CrowdStrike Falcon Containment

Updated Sep 27, 2023

Configure CrowdStrike Falcon containment

Arctic Wolf® uses the CrowdStrike Falcon® API to monitor CrowdStrike Falcon logs and alert you about suspicious or malicious activity. When required, the Active Response service can then contain hosts in your network using CrowdStrike Falcon containment.

Note: The CrowdStrike Falcon containment integration is different from the CrowdStrike Falcon Endpoint Detection and Response (EDR) integration. You only need to complete these steps if you want Arctic Wolf to contain your endpoints using CrowdStrike Falcon. For more information on the EDR configuration, see Configure CrowdStrike Falcon Monitoring.

To implement this functionality, you must:

Steps

  1. Create the API client.
  2. Provide credentials to Arctic Wolf.

Step 1: Create the API client

Notes:

  • Do not reuse API credentials from the CrowdStrike Falcon EDR configuration, since they have different permissions.
  • The API Client Secret is only available to view during API client creation. If this information is lost before you submit it to Arctic Wolf, you must create a new client to get a new API Client Secret.

  1. Sign in to the CrowdStrike Falcon UI.

  2. Click the Support tab, and then click API Clients and Keys.

  3. Click Add new API clients.

  4. Follow the CrowdStrike Falcon documentation to create a new API client.

    Tip: All CrowdStrike Falcon documentation is accessible in the CrowdStrike Falcon UI.

  5. When selecting the scopes for the API client, select Read and Write access for the Hosts scopes.

  6. Note these values:

    • API Hostname
    • API Client UUID
    • API Client Secret
  7. Proceed to Provide credentials to Arctic Wolf.
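Before handing the values from step 6 to Arctic Wolf, it is worth confirming that the client authenticates and actually carries the Hosts read scope, since a client with the wrong scopes fails only once containment is attempted. The following Python script is an added example, not code from Arctic Wolf or CrowdStrike; it assumes the CrowdStrike Falcon OAuth2 token endpoint and Hosts query endpoint as publicly documented, and takes the API Hostname, Client ID and Client Secret noted in step 6.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request

# Endpoint paths follow CrowdStrike's public Falcon API documentation and are this
# example's assumption, not something the Arctic Wolf page states. The host is the
# "API Hostname" noted in Step 1 (for example api.crowdstrike.com).
TOKEN_PATH = "/oauth2/token"
HOSTS_READ_PROBE = "/devices/queries/devices/v1?limit=1"  # requires Hosts: Read


def http_send(req):
    """Live transport: returns (HTTP status, body bytes), including error replies."""
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def get_token(api_hostname, client_id, client_secret, send=http_send):
    """OAuth2 client-credentials grant; returns the bearer token or None on failure."""
    form = urllib.parse.urlencode({"client_id": client_id, "client_secret": client_secret})
    req = urllib.request.Request(
        f"https://{api_hostname}{TOKEN_PATH}", data=form.encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    status, body = send(req)
    if status not in (200, 201):  # Falcon answers 201 Created on success
        return None
    return json.loads(body).get("access_token")


def preflight(api_hostname, client_id, client_secret, send=http_send):
    """Check what Arctic Wolf needs: a working secret and the Hosts scope.
    Hosts: Write is not probed here, since exercising it means containing a host;
    that is what the containment test with the CST is for."""
    token = get_token(api_hostname, client_id, client_secret, send)
    if token is None:
        return {"credentials_ok": False, "hosts_read": False}
    req = urllib.request.Request(f"https://{api_hostname}{HOSTS_READ_PROBE}",
                                 headers={"Authorization": f"Bearer {token}"})
    status, _ = send(req)
    # 200 means the scope is granted; a client lacking Hosts: Read gets 403
    return {"credentials_ok": True, "hosts_read": status == 200}


if __name__ == "__main__":  # live run: set FALCON_API_HOSTNAME/CLIENT_ID/CLIENT_SECRET
    print(preflight(os.environ["FALCON_API_HOSTNAME"], os.environ["FALCON_CLIENT_ID"],
                    os.environ["FALCON_CLIENT_SECRET"]))
```

The `send` parameter exists so the logic can be exercised against canned responses without contacting the API; in live use leave it at its default.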

Step 2: Provide credentials to Arctic Wolf

Note: If API credentials fail, for example, due to expired credentials, Arctic Wolf will notify you and request a new set of credentials. After a polling failure, Arctic Wolf cannot perform actions such as containment until the updated credentials are provided.

  1. Sign in to the Arctic Wolf Unified Portal.

  2. In the menu bar, click Telemetry Management > Connected Accounts.

  3. Click Add Account +.

  4. On the Add Account page, from the Account Type list, select Cloud Detection and Response.

  5. From the list of cloud services, select CrowdStrike Containment.

  6. On the Add Account page, complete these steps:

    1. Account Name — Enter a unique and descriptive name for the account.
    2. For each of these fields, paste the appropriate value from Create the API client:
      • Client ID
      • Client Secret
      • API Hostname
    3. Credential Expiry — (Optional) Enter the expiration date if the credentials have an expiry date.
  7. Click Test and Submit Credentials.

    After your Concierge Security® Team (CST) enables security monitoring for this account, the connected account status changes to Healthy.

Test CrowdStrike containment

After you configure CrowdStrike Falcon containment and provide credentials to Arctic Wolf, you should test the containment and containment lifting procedures with your CST.

Generate a test observation

Note: Generate the test observation at least one hour before the call.

In a command prompt, enter these commands. The first confirms that the Falcon sensor service (csagent) is running; the second runs the command line that CrowdStrike recognizes as its sample detection, and Y answers the confirmation prompt it displays:

sc query csagent
choice /m crowdstrike_sample_detection
Y

For more information, see https://www.crowdstrike.com/blog/tech-center/generate-your-first-detection/ in the CrowdStrike documentation.

Next steps

Note: Turn off your auto-mitigation policy before the call because Arctic Wolf can’t contain a host if the relevant application already addressed the possible threat.

During the scheduled call, your CST: