more information.
  • If an attachment has been analyzed by Attachment Protection and deemed malicious, the SHA256 hash of the file is loaded into CrowdStrike's Custom IOC list with a 'detect' or 'prevent' policy action, depending on configuration. Indicator sync occurs within 10 minutes, and the indicator references Mimecast as the source.

Integration

To integrate Mimecast with CrowdStrike Falcon:

  1. Log in to the Mimecast Administration Console.
  2. Navigate to Integrations | API and Platform Integrations.
  3. Select the Integrations tab.
  4. Select Create an Integration.
  5. Select the CrowdStrike Falcon Threat Exchange menu item.
  6. Click on the Next button.
  7. Click on the CrowdStrike Falcon external link. This allows you to authenticate Mimecast with CrowdStrike by obtaining API keys from the Falcon platform.
  8. Log into the CrowdStrike Falcon platform and create an API client. For further assistance with using the CrowdStrike Falcon platform, see the CrowdStrike Falcon documentation.
    • Go to Support | API Clients and Keys.
    • Select Add new API client.
    • Enter a new client name and description.
    • Select Read and Write for IOC Manager APIs.
    • Select the Add button.
    • Copy the API Client Secret credentials.
  9. Navigate back to the Administration Console and paste your API Client Secret credentials.
  10. Click on the Verify button.
  11. Click on the Next button.
  12. Select the tick box to submit Malicious hashes.
  13. Select an action to be sent with these malicious hashes:
    • No action – Tell CrowdStrike not to act on the submitted indicator.
    • Prevent without Detection – Tell CrowdStrike to prevent execution of files matching the hash, without generating a Falcon detection.
    • Prevent – Tell CrowdStrike to prevent execution of files matching the hash, and also generate a Falcon detection.
    • Generate Detection – Tell CrowdStrike to generate a Falcon detection when a file matching the hash executes, without specifying an action to be taken.
  14. Click on the Next button.
  15. Enable the Inbound file hash options:
    • Import file hashes from CrowdStrike IOC Management List into Mimecast – Indicators of compromise with an action of prevent_no_ui, prevent, or detect are imported into Mimecast's Bring Your Own Threat Intel list as a block, which prevents Mimecast from delivering messages containing those hashes.
    • Remediate Messages – Mimecast removes any messages that contain a hash received from CrowdStrike, using Threat Remediation.
  16. Select Groups and Users to configure where event notifications are sent.
  17. Click on the Next button.
  18. Review the Summary page to ensure all details are correct; on completion the integration will be enabled.
  19. Click on the Finish button. The entry is displayed in the Integrations list.
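As an added illustration (not Mimecast or CrowdStrike code, and not something this page supplies), the following Python sketch models the two halves of the hash exchange configured above: the outbound record Mimecast submits for a sandbox-flagged attachment, with the wizard's four action choices mapped to IOC action values, the inbound filter that keeps only CrowdStrike IOCs with an action of prevent_no_ui, prevent or detect for import as block entries, and a check against the page's 10-minute sync window. The outbound field names (type, value, action, platforms, source, applied_globally) are assumed from the public CrowdStrike IOC Management API; the no_action value, the sample IOC list and all function names are constructed for the example.

```python
"""Model of the Mimecast <-> CrowdStrike Falcon hash exchange (added example)."""
import re
from datetime import datetime, timedelta

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

# Wizard choice -> IOC action value. prevent_no_ui, prevent and detect are
# named on the page; no_action is an assumed value for "No action".
UI_ACTION_TO_IOC_ACTION = {
    "No action": "no_action",
    "Prevent without Detection": "prevent_no_ui",
    "Prevent": "prevent",
    "Generate Detection": "detect",
}

# Only IOCs carrying one of these actions are imported by Mimecast as blocks.
IMPORTED_ACTIONS = {"prevent_no_ui", "prevent", "detect"}

# Sync window stated in the prerequisites.
SYNC_WINDOW = timedelta(minutes=10)


def normalise_sha256(value):
    """Return the lower-case hash, or raise if it is not a SHA256 hex digest.
    Normalising case keeps hash comparisons consistent regardless of how the
    sandbox or the IOC list happened to format the digest."""
    v = value.strip().lower()
    if not SHA256_RE.match(v):
        raise ValueError(f"not a SHA256 hex digest: {value!r}")
    return v


def build_outbound_indicator(sha256, ui_action, platforms=("windows", "mac", "linux")):
    """Build the custom IOC record Mimecast would submit for a malicious attachment.
    Field names follow the public CrowdStrike IOC Management API (assumption)."""
    return {
        "type": "sha256",
        "value": normalise_sha256(sha256),
        "action": UI_ACTION_TO_IOC_ACTION[ui_action],
        "platforms": list(platforms),
        "source": "Mimecast",        # the page: indicators reference Mimecast as source
        "applied_globally": True,
    }


def select_inbound_blocks(iocs):
    """Filter IOC Management entries down to the hashes Mimecast would import as blocks.
    allow/no_action entries, non-hash indicator types and malformed values are skipped."""
    blocks = []
    for ioc in iocs:
        if ioc.get("type") != "sha256" or ioc.get("action") not in IMPORTED_ACTIONS:
            continue
        try:
            blocks.append(normalise_sha256(ioc["value"]))
        except ValueError:
            continue                 # malformed hash: never import it as a block
    return blocks


def sync_overdue(submitted_at_iso, now_iso):
    """True if an indicator submitted at submitted_at has not appeared in Falcon
    within the 10-minute window; a trigger to check the integration's activity log."""
    submitted = datetime.fromisoformat(submitted_at_iso)
    now = datetime.fromisoformat(now_iso)
    return now - submitted > SYNC_WINDOW


# Constructed sample IOC list, not real indicators.
SAMPLE_CROWDSTRIKE_IOCS = [
    {"type": "sha256", "value": "A" * 64, "action": "prevent", "source": "SOC"},
    {"type": "sha256", "value": "b" * 64, "action": "allow", "source": "SOC"},
    {"type": "domain", "value": "example.invalid", "action": "detect", "source": "SOC"},
    {"type": "sha256", "value": "c" * 64, "action": "prevent_no_ui", "source": "Mimecast"},
    {"type": "sha256", "value": "not-a-hash", "action": "detect", "source": "SOC"},
]

if __name__ == "__main__":
    print(build_outbound_indicator("F" * 64, "Prevent without Detection"))
    print(select_inbound_blocks(SAMPLE_CROWDSTRIKE_IOCS))
    print(sync_overdue("2024-01-01T12:00:00+00:00", "2024-01-01T12:11:00+00:00"))
```

The inbound filter deliberately drops allow entries and non-hash indicator types: importing them as blocks would turn a CrowdStrike exception into a Mimecast delivery block, which is the opposite of what the Falcon analyst intended.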

Activity Logs

The activity logs for the integration are accessed via the View Activity Logs option in the three-dot context menu on the right-hand side of the API application.

To view the activity logs:

  1. Navigate to Integrations | API and Platform Integrations.
  2. Click on the Your Platform Integrations tab.
  3. Click the Three dots icon for an enabled integration.
  4. Select View Activity Logs.

Activity log data populates over time, because the integration only shares data for file hashes processed after the integration is configured.
