This guide describes what needs to be done to make use of the Human Risk CrowdStrike Integration for the Email Security - MX Platform.
Overview
Integrating CrowdStrike data with Mimecast's Human Risk platform enhances security insights and refines human risk scores. The integration periodically reads endpoint protection alerts and Cases from CrowdStrike via API.
These are forwarded to the Human Risk Platform, which associates each event with a user. If we can't associate an event with a user, the event will be discarded. If we determine the behavior to have been taken by the user, we update the malware behavior score for that user; otherwise, it will count against their Attack Factor.
Malware data from CrowdStrike will be pulled from the point of integration onwards. Historical data will not be included.
Action Required
As part of CrowdStrike's ongoing platform updates, the CrowdScore incidents endpoint and XDR incidents have been deprecated and are no longer available. If your CrowdStrike integration in the Mimecast Human Risk Command Center (HRCC) was previously configured for anything other than “We don’t use CrowdStrike incidents”, your integration is currently inactive and risk scoring for CrowdStrike activity has been interrupted.
What you need to do
Navigate to your CrowdStrike integration in the HRCC marketplace and update your configuration by selecting "We utilize Cases" or "We do not utilize Cases". This will switch your integration to use CrowdStrike Alerts and Cases, restoring risk signal ingestion and ensuring your users' risk scores continue to reflect CrowdStrike activity.
Prerequisites
- CrowdStrike Falcon EDR subscription.
- Mimecast Human Risk Command Center.
- Mimecast Administrator Account.
Permissions
The following permissions are required for this integration:
- You will need to grant the following users Read and Write permissions:
  - Global Sys Admin.
  - Sys Admin - SD Full.
  - Super Administrator.
  - Full Administrator.
  - Basic Administrator.
  - Partner Administrator.
  - Custom Role with Integrations Marketplace (Read/Write permissions must be enabled).
- You must grant Read access to Cases in your CrowdStrike API client.
Configuration
The integration is configured in the CrowdStrike Console, and then the Integrations Hub. To do this, follow the steps below:
- Log in to CrowdStrike and navigate to Support and resources | API clients.
- Select Create API client.
- Grant Read permissions for Alerts and Cases.
- Store your Client ID and Secret, which will be required at a later stage in the process. Also note the Base URL.
- Configure your API Client settings:
  - Verify that the Alerts and Cases permissions in CrowdStrike are set to Read.
  - If you are updating your API Client settings, add the Cases permission to your existing API client:
    - Navigate to https://falcon.crowdstrike.com/api-clients-and-keys/.
    - Click the ellipsis "..." next to the API client used with Mimecast and select Edit API Client.
    - Search for Cases and grant Read access.
- Log in to the Mimecast Administration Console, and navigate to the Integrations Hub.
- From the available Integrations, select CrowdStrike Falcon Insight EDR.
- Complete the Details section. Note that the Description is optional.
- Enter the Client ID and Client Secret noted in step 3, and select the Base URL corresponding to your geographical location.
- In Incident Management, specify how Alerts and Cases should be managed by choosing one of the options below:
  - We utilize Cases.
  - We do not utilize Cases.
  Cases can be created from unified detections, threat events, or manually; they don't require a detection or threat event to exist.
  This configuration is crucial in determining if an alert is a True Positive. Only alerts labeled True Positive in the CrowdStrike console (or alerts associated with an Incident marked as such) will be included in the Human Risk Score. To ensure accurate risk scoring, we recommend tagging closed Cases with true_positive or false_positive before closing.
- Select Save to complete the integration process.
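As an added example (not Mimecast's or CrowdStrike's code), the following Python models the eligibility rules described in the Overview and the Incident Management notes: events that can't be associated with a user are discarded, only alerts labelled True Positive (directly or via an associated Case) are scored, and user-initiated behaviour updates the malware behaviour score while anything else counts against the Attack Factor. The record fields, the host-to-user mapping and the sample alerts are assumptions constructed for the example.

```python
# Added example modelling the scoring-eligibility rules from this guide. Not Mimecast's
# or CrowdStrike's code; field names and the host-to-user mapping are assumptions.
from dataclasses import dataclass
from typing import Optional

TRUE_POSITIVE = "true_positive"

@dataclass
class Alert:
    alert_id: str
    hostname: str
    tag: Optional[str] = None       # assumed: analyst label set on the alert itself
    case_tag: Optional[str] = None  # assumed: tag on the associated Case, if any
    user_initiated: bool = False    # assumed: the behaviour was taken by the user

def is_true_positive(alert: Alert) -> bool:
    """An alert counts only if it, or its associated Case, is labelled true_positive."""
    return TRUE_POSITIVE in (alert.tag, alert.case_tag)

def score_alerts(alerts, host_to_user):
    """Discard alerts with no user association, keep only true positives, and route
    each remaining alert to the malware-behaviour score (user-initiated) or the
    Attack Factor (everything else). Returns (updates, discarded) as tuples."""
    updates, discarded = [], []
    for a in alerts:
        user = host_to_user.get(a.hostname)
        if user is None:
            discarded.append((a.alert_id, "no user association"))
            continue
        if not is_true_positive(a):
            discarded.append((a.alert_id, "not labelled true_positive"))
            continue
        bucket = "malware_behavior" if a.user_initiated else "attack_factor"
        updates.append((user, a.alert_id, bucket))
    return updates, discarded

# Constructed sample data (not real hosts or users)
HOST_TO_USER = {"LAPTOP-01": "alice@example.com", "LAPTOP-02": "bob@example.com"}
SAMPLE_ALERTS = [
    Alert("a1", "LAPTOP-01", tag="true_positive", user_initiated=True),  # user ran the file
    Alert("a2", "LAPTOP-02", case_tag="true_positive"),                  # confirmed via Case
    Alert("a3", "LAPTOP-02", tag="false_positive"),                      # analyst dismissed it
    Alert("a4", "SERVER-09", tag="true_positive"),                        # no user mapping
]

if __name__ == "__main__":
    for update in score_alerts(SAMPLE_ALERTS, HOST_TO_USER)[0]:
        print(update)
```

Running it shows a1 updating Alice's malware behaviour score and a2 counting against Bob's Attack Factor, while a3 (not a true positive) and a4 (no user mapping) are discarded.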