This article explains how to connect CrowdStrike Falcon to Workbench.
Caution
If you are a CrowdStrike Complete customer, don't use this guide. Use the CrowdStrike Falcon Complete article instead.
Connecting your device to Workbench allows Workbench to ingest the CrowdStrike logs. CrowdStrike logs include a great deal of information that can take hours to manually review. And not all CrowdStrike alerts need attention.
CrowdStrike Falcon generates various alert types, organized around a MITRE ATT&CK-based detection framework. The Expel alert poller consumes all Falcon alerts except Machine Learning and Cloud-based ML alerts with a vendor severity of Information or Low.
CrowdScore in CrowdStrike delivers prioritized incidents to streamline the triage process and help analysts focus on the most critical threats first. But CrowdScore logs alone don't typically have full process genealogy / indicators associated with them. This means that analysts generally need to do their own investigation using Event Search. Real Time Response also allows analysts to connect to a host, typically to query information and pull files.
After you connect CrowdStrike to Workbench, Workbench ingests CrowdScore incidents, adds context, enriches them with intel, and assesses the risk. Depending on your settings, Workbench can auto-remediate or send the incident to an Expel analyst for further investigation.
All Expel detections for CrowdStrike Falcon are available in the Expel Workbench in the Detections area.
If you plan to enroll in the Expel Hunting service, your organization needs a Falcon Data Replicator subscription.
Step 1: Enable console access
Expel is a CrowdStrike Certified Managed Security Provider partner, which allows Expel to log into your device with the Expel FlightControl account. You must request from CrowdStrike that Expel be given this access to your console, and confirm to CrowdStrike that Expel is allowed to have it.
After CrowdStrike sets up this access, Expel is assigned these 4 roles in your console:
- Detections Exceptions Manager
- Falcon Investigator
- Falcon Security Lead
- Real Time Responder - Active Responder
Note
Expel secures all login information our SOC analysts need for your devices in a password product protected by MFA. Access to this login information is protected by our internal MFA processes. To learn more about the IP addresses all Expel traffic comes from, go here.
To allow Expel partner console access to your console, do the following:
- Print, complete, and sign the CrowdStrike MSP Authorization Form. Request this form from your Expel customer success engineer.
- Attach the completed form in an email to devicehealth@expel.io. Expel sends this form to CrowdStrike, cc-ing you, requesting partner access to your console. After you confirm this access is allowed, Expel is granted access with the roles listed above.
Step 2: Enable the OAuth2 API
Tip
As you complete this step, you may discover you're missing a scope. If that's the case, contact your engagement manager for help.
- After you log into the Falcon UI, navigate to Support and resources > API Clients and Keys.
- Select Add new API Client.
- Type Expel as the Client Name.
- Type Expel API Access as the Description.
- Select the following permissions. Bold is required. The more permissions you allow, the better the SOC analysts can research what's happening and the faster they can respond.
| Area | Permission | What it does | Notes |
| --- | --- | --- | --- |
| Detections | Read and Write | Read: view information about a detection, such as its behavior, severity, associated host, timestamps, and so on. Write: modify metadata about a detection, such as its status, assignee, and description. | Write permission is only required to use the Mark in Progress option in CrowdStrike. |
| Hosts | Read and Write | Read: search for hosts and get host details, using standard or scrolling pagination. Details include OS type and version, sensor version, assigned policies, containment status, and more. Write: take action on hosts, including containing or lifting containment on a host. | Write permission for Hosts is required for Auto Host Containment. For more information, see the CrowdStrike Auto Host Containment article. |
| Incidents | Read | Read: search and view details on incidents and behaviors. Write: perform actions on incidents, such as adding tags or comments or updating the incident name or description. | Read is required to allow Expel to mark alerts as 'in-progress' when Expel processes them. To select Incidents, you need Falcon Insight XDR enabled. |
| Real Time Response (RTR) | Read and Write | Read: run RTR commands that get information from a host, equivalent to the RTR Read Only Analyst role. Write: run RTR commands that send information to a host, equivalent to the RTR Active Responder role. | |
| IOC Management | Read and Write | Read: search your custom IOCs and view hosts that observed your custom IOCs. Write: create, modify, or delete your custom IOCs. | Write permission is required to block hashes through auto-remediation. For more information, see the Auto Block Bad Hashes article. |
- Make a record of your Client ID and the Client Secret for the API. You need them to finish the connection to Workbench.
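Before entering the Client ID and Client Secret in Workbench, it helps to confirm that they actually work against your CrowdStrike cloud and that the API client holds no more permissions than the features you use require. The following Python script is an added example for this article, not Expel's or CrowdStrike's code. It assumes the Falcon OAuth2 client-credentials endpoint (POST {base_url}/oauth2/token with client_id and client_secret form fields, returning JSON with access_token, token_type and expires_in); the permission labels and the feature names mark_in_progress, auto_host_containment and auto_block_bad_hashes are taken from the table above and are not CrowdStrike API scope names; the FALCON_* environment variable names are the example's own.

```python
"""Sanity-check a Falcon OAuth2 API client before entering it in Workbench.

Added example; not Expel's or CrowdStrike's code. Assumes the Falcon OAuth2
client-credentials endpoint POST {base_url}/oauth2/token (form fields
client_id, client_secret) returns JSON with access_token, token_type and
expires_in. Permission labels mirror the Step 2 table, not API scope names.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

# Read permissions from the Step 2 table, plus RTR Read and Write, which the
# table lists with no feature-specific note. The three Write permissions that
# the Notes column ties to a Workbench feature are listed separately so the
# API client can be limited to what the enabled features actually need.
BASELINE_PERMISSIONS = frozenset({
    "Detections: Read",
    "Hosts: Read",
    "Incidents: Read",
    "Real Time Response: Read",
    "Real Time Response: Write",
    "IOC Management: Read",
})
FEATURE_PERMISSIONS = {
    "mark_in_progress": frozenset({"Detections: Write"}),          # Mark in Progress option
    "auto_host_containment": frozenset({"Hosts: Write"}),          # Auto Host Containment
    "auto_block_bad_hashes": frozenset({"IOC Management: Write"}), # Auto Block Bad Hashes
}


def required_permissions(*features):
    """Minimum permission set for the baseline plus the named features."""
    required = set(BASELINE_PERMISSIONS)
    for feature in features:
        required |= FEATURE_PERMISSIONS[feature]  # KeyError on an unknown feature name
    return required


def review_permissions(granted, *features):
    """Return (missing, excess): what the client still lacks, and what it
    holds beyond the minimum for the enabled features."""
    required = required_permissions(*features)
    granted = set(granted)
    return required - granted, granted - required


def token_request(base_url, client_id, client_secret):
    """Build the client-credentials POST for the Falcon OAuth2 token endpoint."""
    body = urllib.parse.urlencode(
        {"client_id": client_id, "client_secret": client_secret}
    ).encode()
    return urllib.request.Request(
        base_url.rstrip("/") + "/oauth2/token",
        data=body,
        headers={
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        },
        method="POST",
    )


def parse_token_response(body):
    """Validate the token endpoint's JSON body and return a token-free summary."""
    payload = json.loads(body)
    if "access_token" not in payload:
        raise ValueError("no access_token in response")
    if str(payload.get("token_type", "")).lower() != "bearer":
        raise ValueError("unexpected token_type %r" % payload.get("token_type"))
    return {
        "token_type": "bearer",
        "expires_in": int(payload["expires_in"]),
        "token_length": len(payload["access_token"]),  # never log the token itself
    }


def verify_credentials(base_url, client_id, client_secret, timeout=15):
    """Request a token and report whether the credentials and base URL work.
    Returns a short status string; the token itself is discarded."""
    request = token_request(base_url, client_id, client_secret)
    try:
        with urllib.request.urlopen(request, timeout=timeout) as resp:
            info = parse_token_response(resp.read())
    except urllib.error.HTTPError as err:
        # 401/403 mean the client ID/secret or the base URL is wrong for this cloud.
        return "rejected: HTTP %d from %s" % (err.code, base_url)
    return "ok: bearer token issued, expires in %ds" % info["expires_in"]


if __name__ == "__main__":
    import os
    # Credentials come from the environment so they never land in a file.
    print(verify_credentials(
        os.environ.get("FALCON_BASE_URL", "https://api.crowdstrike.com"),
        os.environ["FALCON_CLIENT_ID"],
        os.environ["FALCON_CLIENT_SECRET"],
    ))
    # Constructed example: a client granted Hosts: Write while only
    # Mark in Progress is in use lacks Detections: Write and holds one extra.
    missing, excess = review_permissions(
        set(BASELINE_PERMISSIONS) | {"Hosts: Write"}, "mark_in_progress"
    )
    print("missing:", sorted(missing), "excess:", sorted(excess))
```

Run it with FALCON_CLIENT_ID and FALCON_CLIENT_SECRET set (and FALCON_BASE_URL if your cloud is not the default). A rejected status before you reach Step 3 usually means the secret was copied incorrectly or the base URL belongs to a different cloud; the permission review is a reminder that the Write permissions in the table only need to be granted for the Workbench features you actually turn on.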
Step 3: Configure the technology in Workbench
- Log in to https://workbench.expel.io/settings/security-devices?setupIntegration=crowdstrike.
- For Name, type the host name of the device.
- For Location, type the geographic location of the appliance.
- After typing the name and location, complete the remaining fields using the credentials and information you collected in Step 2 above.
- API Username and API Key can be left blank.
- For Client ID, type the OAuth2 Client ID from Step 2.
- For Client secret, type the OAuth2 Secret from Step 2.
- For CrowdStrike API address, select the Base URL from Step 2.
- For Mark alerts as 'in-progress' when Expel processes them?, select Yes.
  Tip
  Requires the incidents:read permission above to work.
- For Enable Crowdstrike Falcon Identity Protection alert aggregation?, select Yes.