CrowdStrike: Configuring the XOps Integration

This article discusses integrating data from CrowdStrike EDR to generate stories that you can review in the Cato Stories Workbench.

Overview

Using an API connector, you can integrate data from CrowdStrike detections to generate stories for endpoint devices. The endpoint stories help you get a more complete picture of potential threats in your network.

A story is created in the CMA by correlating CrowdStrike detections based on the Incident ID. These stories include all relevant evidence for the detection identified by CrowdStrike. The Stories Workbench shows the endpoint stories together with the other story types, and you can sort and filter the stories to focus on the Endpoint incidents.
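The correlation described above, as an added example that is not part of this article or of Cato's or CrowdStrike's own code: detections that share an Incident ID are grouped into one endpoint story carrying all of their evidence, detections with no Incident ID are kept as their own story so no evidence is lost, and the result can be sorted and filtered the way the Stories Workbench lets you focus on endpoint incidents. The detection records and their field names are constructed for this example and are not CrowdStrike's actual alert schema.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Constructed sample detections. The field names are assumptions made for
# this example, not CrowdStrike's real alert schema.
SAMPLE_DETECTIONS = [
    {"detection_id": "det-001", "incident_id": "inc-100", "hostname": "LAPTOP-17",
     "severity": 70, "tactic": "Execution", "created": "2024-05-01T10:02:00Z"},
    {"detection_id": "det-002", "incident_id": "inc-100", "hostname": "LAPTOP-17",
     "severity": 90, "tactic": "Persistence", "created": "2024-05-01T10:05:30Z"},
    {"detection_id": "det-003", "incident_id": "inc-200", "hostname": "SRV-DB-02",
     "severity": 50, "tactic": "Discovery", "created": "2024-05-01T11:15:00Z"},
    {"detection_id": "det-004", "incident_id": None, "hostname": "LAPTOP-03",
     "severity": 30, "tactic": "Initial Access", "created": "2024-05-01T12:00:00Z"},
]


@dataclass
class EndpointStory:
    """One story: the evidence of every detection that shares an incident."""
    story_id: str
    source: str = "CrowdStrike"
    story_type: str = "Endpoint"
    hosts: set = field(default_factory=set)
    max_severity: int = 0
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None
    evidence: list = field(default_factory=list)


def _parse_ts(value: str) -> datetime:
    # ISO-8601 with a trailing Z; fromisoformat needs an explicit offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def correlate_by_incident(detections):
    """Group detections by incident_id into stories.

    A detection with no incident_id becomes its own story keyed by its
    detection id, so unassigned evidence is still visible for review.
    """
    stories = {}
    # Process in time order so first_seen/last_seen and evidence order are stable.
    for det in sorted(detections, key=lambda d: d["created"]):
        key = det["incident_id"] or f"unassigned:{det['detection_id']}"
        story = stories.setdefault(key, EndpointStory(story_id=key))
        ts = _parse_ts(det["created"])
        story.hosts.add(det["hostname"])
        story.max_severity = max(story.max_severity, det["severity"])
        story.first_seen = ts if story.first_seen is None else min(story.first_seen, ts)
        story.last_seen = ts if story.last_seen is None else max(story.last_seen, ts)
        story.evidence.append({
            "detection_id": det["detection_id"],
            "tactic": det["tactic"],
            "severity": det["severity"],
            "created": ts,
        })
    return stories


def filter_stories(stories, story_type="Endpoint", min_severity=0):
    """Mimic the Workbench view: keep one story type, drop low-severity
    stories, and list the most severe (then earliest) first."""
    selected = (
        s for s in stories.values()
        if s.story_type == story_type and s.max_severity >= min_severity
    )
    return sorted(selected, key=lambda s: (-s.max_severity, s.first_seen))


if __name__ == "__main__":
    for story in filter_stories(correlate_by_incident(SAMPLE_DETECTIONS)):
        print(story.story_id, sorted(story.hosts), story.max_severity,
              [e["detection_id"] for e in story.evidence])
```

Keying unassigned detections by their own id is a design choice for the example: it keeps the grouping total (every detection lands in exactly one story) rather than silently discarding detections that CrowdStrike has not tied to an incident.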

CrowdStrike stories are created in near real-time after the original alert is generated. 

To integrate CrowdStrike Endpoint Detection data with Cato XOps, you need to set up the API connector for CrowdStrike. After you create the connector, the Endpoint Detection engine retrieves and analyzes the detection data from CrowdStrike.

For more information on reviewing XOps stories, including data from CrowdStrike, see Drilling-Down and Analyzing XOps Security Stories.

Prerequisites

  • To view Cato XOps stories for CrowdStrike detections, an XOps or MDR license is required. Events are generated without a license.
  • A Falcon Insight (EDR) license is required
  • To add a connector, you must have editor permission for Integrations (in the Resources section). For more information, see Managing Admin Roles Using RBAC.

Configuring the CrowdStrike Connector

To create the connector between Cato and your CrowdStrike tenant, you need to:

  1. Create the API Client in the Falcon CrowdStrike platform
  2. Create the API connector in the CMA

Step 1: Create the API Client in the Falcon CrowdStrike Platform

In the Falcon CrowdStrike platform, create the API Client.

To create the API Client:

  1. In your Falcon CrowdStrike platform, navigate to Support and resources > API clients and keys.

  2. Click Create API client.
  3. Add a Client name and Description, and Read access for these scopes:

    • Alerts
    • Incidents
    • Threatgraph
  4. Save the Client ID, Secret, and Base URL so they can be added in the CMA.

Step 2: Create the API Connector in the CMA

After you have created the API client, add the details in the CMA.


To configure the CrowdStrike Connector in the CMA:

  1. From the navigation menu, select Resources > Integrations.
  2. On the Integrated Apps tab, click New. The New Integration panel opens.
  3. From the SaaS Application drop-down menu, select CrowdStrike.
  4. Enter a Name, Description (optional), and the Base URL, Application ID, and Client Secret Value from step 1.
  5. (Optional) Choose to track errors in the integration by creating an event.
  6. Click Save.

Understanding the Connector Status

The Status column on the Connectors Settings page shows the status of the connection between the CrowdStrike app and your Cato account. These are the explanations of the statuses:

  • Connected - Your account is connected to the app and working correctly
  • Pending user consent - Permissions have not been granted to let Cato access the CrowdStrike app. To resolve this issue, refresh the browser. If the Status changes to Connected, the issue is resolved. If the Status doesn't change, delete and recreate the connector.
  • Error - There is a connectivity, permissions, license, or other issue with the connector. Delete and recreate the connector.

Viewing the Stories Workbench Page

Once you have created the connector, stories will be visible in the Stories Workbench.

To view the Stories Workbench page:

  • From the navigation menu, click Home > Stories Workbench.

For information about the columns in the Stories Workbench, see Understanding the Stories Columns.

For more information on reviewing XOps stories, including data from Microsoft Defender, see Drilling-Down and Analyzing XOps Security Stories.
