From the CrowdStrike subtab of your PhishER Settings, you can configure the CrowdStrike Falcon Sandbox integration for your PhishER platform. CrowdStrike Falcon Intelligence is a threat intelligence service that combines with the Falcon Sandbox to analyze files and URLs for malicious content in a protected, sandbox environment. This integration uses the Falcon Sandbox API to allow PhishER to submit files and URLs for analysis, pull report data, and perform advanced search queries.
After CrowdStrike scans an attachment or URL, a malware analysis report will be available under the Attachments or Domains & URLs subtab on the Message Details page of your PhishER platform. For more information, see our How to Use Your PhishER Inbox article.
Creating an OAuth Client
Before you can set up this integration in your PhishER platform, you will need to create an OAuth client and assign it the appropriate credentials. PhishER will use these credentials to send files to the CrowdStrike system to be scanned.
To create an OAuth client, follow the steps below:
- Log in to your CrowdStrike Falcon console and navigate to Support and resources > Resources and tools > API clients and keys.
- In the API client and Secrets window, under the OAuth2 API clients tab, click Create API client.
- In the Create API client pop-up window, enter a name for your new client in the Client name field.
- Configure your new client by selecting the Read and Write check boxes, where available, next to the following API Scopes:
- Click Create to create your new client.
- Locate the Client ID and Secret. Make sure to copy both of these items and save them somewhere that you can easily access later. You will need both of these items to set up the integration in your PhishER platform.
Setting Up CrowdStrike in Your PhishER Platform
Once you have created your CrowdStrike OAuth client, you can set up the integration in your PhishER platform. To configure the integration, follow the steps below:
- Log in to your PhishER platform and navigate to Settings > CrowdStrike.
- Click Update Authorization Settings to open the CrowdStrike Authentication Keys pop-up window.
- In the pop-up window fields, enter the Client ID and Secret that you copied in the Creating an OAuth Client section of this article.
- Click Update CrowdStrike Keys to save the authorization settings.
- Click the CrowdStrike Disabled toggle to enable the integration.
- Fill out the remaining fields in the CrowdStrike Settings section. Then, click Update CrowdStrike Settings to update the integration settings.
- (Optional) The Shared Integrations Settings section displays the Timeout value and the Ignored Domains list, which apply to every integration that uses them. To update these settings, click Update Shared Settings.
For more information about your CrowdStrike integration settings, view the screenshot and list below:
- CrowdStrike Disabled or CrowdStrike Enabled: Use this toggle to disable or enable the integration.
- (Optional) CrowdStrike Automatic Scanning: In this section, you can configure settings that allow CrowdStrike to automatically scan parts of a message. To learn about these options, view the list below:
- Automatically Scan All Attachments (Hashes Only): If you select this check box, a hash of each attachment in your PhishER Inbox will automatically be sent to CrowdStrike. Because only the hash is submitted, an attachment that CrowdStrike has not seen before returns CS_NOT_FOUND rather than a detonation verdict; to have the file itself analyzed, click Detonate on the Message Details page.
- Automatically Scan All URLs: If you select this check box, CrowdStrike will automatically be sent all URLs in your PhishER Inbox.
- Default Operating System: From this drop-down menu, select the operating system that you would like to use as the default operating system for scans. The options are listed below:
- macOS
- Linux Ubuntu
- Android
- Windows 10, 64-bit
Note: This is the default setting.
- Windows 7, 64-bit
- Windows 7, 32-bit
- Default Network Configuration: From this drop-down menu, select the network configuration that you would like to use as the default network configuration for scans. The options are listed below:
- Fully Operating Network
Note: This is the default setting.
- Network Traffic Routed Through TOR
- Simulated Network Traffic
- No Network Traffic
- Update CrowdStrike Settings: Click this button if you would like to save changes made to the integration settings in this section.
- Your API Client ID: In this field, enter the Client ID that you created in the Creating an OAuth Client section of this article.
- Your API Client Secret: In this field, enter the Secret that you created in the Creating an OAuth Client section of this article.
- Update Authorization Settings: Click this button to open the CrowdStrike Authentication Keys pop-up window. In the pop-up window, you can update your API Client ID and API Client Secret.
- (Optional) Automatic Scanning Timeout: The Timeout if no response (seconds) field displays the custom timeout period for your CrowdStrike scan results. If CrowdStrike does not return scan results in this timeout period, a CS_BYPASSED tag will be applied to the corresponding message. By default, the timeout period is 120 seconds. To learn more about the tags that can be applied to the message, read the CrowdStrike Tags section of this article.
- (Optional) Ignored Domains: This section displays the domains that you would like CrowdStrike to ignore when running a scan.
- Update Shared Settings: If you would like to update the custom timeout period or ignored domains for your integrations, click this button to open the Shared Integrations Settings pop-up window. In the pop-up window, you can enter a number of seconds in the Timeout if no response (seconds) field to set a custom timeout period for your CrowdStrike scan results. In the Ignored Domains field, you can enter the domains that you would like CrowdStrike to ignore when running a scan. Enter each domain as a new line in the text box. If you add a domain to this list, any subdomains of that domain will be excluded as well. However, if you add a subdomain to the list, the parent domain will not be excluded. Wildcards (*) and Uniform Resource Identifiers (URIs) are not supported.
Important: For more information about KnowBe4 domains that should not be sent as links or attachments to CrowdStrike, read the Excluding KnowBe4 Domains from Scans section of this article.
Scanning with CrowdStrike
Once you integrate your CrowdStrike account with your PhishER platform, you can run a CrowdStrike scan on message attachments and URLs. To run a CrowdStrike scan on a specific attachment or URL, click Detonate on the Message Details page.
When you run a CrowdStrike scan on an attachment or URL, CrowdStrike detonates and analyzes the submitted file sample in a sandbox environment. The scan may take up to fifteen minutes to complete. When the scan is complete, the malware analysis report will be shared in a private sandbox environment on your CrowdStrike Falcon platform and on the Message Details page of your PhishER platform. For more information, read the Viewing Message Details section of our How to Use Your PhishER Inbox article.
Excluding KnowBe4 Domains from Scans
KnowBe4 uses multiple domains that should not be sent as links or attachments to CrowdStrike. You can enter these ignored domains in the Shared Integrations Settings section on the CrowdStrike subtab of your PhishER settings. To find and exclude the domains, follow the steps below:
- Log in to your KSAT console.
- Navigate to the Phishing tab, then select the Domains subtab. This subtab displays a list of our root phish link domains. For more information, read our How to Manage Phish Link Domains article.
Note: If you don't have access to this subtab, you can contact our support team for a list of phish link domains.
- In a separate browser or tab, log in to your PhishER platform.
- Navigate to Settings > CrowdStrike.
- In the Shared Integrations Settings section, click Update Shared Settings.
- In the Ignored Domains field, enter the root domains from your KSAT console.
- Click Update Shared Settings.
- If you use more than one instance of the KSAT console, repeat steps 1-7 to exclude the root domains from all of your instances. For more information about KSAT instances, read our KnowBe4's Training Instances article.
CrowdStrike Tags
Based on the scan results, CrowdStrike will apply one or more tags to your messages. To learn about the CrowdStrike tags, view the list below:
- CS_BYPASSED: This tag is attached to your message when a CrowdStrike scan times out. This tag is commonly attached with additional CrowdStrike tags. You can set a custom timeout period under your CrowdStrike Shared Integrations Settings.
Note: If a CrowdStrike timeout occurs, PhishER will still wait for your CrowdStrike results to return. However, automated actions will not run against the item while CrowdStrike scans it.
- CS_ERROR: This tag is attached to your message when a CrowdStrike scan results in processing errors or when CrowdStrike is unable to detonate a file sample.
- CS_IGNORED: This tag is attached to your message when URLs or domains found on your Ignored Domains list are detected on a message.
- CS_MALICIOUS: This tag is attached to your message when a CrowdStrike scan determines that a threat was detected from the attachments or URLs.
- CS_NO_SPECIFIC_THREAT: This tag is attached to your message when a CrowdStrike scan determines that no threat was detected from the attachment or URL.
- CS_NOT_FOUND: This tag is attached to your message when a CrowdStrike scan doesn’t return a match for the hashed attachments or the URLs.
- CS_PENDING: This tag is attached to your message when a CrowdStrike scan is queued. This tag will be removed when the scan is completed.
- CS_SCANNED: This tag is attached to your message when a CrowdStrike scan or detonation has completed and no threats were found.
- CS_SUSPICIOUS: This tag is attached to your message when a CrowdStrike scan determines that the attachments or URLs are suspicious but are not confirmed to be malicious.
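The Ignored Domains rules above (whole-domain suffix matching, no wildcards or URIs) and the tag and timeout behaviour described in this section are easy to get wrong when you reason about which messages automated actions will touch. The following is an added example written for this article; it is not KnowBe4's or CrowdStrike's code. It assumes that ignored-domain matching is a whole-label suffix match (so example.com covers www.example.com but www.example.com does not cover example.com), that a message whose URLs are all ignored gets no scan tags because nothing is submitted, and that the outcome names passed to resolve_tags are a local convention standing in for whatever the integration reports. The domains and URLs in the tests are constructed.

```python
"""Model of PhishER's CrowdStrike Ignored Domains matching and CS_ tag assignment.

Added example, not KnowBe4's or CrowdStrike's code. Assumptions: ignored-domain
matching is a whole-label suffix match; a message with no scannable URLs gets no
scan tags; the outcome strings below are a local convention.
"""
from __future__ import annotations

from urllib.parse import urlsplit


def load_ignored(text: str) -> tuple[list[str], list[str]]:
    """Parse the one-domain-per-line Ignored Domains text box.

    Returns (accepted, rejected). Entries containing a wildcard or looking like
    a URI (scheme, path or port) are rejected, matching the documented limits.
    """
    accepted: list[str] = []
    rejected: list[str] = []
    for line in text.splitlines():
        entry = line.strip().lower().rstrip(".")
        if not entry:
            continue
        if "*" in entry or "/" in entry or ":" in entry:
            rejected.append(entry)
        else:
            accepted.append(entry)
    return accepted, rejected


def host_of(url: str) -> str:
    """Lowercase host part of a URL; a scheme is prepended if the URL lacks one."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def is_ignored(url: str, ignored: list[str]) -> bool:
    """True if the URL's host equals an ignored domain or is a subdomain of it.

    Matching is on whole labels: phish.example.com is covered by example.com,
    notexample.com is not (no substring matching), and listing
    www.example.com does not cover the bare example.com.
    """
    host = host_of(url)
    return any(host == d or host.endswith("." + d) for d in ignored)


# Local outcome names -> documented CS_ tags (assumption: local convention).
VERDICT_TAGS = {
    "pending": "CS_PENDING",
    "malicious": "CS_MALICIOUS",
    "suspicious": "CS_SUSPICIOUS",
    "no_specific_threat": "CS_NO_SPECIFIC_THREAT",
    "not_found": "CS_NOT_FOUND",
    "scanned": "CS_SCANNED",
    "error": "CS_ERROR",
}


def resolve_tags(urls: list[str], ignored: list[str], outcome: str,
                 elapsed_seconds: float, timeout_seconds: int = 120) -> set[str]:
    """Tags a message carries given its URLs, the scan outcome and elapsed time.

    CS_IGNORED is added when any URL is on the ignored list; those URLs are not
    submitted. CS_BYPASSED is added once the Timeout if no response value
    (default 120 s) is exceeded and stays alongside the final verdict tag.
    """
    to_scan = [u for u in urls if not is_ignored(u, ignored)]
    tags: set[str] = set()
    if len(to_scan) < len(urls):
        tags.add("CS_IGNORED")
    if not to_scan:
        return tags  # nothing submitted, so no scan tags (assumption)
    if elapsed_seconds > timeout_seconds:
        tags.add("CS_BYPASSED")
    tags.add(VERDICT_TAGS[outcome])
    return tags


def automated_actions_allowed(tags: set[str]) -> bool:
    """Per the CS_BYPASSED note: actions are held while the scan is outstanding,
    even after a timeout, and resume once a final tag replaces CS_PENDING."""
    return "CS_PENDING" not in tags


if __name__ == "__main__":
    ignored, rejected = load_ignored("Example.com\n*.bad.test\nhttps://uri.test/x\n")
    print("accepted:", ignored, "rejected:", rejected)
    print(resolve_tags(["https://www.example.com/p", "https://evil.test/a"],
                       ignored, "pending", elapsed_seconds=200))
```

The suffix check deliberately prepends a dot before comparing, which is what makes notexample.com fall outside an example.com entry; a naive endswith on the raw string would ignore it. Entries containing a colon or slash are rejected rather than silently truncated to a host, so a pasted URL shows up as a validation error instead of an ignore rule that never matches.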