1. Expel Support Center
  2. Connect your technology
  3. Endpoint integrations

CrowdStrike Falcon Complete setup for Workbench

  • Updated

This guide is specific to the CrowdStrike Falcon Complete service. For CrowdStrike Falcon, use the CrowdStrike Falcon article instead.

In this article

Before you start

If you plan to enroll in the Expel Hunting service, your organization requires a Falcon Data Replicator subscription.

About console permissions in your devices

As you connect your devices to Workbench, you provide Workbench access to those devices through permissions in the devices. These permissions vary from 1 device technology to another, but we typically need at least Read access to your devices to pull in any logs from those devices into Workbench.

Without minimum permissions to your devices, the SOC analysts are limited in their insight into your technology. This can mean they surface more benign alerts to your team for further investigation, resulting in increasing the workload for your team, and resulting in alert fatigue.

If you grant Read access to your devices, we can investigate the device and the logs more deeply and surface relevant alerts to you in Workbench. Allowing Expel visibility into the console of your security devices helps our SOC analysts make better decisions on whether an alert is benign or malicious. It also allows our SOC analysts to perform health checks to make sure Workbench is not missing alerts from your security devices. Depending on what your organization purchased from Expel, the SOC analysts may even be able to contain and/or remediate the issues on your behalf.

Ultimately, the more permissions you can grant Workbench, the better and faster the SOC analysts can find and investigate alerts in your environment.

Step 1: Enable console access

Having read-only access to the interface of your technology allows Expel to dig deeper during incident investigations. Our device health team uses this access to investigate potential health issues with your tech.

Note

Expel secures all login information our SOC analysts need about your devices in a MFA password product. Access to this login information is protected using our internal MFA processes. To learn more about the IP addresses all Expel traffic comes from, go here.

Expel is a CrowdStrike Certified Managed Security Provider partner. To allow the Expel partner console access to your console, do the following:

  1. Print, complete, and sign the CrowdStrike MSP Authorization Form. This form can be provided by the Expel customer success engineer.

  2. Attach the completed form in an email to CrowdStrike Falcon Complete Support. An Expel customer success engineer can help and can provide a template to send to CrowdStrike Falcon Complete Support.

To integrate the technology with Expel, we need to create secure credentials to the API.

Step 2: Enabling the OAuth2 API

To enable the OAuth2 API, follow the steps below:

  1. After you log into the Falcon UI, navigate to Support > API Clients and Keys.

  2. If API Clients and Keys doesn't appear in your CrowdStrike Falcon Complete UI, you need to reach out to CrowdStrike Falcon Complete Support to get it enabled for the integration. An Expel customer success engineer can help you with this.

  3. Select Add new API Client.

  4. Type Expel as the Client Name.

  5. Type Expel API Access as the Description.

  6. Select the following permissions. Bold is required. The more permissions you allow, the better the SOC analysts can research what's happening and the faster they can respond.

    In this area...

    this permission...

    does this...

    Notes

    Detections

    Read and Write

    Read: view information about a detection, such as its behavior, severity, associated host, timestamps, and so on.

    Write: modify metadata about a detection, such as its status, assignee, and description.

    Write permission is only required to use the Mark in Progress option in CrowdStrike.

    Hosts

    Read and Write

    Read: Search for hosts and get host details, using standard or scrolling pagination. Details include OS type and version, sensor version, assigned policies, containment status, and more.

    Write: Take action on hosts, including containing or lifting containment on a host.

    Write permission for Hosts is required for Auto Host Containment. For more information, see the CrowdStrike Auto Host Containment article.

    Incidents

    Read

    Read: Search and view details on incidents and behaviors.

    Write: Perform actions on incidents, such as adding tags or comments or updating the incident name or description.

    Read is required to allow Expel to Mark alerts as 'in-progress' when Expel processes them.

    To select Incidents, you need Falcon Insight XDR enabled.

    Real Time Response (RTR)

    Read and Write

    Read: Run RTR commands that get information from a host, equivalent to the RTR Read OnlyAnalyst role.

    Write: Run RTR commands that send information to a host, equivalent to the RTR Active Responder role.

    IOC Management

    Read and Write

    Read: Search your custom IOCs and view hosts that observed your custom IOCs.

    Write: Create, modify, or delete your custom IOCs.

    Write permission is required to block hashes through auto-remediation. For more information, see the Auto Block Bad Hashes article.

  7. Click Save.

  8. Make a record of your Client, Client Secret, and Base URL for the API.

Step 3: Configure the technology in Workbench

Now that we have the correct access configured and noted the credentials, we can integrate your tech with Workbench.

  1. Login to https://workbench.expel.io/settings/security-devices?setupIntegration=crowdstrike.

    mceclip0.png

  2. For Name type the host name of the device.

  3. For Location type the geographic location of the appliance.

  4. After typing the name and location, complete the remaining fields using the credentials and information you collected in Step 2 above.

    • API Username and API Key can be left blank.

    • Type OAuth2 Client ID from Step 2 in Client ID.

    • Type OAuth2 Secret from Step 2 in Client secret.

    • Leave Mark in console blank because the API access is read-only.

    • Type the Base URL from Step 2 in CrowdStrike API access.

    • Enable CrowdScore ingest, type y.

      Note

      Requires the incidents:read permission aboveto work.

  5. Click Save.

You can see if the device is healthy on the Security Devices page. It may take a few minutes to see the device listed as healthy.

To check if alerts are coming through, navigate to the Alerts Analysis page. Scroll to the device you want to check and click View alerts. Switch to grid view, then check the list for device alerts. It can take 36 to 72 hours for alerts to appear after setup, as we tune your device.

Tip

This article was accurate at the time of writing, but changes happen. If you find the instructions are outdated, leave a description in the comment field below and let us know!

  • Was this article helpful?

  • 0 out of 0 found this helpful

Related articles