The CrowdStrike Falcon Threat Share integration v2 shares malicious file hashes and domains between your Mimecast and CrowdStrike accounts, in both directions. Indicators that Mimecast detects in email are pushed to Falcon so the same threat can be caught if it reaches an endpoint, and indicators from Falcon can be used to block and remediate email in Mimecast. This guide describes how to integrate Mimecast with CrowdStrike Falcon.
Overview
When Mimecast’s Targeted Threat Protection inspects an email, threats identified as malicious attachments, phishing sender domains, or malicious URLs result in action being taken on the email (depending on the transmission direction). The integration also sends these indicators to CrowdStrike’s Falcon platform so the same threat can be identified if it arrives on an endpoint through another attack vector.
In addition to sending telemetry to CrowdStrike’s Falcon platform, Mimecast can receive telemetry from Falcon alerts and the IOC Management list. This telemetry can be used to block threats and remediate associated emails.
The integration has the following benefits:
- Provides an additional layer of security that protects your organization’s devices from threats first detected in email.
- Provides enhanced email threat detection efficacy through shared intelligence across the Mimecast Secure Email Gateway and CrowdStrike Endpoint Protection platforms.
- Exposes the threats and risks that your organization is facing today.
This integration can be accessed from the Human Risk Command Center, which is available to all Mimecast Email Security Cloud Gateway customers.
Details
Using with Attachment Protection
If an attachment has been analyzed by Attachment Protection and deemed malicious, the SHA256 hash of the file is loaded to CrowdStrike’s IOC Management list with a Detect or Prevent action, depending on configuration.
Using with Impersonation Protection
If Impersonation Protection identifies a phishing sender domain and the associated message action is to prevent delivery, the domain is shared to CrowdStrike’s IOC Management list with a Detect action.
Using with URL Protection
If a malicious URL is clicked in an inbound email, or an internal or outbound email contains a malicious URL in transit, the indicator is shared to CrowdStrike’s IOC Management list with a Detect action.
Blocking Indicators in Mimecast
Different indicators require different methods to block in Mimecast based on the indicator type.
File Hashes
To block file hashes in Mimecast, they are added to Bring Your Own Threat Intel (BYOTI) with a Block action. Every customer has a quota of 100,000 entries by default, which should be enough for this integration to function.
Domains
To block domains in Mimecast, a Blocked Sender Policy is created for each domain, using the domain as the Applies From scope.
CrowdStrike Falcon Actions and Severity
When sharing indicators with CrowdStrike, the action and severity levels can be set for each indicator type separately. This enables you to rate different types of indicators shared with CrowdStrike differently. For example, file hashes can be set for execution prevention at a high severity level, while phishing domains and URLs can be set for detection only with a medium severity. These settings will be unique to each organization and its security best practices.
Mimecast recommends starting with lower severity and lighter-touch actions for initial testing, then working up to the desired level for each indicator type. These settings can be changed at any time by editing the integration.
Considerations
Enabling either of the following settings:
- Send from Mimecast | Malicious Domains from Impersonation Protection.
- Send from Mimecast | Malicious URLs from URL Protection.
in combination with either of the following:
- Send to Mimecast | Domains from IOC Management List to Blocked Senders.
- Send to Mimecast | Domains from Alerts to Blocked Senders.
creates a loop: any domain flagged by Impersonation Protection or URL Protection is written to the IOC Management list, then read back and automatically added to your Blocked Senders list in Mimecast. Because these policies operate on whole domains, this frequently affects legitimate shared domains such as gmail.com or yahoo.com (a single phishing message sent from a free webmail account is enough to flag the provider’s domain). For this reason, it is recommended not to enable these settings simultaneously.
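The following script is an added example, not part of this page or of Mimecast’s or CrowdStrike’s own code. It shows the two points above in working code: the per-indicator-type action and severity mapping from the CrowdStrike Falcon Actions and Severity section (hashes as Prevent/High, domains as Detect/Medium), and a guard against shared webmail domains such as gmail.com that the Considerations section warns about. The input records are constructed Mimecast-style TTP hits; the output dictionaries are shaped after the IOC Management indicator fields (type, value, action, severity, platforms, source, applied_globally), and the shared-domain list is an assumption for illustration, not a Mimecast or Falcon setting.

```python
"""Build Falcon IOC Management indicators from Mimecast-style TTP hits.

Added example. The record format, the SHARED_DOMAINS guard list and the
exact payload field names are assumptions for illustration; check the Falcon
API reference before posting anything to a live tenant.
"""
import json
import re
from urllib.parse import urlsplit

# Per-indicator-type Falcon action and severity, mirroring the page's example:
# hashes get execution prevention at high severity, domains (from both
# Impersonation Protection and URL Protection) are detect-only at medium.
SHARE_POLICY = {
    "sha256": {"action": "prevent", "severity": "high"},
    "domain": {"action": "detect", "severity": "medium"},
}

# Assumed guard list: domains shared by many legitimate senders. A phishing
# message sent from a webmail account would otherwise put the provider's
# domain on the IOC list and, if domains are also synced back, on Blocked Senders.
SHARED_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalise_sha256(value):
    """Return a lowercase SHA256 hex digest, or None if the value is not one."""
    v = value.strip().lower()
    return v if SHA256_RE.match(v) else None


def normalise_domain(value):
    """Lowercase a domain, drop a trailing dot, reject malformed labels."""
    d = value.strip().lower().rstrip(".")
    labels = d.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(label) for label in labels):
        return None
    return d


def url_to_domain(url):
    """Reduce a URL Protection hit to its host, which is what ends up on the
    domain list (scheme, port and path are dropped)."""
    u = url.strip()
    parts = urlsplit(u if "://" in u else "http://" + u)
    return normalise_domain(parts.hostname or "")


def build_indicators(records, policy=SHARE_POLICY, shared=SHARED_DOMAINS):
    """Turn TTP records into deduplicated IOC indicator dicts.

    Returns (indicators, skipped); skipped holds (raw_value, reason) pairs for
    records that were malformed or hit the shared-domain guard."""
    indicators, skipped, seen = [], [], set()
    for rec in records:
        kind, raw = rec["type"], rec["value"]
        if kind == "sha256":
            value = normalise_sha256(raw)
        elif kind == "domain":
            value = normalise_domain(raw)
        elif kind == "url":
            kind, value = "domain", url_to_domain(raw)
        else:
            value = None
        if value is None:
            skipped.append((raw, "malformed or unsupported indicator"))
            continue
        if kind == "domain" and value in shared:
            skipped.append((raw, "shared infrastructure domain, not shared"))
            continue
        if (kind, value) in seen:  # same host seen via another URL or source
            continue
        seen.add((kind, value))
        indicators.append({
            "type": kind,
            "value": value,
            "action": policy[kind]["action"],
            "severity": policy[kind]["severity"],
            "platforms": ["windows", "mac", "linux"],
            "source": "Mimecast " + rec["source"],
            "applied_globally": True,
        })
    return indicators, skipped


def to_request_body(indicators, comment="Mimecast Threat Share example"):
    """Wrap indicators in the JSON body shape used for bulk indicator creation."""
    return json.dumps({"comment": comment, "indicators": indicators}, indent=2)


# Constructed sample hits: one valid hash, one junk hash, a look-alike sender
# domain (with trailing dot), a webmail sender domain, a URL on the same
# look-alike host, and a URL on a webmail domain.
SAMPLE_RECORDS = [
    {"source": "Attachment Protection", "type": "sha256", "value": "AB" * 32},
    {"source": "Attachment Protection", "type": "sha256", "value": "deadbeef"},
    {"source": "Impersonation Protection", "type": "domain", "value": "rnimecast-support.example."},
    {"source": "Impersonation Protection", "type": "domain", "value": "gmail.com"},
    {"source": "URL Protection", "type": "url", "value": "http://Rnimecast-Support.Example:8080/verify"},
    {"source": "URL Protection", "type": "url", "value": "https://yahoo.com/r/phish"},
]

if __name__ == "__main__":
    inds, skipped = build_indicators(SAMPLE_RECORDS)
    print(to_request_body(inds))
    for raw, reason in skipped:
        print("skipped", raw, "->", reason)
```

Run as a script, the sample produces two indicators (the hash as Prevent/High and rnimecast-support.example once as Detect/Medium, the URL hit having been folded into it) and three skipped records. The guard list is the part worth adapting: the integration itself has no such filter, so if domain sharing is enabled in both directions, a pre-filter like this, or a periodic review of the Blocked Senders policies the integration creates, is how a practitioner keeps a webmail provider from being blocked tenant-wide.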
Prerequisites
Before you attempt to integrate CrowdStrike Falcon, ensure that your Mimecast account has Targeted Threat Protection with:
- Attachment Protection pre-emptive sandbox or sandbox on demand options selected. See the Configuring Attachment Protection Definitions page for more information.
- Impersonation Protection domain similarity checks selected. See the Configuring Impersonation Protection Definitions page for more information.
- URL Protection Definitions configured. See Configuring URL Protection Definitions page for more information.
Configuring the Integration
To start sharing threats between Mimecast and CrowdStrike’s Falcon platform:
- Log in to the Mimecast Administration Console.
- Navigate to Integrations / Integration Hub.
- On the CrowdStrike Threat Share tile, select Configure New.
- Provide an Application Name to uniquely identify this instance of the integration.
This cannot be changed after saving.
- Provide a Description to describe this instance of the integration.
- Obtain CrowdStrike Falcon API keys:
- In a new window, navigate to the Falcon Console.
- Navigate to Support and Resources / API Clients and Keys.
- Select Create API client.
- Provide a Client name and Description to uniquely identify this set of API keys.
- Select the following scopes:
- IOC Management Read
- IOC Management Write
- Alerts Read
- Select Create.
- Store the provided Base URL, Client ID, and Client Secret securely. Together with the scopes above, these credentials grant write access to your IOC Management list, so treat the Client Secret like any other privileged credential.
- Navigate to the integration configuration page in Mimecast.
- Under the Activate section, provide the Base URL, Client ID, and Client Secret obtained from Falcon.
- Select a fetch duration for the initial run.
This is the historical period for which the integration looks back over TTP logs to share the initial set of indicators from Mimecast.
- Under the Send from Mimecast section, select the indicators that you wish to share with CrowdStrike:
- Malicious hashes from Attachment Protection, with the action and severity options that Mimecast will provide with each hash shared to CrowdStrike.
- Malicious URLs from URL Protection with the action and severity options that Mimecast will provide with each URL shared to CrowdStrike.
- Malicious Domains from Impersonation Protection with the action and severity options that Mimecast will provide with each domain shared to CrowdStrike.
- Under the Send to Mimecast section, select the types of indicators to receive from CrowdStrike and their associated remediation actions in Mimecast:
- File Hashes from IOC Management List to BYOTI: source file hashes added to the IOC Management list manually or by another integration. These are added to Bring Your Own Threat Intel, which is included with the Cloud Gateway offering.
- Domains from IOC Management List to Blocked Senders: source domains added to the IOC Management list manually or by another integration. These entries are added to an integration-specific Blocked Sender Profile Group with an associated Blocked Senders Policy; the group and policy are created by the integration.
- Domains from Alerts to Blocked Senders: source domains from Falcon alerts. A new Blocked Sender policy is created for each domain.
- Set Remediation options. Each of the following creates a Remediation incident if evidence of the indicator is present in your Mimecast account:
- File Hash Indicators.
- Domain Indicators.
- In the Notification Configuration section, add email addresses of recipients to receive a notification if the integration enters a permanent error state.
These addresses can be Distribution Lists or Distribution Groups, and they receive an alert when the integration requires manual intervention to return to a connected state, for example when the Falcon API keys are no longer valid.