This article helps you integrate CrowdStrike Falcon Identity Protection with Workbench.

Prerequisites

  1. You must have a CrowdStrike Falcon Identity Protection subscription.
  2. You must have API credentials from your CrowdStrike Falcon integration (existing integrations only).


New CrowdStrike Falcon Integration

If you are creating a new CrowdStrike Falcon integration to Workbench, and you want to include Identity Protection, do this:

  1. Follow the instructions in the CrowdStrike Falcon setup for Workbench guide.

  2. During Step 2 of CrowdStrike Falcon setup for Workbench, select these additional permissions for the OAuth2 API:

    • Alerts: Read

    • Identity Protection Entities: Read

    • Identity Protection Detections: Read

    • Identity Protection Timeline: Read

    • Identity Protection Assessment: Read

    • Identity GraphQL: Write

  3. During Step 3 of CrowdStrike Falcon setup for Workbench, for Enable crowdstrike falcon identity protection alert aggregation?, select Yes.


Existing CrowdStrike Falcon Integration

If you are adding an Identity Protection subscription to an existing CrowdStrike Falcon integration in Workbench, do this:

  1. In CrowdStrike, open the Expel API Client and select these additional permissions for the OAuth2 API:

    • Alerts: Read

    • Identity Protection Entities: Read

    • Identity Protection Detections: Read

    • Identity Protection Timeline: Read

    • Identity Protection Assessment: Read

    • Identity GraphQL: Write

  2. If you can't edit the existing API client:

    1. Follow the instructions in Step 2 of the CrowdStrike Falcon setup for Workbench guide to create a new API client and credentials.

    2. Select the permissions listed above in addition to the permissions listed in the guide.

    3. Save the new API client and record the Client ID and Client Secret.

  3. Log in to Workbench, and select Organization Settings in the left navigation.

  4. Select Security Devices. A table listing your security devices appears.

  5. Find your CrowdStrike Falcon security device, open the list on the left, and select Edit. The Edit Security Device screen appears.

  6. If you created a new API client, replace the Client ID and Client Secret.

  7. For Enable crowdstrike falcon identity protection alert aggregation?, select Yes.

  8. Select Save.
  9. Verify that your security device has a healthy connection. To check device health, follow the View Security Device Details instructions below.

  10. If you see an unhealthy connection message, your CrowdStrike Falcon Identity Protection subscription may not be active. Please confirm with your CrowdStrike account representative that your company has it enabled.


View Security Device Details

After your devices are connected to Workbench, you can view details about them.

  1. To open the device details, select Organization Settings > Security Devices.
  2. Locate the device you want more details for.
  3. Select the arrow next to the name and select View details.

A side panel with the device's details appears.

The side panel contains the following sections:

  • Device Health: you see an Alerts Analysis dashboard snapshot for the selected device along with the device’s health status, connection, data, and alerts data. This information updates you on the device's status.

    Note
    If you have an AWS CloudTrail device, you also see a Last data received timestamp that shows you when we last polled for log data. You also see a Last successful poll timestamp. These help you know if your AWS CloudTrail device is communicating with Workbench, even if alerts aren't being generated. We're working on deploying the last data received capability to other devices.

    Selecting View Inaccessible Accounts shows you the AWS accounts that are inaccessible to Workbench. This can highlight gaps in service delivery for AWS CloudTrail. To provide access, log in to your AWS environment associated with the device and grant permission.

  • Information: you see general device data, including the device name, location, GUID, and so on. These are the data points associated with creating or editing a device.

  • History: you see the history of changes in health status or edits made by a Workbench user. You know what changed, who made the change, and when.

In these sections you can select buttons to copy information or go directly to other areas in Workbench. Additionally, we include tool tips to help you understand what you're seeing.

In the side panel, you can edit the selected device by selecting Edit Device. You can also navigate to the previous or next device in the list by selecting the arrows.
