In this article, you will learn how to integrate CrowdStrike’s Falcon Insight, an endpoint protection platform (EPP), with SecurityCoach. Once the integration is complete, data provided by CrowdStrike will be available for use under the SecurityCoach tab of your KSAT console. This data can be viewed in SecurityCoach reports and used to create detection rules for real-time coaching campaigns. For general information about SecurityCoach, see our SecurityCoach Product Manual.
Setting Up the Integration in CrowdStrike
To set up the CrowdStrike integration, you will first need to create an OAuth Client in your CrowdStrike admin console. To create your OAuth Client, follow the steps below:
- Log in to your CrowdStrike Falcon admin console.
- From the sidebar menu, navigate to Support and resources > Resources and tools > API Clients and Keys.
- A new API clients and keys window will open. In this window, navigate to OAuth2 API clients > Create API client.
- See the screenshot and list below to configure and create your API client:
  - Client name: Enter your preferred client name.
  - Alerts permissions: Select the check box to enable Read permissions for Alerts.
  - Create: Click this button to create the new API client.
- Locate the Client ID and Client Secret. Copy both of these items and save them somewhere that you can easily access later. You will need both of these items to set up the integration in SecurityCoach.
- Select the Base URL for your region using the table below:
| Region | Base URL |
| --- | --- |
| US | https://api.us-2.crowdstrike.com/ |
| EU | https://api.eu-1.crowdstrike.com/ |
| All other regions | https://api.crowdstrike.com |
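Before entering the Client ID and Client Secret in SecurityCoach, you can confirm that they work against the Base URL for your region. The script below is an added example, not KnowBe4 or CrowdStrike code; it assumes CrowdStrike's OAuth2 token endpoint at `/oauth2/token`, and the function names and `FALCON_*` environment variable names are hypothetical. It refuses to send the secret over anything but HTTPS to a crowdstrike.com host.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request

# Base URLs copied from the region table in this article.
REGION_BASE_URLS = {
    "US": "https://api.us-2.crowdstrike.com/",
    "EU": "https://api.eu-1.crowdstrike.com/",
    "OTHER": "https://api.crowdstrike.com",
}

def build_token_request(base_url, client_id, client_secret):
    """Build (without sending) the OAuth2 token request for one Base URL."""
    parts = urllib.parse.urlsplit(base_url)
    host = parts.hostname or ""
    # The client secret must only ever travel over TLS to a CrowdStrike host.
    if parts.scheme != "https" or not host.endswith(".crowdstrike.com"):
        raise ValueError(f"refusing to send credentials to {base_url!r}")
    if not client_id or not client_secret:
        raise ValueError("Client ID and Client Secret are both required")
    body = urllib.parse.urlencode(
        {"client_id": client_id, "client_secret": client_secret}
    ).encode()
    return urllib.request.Request(
        base_url.rstrip("/") + "/oauth2/token",  # assumed token endpoint path
        data=body,
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )

def check_credentials(base_url, client_id, client_secret, timeout=10):
    """Send the request; True means the API client was issued a token."""
    request = build_token_request(base_url, client_id, client_secret)
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return bool(json.load(response).get("access_token"))
    except urllib.error.HTTPError as err:
        # Typically a mistyped ID/secret or a Base URL for the wrong region.
        print(f"token request rejected: HTTP {err.code}")
        return False

if __name__ == "__main__":
    # FALCON_* variable names are hypothetical; set them in your own shell.
    ok = check_credentials(REGION_BASE_URLS[os.environ.get("FALCON_REGION", "US")],
                           os.environ["FALCON_CLIENT_ID"],
                           os.environ["FALCON_CLIENT_SECRET"])
    print("credentials accepted" if ok else "credentials not accepted")
```

Supplying the secret through environment variables keeps it out of the script file and out of the process argument list.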
Setting Up the Integration in Your SecurityCoach Console
To set up the CrowdStrike integration in SecurityCoach, follow the steps below:
- Log in to your KnowBe4 Security Awareness Training console.
- Navigate to SecurityCoach > Setup > Security Vendor Integrations.
- Locate the CrowdStrike vendor tile and click Configure.
- From the Cloud API Endpoint drop-down menu, select the endpoint for your region from the following list:
  - For the USA region, select http://api.us-2.crowdstrike.com/.
  - For the EU region, select http://api.eu-1.crowdstrike.com/.
  - For any other region, select http://api.crowdstrike.com.
- In the Client ID and Client Secret fields, enter the Client ID and the Client Secret that you copied in the Setting Up the Integration in CrowdStrike section of this article.
- Click Authorize.
Mapping Your Users
After setting up the CrowdStrike integration, we recommend mapping your users through mapping rules or through a CSV file upload. For more information about user mapping, see our Map Users in SecurityCoach article.
Managing CrowdStrike Detection Rules
After setting up the CrowdStrike integration, use the Detection Rules subtab of SecurityCoach to manage your detection rules for CrowdStrike. For a full list of available system detection rules for this vendor, see our System Detection Rules by Vendor article. For more information on detection rules, see our Detection Rules Guide.
Deleting the Integration in SecurityCoach
If you want to delete the CrowdStrike integration from SecurityCoach, follow the steps below:
- Log in to your KnowBe4 Security Awareness Training console.
- Navigate to SecurityCoach > Setup > Security Vendor Integrations.
- Locate the CrowdStrike vendor tile and click Edit.
- Click Delete Integration near the bottom of the page.
- A new pop-up window will open. If you are sure you want to delete the integration, click Confirm.
