CrowdStrike Falcon Containment

Configuration Guide

Updated Feb 14, 2023

CrowdStrike Falcon containment

Arctic Wolf® uses the CrowdStrike Falcon API to monitor CrowdStrike logs and alert you about suspicious or malicious activity. When required, the Active Response service can then contain hosts within your network using CrowdStrike Falcon containment.

Note: The CrowdStrike Containment integration is separate from the CrowdStrike Endpoint Detection and Response (EDR) integration. Complete these steps only if you want Arctic Wolf to be able to contain your endpoints. For information on EDR configuration, see Configuring CrowdStrike Falcon Credentials.

To implement this functionality, you must:

  • Create an API client in CrowdStrike Falcon with Read and Write access to the Hosts scope.
  • Provide the API client credentials to Arctic Wolf through the Arctic Wolf Portal.

API Client Secret limitations

The API Client Secret is only displayed once, at the time the API client is created. If the secret is lost before it is submitted to Arctic Wolf, you must create a new API client to obtain a new API Client Secret. Delete the client whose secret was lost, so that an unused credential is not left active in your tenant.

Requirements

Create the API client

Note: Do not reuse the API credentials from your CrowdStrike EDR configuration. That client carries different permissions; containment needs a dedicated client whose only scope is Hosts.

  1. Sign in to the CrowdStrike Falcon UI.

  2. Select the Support tab and click API Clients and Keys.

  3. Click Add new API client.

  4. Follow the CrowdStrike documentation to create a new API client.

    Tip: All CrowdStrike documentation is accessible within the CrowdStrike Falcon UI.

  5. When selecting the scopes for the API client, select Read and Write access for the Hosts scope. No other scopes are required for containment; leave them unselected.

  6. Make note of these values:

    • API Hostname
    • API Client UUID
    • API Client Secret

    Note: The API Client Secret is only available to view when you create the client.

  7. Proceed to Provide credentials to Arctic Wolf.
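Before handing the three values to Arctic Wolf, it is worth confirming that they actually work and that the Hosts scope was granted, because a client with a mistyped hostname or a missing scope will only surface as a Connection Pending entry that never connects. The following pre-flight check is an added example and is not Arctic Wolf's or CrowdStrike's own code. It assumes the Falcon OAuth2 token endpoint is POST https://<API Hostname>/oauth2/token with client_id and client_secret as form fields, that Hosts Read covers GET /devices/queries/devices/v1, that Hosts Write covers POST /devices/entities/devices-actions/v2 with action_name=contain or lift_containment, and that a call outside the client's scopes is answered with HTTP 403. The transport is injectable, so the script runs offline against constructed sample responses (canned_transport) and against a live tenant with urllib_transport.

```python
"""Pre-flight check for a Falcon API client intended for containment (added example)."""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# A transport is (method, url, headers, body) -> (http_status, response_bytes).
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]

class ScopeError(PermissionError):
    """Falcon answered 403: the API client lacks the scope needed for that call (assumption)."""

def urllib_transport(method: str, url: str, headers: Dict[str, str], body: Optional[bytes]) -> Tuple[int, bytes]:
    """Live transport for running the check against your own tenant."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=20) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()

def base_url(api_hostname: str) -> str:
    """The Falcon UI shows the API Hostname as e.g. 'api.us-2.crowdstrike.com'; normalise to an origin."""
    host = api_hostname.strip()
    if host.startswith("https://"):
        host = host[len("https://"):]
    return "https://" + host.rstrip("/")

def _falcon(transport: Transport, url: str, token: str, method: str = "GET", payload=None) -> dict:
    """Authenticated Falcon call; maps 403 to ScopeError, other 4xx/5xx to RuntimeError."""
    headers = {"Accept": "application/json", "Authorization": "Bearer " + token}
    body = None
    if payload is not None:
        headers["Content-Type"] = "application/json"
        body = json.dumps(payload).encode()
    status, raw = transport(method, url, headers, body)
    if status == 403:
        raise ScopeError(f"{method} {url}: HTTP 403, API client lacks the required Hosts scope")
    if status >= 400:
        raise RuntimeError(f"{method} {url}: HTTP {status}: {raw[:200]!r}")
    return json.loads(raw) if raw else {}

def get_token(transport: Transport, api_hostname: str, client_id: str, client_secret: str) -> str:
    """OAuth2 client-credentials exchange. The secret is sent here and nowhere else; never log it."""
    form = urllib.parse.urlencode({"client_id": client_id, "client_secret": client_secret}).encode()
    headers = {"Accept": "application/json", "Content-Type": "application/x-www-form-urlencoded"}
    status, raw = transport("POST", base_url(api_hostname) + "/oauth2/token", headers, form)
    if status not in (200, 201):
        raise RuntimeError(f"token request failed: HTTP {status} (wrong UUID/secret or wrong API Hostname?)")
    return json.loads(raw)["access_token"]

def query_hosts(transport: Transport, api_hostname: str, token: str, limit: int = 1) -> List[str]:
    """Hosts Read. Returns agent IDs (AIDs); a ScopeError here means Read was not granted."""
    url = base_url(api_hostname) + "/devices/queries/devices/v1?" + urllib.parse.urlencode({"limit": limit})
    return _falcon(transport, url, token).get("resources", [])

def contain_hosts(transport: Transport, api_hostname: str, token: str, aids: List[str], lift: bool = False):
    """Hosts Write: network-contain (or lift containment on) the given AIDs. Returns (done, errors)."""
    action = "lift_containment" if lift else "contain"
    url = base_url(api_hostname) + "/devices/entities/devices-actions/v2?action_name=" + action
    resp = _falcon(transport, url, token, method="POST", payload={"ids": list(aids)})
    return resp.get("resources", []), resp.get("errors", [])

def preflight(transport: Transport, api_hostname: str, client_id: str, client_secret: str) -> Dict[str, object]:
    """Token issued? Hosts Read granted? Hosts Write can only be proven by a real contain/lift on a test host."""
    result: Dict[str, object] = {"token_ok": False, "hosts_read": False, "sample_aid": None}
    token = get_token(transport, api_hostname, client_id, client_secret)
    result["token_ok"] = True
    try:
        aids = query_hosts(transport, api_hostname, token, limit=1)
        result["hosts_read"] = True
        result["sample_aid"] = aids[0] if aids else None
    except ScopeError:
        pass
    return result

def canned_transport(scopes=("hosts:read", "hosts:write")) -> Transport:
    """Constructed stand-in for a Falcon tenant (sample data, not captured traffic) for offline runs."""
    def transport(method, url, headers, body):
        path = urllib.parse.urlsplit(url).path
        if path == "/oauth2/token":
            fields = urllib.parse.parse_qs((body or b"").decode())
            if fields.get("client_secret") != ["s3cr3t"]:
                return 403, b'{"errors":[{"code":403,"message":"access denied"}]}'
            return 201, b'{"access_token":"tok.example","expires_in":1799,"token_type":"bearer"}'
        if headers.get("Authorization") != "Bearer tok.example":
            return 401, b"{}"
        if path == "/devices/queries/devices/v1":
            return (200, b'{"resources":["0123456789abcdef0123456789abcdef"],"errors":[]}') if "hosts:read" in scopes else (403, b"{}")
        if path == "/devices/entities/devices-actions/v2":
            if "hosts:write" not in scopes:
                return 403, b"{}"
            ids = json.loads(body)["ids"]
            return 202, json.dumps({"resources": [{"id": i} for i in ids], "errors": []}).encode()
        return 404, b"{}"
    return transport

if __name__ == "__main__":
    # Offline demonstration; swap canned_transport() for urllib_transport and your real values to test a tenant.
    print(preflight(canned_transport(), "api.us-2.crowdstrike.com", "00000000-0000-0000-0000-000000000000", "s3cr3t"))
```

Run it with the live transport once, against the hostname, UUID and secret you just noted; if token_ok is False the hostname or secret is wrong, and if hosts_read is False the Hosts scope was not granted. Do not contain anything from the check itself: if you want to prove the Write half, run contain_hosts followed by contain_hosts(..., lift=True) against a single test host you own.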

Provide credentials to Arctic Wolf

  1. Sign in to the Arctic Wolf Portal.

  2. Select Connected Accounts in the banner menu to open the Connected Accounts page.

    Connected Accounts menu

  3. Select +Add Account to open the Add Account form.

  4. Select Cloud Detection and Response as the Account Type.

  5. Select CrowdStrike Containment from the list of cloud services.

    1. Enter a descriptive name for the credentials.

    2. Paste the values you noted in step 6 of Create the API client:

      • API Client UUID
      • API Client Secret
      • API Hostname

  6. Select Submit to CST.

  7. When prompted with the confirmation message, review your submission, and then select Done. You are returned to the Connected Accounts page.

  8. Verify that the newly-submitted credential entry appears in the cloud services list with the status Connection Pending.

After your Concierge Security® Team provisions security monitoring for your account, the status of your credentials changes to Connected.

Note: All third-party API integrations that are part of the Arctic Wolf® Managed Detection and Response (MDR) offering are designed with a polling frequency of approximately 15 minutes. Time-based events are polled with a 5-to-40-minute delay to ensure data availability within the third-party API endpoint. For new deployments, after the API integration is successfully configured with the necessary credentials, we begin polling and reviewing activity from approximately 1 hour prior to configuration success.

If the credentials stop working, for example because the secret was revoked or the API client was deleted, we notify you and request a new set of API credentials. After a polling failure, we cannot perform actions such as containment until the updated credentials are provided.