This guide supports Falcon, Falcon Complete, and Falcon Identity Protection integrations.
Integrating your CrowdStrike console with Workbench allows Expel to access certain CrowdStrike API scopes and all of your CrowdScore incidents and alerts. After the integration is configured, Expel will be able to filter through your data programmatically, add context, enrich it with intel, assess risk, and alert an Expel analyst for further investigation.
Prerequisites
- (Optional) Add Expel IPs to your CrowdStrike IP Allowlist (Host setup and management > Falcon users > IP Allowlist Management) to ensure access is not restricted. Once configured, it can take 10-20 minutes to take effect.
Quick Start
Setup includes the following steps (click any step for detailed instructions):
- Add Expel as an OAuth2 API Client in CrowdStrike Falcon
- Add CrowdStrike as a Security Device in Workbench
- Request CrowdStrike Console Access for Expel
- Reference
Note
Be sure to have the Expel OAuth2 API Client credentials from CrowdStrike (from Step 1) available when you add CrowdStrike as a security device in Workbench.
OAuth2 Permissions
During the OAuth2 API client setup in CrowdStrike, you will grant Expel read and/or write access to the following:
- Alerts
  - Read only
  - Read and Write (required for Falcon Status Syncing)
- Detections
  - Read and Write (Falcon)
  - Read only (Falcon Complete)
- Hosts
  - Read and Write* (Falcon)
  - Read only (Falcon Complete)
- Incidents
  - Read only
- IOC Management
  - Read and Write* (Falcon)
  - Read only (Falcon Complete)
- NGSIEM
  - Read and Write
- Real Time Response
  - Read and Write (Falcon)
  - Read only (Falcon Complete)
- Threatgraph
  - Read only
*Write access is required for Hosts and IOC Management to allow Expel to perform auto-remediations.
If you are also using CrowdStrike Falcon Identity Protection, there will be a few other permissions you will need to grant. Go here for more details.
Step 1: Add Expel as an OAuth2 API Client in CrowdStrike Falcon
Adding Expel as an OAuth2 API client enables our platform to interact securely with the CrowdStrike API and its REST-based API endpoints. Expel will use these API client credentials to obtain an access token for authentication, so that our team can perform all actions programmatically rather than through the Falcon console. Refer to CrowdStrike’s API scopes chart for more information about each scope and what the different permissions allow.
Note
You will need these newly-created API client credentials to successfully add CrowdStrike as a security device in Workbench, so be sure to save them in a safe place.
To create the OAuth2 API client:
- Log in to CrowdStrike Falcon.
- In the top left menu, navigate to Support and resources > Resources and tools section > API clients and keys.
- Select the Create API client button.
- Complete the first two fields as follows:
- Client Name - type “Expel”.
- Description - type “Expel API Access”.
- Use the checkboxes to grant Expel the following permissions for these CrowdStrike scopes (Expel must have these permissions to integrate with CrowdStrike):
  - Alerts
    - Read only
    - Read and Write (required for Falcon Status Syncing)
  - Detections
    - Read and Write (Falcon)
    - Read only (Falcon Complete)
  - Hosts
    - Read and Write* (Falcon)
    - Read only (Falcon Complete)
  - Incidents
    - Read only
  - IOC Management
    - Read and Write* (Falcon)
    - Read only (Falcon Complete)
  - NGSIEM
    - Read and Write
  - Real Time Response
    - Read and Write (Falcon)
    - Read only (Falcon Complete)
  - Threatgraph
    - Read only
  *Write access is required for Hosts and IOC Management to allow Expel to perform auto-remediations.
- If you are also using CrowdStrike Falcon Identity Protection, you must grant Expel the following permissions as well (if not, skip to step 7):
  - Alerts - Read
  - Identity Protection Entities - Read
  - Identity Protection Detections - Read
  - Identity Protection Timeline - Read
  - Identity Protection Assessment - Read
  - Identity GraphQL - Write
- Select Create.
- A confirmation screen displays, stating that your API client has been created. Be sure to copy your Client ID, Secret, and Base URL to a safe place before closing the window, as you will need these in the next section.
Step 2: Add CrowdStrike as a Security Device in Workbench
Now that you have the API OAuth2 client credentials, you can configure the integration in Workbench:
- Log in to Workbench.
- In the side menu, navigate to Organization Settings > Security Devices.
- Select the Add Security Device button.
- In the search box, type “CrowdStrike” and then select the CrowdStrike Falcon option.
- Complete the fields as follows:
- Name - enter a name that might help you more easily identify this integration, such as “CompanyName CrowdStrike”; this name will display in Workbench under the Name column, and is a text string that you can filter on.
- Location - enter the location of your integration, for example “cloud” or “AWS cloud” or “on prem;” this is also a text string that you can filter on, so we recommend being consistent with location naming across your Expel integrations.
- API username - leave blank.
- API key - leave blank.
- Client ID - enter the API Client ID you received when creating the OAuth2 API client in CrowdStrike Falcon.
- Client secret - enter the Secret you received when creating the OAuth2 API client in CrowdStrike Falcon.
- CrowdStrike API address - select the Base URL you received when creating the OAuth2 API client in CrowdStrike Falcon.
- Answer the three questions as follows:
  - Enable crowdstrike falcon identity protection alert aggregation?
    - Only select yes if you are a Falcon Identity Protection customer AND you have added the additional permissions as instructed in Step 1.6.
  - Enable crowdstrike falcon on demand scan alert aggregation?
    - The default selection is no.
    - Any CrowdStrike user may enable on-demand scan alert aggregation.
  - Enable 1way status syncing & comments for Expel alerts?
    - The default selection is no.
    - For more information on this option, refer to Status Syncing.
- Select Save. A wizard displays to help you complete the MSP form; proceed to Step 3 for instructions on how to use the wizard, how to complete the form, and where to send it.
Step 3: Request CrowdStrike Console Access for Expel
Note
Where you send the completed MSP form is slightly different for Falcon integrations vs. Falcon Complete integrations. Instructions are below.
Expel uses CrowdStrike Flight Control, a cybersecurity management tool created for CrowdStrike’s partners, to connect to your CrowdStrike console. The final step in your Expel integration is to grant Expel access to the CrowdStrike Falcon Host via an MSP form. You can use the wizard in Workbench if you have not already been given a form during onboarding.
For more information, see Why Expel Asks for Console Access.
The Wizard
- In the wizard, which displays as soon as you finish adding CrowdStrike as a security device (Step 2), select Managed Service Provider and then follow the prompts to generate an Expel CID.
- You will see a link to download the MSP form (PDF).
- Make sure to select Save in the wizard when you are finished, or your device configuration may be lost.
How to Fill Out the MSP Form
You will need to know your host administrator’s name, email, and phone number, as well as the Expel CID (displayed by the wizard, if used, or given to you by our support team), in order to complete this form.
Please fill out the entire form, including the information on who completed the form at the bottom.
Remember to sign the form before sending it.
Lost your form? Get another copy here.
Where to Send the MSP Form
If you are using the wizard, be sure to select Save before exiting the window, so that Expel knows you have generated your Expel CID and are working on completing the MSP form.
- Falcon integrations - send the completed form to your Customer Success Manager and also to devicehealth@expel.io.
- Falcon Complete integrations - CrowdStrike requires you to send the completed form on our behalf; contact your Customer Success Manager for an email template, contact information, and further instructions.
Troubleshooting
You can check the health of your integration in Workbench by going to Organization Settings > Security Devices and checking the Status column.
Connection errors can be caused by a number of issues; some of the more common causes during the initial configuration process include:
- The read/write permissions for the API client in CrowdStrike were set incorrectly.
- Incorrect client credentials (Client ID, Secret, Base URL) were used for the CrowdStrike security device in Workbench.
- The alert handling and/or alert aggregation yes/no questions were chosen incorrectly for the CrowdStrike security device in Workbench.
- The completed MSP form has not yet been processed by CrowdStrike, so Expel does not yet have access to your CrowdStrike console.
If you are unable to bring your connection to a healthy status after checking the above items, and have verified that your MSP form has been accepted by CrowdStrike, contact our support team for additional assistance.
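As an added check for the Step 1 scopes and the first two troubleshooting causes above (example code written for this guide, not Expel's or CrowdStrike's own tooling): audit_scopes compares the permissions ticked on the API client against the matrix in Step 1, so an over-privileged client (for example, write on Hosts for a Falcon Complete tenant) is caught before the device is added, and fetch_token confirms the Client ID, Secret and Base URL against CrowdStrike's documented /oauth2/token endpoint. The granted dictionary is transcribed by hand from the API client page, since this guide gives no API for reading a client's scopes.

```python
import json
import urllib.parse
import urllib.request

# Permission matrix copied from this guide: scope -> (Falcon, Falcon Complete).
REQUIRED = {
    "Alerts": ("read", "read"),           # Falcon needs "write" only for status syncing
    "Detections": ("write", "read"),
    "Hosts": ("write", "read"),           # write lets Expel perform auto-remediations
    "Incidents": ("read", "read"),
    "IOC Management": ("write", "read"),  # write lets Expel perform auto-remediations
    "NGSIEM": ("write", "write"),
    "Real Time Response": ("write", "read"),
    "Threatgraph": ("read", "read"),
}
IDP_REQUIRED = {  # extra scopes the guide lists for Falcon Identity Protection customers
    "Identity Protection Entities": "read",
    "Identity Protection Detections": "read",
    "Identity Protection Timeline": "read",
    "Identity Protection Assessment": "read",
    "Identity GraphQL": "write",
}
LEVEL = {"none": 0, "read": 1, "write": 2}  # "write" == "Read and Write" in the console

def audit_scopes(granted, edition, identity_protection=False, status_sync=False):
    """granted: {scope: 'none'|'read'|'write'} as ticked on the API client page (hand-transcribed).
    edition: 'falcon' or 'falcon_complete'. Returns (missing, excess) findings."""
    col = 0 if edition == "falcon" else 1
    expected = {scope: levels[col] for scope, levels in REQUIRED.items()}
    if status_sync and edition == "falcon":  # syncing is unavailable for Falcon Complete
        expected["Alerts"] = "write"
    if identity_protection:
        expected.update(IDP_REQUIRED)
    missing, excess = [], []
    for scope, need in expected.items():
        have = granted.get(scope, "none")
        if have != need:  # too little breaks the integration, too much is over-privilege
            (missing if LEVEL[have] < LEVEL[need] else excess).append(
                f"{scope}: need {need}, have {have}")
    excess += [f"{s}: not required, have {h}" for s, h in granted.items()
               if s not in expected and h != "none"]  # scopes the guide never asks for
    return missing, excess

def fetch_token(base_url, client_id, client_secret):
    """Get an OAuth2 token from CrowdStrike; a 401/403 means wrong credentials or Base URL."""
    body = urllib.parse.urlencode({"client_id": client_id, "client_secret": client_secret}).encode()
    req = urllib.request.Request(base_url.rstrip("/") + "/oauth2/token", data=body,
                                 headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)
```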
Reference
Status Syncing
Expel supports alert status syncing between Workbench and CrowdStrike Falcon. Specifically, when an ingested alert or incident from CrowdStrike Falcon results in the creation of an Expel Alert, Workbench maps the Expel Alert status (e.g. Open, Investigating, Closed) back to the CrowdStrike alert and appends a comment for every state change or action taken by Expel Analysts. Syncing is keyed off the original CrowdStrike alert ID that was ingested.
Syncing is currently one-way and Workbench serves as the source of truth. This means statuses in CrowdStrike Falcon are updated by Workbench, but Workbench is not informed or updated by status changes made in CrowdStrike Falcon.
Syncing can be enabled by editing your CrowdStrike device in Workbench.
Object Mappings
| Workbench Object | Syncing Key | CrowdStrike Falcon Object |
|---|---|---|
| Expel Alert | CrowdStrike alert ID | Alert |
| Investigation* | N/A | N/A |
| Incident* | N/A | N/A |
*There are no mappings from CrowdStrike Falcon incidents to Workbench Investigations/Incidents. Mapping and syncing are based on the most granular alert object, in this case CrowdStrike detections and Expel Alerts. State changes applied to a “parent” object are applied to the corresponding “child” or “children.”
State Mappings
| Expel Alert State | CrowdStrike Detection State |
|---|---|
| New / Reopened | New |
| Investigating | In_Progress |
| Closed | Closed |
| (Closed Reason) | N/A - to be captured via Comment |
Comments
In addition to the above state syncing, the closed reason and associated analysis is added as a comment to the CrowdStrike Falcon alert or incident upon closure. A comment is also appended for any Investigative Action taken by a SOC analyst (e.g. a Verify Action is sent).
Supported Events
The table below outlines all supported events for status syncing. Please note that not all events trigger a state change, but all events do trigger a comment.
| Event | Triggers Status Sync? | Triggers Comment? |
|---|---|---|
| Expel Alert Created | ✅ | ✅ |
| Expel Alert Closed | ✅ | ✅ |
| Expel Alert Reopened | ✅ | ✅ |
| Investigation Created | ✅ | ✅ |
| Investigation Closed | ✅ | ✅ |
| Investigation Reopened* | | ✅ |
| Incident Created | ✅ | ✅ |
| Incident Closed | ✅ | ✅ |
| Incident Reopened* | | ✅ |

| Investigative Actions | Triggers Status Sync? | Triggers Comment? |
|---|---|---|
| Comment Created | | ✅ |
| Expel Alert Assigned | | ✅ |
| Investigation Assigned | | ✅ |
| Investigation Alert Added | | ✅ |
| Incident Assigned | | ✅ |
| Incident Downgraded | | ✅ |
| Investigative Action Analysis Assigned | | ✅ |
| Investigative Action Manual Action | | ✅ |
| Investigative Action Assigned | | ✅ |
| Notify Action Assigned | | ✅ |
| Verify Action Assigned | | ✅ |
| Verify Action Approved | | ✅ |
| Verify Action Denied | | ✅ |
| Incident Finding Created | | ✅ |
| Incident Finding Updated | | ✅ |
| Incident Finding Completed | | ✅ |
| Remediation Action Automated | | ✅ |
| Remediation Action Assigned | | ✅ |
| Remediation Action Completed | | ✅ |
| Remediation Action Automated Failed | | ✅ |
*Currently, reopening a Workbench Investigation/Incident does not trigger the associated CrowdStrike alert to reopen.
Limitations
- Status syncing is not available for CrowdStrike Falcon Complete users. This is due to a CrowdStrike limitation - their API prevents any changes made by a third party if you are using Complete (CrowdStrike’s MDR service).
- Status syncing behaviors are limited to alert status and commenting. Expel Alert assignment metadata (i.e. assigned to Expel, assigned to your organization) does not map back to CrowdStrike alerts.
- Status syncing only applies to CrowdStrike alerts that produce an Expel Alert. If a CrowdStrike alert is ingested, but does not meet Expel’s detections (i.e. remains a “vendor alert”), then nothing “happens” in CrowdStrike. We acknowledge this creates a possible blind spot with regard to what our SOC is or is not triaging, and we are committed to supporting this use case in the future.