Crowdstrike

Why Integrate With Crowdstrike? (Benefits)

Integration with Crowdstrike Falcon is considered a best practice if your organization has endpoints running it. It provides a number of benefits such as:

  • It helps by contributing artifacts to Host ID that enhance the accuracy and speed of Host identification.

    • Vectra's Host ID technology automatically identifies hosts in your environment which makes analyst workload easier by allowing them to track Detections to specific hosts rather than just the IP address a Host may be using at any given moment.

    • The host details are pulled via API calls made from your Vectra Brain to the various Crowdstrike endpoints.

    • For additional information regarding Host ID, please see Understanding Vectra Detect Host Naming.

  • Analysts can easily see details such as those provided by CrowdStrike Falcon when examining Host details for a specific Host in the Vectra UI:

  • Analysts can easily jump into their Crowdstrike Falcon console via the links provided (see above example) to further dig into the specific Host.

    • The top link provides a link that drills into the specific "Host Management" view for the Host of interest in your Crowdstrike Falcon console.

    • The bottom link provides a link that drills into the specific "Investigate Host" view for the Host of interest in your Crowdstrike Falcon console.

  • It enables the "Host Lockdown" feature of Vectra for Hosts running Crowdstrike Falcon.

    • Host Lockdown is a feature of Detect that gives users the ability to temporarily disable network Hosts during a security investigation. Host Lockdown is enforced through the use of Crowdstrike Falcon's Host isolation capabilities.

    • Host Lockdown can run in an automated or manual mode.

      • In automated mode, action is taken once privilege, threat and certainty score thresholds have been passed.

      • In manual mode, a security analyst can isolate a Host directly from a Detect Host page.

  • Vectra will release AI Stitching with CrowdStrike EDR in 2H 2025.

    • Configuring NGSIEM Read/Write now as part of your Crowdstrike API client permissions will ensure the integration is future-ready without needing to revisit API client settings later.

    • This capability automatically stitches EDR process data to Vectra detections, exposing root cause instantly.

    • Please see the Permissions section for more detail.

    • If you have previously configured Crowdstrike integration:

      • Existing API clients can simply be edited in your Falcon console to add the NGSIEM Read/Write permissions to your existing client.

      • No changes will be required in your Vectra deployment.

Requirements

Selecting your Crowdstrike Falcon URL:

| If you log into CrowdStrike Falcon via... | You are using the... | Select this URL when setting up your CrowdStrike External Connector |
| --- | --- | --- |
| https://falcon.crowdstrike.com | US Commercial Cloud | api.crowdstrike.com |
| https://falcon.us-2.crowdstrike.com | US Commercial Cloud 2 | api.us-2.crowdstrike.com |
| https://falcon.laggar.gcw.crowdstrike.com | AWS GovCloud | api.laggar.gcw.crowdstrike.com |
| https://falcon.eu-1.crowdstrike.com | EU Cloud | api.eu-1.crowdstrike.com |

Later in the Configuration section of this article, you will need to choose the proper URL in the Vectra UI.

Network Communications Requirements (Firewall Rules)

Obtain Crowdstrike Falcon OAuth2 Credentials:

  1. Navigate in your Falcon console to Support and resources > Resources and tools > API clients and keys.

  2. From the API Clients and Keys screen, click on "Create API client".

  3. Give the client a name, description (optional), and grant it the following permissions:

    • Host Read - Required for CrowdStrike device context that links to CrowdStrike and improves device identification.

    • Host Write - Required for manual or automated response actions (Host Lockdown).

    • NGSIEM Read / NGSIEM Write - Required for EDR process integration functionality (targeted for 2H 2025).

      • See the Permissions section for more details on the above requirements.

    • Ensure that both Host and NGSIEM permissions are set as shown here before clicking "Create".

    • Click "Create".

  4. Record the Client ID and Secret. You will later input these values into the Vectra External Connector setup dialog.

Please note:

    • This is the only time you will be able to view this secret in the Falcon UI.

    • You must start over and create a new API client if you do not record the secret at this time.

What permissions are required in CrowdStrike?

Editing API Client Permissions

  • Existing API clients can be edited in your Falcon console to change the permissions if desired.

  • You do not need to delete or recreate the API client if you still have the secret for input into the Vectra UI.

CrowdStrike API Client Permissions

  • Hosts Read — Required for CrowdStrike device context that links to CrowdStrike and improves device identification.

  • Host Write — Required for manual or automated response actions.

  • NGSIEM Read / NGSIEM Write — Required for EDR process integration functionality (targeted for 2H 2025).

NGSIEM Permissions

This is to support the automatic stitching of EDR process data to Vectra detections, exposing root cause processes.

  • Write permissions are required to POST queries to CrowdStrike NGSIEM. No data is written to NGSIEM.

  • Read permissions are required to GET the results from NGSIEM.

Benefits of this expanded integration include:

  • Stronger NDR through enhanced EDR integration.

  • Answers to what process caused an NDR detection.

  • Automated investigation and correlation of relevant context.

How Do I Configure The Integration?

  • To enable the integration, simply navigate to Settings > EDR Connections and edit the CrowdStrike settings area:

  • Toggle the integration to "On".

  • Select the proper CrowdStrike URL per the earlier guidance provided in Requirements.

  • Paste the Client ID and Client Secret that you gathered earlier per the guidance provided in Requirements.

  • Choose whether you wish to require verification of the SSL certificate (requiring verification is recommended).

  • Proxy support

    • If you have a proxy configured in Data Sources > Network > Brain Setup > Proxy, then the "Use the configured proxy in Services" option will be displayed.

    • If you would like API communication from the Vectra Brain to your Crowdstrike URL to use the same proxy settings that Vectra uses for communication to the Vectra Cloud, then check this box.

      • If you do not check this box, the Brain will attempt to communicate to Crowdstrike directly and will NOT use the configured proxy.

  • "Save" your configuration.
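A pre-flight check for the values gathered in Requirements (console URL, Client ID, Secret) and the SSL-verification and proxy choices made in this dialog, as an added example that is not Vectra's or CrowdStrike's own code. It uses only the Python standard library. The console-to-API mapping is the URL table from Requirements; the token endpoint (POST /oauth2/token, client-credentials grant) and the device-list endpoint (GET /devices/queries/devices/v1, which needs the Hosts Read scope) are CrowdStrike's publicly documented API paths. The Client ID, Secret and proxy values in the `__main__` block are placeholders read from environment variables, and the NGSIEM scopes are not probed here.

```python
"""Pre-flight check for a CrowdStrike Falcon API client before entering it in the Vectra UI.

Added example, not Vectra's or CrowdStrike's code. Standard library only.
"""
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request

# Console-to-API mapping taken from the URL table in the Requirements section.
CONSOLE_TO_API = {
    "falcon.crowdstrike.com": "api.crowdstrike.com",                        # US Commercial Cloud
    "falcon.us-2.crowdstrike.com": "api.us-2.crowdstrike.com",              # US Commercial Cloud 2
    "falcon.laggar.gcw.crowdstrike.com": "api.laggar.gcw.crowdstrike.com",  # AWS GovCloud
    "falcon.eu-1.crowdstrike.com": "api.eu-1.crowdstrike.com",              # EU Cloud
}


def api_base_url(console_url: str) -> str:
    """Return the https:// API base URL for the Falcon console URL an analyst logs into.

    Accepts a bare host, a full URL, or a deep link copied from the browser bar.
    Raises ValueError for a host not in the table instead of guessing a region.
    """
    parsed = urllib.parse.urlparse(console_url if "://" in console_url else "https://" + console_url)
    host = parsed.hostname.lower() if parsed.hostname else ""
    try:
        return "https://" + CONSOLE_TO_API[host]
    except KeyError:
        raise ValueError(f"unknown Falcon console host: {host!r}") from None


def build_token_request(console_url, client_id, client_secret, verify_ssl=True, proxy_url=None):
    """Assemble the client-credentials token request without sending it (useful for review)."""
    return {
        "url": api_base_url(console_url) + "/oauth2/token",
        "data": urllib.parse.urlencode({"client_id": client_id, "client_secret": client_secret}),
        "verify_ssl": verify_ssl,
        "proxies": {"https": proxy_url} if proxy_url else None,
    }


def _opener(verify_ssl, proxies):
    ctx = ssl.create_default_context()
    if not verify_ssl:
        # Mirrors leaving the "verify SSL certificate" option unchecked; this leaves the
        # Brain-to-Falcon connection open to interception, so keep verification on.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    # An explicit ProxyHandler (empty when no proxy is chosen) stops urllib from picking up
    # *_proxy environment variables, matching the page's "direct unless the box is checked".
    return urllib.request.build_opener(urllib.request.ProxyHandler(proxies or {}),
                                       urllib.request.HTTPSHandler(context=ctx))


def fetch_token(console_url, client_id, client_secret, verify_ssl=True, proxy_url=None):
    """Exchange the API client credentials for a bearer token."""
    req = build_token_request(console_url, client_id, client_secret, verify_ssl, proxy_url)
    request = urllib.request.Request(
        req["url"], data=req["data"].encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"})
    with _opener(req["verify_ssl"], req["proxies"]).open(request, timeout=15) as resp:
        return json.load(resp)["access_token"]


def hosts_read_granted(console_url, token, verify_ssl=True, proxy_url=None):
    """True if the token can list devices (Hosts Read granted); False on HTTP 403; else raise."""
    url = api_base_url(console_url) + "/devices/queries/devices/v1?limit=1"
    request = urllib.request.Request(
        url, headers={"Authorization": "Bearer " + token, "Accept": "application/json"})
    proxies = {"https": proxy_url} if proxy_url else None
    try:
        with _opener(verify_ssl, proxies).open(request, timeout=15) as resp:
            return resp.getcode() == 200
    except urllib.error.HTTPError as err:
        if err.code == 403:
            return False
        raise


if __name__ == "__main__":
    import os
    # Placeholder inputs: export these in the environment before running.
    console = os.environ.get("FALCON_CONSOLE_URL", "https://falcon.crowdstrike.com")
    cid, secret = os.environ["FALCON_CLIENT_ID"], os.environ["FALCON_CLIENT_SECRET"]
    proxy = os.environ.get("FALCON_PROXY_URL")  # e.g. http://proxy.internal:3128; unset = direct
    token = fetch_token(console, cid, secret, proxy_url=proxy)
    print("token obtained; Hosts Read granted:", hosts_read_granted(console, token, proxy_url=proxy))
```

Running this before saving the connector tells you whether the secret you recorded still works against the cloud you selected and whether Hosts Read was actually granted: a valid token followed by a 403 on the device query points at a scope problem on the API client, not at the credentials. Because the script takes the same SSL-verification and proxy choices as the Vectra dialog, a failure here usually reproduces the failure the Brain would see.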

How Do I Enable / Configure Lockdown?

Enabling the Host Lockdown feature

  • Host Lockdown can be enabled via Settings > EDR Integrations > Host Lockdown for automatic lockdown based on a set of criteria.

  • If you choose not to enable automatic lockdown, a Host can still be locked down manually once the integration is configured: navigate to the Host page and select the "Lock Host" button in the CrowdStrike widget.

  • If the Host Write permission is not enabled for the Crowdstrike API client, then Host Lockdown will not work.

  • For more details about Host Lockdown, please see EDR Host Lockdown Information.

  • Landing page for Crowdstrike on Vectra's public website:

  • EDR Extended ID and Reporting

    • This feature came out in Vectra Detect 6.4

      • Vectra Detect can now identify hosts running security agents based on network traffic behaviors associated with popular endpoint detection and response (EDR) security agents.

      • The Host details page will now display EDR agent information, whenever available, even if the EDR has not been configured as an External Connector.

      • The “What’s on my network?” section of the Executive report has also been expanded to display hosts observed running EDR agents.

    • This ID and Reporting is driven by analyzing network traffic for signs of communication with the various EDR systems that Vectra integrates with.

    • If you see Crowdstrike in Host Details, it could be a result of this feature and NOT the CrowdStrike API level integration that is the main subject of this article.

      • You should make sure the full integration is configured to enjoy all the benefits listed in the Benefits section above.

    • A video demo of this feature is available here:
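The traffic-based identification described in this section, as an added example that is not Vectra's code: a pass over constructed DNS log lines that tags each client IP observed resolving CrowdStrike cloud domains. The crowdstrike.com suffix comes from the URL table in this article; cloudsink.net is assumed here as a Falcon sensor domain and is not taken from the page, so replace the list with whatever your vendor documentation gives. The suffix check is deliberately strict so that a lookalike such as crowdstrike.com.evil.example does not count.

```python
"""Tag hosts that appear to be running an EDR agent from DNS activity.

Added example (not Vectra's code) of the heuristic behind EDR Extended ID: a host that
talks to the vendor's cloud is *observed* running the agent, which is weaker evidence
than the API integration described earlier in the article.
"""
import re
from collections import defaultdict

# Domain suffixes treated as "EDR vendor cloud". crowdstrike.com is from this article's URL
# table; cloudsink.net is an assumption about the sensor's upload domain.
EDR_DOMAIN_SUFFIXES = {
    "CrowdStrike": ("crowdstrike.com", "cloudsink.net"),
}

# Constructed DNS log lines, one per query: "<timestamp> <client_ip> query <qname>"
SAMPLE_DNS_LOG = """\
2025-06-01T08:00:01Z 10.1.1.20 query ts01-b.cloudsink.net
2025-06-01T08:00:02Z 10.1.1.20 query www.example.org
2025-06-01T08:00:05Z 10.1.1.21 query falcon.crowdstrike.com.
2025-06-01T08:00:09Z 10.1.1.22 query crowdstrike.com.evil.example
2025-06-01T08:00:11Z 10.1.1.23 query www.example.org
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) query (?P<qname>\S+)$")


def matches_suffix(qname: str, suffix: str) -> bool:
    """Exact or label-boundary suffix match; 'crowdstrike.com.evil.example' must not match."""
    q = qname.lower().rstrip(".")  # tolerate fully-qualified names with a trailing dot
    return q == suffix or q.endswith("." + suffix)


def edr_agents_by_host(log_text: str) -> dict:
    """Map client IP -> sorted list of EDR vendors whose cloud domains it resolved."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than guess
        for vendor, suffixes in EDR_DOMAIN_SUFFIXES.items():
            if any(matches_suffix(m["qname"], s) for s in suffixes):
                seen[m["ip"]].add(vendor)
    return {ip: sorted(vendors) for ip, vendors in seen.items()}


if __name__ == "__main__":
    for ip, vendors in sorted(edr_agents_by_host(SAMPLE_DNS_LOG).items()):
        print(f"{ip}: observed talking to {', '.join(vendors)} cloud")
```

A hit from this function is the same kind of evidence as the EDR agent line in Host Details: the host contacted the vendor's cloud at some point. It does not show that the API connector above is configured, that the agent is healthy, or that Host Lockdown will work, which is why the article asks you to verify the full integration rather than rely on the widget alone.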
