CrowdStrike Falcon Monitoring
Updated Sep 27, 2023
Configure CrowdStrike Falcon monitoring
This document describes how to retrieve the credentials that Arctic Wolf® needs to monitor security information using the CrowdStrike Falcon® API. After you complete this configuration, Arctic Wolf can monitor logs from your CrowdStrike Falcon environment.
As part of this configuration, you must provide this information for your CrowdStrike Falcon API to Arctic Wolf:
- API Client UUID
- API Client Secret
- API Hostname
Before you begin
This process requires:
- Using the Falcon Administrator role for the CrowdStrike Falcon environment that you want Arctic Wolf to monitor.
- An Enterprise, Premium, or Complete CrowdStrike Falcon license.
Note: CrowdStrike Falcon Home and Pro licenses are not supported.
Create the API client
- Sign in to the CrowdStrike Falcon UI.
- Click the Support tab, and then click API Clients and Keys.
- Click Add new API clients.
- Follow the CrowdStrike Falcon documentation to create a new API client.
Tip: All CrowdStrike Falcon documentation is accessible within the CrowdStrike Falcon UI.
- When selecting the scopes for the API client, select Read access for all scopes.
- Note these values, to provide to Arctic Wolf as part of Provide credentials to Arctic Wolf:
  - API Hostname
  - API Client UUID
  - API Client Secret
Note: The API Client Secret is only available to view during the API client creation. If this information is lost before you submit it to Arctic Wolf, you must create a new client to get a new API Client Secret.
- Proceed to Provide credentials to Arctic Wolf.
Provide credentials to Arctic Wolf
Note: If API credentials fail, for example, due to expired credentials, Arctic Wolf will notify you and request a new set of credentials. After receiving refreshed credentials, Arctic Wolf can only retrieve data from the previous 12 hours. Provide refreshed credentials within 12 hours of expiry to ensure complete data polling and coverage. See MDR polling frequency for more information.
- Sign in to the Arctic Wolf Unified Portal.
- In the menu bar, click Telemetry Management > Connected Accounts.
- Click Add Account +.
- On the Add Account page, from the Account Type list, select Cloud Detection and Response.
- From the list of cloud services, select CrowdStrike.
- On the Add Account page, complete these steps:
  - Account Name — Enter a unique and descriptive name for the account.
  - For each of these fields, paste the appropriate value from Create the API client:
    - Client ID
    - Client Secret
    - API Hostname
  - Credential Expiry — (Optional) Enter the expiration date if the credentials have an expiry date.
- Click Test and Submit Credentials.
After your Concierge Security® Team (CST) enables security monitoring for this account, the connected account status changes to Healthy.
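A pre-flight check for the values collected in Create the API client, and for the 12-hour refresh window described in the note at the start of Provide credentials to Arctic Wolf. This is an added example, not Arctic Wolf's or CrowdStrike's code. It assumes the documented Falcon OAuth2 token endpoint (POST /oauth2/token on the API Hostname, with form-encoded client_id and client_secret); every hostname, UUID and secret in it is a constructed placeholder, and the token it receives is discarded rather than stored.

```python
"""Check a Falcon API client before handing its credentials to Arctic Wolf.

Added example for this page; not Arctic Wolf's or CrowdStrike's code.
Assumptions: the Falcon OAuth2 token endpoint is POST <API Hostname>/oauth2/token
with a form-encoded client_id/client_secret body (the documented Falcon OAuth2
client-credentials flow). Hostnames, UUIDs and secrets below are constructed
placeholders.
"""
import json
import os
import urllib.error
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

TOKEN_PATH = "/oauth2/token"
# Arctic Wolf can only back-fill the previous 12 hours once refreshed credentials arrive.
REFRESH_WINDOW = timedelta(hours=12)


def normalize_hostname(api_hostname: str) -> str:
    """Accept 'api.crowdstrike.com' or 'https://api.crowdstrike.com/' and return an https base URL."""
    host = api_hostname.strip().rstrip("/")
    if not host.startswith("https://"):
        host = "https://" + host.removeprefix("http://")
    return host


def build_token_request(api_hostname: str, client_id: str, client_secret: str) -> urllib.request.Request:
    """Build the client-credentials request; the secret travels only in the POST body, never the URL."""
    body = urllib.parse.urlencode({"client_id": client_id, "client_secret": client_secret}).encode()
    return urllib.request.Request(
        normalize_hostname(api_hostname) + TOKEN_PATH,
        data=body,
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"},
    )


def parse_token_response(status: int, body: bytes) -> dict:
    """Reduce a token response to a pass/fail verdict; the access token itself is not retained."""
    if status not in (200, 201):
        return {"ok": False, "reason": f"HTTP {status}"}
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return {"ok": False, "reason": "non-JSON response"}
    if "access_token" not in payload:
        return {"ok": False, "reason": "no access_token in response"}
    return {
        "ok": True,
        "token_type": payload.get("token_type", "bearer"),
        "expires_in": int(payload.get("expires_in", 0)),
    }


def validate_credentials(api_hostname: str, client_id: str, client_secret: str, timeout: int = 15) -> dict:
    """Live check: exchange the client UUID/secret for a token on the given API Hostname."""
    req = build_token_request(api_hostname, client_id, client_secret)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return parse_token_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        # 401/403 here means the UUID/secret pair, or the hostname (cloud region), is wrong
        return parse_token_response(err.code, err.read())
    except urllib.error.URLError as err:
        return {"ok": False, "reason": f"cannot reach {req.full_url}: {err.reason}"}


def refresh_deadline(credential_expiry: datetime) -> datetime:
    """Latest moment refreshed credentials can arrive with no data gap: expiry plus the 12 h back-fill."""
    return credential_expiry + REFRESH_WINDOW


def coverage_gap(credential_expiry: datetime, refreshed_at: datetime) -> timedelta:
    """Telemetry lost if refreshed credentials arrive after the deadline (zero otherwise)."""
    return max(timedelta(0), refreshed_at - refresh_deadline(credential_expiry))


if __name__ == "__main__":
    # Placeholder values; read from the environment so the secret never lands in a shell history.
    result = validate_credentials(
        os.environ.get("FALCON_API_HOSTNAME", "api.crowdstrike.com"),
        os.environ.get("FALCON_CLIENT_ID", "00000000-0000-0000-0000-000000000000"),
        os.environ.get("FALCON_CLIENT_SECRET", "placeholder-secret"),
    )
    print("credentials OK" if result["ok"] else f"credentials FAILED: {result['reason']}")
    # Worked expiry check with a constructed date: refreshing 20 h after expiry loses 8 h of data.
    expiry = datetime(2023, 9, 27, tzinfo=timezone.utc)
    print("gap:", coverage_gap(expiry, expiry + timedelta(hours=20)))
```

Run it with FALCON_API_HOSTNAME, FALCON_CLIENT_ID and FALCON_CLIENT_SECRET set to the values noted during API client creation; a non-OK result before you click Test and Submit Credentials usually means a mistyped secret or an API Hostname from the wrong Falcon cloud. When you set an expiry date on the client, record refresh_deadline(expiry) in your rotation calendar so the replacement credentials reach Arctic Wolf inside the 12-hour window.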
MDR polling frequency
Arctic Wolf® Managed Detection and Response (MDR) polls third-party API integrations at regular intervals. Time-based events are polled with a delay to make sure data is available within the third-party API endpoint. For new deployments, after the API integration is successfully configured with the necessary credentials, Arctic Wolf begins polling and reviewing activity from approximately 1 hour prior to configuration success.
Next steps
After configuring Arctic Wolf monitoring of your CrowdStrike Falcon environment, you can optionally configure CrowdStrike Falcon to contain possibly compromised hosts. For instructions, see CrowdStrike Falcon Containment.