CrowdStrike Data Source
Integration with CrowdStrike as a Data Source will allow detection and incident signal from CrowdStrike EDR to be ingested into the Vectra AI Platform.
Applicability
Vectra has two different integrations with CrowdStrike:
This integration (the article you are reading), which brings detection and incident signal from CrowdStrike into the Vectra AI Platform. It must be configured separately from the existing integration and requires a Respond UX (RUX) deployment.
An existing integration that enables Lockdown and ingests data that helps Vectra's automated HostID name hosts more accurately. Please see the CrowdStrike EDR Integration FAQ for details about the existing integration. That integration works with both Respond UX (RUX) and Quadrant UX (QUX) deployments. If you are unsure of your deployment type, please see Vectra Analyst User Experiences (Respond vs Quadrant).
For maximum benefit, it is recommended to enable both integrations when possible.
Preparing for CrowdStrike Integration
Network Communications Requirements (Firewall Rules):
Permit outbound HTTPS (TCP 443) from the Vectra Brain FQDN or IP address to the CrowdStrike Base URL used for API access. The Base URL is displayed when you create the OAuth2 API credentials in the next section. Vectra integrates with the CrowdStrike Query and Streaming APIs, so no inbound rule toward the Brain is needed for this data source.
Obtain CrowdStrike Falcon OAuth2 Credentials:
Log into your CrowdStrike Falcon instance and click the Menu icon at the top left corner, then select Support and resources, and then select API clients and keys.

On the API clients and keys screen, ensure you are on the OAuth2 API clients tab, and click Create API client at the top right.

In the Create API client dialog box, give your client a Client name and optionally a Description.
Select only the following READ permissions from the scrollable window of permissions that define the Scope of this client. No Write scopes are needed for this data source, so leave them unchecked.
Alerts - Read
Detections - Read
Incidents - Read
Event streams - Read
When done, click Create at the bottom of the dialog box.

After clicking Create, your client will be created. Please record the Client ID and Secret and make note of the Base URL for your CrowdStrike deployment.
You will later input these values into the Vectra GUI as part of your CrowdStrike Data Source configuration.

Please note: this is the only time the secret is shown in the CrowdStrike UI. If you do not record it now, you must start over and create a new API client.
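Before entering the credentials into Vectra, it is worth confirming that the firewall rule above is in place and that the API client really carries the four Read scopes listed above, since a missing scope shows up later as silently absent alerts rather than as a configuration error. The following preflight script is an added example written for this article; it is not Vectra or CrowdStrike code. The cloud Base URLs, the /oauth2/token endpoint and the per-scope read-only endpoint paths are taken from CrowdStrike's public API reference and are assumptions here; confirm them against your tenant's API documentation. It reads the Client ID and Secret from environment variables so the secret never appears in a process listing or shell history.

```python
"""Preflight check for a CrowdStrike Falcon OAuth2 API client before it is
entered into the Vectra CrowdStrike Data Source connector (added example).

1. Check that this host can reach the CrowdStrike Base URL on TCP 443,
   the same path the Vectra Brain needs through the firewall.
2. Obtain a bearer token with the client credentials.
3. Probe one read-only endpoint per required scope; HTTP 403 on a probe
   means that scope was not granted when the client was created.
"""
import json
import os
import socket
import sys
import urllib.error
import urllib.parse
import urllib.request

# Falcon cloud Base URLs (assumed from CrowdStrike's public documentation;
# use the one displayed when the API client was created).
BASE_URLS = {
    "us-1": "https://api.crowdstrike.com",
    "us-2": "https://api.us-2.crowdstrike.com",
    "eu-1": "https://api.eu-1.crowdstrike.com",
    "us-gov-1": "https://api.laggar.gcw.crowdstrike.com",
}

# Required scope -> read-only endpoint that exercises it (assumed paths).
# Each probe asks for at most one record, so it is cheap and changes nothing.
SCOPE_PROBES = {
    "Alerts - Read": "/alerts/queries/alerts/v2?limit=1",
    "Detections - Read": "/detects/queries/detects/v1?limit=1",
    "Incidents - Read": "/incidents/queries/incidents/v1?limit=1",
    "Event streams - Read": "/sensors/entities/datafeed/v2?appId=preflightcheck",
}


def tcp_reachable(base_url, port=443, timeout=5.0):
    """Return True if a TCP connection to the Base URL host on `port` succeeds."""
    host = urllib.parse.urlparse(base_url).hostname
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def get_token(base_url, client_id, client_secret):
    """Exchange client credentials for a bearer token via /oauth2/token."""
    body = urllib.parse.urlencode(
        {"client_id": client_id, "client_secret": client_secret}).encode()
    req = urllib.request.Request(
        base_url + "/oauth2/token", data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)["access_token"]


def interpret_status(status):
    """Map the HTTP status of a scope probe to a verdict."""
    if status == 200:
        return "granted"
    if status == 403:
        return "scope missing"
    if status == 401:
        return "token rejected"
    return f"unexpected HTTP {status}"


def probe_scopes(base_url, token):
    """Call one read-only endpoint per required scope; return scope -> verdict."""
    results = {}
    for scope, path in SCOPE_PROBES.items():
        req = urllib.request.Request(
            base_url + path,
            headers={"Authorization": f"Bearer {token}",
                     "Accept": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=15) as resp:
                status = resp.status
        except urllib.error.HTTPError as exc:
            status = exc.code
        results[scope] = interpret_status(status)
    return results


def missing_scopes(results):
    """Scopes whose probe did not come back as granted, sorted for display."""
    return sorted(scope for scope, verdict in results.items() if verdict != "granted")


if __name__ == "__main__":
    # Usage: FALCON_CLIENT_ID=... FALCON_CLIENT_SECRET=... python preflight.py us-1
    cloud = sys.argv[1] if len(sys.argv) > 1 else "us-1"
    base_url = BASE_URLS[cloud]
    if not tcp_reachable(base_url):
        sys.exit(f"cannot reach {base_url} on TCP 443; fix the firewall rule first")
    token = get_token(base_url, os.environ["FALCON_CLIENT_ID"],
                      os.environ["FALCON_CLIENT_SECRET"])
    results = probe_scopes(base_url, token)
    for scope, verdict in results.items():
        print(f"{scope:22} {verdict}")
    sys.exit(1 if missing_scopes(results) else 0)
```

Run it from a host on the same network segment as the Brain if you can, so the connectivity check exercises the same firewall path. A "scope missing" verdict means the client was created without that permission; since scopes cannot be verified from the token response itself, probing an endpoint per scope is the only way to confirm least privilege was applied correctly before the connector goes live.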
Configuring the Integration
Navigate in your Vectra UI to Data Sources > CrowdStrike and click the + Create CrowdStrike Connector at the top right.

Select the CrowdStrike URL that matches the Base URL you found during the API credential creation earlier.
Paste in the Client ID and Client Secret you collected earlier and click Finish Setup.

Once your configuration has been saved, the new connector will be displayed along with status.