Step 1: Enable console access

Having read-only access to the interface of your technology allows Expel to dig deeper when performing incident investigations. Our device health team uses this access to investigate potential health issues with your tech.

Expel is a CrowdStrike Certified Managed Security Provider partner. To allow the Expel partner console access to your console, do the following:

1. Print, complete, and sign the CrowdStrike MSP Authorization Form. This form can be provided by the Expel Solutions Architect, Engagement Manager or Customer Success Engineer.
2. Attach the completed form in an email to Falcon Complete Support. An Expel Customer Success Engineer can help and can provide a template to send to Falcon Complete Support.

To integrate the technology with Expel, we need to create secure credentials to the API.

Step 2: Enabling the OAuth2 API

To enable the OAuth2 API, follow the steps below:

1. After logged into the Falcon UI, navigate to Support > API Clients and Keys.
2. If API Clients and Keys doesn't appear in your Falcon UI, we need to reach out to Falcon Support to get it enabled for the integration. An Expel Customer Success Engineer can help you with this.
3. Select Add new API Client.
4. Type Expel as the Client Name.
5. Type Expel API Access as the Description.
6. Select Read for Detections.
7. Click Save.
8. Make a record of your Client, Client Secret and Base URL for the API.
   
9. Go to Step 3 to enter these credentials into Workbench.

Step 3: Configure the technology in Workbench

Now that we have all the correct access configured and have noted the credentials, we can integrate CrowdStrike Falcon Complete with Expel.

Register device in Expel Workbench

1. Login to https://workbench.expel.io.
2. On the console page, navigate to Settings > Security Devices.
3. At the top right of the page, select Add Security Device.
   
4. Search for and select CrowdStrike Falcon (Not Data Replicator!). 
   
5. For Name type the hostname of the device.
6. For Location type the geographic location of the appliance.
7. After typing the name and location, complete the remaining fields using the credentials and information you collected in Step 2 above.
   
8. API Username and API Key can be left blank.
9. Type OAuth2 Client ID from Step 2 in Client ID.
10. Type OAuth2 Secret from Step 2 in Client secret.
11. Mark in console is left blank because the API access being read-only.
12. Enter the Base URL from Step 2 in Crowdstrike API access.
13. Click Save.

After a few minutes, refresh the Security Devices page and you see your device status reporting as Healthy, or if there is an issue, you see details of what the issue may be.

To check if alerts are coming through, navigate to Alerts on the console page. Click the icon in the upper right to switch to grid view, then check the list for device alerts.