This article helps you integrate CrowdStrike Falcon Identity Protection with Workbench.

Before you start

To complete this procedure, you must have:

  • A CrowdStrike Falcon Identity Protection subscription.

  • API credentials from your CrowdStrike Falcon integration (existing integrations only).

New CrowdStrike Falcon integration

If you are creating a new CrowdStrike Falcon integration to Workbench, and you want to include Identity Protection, do this:

  1. Follow the instructions in the CrowdStrike Falcon setup for Workbench guide.

  2. During Step 2, select these additional permissions for the OAuth2 API:

    • Alerts: Read

    • Identity Protection Entities: Read

    • Identity Protection Detections: Read

    • Identity Protection Timeline: Read

    • Identity Protection Assessment: Read

    • Identity GraphQL: Write

  3. During Step 3, select Yes for Enable crowdstrike falcon identity protection alert aggregation?

Existing CrowdStrike Falcon integration

If you are adding an Identity Protection subscription to an existing CrowdStrike Falcon integration in Workbench, do this:

  1. In CrowdStrike, open the Expel API Client and select these additional permissions for the OAuth2 API:

    • Alerts: Read

    • Identity Protection Entities: Read

    • Identity Protection Detections: Read

    • Identity Protection Timeline: Read

    • Identity Protection Assessment: Read

    • Identity GraphQL: Write

  2. If you can't edit the existing API client:

    1. Follow the instructions in Step 2 of the CrowdStrike Falcon setup for Workbench guide to create a new API client and credentials.

    2. Select the permissions listed above in addition to the permissions listed in the guide.

    3. Save the new API client and record the Client ID and Client Secret.

  3. Log in to Workbench and click Organization Settings in the left navigation.

  4. Click Security Devices. A table listing your security devices appears.

  5. Find your CrowdStrike Falcon security device, open the list on the left, and select Edit. The Edit Security Device screen appears.

  6. If you created a new API client, replace the Client ID and Client Secret.

  7. Select Yes for Enable crowdstrike falcon identity protection alert aggregation?

  8. Verify that your security device has a healthy connection. To check device health, follow the Viewing security device details instructions below.

  9. If you see an unhealthy connection message, your CrowdStrike Falcon Identity Protection subscription may not be active. Please confirm with your CrowdStrike account representative that your company has it enabled.

Viewing security device details

After your devices are connected to Workbench, you can view details about them. To open the device details, click Organization Settings > Security Devices. Locate the device you want more details for. Click the arrow next to the name and click View details.

The side panel that appears looks like this:

WB_Side_panel.png

The side panel contains the following sections:

  • Device Health: you see an Alerts Analysis dashboard snapshot for the selected device along with the device’s health status, connection, data, and alerts data. This at-a-glance information lets you stay on top of the device and what it's doing.

    Tip

    If you have an AWS CloudTrail device, you also see a Last data received time stamp that shows you when we last polled for log data. You also see a Last successful poll time stamp. These help you know if your AWS CloudTrail device is communicating with Workbench, even if alerts aren't being generated. We're working on deploying the last data received capability to other devices.

    If you have an AWS CloudTrail device, you also see View Inaccessible Accounts. Clicking this button shows you the AWS accounts that are inaccessible to Workbench. This can highlight gaps in service delivery for AWS CloudTrail. To provide access, log in to the AWS environment associated with the device and grant permission.

  • Information: you see general device data, including the device name, location, GUID, and so on. These are the data points associated with creating or editing a device.

  • History: you see the history of changes in health status or edits made by a Workbench user. You know what changed, who made the change, and when.

In these sections you can click buttons to copy information or go directly to other areas in Workbench. Additionally, we include tool tips to help you understand what you're seeing.

In the side panel, you can edit the selected device by clicking Edit Device. You can also navigate to the previous or next device in the list by clicking the arrows.
