CrowdStrike Integration Cloud Integrated

This guide describes what needs to be done to make use of the Human Risk CrowdStrike Integration within the Email Security Cloud Integrated (CI) Platform. 

Overview

The integration periodically reads endpoint protection alerts and incidents from CrowdStrike via API. These are forwarded to the Human Risk Platform, which associates each event with a user. If we can’t associate an event with a user, the event will be discarded. If we determine the behavior to have been taken by the user, we update the malware behavior score for that user; otherwise, it will count against their Attack Factor.

Malware data from CrowdStrike will be pulled from the point of integration onwards. Historical data will not be included.

Prerequisites 

  • CrowdStrike Falcon EDR subscription.
  • Mimecast Engage subscription.
  • Mimecast Administrator Account. 

Permissions

The following permissions are required for this integration:

  • The following roles must be granted read-write access:

    • csp:super-admin

    • csp:full-admin

    • csp:basic-admin

    • csp:helpdesk-admin

    • csp:mimecastsupport-admin

    • csp:partner-admin

  • The following roles must be granted read-only access (get, list, search only):

    • csp:readonly-admin

    • csp:mimecastreadonly-admin

Configuration

The integration is configured first in the CrowdStrike console (where the API client is created) and then in the Integration Marketplace of the Mimecast Email Security Cloud Integrated Dashboard. To do this, follow the steps below:

  1. Log in to CrowdStrike and navigate to Support and resources | API clients.
  2. Select Create API client.
  3. Store your Client ID and Secret, which will be required at a later stage in the process. Also, note the Base URL.
  4. Verify that the Alerts and Incidents permissions in CrowdStrike are set to Read.
  5. Log in to the Mimecast Email Security Cloud Integrated Dashboard, and navigate to Integrations | Marketplace.
  6. From the available Integrations, select CrowdStrike Falcon Insight EDR.
  7. Complete the Details section. Note that the Description is optional.
  8. Enter the Client ID and Client Secret noted in step 3, and select the Base URL corresponding to your geographical location.
  9. Specify how Incidents should be managed by choosing one of the options below:

This configuration is crucial in determining if an alert is a True Positive. Only alerts labeled True Positive in the CrowdStrike console (or alerts associated with an Incident marked as such) will be included in the Human Risk Score.

  10. Select Save to complete the integration process.
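The two points a practitioner would want to check before and after completing these steps are that the API client really is read-only for Alerts and Incidents (step 4), and that only events which are user-attributable and labelled True Positive (directly or via their Incident) reach the risk score, as the Overview and the note above describe. The following is an added illustration of both rules, not code from Mimecast or CrowdStrike: the scope names, the alert fields and the sample alerts are constructed assumptions, and the real CrowdStrike API payloads and the Human Risk Platform's scoring are not shown here.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Assumed scope names for the two permissions the guide says must be Read.
# The real CrowdStrike scope identifiers may differ; these are placeholders.
REQUIRED_READ_SCOPES = {"alerts", "incidents"}


def check_api_client_scopes(granted: Dict[str, str]) -> List[str]:
    """Return a sorted list of least-privilege problems for an API client.

    `granted` maps scope name -> access level ("read" or "write").
    A correctly configured client yields an empty list.
    """
    problems = []
    for scope in sorted(REQUIRED_READ_SCOPES):
        if scope not in granted:
            problems.append(f"missing read access for {scope}")
        elif granted[scope] != "read":
            problems.append(f"{scope} granted '{granted[scope]}', expected read-only")
    for scope in sorted(granted):
        if scope not in REQUIRED_READ_SCOPES:
            problems.append(f"unneeded scope {scope}")
    return sorted(problems)


@dataclass
class Alert:
    """Constructed, simplified view of an endpoint alert (not the real API schema)."""
    alert_id: str
    hostname: str
    username: Optional[str]      # user recorded on the alert, if any
    tag: str                     # console disposition: true_positive / false_positive / untagged
    incident_id: Optional[str]   # incident the alert belongs to, if any
    user_initiated: bool         # assumed flag: the user carried out the behaviour


def process_alerts(alerts: List[Alert],
                   true_positive_incidents: Set[str],
                   host_to_user: Dict[str, str]) -> Dict[str, object]:
    """Apply the guide's rules to a batch of alerts.

    - An alert with no attributable user is discarded.
    - Only alerts tagged True Positive, or belonging to a True Positive incident, count.
    - User-initiated behaviour counts toward the malware behaviour score;
      everything else counts against the user's Attack Factor.
    """
    malware_behavior: Dict[str, int] = {}
    attack_factor: Dict[str, int] = {}
    discarded: List[Tuple[str, str]] = []

    for a in alerts:
        user = a.username or host_to_user.get(a.hostname)
        if user is None:
            discarded.append((a.alert_id, "no user"))
            continue
        is_true_positive = (a.tag == "true_positive"
                            or a.incident_id in true_positive_incidents)
        if not is_true_positive:
            discarded.append((a.alert_id, "not true positive"))
            continue
        bucket = malware_behavior if a.user_initiated else attack_factor
        bucket[user] = bucket.get(user, 0) + 1

    return {"malware_behavior": malware_behavior,
            "attack_factor": attack_factor,
            "discarded": discarded}


# Constructed sample batch covering each branch of the rules above.
SAMPLE_ALERTS = [
    Alert("a1", "WS-01", "alice", "true_positive", None, True),
    Alert("a2", "WS-02", None, "untagged", "INC-7", False),   # user comes from host mapping
    Alert("a3", "WS-99", None, "true_positive", None, False), # host not mapped to a user
    Alert("a4", "WS-03", "carol", "false_positive", None, True),
    Alert("a5", "WS-01", "alice", "untagged", "INC-9", True), # incident not marked TP
]
SAMPLE_TP_INCIDENTS = {"INC-7"}
SAMPLE_HOST_TO_USER = {"WS-01": "alice", "WS-02": "bob", "WS-03": "carol"}


def demo() -> Dict[str, object]:
    """Run the sample batch; used by the stand-alone invocation below."""
    return process_alerts(SAMPLE_ALERTS, SAMPLE_TP_INCIDENTS, SAMPLE_HOST_TO_USER)


if __name__ == "__main__":
    print(check_api_client_scopes({"alerts": "read", "incidents": "write", "hosts": "read"}))
    print(demo())
```

The scope check is worth running against whatever the API client page shows before the Client Secret is copied anywhere: a client with write access to Incidents, or with scopes the integration never uses, widens the blast radius if that secret is ever exposed, while the integration itself only needs to read.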
