Setting Up Integrations

CrowdStrike Integration Guide for SecurityCoach

In this article, you will learn how to integrate CrowdStrike’s Falcon Insight, an endpoint protection platform (EPP), with SecurityCoach. Once the integration is complete, data provided by CrowdStrike will be available for use under the SecurityCoach tab of your KSAT console. This data can be viewed in SecurityCoach reports and used to create detection rules for real-time coaching campaigns. For general information about SecurityCoach, see our SecurityCoach Product Manual.

Create an OAuth Client

Before you can set up this integration in your KSAT console, you will need to create an OAuth client and assign it the appropriate credentials. SecurityCoach will use these credentials to access data from the CrowdStrike system. To create an OAuth client, follow the steps below:

  1. Log in to your CrowdStrike Falcon console and navigate to Support and resources > Resources and tools > API Clients and Keys.
  2. In the API client and Secrets window, click Add new API Client.
  3. Create a new client by selecting the check box next to the following API Scopes:
    • Detections
    • Hosts
    • Incidents
  4. Locate the Client ID and Client Secret. Make sure to copy both of these items and save them somewhere that you can easily access later. You will need both of these items to set up the integration in your KSAT console.
  5. Select the Base URL for your region using the table below:
    Region             Base URL
    US                 https://api.us-2.crowdstrike.com/
    EU                 https://api.eu-1.crowdstrike.com/
    All other regions  https://api.crowdstrike.com
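
Before entering the Client ID, Client Secret, and Base URL in your KSAT console, you can confirm that the three values work together by requesting a token yourself. The following is an added example, not part of the original article and not KnowBe4 or CrowdStrike code; the `/oauth2/token` path and the `access_token`/`expires_in` response fields are assumptions based on CrowdStrike's OAuth2 API, and all function names are hypothetical.

```python
import json
import urllib.parse
import urllib.request

# Base URLs copied from the region table in this article.
BASE_URLS = {
    "US": "https://api.us-2.crowdstrike.com/",
    "EU": "https://api.eu-1.crowdstrike.com/",
    "OTHER": "https://api.crowdstrike.com",
}
TOKEN_PATH = "/oauth2/token"  # assumption: token endpoint, not named on this page
ALLOWED_HOSTS = {urllib.parse.urlsplit(u).hostname for u in BASE_URLS.values()}


def build_token_request(base_url, client_id, client_secret):
    """Build the client-credentials token request without sending it."""
    parts = urllib.parse.urlsplit(base_url)
    # Refuse plaintext HTTP and unlisted hosts: the secret only goes out over TLS.
    if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
        raise ValueError(f"refusing to send credentials to {base_url!r}")
    if not client_id.strip() or not client_secret.strip():
        raise ValueError("client ID and client secret are both required")
    body = urllib.parse.urlencode(
        {"client_id": client_id.strip(), "client_secret": client_secret.strip()}
    ).encode()
    return urllib.request.Request(
        f"https://{parts.hostname}{TOKEN_PATH}",
        data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def parse_token_response(raw):
    """Return (token, lifetime_seconds); raise if the body carries no token."""
    doc = json.loads(raw)
    token = doc.get("access_token")
    if not token:
        raise ValueError(f"no access_token in response: {doc.get('errors')}")
    return token, int(doc.get("expires_in", 0))


def verify_client(region, client_id, client_secret, timeout=10):
    """Live check: returns the token lifetime; the token itself is discarded."""
    req = build_token_request(BASE_URLS[region], client_id, client_secret)
    with urllib.request.urlopen(req, timeout=timeout) as resp:  # HTTPError on 4xx
        _, lifetime = parse_token_response(resp.read())
    return lifetime
```

When calling `verify_client`, read the Client Secret from an environment variable or a secret store so that it does not end up in shell history or scripts.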

Set Up the Integration in Your KSAT Console

Once you have created your CrowdStrike OAuth client, you can set up the integration in your KSAT console by following the steps below:

  1. Log in to your KSAT console and navigate to SecurityCoach > Setup > Security Vendor Integrations.
  2. Locate CrowdStrike and click Configure.
  3. From the Cloud API Endpoint drop-down menu, select the endpoint for your region from the following list:
    • For the USA region, select http://api.us-2.crowdstrike.com/.
    • For the EU region, select http://api.eu-1.crowdstrike.com/.
    • For any other region, select http://api.crowdstrike.com.
  4. In the Client ID and Client Secret fields, enter the Client ID and the Client Secret that you copied in the Create an OAuth Client section of this article.
  5. Click Authorize.

Map Your Users

After you’ve finished integrating CrowdStrike, you can map your users either through mapping rules (recommended) or through a CSV file upload. For more information about user mapping, see our Mapping Users in SecurityCoach article.

Once you’ve successfully authorized this integration, you can manage detection rules for CrowdStrike on the Detection Rules subtab of SecurityCoach. For a full list of available system detection rules for this vendor, see our Which Detection Rules Can I Use with My Vendors? article.
