CrowdStrike Falcon Containment
Updated Sep 27, 2023
Configure CrowdStrike Falcon containment
Arctic Wolf® uses the CrowdStrike Falcon® API to monitor CrowdStrike Falcon logs and alert you about suspicious or malicious activity. When required, the Active Response service can then contain hosts in your network using CrowdStrike Falcon containment.
Note: The CrowdStrike Falcon containment integration is different from the CrowdStrike Falcon Endpoint Detection and Response (EDR) integration. You only need to complete these steps if you want Arctic Wolf to contain your endpoints using CrowdStrike Falcon. For more information on the EDR configuration, see Configure CrowdStrike Falcon Monitoring.
To implement this functionality, you must:
- Define your containment policy with your Concierge Security® Team representative.
- Provide these credentials to Arctic Wolf:
  - API Client UUID
  - API Client Secret
  - API Hostname
Requirements
- Falcon Administrator role for the CrowdStrike Falcon environment that you want Arctic Wolf to monitor.
- Enterprise, Premium, or Complete CrowdStrike Falcon license.
Notes:
- Although we support containment actions on Falcon Complete, you should confirm the terms of your CrowdStrike Falcon agreements to ensure that third-party containment actions are permitted.
- CrowdStrike Falcon Home, GovCloud, and Pro licenses are not supported.
Before you begin
- Complete the steps in Configure CrowdStrike Falcon monitoring to configure the EDR integration.
Steps
Step 1: Create the API client
Notes:
- Do not reuse API credentials from the CrowdStrike Falcon EDR configuration, since they have different permissions.
- The API Client Secret is only available to view during API client creation. If this information is lost before you submit it to Arctic Wolf, you must create a new client to get a new API Client Secret.
1. Sign in to the CrowdStrike Falcon UI.
2. Click the Support tab, and then click API Clients and Keys.
3. Click Add new API clients.
4. Follow the CrowdStrike Falcon documentation to create a new API client.
   Tip: All CrowdStrike Falcon documentation is accessible in the CrowdStrike Falcon UI.
5. When selecting the scopes for the API client, select both Read and Write access for the Hosts scope. Read is needed to look up hosts; Write is needed to contain them and to lift containment.
6. Note these values:
   - API Hostname
   - API Client UUID
   - API Client Secret
7. Proceed to Provide credentials to Arctic Wolf.
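Before handing the credentials to Arctic Wolf, you can confirm that the API client authenticates against the API Hostname you noted and that it has the Hosts scope. The script below is an added example for this page, not Arctic Wolf or CrowdStrike code. It uses the documented Falcon endpoints: POST /oauth2/token for the OAuth2 client-credentials grant, GET /devices/queries/devices/v1 (Hosts Read) and POST /devices/entities/devices-actions/v2 with action_name=contain or lift_containment (Hosts Write). The class and function names, the hostname TEST-HOST-01, the agent ID, and every response inside FakeTransport are constructed for the example; the default urllib_transport talks to the real API. preflight only authenticates and performs a read, so it is safe to run at any time; contain and lift_containment really isolate and release a host and belong in the scheduled test with your CST, where lift_containment is the step that ends the test.

```python
"""Pre-flight check for a Falcon API client created for third-party containment.
Added example, not Arctic Wolf or CrowdStrike code. Endpoints: POST /oauth2/token,
GET /devices/queries/devices/v1 (Hosts read), POST /devices/entities/devices-actions/v2
(Hosts write). The HTTP transport is injectable; FakeTransport holds constructed
responses so the example runs offline."""
import json
import urllib.error
import urllib.parse
import urllib.request


class FalconApiError(Exception):
    """Any non-success response; HTTP 403 is reported as a missing scope."""


def urllib_transport(method, url, headers, body):
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:  # return (status, text) instead of raising on 4xx/5xx
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


class FalconContainmentClient:
    def __init__(self, api_hostname, client_id, client_secret, transport=urllib_transport):
        # api_hostname is the "API Hostname" shown at client creation, e.g. https://api.crowdstrike.com
        self.base = api_hostname.rstrip("/")
        self.client_id, self.client_secret = client_id, client_secret
        self.transport = transport
        self.token = None

    def authenticate(self):
        """OAuth2 client-credentials grant; the secret goes only into this one request."""
        form = urllib.parse.urlencode(
            {"client_id": self.client_id, "client_secret": self.client_secret}).encode()
        headers = {"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"}
        status, text = self.transport("POST", f"{self.base}/oauth2/token", headers, form)
        if status not in (200, 201):
            raise FalconApiError(f"token request failed (HTTP {status}): check ID, secret and hostname")
        self.token = json.loads(text)["access_token"]
        return self.token

    def _call(self, method, path, payload=None):
        headers = {"Authorization": f"Bearer {self.token}", "Accept": "application/json"}
        body = None
        if payload is not None:
            headers["Content-Type"] = "application/json"
            body = json.dumps(payload).encode()
        status, text = self.transport(method, f"{self.base}{path}", headers, body)
        if status == 403:
            raise FalconApiError(f"HTTP 403 on {path}: the client lacks the Hosts scope this call needs")
        if status >= 400:
            raise FalconApiError(f"HTTP {status} on {path}: {text}")
        return json.loads(text)

    def find_host_ids(self, hostname):
        """Hosts read: resolve a hostname to agent IDs (AIDs) with an FQL filter."""
        fql = urllib.parse.quote(f"hostname:'{hostname}'", safe="")
        return self._call("GET", f"/devices/queries/devices/v1?filter={fql}")["resources"]

    def _host_action(self, action, aids):
        """Hosts write: contain / lift_containment. Returns the AIDs the API accepted."""
        path = f"/devices/entities/devices-actions/v2?action_name={action}"
        data = self._call("POST", path, {"ids": list(aids)})
        if data.get("errors"):
            raise FalconApiError(f"{action} rejected: {data['errors']}")
        return [item["id"] for item in data.get("resources", [])]

    def contain(self, aids):
        return self._host_action("contain", aids)

    def lift_containment(self, aids):
        return self._host_action("lift_containment", aids)


def preflight(client, hostname):
    """Token plus Hosts-read check; safe to run before submitting the credentials."""
    client.authenticate()
    return {"authenticated": True, "host_ids": client.find_host_ids(hostname)}


class FakeTransport:
    """Constructed stand-in for the Falcon API (offline runs only)."""
    AID = "0123456789abcdef0123456789abcdef"  # constructed agent ID
    hosts_write = True  # set False to mimic a client created with Hosts Read only

    def __call__(self, method, url, headers, body):
        if url.endswith("/oauth2/token"):
            return 201, json.dumps({"access_token": "constructed-token", "expires_in": 1799})
        if "/devices/queries/devices/v1" in url:
            return 200, json.dumps({"resources": [self.AID], "errors": []})
        if "/devices/entities/devices-actions/v2" in url:
            if not self.hosts_write:
                return 403, json.dumps({"errors": [{"code": 403, "message": "access denied"}]})
            ids = json.loads(body)["ids"]
            return 202, json.dumps({"resources": [{"id": i, "path": url} for i in ids], "errors": []})
        return 404, json.dumps({"errors": [{"code": 404, "message": "not found"}]})


if __name__ == "__main__":
    client = FalconContainmentClient("https://api.crowdstrike.com", "example-id", "example-secret",
                                     FakeTransport())
    print(preflight(client, "TEST-HOST-01"))  # constructed hostname
```

To run it against your own tenant, construct FalconContainmentClient with the API Hostname, Client ID and Client Secret from the previous step and leave the transport at its default. A 403 on the devices-actions call is the symptom of a client created with Hosts Read only, which is the misconfiguration the CST would otherwise find during the containment test. Read the secret from an environment variable or a prompt rather than a script argument, so it does not end up in shell history.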
Step 2: Provide credentials to Arctic Wolf
Note: If API credentials fail, for example, due to expired credentials, Arctic Wolf will notify you and request a new set of credentials. After a polling failure, Arctic Wolf cannot perform actions such as containment until the updated credentials are provided.
1. Sign in to the Arctic Wolf Unified Portal.
2. In the menu bar, click Telemetry Management > Connected Accounts.
3. Click Add Account +.
4. On the Add Account page, from the Account Type list, select Cloud Detection and Response.
5. From the list of cloud services, select CrowdStrike Containment.
6. On the Add Account page, complete these fields:
   - Account Name — Enter a unique and descriptive name for the account.
   - For each of these fields, paste the appropriate value from Create the API client:
     - Client ID
     - Client Secret
     - API Hostname
   - Credential Expiry — (Optional) Enter the expiration date if the credentials have an expiry date.
7. Click Test and Submit Credentials.
After your Concierge Security® Team (CST) enables security monitoring for this account, the connected account status changes to Healthy.
Test CrowdStrike containment
After you configure CrowdStrike Falcon containment and provide credentials to Arctic Wolf, you should test the containment and containment lifting procedures with your CST.
Before you begin
- Schedule a call with your CST for containment testing.
Generate a test observation
Note: Generate the test observation at least one hour before the call.
On the Windows host you want to use for the test, open a command prompt and enter these commands. The first confirms that the Falcon sensor service (csagent) is installed and running; the second runs the command line that the Falcon sensor recognizes as its sample detection, and Y answers the confirmation prompt it shows:
sc query csagent
choice /m crowdstrike_sample_detection
Y
For more information, see https://www.crowdstrike.com/blog/tech-center/generate-your-first-detection/ in the CrowdStrike documentation.
Next steps
Note: Turn off your auto-mitigation policy before the call because Arctic Wolf can’t contain a host if the relevant application already addressed the possible threat.
During the scheduled call, your CST:
1. Promotes the test observation to an incident, making it eligible for containment.
2. Contains the affected host to make sure that the containment works as expected.
3. Resolves any issues that may arise, such as misconfigured containment permissions.
4. Lifts containment from the host.