Configuring CrowdStrike Falcon Credentials

Configuration Guide

Overview

This document describes how to retrieve the credentials that Arctic Wolf® needs to monitor security information using the CrowdStrike Falcon API. After you complete this configuration, Arctic Wolf can monitor logs from your CrowdStrike Falcon environment.

As part of this configuration, you must provide the following information for your CrowdStrike Falcon API to Arctic Wolf using the Arctic Wolf Portal:

Note: The API Client Secret is only available to view during the API client creation. If this information is lost before it is submitted to Arctic Wolf on the Arctic Wolf Portal, you must create a new client to get a new API Client Secret.

Before you begin

This process requires:

Creating the API client

To create the API client:

  1. Sign in to the CrowdStrike Falcon UI.

  2. Select the Support tab and click API Clients and Keys.

  3. Click Add new API clients.

  4. Follow the CrowdStrike documentation to create a new API client.

    Tip: All CrowdStrike documentation is accessible within the CrowdStrike Falcon UI.

  5. When selecting the scopes for the API client, select Read access for all scopes.

  6. Make note of these values:

    • API Hostname
    • API Client UUID
    • API Client Secret - This value is only available to view when you create the client.

    Note: You need to provide these values to Arctic Wolf as part of Providing credentials to Arctic Wolf.

Providing credentials to Arctic Wolf

To provide your CrowdStrike Falcon API details to Arctic Wolf on the Arctic Wolf Portal:

  1. Sign in to the Arctic Wolf Portal.

  2. Select Connected Accounts in the banner menu to open the Connected Accounts page.

    Connected Accounts menu

  3. Select + Add Account to open the Add Account form.

  4. Select Cloud Threat Detection as the Account Type.

  5. Select CrowdStrike from the list of cloud services.

    1. Enter a descriptive name for the credentials.
    2. Paste these values from step 4 of Creating the API client:
      • API Hostname
      • API Client UUID
      • API Client Secret
  6. Click Submit to CST.

  7. When prompted with the confirmation message, review your submission and then click Done. This returns you to the Connected Accounts page.

  8. Verify that the newly-submitted credential entry appears in the cloud services list with the status Connection Pending.

After your Concierge Security® Team (CST) provisions security monitoring for your CrowdStrike Falcon environment, the status of your CrowdStrike Falcon credentials changes to Connected.

All third-party API integrations that are part of the Arctic Wolf® Managed Detection and Response (MDR) offering are designed with a polling frequency of approximately 15 minutes. Time-based events are polled with a 5-to-40-minute delay to ensure data availability within the third-party API endpoint. For new deployments, after the API integration is successfully configured with the necessary credentials, we begin polling and reviewing activity from approximately 1 hour prior to configuration success.

If credentials fail, for example due to expired credentials, we notify you and request a new set of API credentials. After a polling failure, we only replay data for a period of 12 hours starting from when the refreshed credentials are provided.