CrowdStrike Integration Cloud Gateway

This guide describes what needs to be done to make use of the Human Risk CrowdStrike Integration for the Email Security Cloud Gateway (CG) Platform. 

Overview

Integrating CrowdStrike data with Mimecast's Human Risk platform enhances security insights and refines human risk scores. The integration periodically reads endpoint protection alerts and incidents from CrowdStrike via API and forwards them to the Human Risk Platform, which associates each event with a user. If an event cannot be associated with a user, it is discarded. If the behavior is determined to have been taken by the user, that user's malware behavior score is updated; otherwise, the event counts against their Attack Factor.

Malware data from CrowdStrike will be pulled from the point of integration onwards. Historical data will not be included.

Prerequisites 

  • CrowdStrike Falcon EDR subscription.
  • Mimecast Human Risk Command Center.
  • Mimecast Administrator Account. 

Permissions

The following permissions are required for this integration:

  • You will need to grant Read and Write permissions to users holding one of the following roles:
      • Global Sys Admin
      • Sys Admin - SD Full
      • Super Administrator
      • Full Administrator
      • Basic Administrator
      • Partner Administrator
      • Custom Role with Integrations Marketplace (Read/Write permissions must be enabled)

Configuration

The integration is configured first in the CrowdStrike console and then in the Mimecast Integrations Hub. To do this, follow the steps below:

  1. Log in to CrowdStrike and navigate to Support and resources | API clients.
  2. Select Create API client.
  3. Grant Read permissions for Alerts and Incidents.

[Screenshot: CrowdStrike API client configuration]

  4. Store your Client ID and Secret, which will be required at a later stage in the process. Also note the Base URL.
  5. Verify that the Alerts and Incidents permissions in CrowdStrike are set to Read.
  6. Log in to the Mimecast Administration Console, and navigate to the Integrations Hub.

[Screenshot: Integrations Hub navigation]

  7. From the available Integrations, select CrowdStrike Falcon Insight EDR.
  8. Complete the Details section. Note that the Description is optional.
  9. Enter the Client ID and Client Secret noted in step 4, and select the Base URL corresponding to your geographical location.
  10. Specify how Incidents should be managed by choosing one of the options below:

This configuration is crucial in determining if an alert is a True Positive. Only alerts labeled True Positive in the CrowdStrike console (or alerts associated with an Incident marked as such) will be included in the Human Risk Score.

  11. Select Save to complete the integration process.
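The event-handling rules described in the Overview and in the note on True Positives above can be modelled as a small filter, which is useful when checking which CrowdStrike events will actually reach a user's risk score. The following is an added Python example, not Mimecast or CrowdStrike code; the record fields (user, true_positive, incident_id, user_initiated), the sample alerts and the scope listing are constructed for the illustration and do not reflect the Falcon API schema. The last function compares an API client's granted scopes with the read-only Alerts and Incidents access that steps 3 and 5 ask for.

```python
"""Model of the alert-handling rules in this guide (added example, not vendor code).

Field names and sample records are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Alert:
    alert_id: str
    user: Optional[str]          # user the event could be associated with, if any
    true_positive: bool          # labelled True Positive in the CrowdStrike console
    incident_id: Optional[str]   # linked Incident, if any
    user_initiated: bool         # behaviour determined to have been taken by the user


def is_counted(alert: Alert, incident_true_positive: Dict[str, bool]) -> bool:
    """Return True if the alert contributes to the Human Risk Score.

    Rules from the guide: no associated user -> discarded; otherwise counted
    only if the alert itself, or its linked Incident, is marked True Positive.
    """
    if alert.user is None:
        return False
    if alert.true_positive:
        return True
    if alert.incident_id is not None:
        return incident_true_positive.get(alert.incident_id, False)
    return False


def score_alerts(alerts: List[Alert],
                 incident_true_positive: Dict[str, bool]) -> Dict[str, Dict[str, int]]:
    """Bucket counted alerts per user: user-initiated behaviour updates the
    malware behaviour score, anything else counts against the Attack Factor."""
    scores: Dict[str, Dict[str, int]] = {}
    for alert in alerts:
        if not is_counted(alert, incident_true_positive):
            continue
        bucket = scores.setdefault(alert.user, {"malware_behavior": 0, "attack_factor": 0})
        key = "malware_behavior" if alert.user_initiated else "attack_factor"
        bucket[key] += 1
    return scores


# Least-privilege baseline from steps 3 and 5: Read on Alerts and Incidents only.
REQUIRED_SCOPES: Dict[str, Set[str]] = {"Alerts": {"Read"}, "Incidents": {"Read"}}


def excess_scopes(granted: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Return any scope grants beyond the read-only baseline, so an over-privileged
    API client can be spotted before its secret is entered in the Integrations Hub."""
    excess: Dict[str, Set[str]] = {}
    for scope, levels in granted.items():
        extra = levels - REQUIRED_SCOPES.get(scope, set())
        if extra:
            excess[scope] = extra
    return excess


# Constructed sample data (not real alert or incident identifiers).
SAMPLE_ALERTS = [
    Alert("a1", "alice", True, None, True),      # TP, user-initiated -> malware_behavior
    Alert("a2", "alice", False, "inc-1", False), # linked Incident is TP -> attack_factor
    Alert("a3", None, True, None, False),        # no user -> discarded
    Alert("a4", "bob", False, "inc-2", False),   # Incident not TP -> not counted
    Alert("a5", "bob", False, None, True),       # not TP, no Incident -> not counted
    Alert("a6", "bob", True, None, False),       # TP, not user-initiated -> attack_factor
]
SAMPLE_INCIDENTS = {"inc-1": True, "inc-2": False}
SAMPLE_GRANTED = {"Alerts": {"Read"}, "Incidents": {"Read", "Write"}, "Hosts": {"Read"}}

if __name__ == "__main__":
    print(score_alerts(SAMPLE_ALERTS, SAMPLE_INCIDENTS))
    print("scopes beyond baseline:", excess_scopes(SAMPLE_GRANTED))
```

Running the sample shows that only three of the six constructed alerts are counted: the userless alert and the two alerts without a True Positive label (directly or via their Incident) never affect a score, which is the behaviour the Overview describes. The scope check flags the Write grant on Incidents and the unrelated Hosts scope as exceeding what the integration needs.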
