CrowdStrike Falcon Containment
Arctic Wolf® uses the CrowdStrike Falcon API to monitor CrowdStrike logs and alert you about suspicious or malicious activity. When required, the Active Response service can then contain hosts within your network using CrowdStrike Falcon containment.
Note: CrowdStrike Containment integration is different from CrowdStrike Endpoint Detection and Response (EDR) integration. You only need to complete these steps if you want Arctic Wolf to be able to contain your endpoints. For more information on EDR configuration, see Configuring CrowdStrike Falcon Credentials.
To implement this functionality, you must:
- Define your containment policy with your Concierge Security® Team representative.
- Provide the following to Arctic Wolf:
  - API Client UUID
  - API Client Secret
  - API Hostname
API Client Secret limitations
The API Client Secret is only available to view during the API client creation. If this information is lost before it is submitted to Arctic Wolf, you must create a new client to get a new API Client Secret.
Requirements
- Falcon Administrator role for the CrowdStrike Falcon environment that you want Arctic Wolf to monitor.
- Enterprise, Premium, or Complete CrowdStrike Falcon license.
Notes:
- Although we support containment actions on Falcon Complete, you should confirm the terms of your CrowdStrike agreements to ensure that third-party containment actions are permitted.
- CrowdStrike Falcon Home, GovCloud, and Pro licenses are not supported.
Create the API client
Note: Do not reuse API credentials from CrowdStrike EDR configuration, since they have different permissions.
1. Sign in to the CrowdStrike Falcon UI.
2. Select the Support tab and click API Clients and Keys.
3. Click Add new API clients.
4. Follow the CrowdStrike documentation to create a new API client.
   Tip: All CrowdStrike documentation is accessible within the CrowdStrike Falcon UI.
5. When selecting the scopes for the API client, select Read and Write access for the Hosts scopes.
6. Make note of these values:
   - API Hostname
   - API Client UUID
   - API Client Secret
   Note: The API Client Secret is only available to view when you create the client.
7. Proceed to Provide credentials to Arctic Wolf.
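Before handing the three values to Arctic Wolf, it is worth confirming that they actually work and that the client carries the Hosts read scope, since the secret cannot be viewed again and a misconfigured client only surfaces later as a polling failure. The following pre-flight check is an added example, not Arctic Wolf or CrowdStrike code. It assumes the public Falcon API endpoints `POST /oauth2/token` (client ID and secret as form fields) and `GET /devices/queries/devices/v1`, which only succeeds when the token has Hosts read access; the `make_fake_transport` stand-in and the placeholder client ID and secret are constructed so the check can be exercised offline.

```python
"""Pre-flight check for a CrowdStrike Falcon API client before it is submitted
to Arctic Wolf. Added example; not Arctic Wolf or CrowdStrike code. Assumes
the Falcon endpoints POST /oauth2/token and GET /devices/queries/devices/v1.
The fake transport and placeholder credentials below are constructed."""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Optional, Tuple

# Transport signature: (method, url, headers, body) -> (status, response body).
# Injected so the check can run offline against a fake Falcon API.
Transport = Callable[[str, str, dict, Optional[bytes]], Tuple[int, bytes]]

# Constructed placeholders; a real client UUID/secret comes from the Falcon UI.
FAKE_CLIENT_ID = "00000000-0000-4000-8000-000000000000"
FAKE_SECRET = "constructed-secret-not-real"


def normalize_hostname(api_hostname: str) -> str:
    """Accept 'api.crowdstrike.com' or 'https://api.crowdstrike.com/' and
    return a clean HTTPS base URL. Plain http is rejected: the client secret
    travels in the token request body and must never cross the wire in clear."""
    host = api_hostname.strip().rstrip("/")
    if host.startswith("http://"):
        raise ValueError("API hostname must use https")
    if not host.startswith("https://"):
        host = "https://" + host
    return host


def urllib_transport(method, url, headers, body):
    """Real transport using the standard library; used when not testing offline."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def get_token(base: str, client_id: str, client_secret: str, send: Transport) -> Optional[str]:
    """Exchange the client ID/secret for a short-lived bearer token (Falcon answers 201)."""
    form = urllib.parse.urlencode({"client_id": client_id, "client_secret": client_secret}).encode()
    status, data = send("POST", base + "/oauth2/token",
                        {"Content-Type": "application/x-www-form-urlencoded",
                         "Accept": "application/json"}, form)
    if status not in (200, 201):
        return None          # wrong secret, wrong hostname, or client disabled
    return json.loads(data).get("access_token")


def check_credentials(api_hostname: str, client_id: str, client_secret: str,
                      send: Transport = urllib_transport) -> dict:
    """Return which stages passed. The secret is used only for the token call
    and is never placed in the result, so the dict is safe to log."""
    base = normalize_hostname(api_hostname)
    result = {"hostname": base, "token_ok": False, "hosts_read_ok": False}
    token = get_token(base, client_id, client_secret, send)
    if not token:
        return result
    result["token_ok"] = True
    # A 403 here means the token is valid but the Hosts read scope was not granted.
    status, _ = send("GET", base + "/devices/queries/devices/v1?limit=1",
                     {"Authorization": "Bearer " + token, "Accept": "application/json"}, None)
    result["hosts_read_ok"] = status == 200
    return result


def make_fake_transport(hosts_scope_granted: bool) -> Transport:
    """Constructed stand-in for the Falcon API so the check runs offline."""
    def fake_send(method, url, headers, body):
        if url.endswith("/oauth2/token") and method == "POST":
            form = urllib.parse.parse_qs(body.decode())
            if form.get("client_id") == [FAKE_CLIENT_ID] and form.get("client_secret") == [FAKE_SECRET]:
                return 201, json.dumps({"access_token": "fake-token", "expires_in": 1799}).encode()
            return 403, json.dumps({"errors": [{"code": 403, "message": "access denied"}]}).encode()
        if "/devices/queries/devices/v1" in url and method == "GET":
            if headers.get("Authorization") != "Bearer fake-token":
                return 401, b"{}"
            return (200, json.dumps({"resources": []}).encode()) if hosts_scope_granted else (403, b"{}")
        return 404, b"{}"
    return fake_send


if __name__ == "__main__":
    # Offline demonstration; swap in urllib_transport (the default) for a live check.
    print(check_credentials("api.crowdstrike.com", FAKE_CLIENT_ID, FAKE_SECRET, make_fake_transport(True)))
```

Run it with the real values (and the default transport) on the machine where you created the client; if `hosts_read_ok` is false, revisit step 5 and grant Read and Write on the Hosts scopes before submitting. Because the secret cannot be retrieved later, do this check before closing the Falcon client-creation dialog.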
Provide credentials to Arctic Wolf
1. Sign in to the Arctic Wolf Portal.
2. Select Connected Accounts in the banner menu to open the Connected Accounts page.
3. Select +Add Account to open the Add Account form.
4. Select Cloud Detection and Response as the Account Type.
5. Select CrowdStrike Containment from the list of cloud services.
6. Enter a descriptive name for the credentials.
7. Paste these values from step 4 of Create the API client:
   - API Client UUID
   - API Client Secret
   - API Hostname
8. Select Submit to CST.
9. When prompted with the confirmation message, review your submission, and then select Done. You are returned to the Connected Accounts page.
10. Verify that the newly submitted credential entry appears in the cloud services list with the status Connection Pending.
After your Concierge Security® Team provisions security monitoring for your account, the status of your credentials changes to Connected.
Note: All third-party API integrations that are part of the Arctic Wolf® Managed Detection and Response (MDR) offering are designed with a polling frequency of approximately 15 minutes. Time-based events are polled with a 5-to-40-minute delay to ensure data availability within the third-party API endpoint. For new deployments, after the API integration is successfully configured with the necessary credentials, we begin polling and reviewing activity from approximately 1 hour prior to configuration success.
If the credentials fail, for example because they have expired, we notify you and request a new set of API credentials. After a polling failure, we cannot perform actions such as containment until the updated credentials are provided.