This guide applies to both Falcon and Falcon Complete integrations.
Integrating your CrowdStrike console with Workbench allows Expel to access certain CrowdStrike API scopes and all of your CrowdScore incidents and alerts. After the integration is configured, Expel will be able to filter through your data programmatically, add context, enrich it with intel, assess risk, and alert an Expel analyst for further investigation.
Quick Start
Setup includes the following steps (click any step for detailed instructions):
- Add Expel as an OAuth2 API Client in CrowdStrike Falcon
- Add CrowdStrike as a Security Device in Workbench
- Request CrowdStrike Console Access for Expel
Note
Be sure to have the Expel OAuth2 API Client credentials from CrowdStrike (from Step 1) available when you add CrowdStrike as a security device in Workbench.
OAuth2 Permissions
During the OAuth2 API client setup in CrowdStrike, you will grant Expel read and/or write access to the following:
-
Alerts
- Read only
-
Detections
- Read and Write (Falcon)
- Read only (Falcon Complete)
-
Hosts
- Read and Write* (Falcon)
- Read only (Falcon Complete)
-
Incidents
- Read only
-
IOC Management
- Read and Write* (Falcon)
- Read only (Falcon Complete)
-
Real Time Response
- Read and Write (Falcon)
- Read only (Falcon Complete)
-
Threatgraph
- Read only
*Write access is required for Hosts and IOC Management to allow Expel to perform auto-remediations.
If you are also using CrowdStrike Falcon Identity Protection, there will be a few other permissions you will need to grant. Go here for more details.
Step 1: Add Expel as an OAuth2 API Client in CrowdStrike Falcon
Adding Expel as an OAuth2 API client enables our platform to interact securely with the CrowdStrike API and its REST-based API endpoints. Expel will use these API client credentials to obtain an access token for authentication, so that our team can perform all actions programmatically rather than through the Falcon console. Refer to CrowdStrike’s API scopes chart for more information about each scope and what the different permissions allow.
Note
You will need these newly-created API client credentials to successfully add CrowdStrike as a security device in Workbench, so be sure to save them in a safe place.
To create the OAuth2 API client:
- Log in to CrowdStrike Falcon.
- In the top left menu, navigate to Support and resources > Resources and tools section > API clients and keys.
- Select the Create API client button.
- Complete the first two fields as follows:
- Client Name - type “Expel”.
- Description - type “Expel API Access”.
- Use the checkboxes to grant Expel the following permissions for these CrowdStrike scopes (Expel must have these permissions to integrate with CrowdStrike):
-
Alerts
- Read only
-
Detections
- Read and Write (Falcon)
- Read only (Falcon Complete)
-
Hosts
- Read and Write* (Falcon)
- Read only (Falcon Complete)
-
Incidents
- Read only
-
IOC Management
- Read and Write* (Falcon)
- Read only (Falcon Complete)
-
Real Time Response
- Read and Write (Falcon)
- Read only (Falcon Complete)
-
Threatgraph
- Read only
-
Alerts
*Write access is required for Hosts and IOC Management to allow Expel to perform auto-remediations.
-
If you are also using CrowdStrike Falcon Identity Protection, you must grant Expel the following permissions as well (if not, skip to step 7):
- Alerts - Read
- Identity Protection Entities - Read
- Identity Protection Detections - Read
- Identity Protection Timeline - Read
- Identity Protection Assessment - Read
- Identity GraphQL - Write
- Select Create.
- A confirmation screen displays, stating that your API client has been created. Be sure to copy your Client ID, Secret, and Base URL to a safe place before closing the window, as you will need these in the next section.
Step 2: Add CrowdStrike as a Security Device in Workbench
Now that you have the API OAuth2 client credentials, you can configure the integration in Workbench:
- Log in to Workbench.
- In the side menu, navigate to Organization Settings > Security Devices.
- Select the Add Security Device button.
- In the search box, type “CrowdStrike” and then select the CrowdStrike Falcon option. Falcon Complete customers should also select this option.
- Complete the fields as follows:
- Name - enter a name that might help you more easily identify this integration, such as “CompanyName CrowdStrike”; this name will display in Workbench under the Name column, and is a text string that you can filter on.
- Location - enter the location of your integration, for example “cloud” or “AWS cloud” or “on prem;” this is also a text string that you can filter on, so we recommend being consistent with location naming across your Expel integrations.
- API username - enter your CrowdStrike Threat Graph API username from Step 2.
- API key - enter your CrowdStrike Threat Graph API key from Step 2.
- Client ID - enter the API Client ID you received when creating the OAuth2 API client in CrowdStrike Falcon.
- Client secret - enter the Secret you received when creating the OAuth2 API client in CrowdStrike Falcon.
- CrowdStrike API address - select the Base URL you received when creating the OAuth2 API client in CrowdStrike Falcon.
- Answer the three questions as follows:
-
Mark alerts as 'in-progress' when Expel processes them?
- Falcon - select yes (recommended) to automatically mark alerts as in-progress in the CrowdStrike console when Expel is working on them, or select no if you want to manually update each alert status in CrowdStrike.
- Falcon Complete - select no; CrowdStrike does not allow outside vendors to change an alert status, so you must update each status manually.
-
Enable crowdstrike falcon identity protection alert aggregation?
- Most users should select no.
- Only select yes if you are a Falcon Identity Protection customer AND you have already set it up in Workbench (see note below).
-
Enable crowdstrike falcon on demand scan alert aggregation?
- The default selection is no.
- Any Crowdstrike user may enable on-demand scan alert aggregation.
-
Mark alerts as 'in-progress' when Expel processes them?
Note
If you are a Falcon Identity Protection customer but have not yet completed that setup in Workbench, select no for falcon identity protection alert aggregation even if you wish to have the alert aggregation enabled. After you have completed the Falcon Identity Protection setup, you can come back and edit the device to enable alert aggregation.
- Select Save. A wizard displays to help you complete the MSP form; proceed to Step 4 for instructions on how to use the wizard, how to complete the form, and where to send it.
Step 3: Request CrowdStrike Console Access for Expel
Note
Where you send the completed MSP form is slightly different for Falcon integrations vs. Falcon Complete integrations. Instructions are below.
Expel uses CrowdStrike Flight Control, a cybersecurity management tool created for CrowdStrike’s partners, to connect to your CrowdStrike console. The final step in your Expel integration is to grant Expel access to the CrowdStrike Falcon Host via a MSP form. You can use the wizard in Workbench if you have not already been given a form during onboarding.
The Wizard
- In the wizard, which displays as soon as you finish adding CrowdStrike as a security device (Step 3), select Managed Service Provider and then follow the prompts to generate an Expel CID.
- You will see a link to download the MSP form (PDF).
- Make sure to select Save in the wizard when you are finished, or your device configuration may be lost.
How to Fill Out the MSP Form
You will need to know your host administrator’s name, email, and phone number, as well as the Expel CID (displayed by the wizard, if used, or given to you by our support team), in order to complete this form.
Remember to sign the form before sending it.
Lost your form? Get another copy here.
Where to Send the MSP Form
If you are using the wizard, be sure to select Save before exiting the window, so that Expel knows you have generated your Expel CID and are working on completing the MSP form.
- Falcon integrations - send the completed form to your Engagement Manager and also to support@expel.com.
-
Falcon Complete integrations - CrowdStrike requires you to send the completed form on our behalf; contact your Engagement Manager for an email template, contact information, and further instructions.
Troubleshooting
You can check the health of your integration in Workbench by going to Organization Settings > Security Devices and checking the Status column.
Connection errors can be caused by a number of issues, however some of the more common causes during the initial configuration process include:
- The read/write permissions for the API client in CrowdStrike were set incorrectly.
- Incorrect client credentials (Client ID, Secret, Base URL) were used for the CrowdStrike security device in Workbench.
- The alert handling and/or alert aggregation yes/no questions were chosen incorrectly for the CrowdStrike security device in Workbench.
- The completed MSP form has not yet been processed by CrowdStrike, so Expel does not yet have access to your CrowdStrike console.
If you are unable to bring your connection to a healthy status after checking the above items, and have verified that your MSP form has been accepted by CrowdStrike, contact our support team for additional assistance.