Incydr Flow: CrowdStrike USB containment

Updated

Overview

This article explains how to configure the Incydr Flow for CrowdStrike USB containment, which enables you to add devices to a CrowdStrike USB blocking host group from within Incydr. Specifically, the CrowdStrike USB containment flow:

  • Automatically creates a CrowdStrike host group and policy to restrict USB access
  • Automatically creates an Incydr watchlist
  • Adds users to the Incydr watchlist and adds devices the CrowdStrike host group

The steps below cover how to create API clients in both CrowdStrike and Incydr, configure the Flow in the Incydr console, and manually execute the Flow from an Incydr alert.

Considerations

  • You must be licensed for the CrowdStrike USB Flow to complete the steps below. Contact your Customer Success Manager (CSM) if you have questions about licensing.

Step 1: CrowdStrike configuration

Work with your CrowdStrike administrator to complete the following steps:

Create an API client in CrowdStrike

  1. Create an API client in CrowdStrike with the following permissions:
    • Host (Read/Write)
    • Host Groups (Read/Write)
    • User Management (Read)
  2. Save the API client credentials (Token ID and Secret) in a secure location for future reference.
    • These credentials are required to initially enable the Flow in the Incydr console, as well as to update settings after the initial setup.
  3. Note your CrowdStrike Base URL, which will be needed during the Incydr configuration.

For detailed instructions on creating an API client in CrowdStrike, refer to the CrowdStrike OAuth2 API Guide (requires authentication).

Step 2: Incydr configuration

Create an API client in Incydr

Create a new Incydr API client:

  1. Sign in to the Incydr console.
  2. Go to Administration > Integrations > API Clients.
  3. Select Create new API Client.
  4. Enter a name specific to this Flow (for example, "CrowdStrike USB containment").
  5. Add these permissions:
    • Device - Read
    • User - Read
    • Detection Lists - Read and Write
  6. Click Save.
  7. Save the Client ID, Secret, and Base URL in a secure location for future reference.
    The Incydr API client credentials are required to initially enable the Flow in the Incydr console, as well as to update settings after the initial setup.

Incydr Flow setup

  1. In the Incydr console, go to Administration > Integrations > Incydr Flows.
  2. From the list of Flows, select the CrowdStrike USB Flow.
  3. Complete these fields:
    • CrowdStrike API client ID: Enter the CrowdStrike API token ID obtained above in step 1.
    • CrowdStrike API secret: Enter the CrowdStrike API secret obtained above in step 1.
    • CrowdStrike Base URL: Enter the CrowdStrike Base URL obtained above in step 1.
    • Select the Enforcement Mode for the CrowdStrike policy:
      • Monitor only: Records USB device usage without blocking 
      • Monitor and enforce: Actively blocks unauthorized USB devices according to policy
    • Select the End user notification setting for the CrowdStrike policy:
      • Silent: Blocks USB devices without user notification
      • Notify user: Displays a notification when a USB device is blocked
    • Code42 API client ID: Enter the Incydr API Client ID obtained in step 2 above.
    • Code42 API client secret: Enter the Incydr API secret obtained in step 2 above.
    • Code42 base URL: Enter the Incydr Base URL obtained in step 2 above. You can also obtain the Base URL by identifying the URL for your Incydr cloud environment.
  4. Click Submit.

Configuration results

Upon completing the setup in both Incydr and CrowdStrike, the following items are created automatically:

  • A host group in CrowdStrike named “Code42 USB Blocking Group.”
  • A policy in CrowdStrike named “Code42 - USB Device Control Policy.” The policy is configured according to the values selected above during the Incydr Flow setup.
  • A watchlist in Incydr named “CrowdStrike USB Blocking Group.”

Upon executing the flow (see next section), the CrowdStrike USB policy is applied to the user's devices, and the user is added to the Incydr watchlist.

Execute the Flow

To restrict USB access via CrowdStrike from within Incydr:

  1. Sign in to the Incydr console as a user with either the Customer Cloud Admin or Insider Risk Respond role.
  2. Go to Alerts > Review Alerts.
  3. Select an alert. 
    The Alert details appear.
  4. Click the Actions menu. From the Incydr Flows section, select Restrict User's USB Access | CrowdStrike.
    The CrowdStrike USB policy is applied to the user's endpoints, and the user is added to the Incydr watchlist.
  5. To resume USB access for the user's endpoints, you must lift the containment from within Crowdstrike. Access cannot be restored from within Incydr.

Select Crowdstrike USB Flow from Alert details action menu

Related topics

Was this article helpful?
0 out of 0 found this helpful

Comments

0 comments

Please sign in to leave a comment.