Important Note: If you are a CrowdStrike Falcon Complete customer, do NOT use this guide. Use the CrowdStrike Falcon Complete getting started guide instead.
Step 1: Enable console access
Having read-only access to the interface of your technology allows Expel to dig deeper when performing incident investigations. Our device health team uses this access to investigate potential health issues with your tech.
Expel is a CrowdStrike Certified Managed Security Provider partner. To allow the Expel partner console access to your console, you need to do the following:
- Print, complete, and sign the CrowdStrike MSP Authorization Form. This form can be provided by the Expel Solutions Architect, Engagement Manager or Customer Success Engineer.
- Create a CrowdStrike support ticket, attaching the completed form.
Step 2: Enable the OAuth2 API
- After you're logged into the Falcon UI, navigate to Support > API Clients and Keys.
- Select Add new API Client.
- Enter Expel as the Client Name.
- Enter Expel API Access as the Description.
- Select the following permissions (grant Write only for the features you intend to use):
  - Read and Write for Detections. Note: Write permission is only required if you want to use the Mark in Progress option.
  - Read and Write for Hosts. Note: Write permission for Hosts is required for Auto Host Containment. For more information, see the CrowdStrike Auto Host Containment getting started guide.
  - Read for Incidents.
  - Read for IOCs (Indicators of Compromise).
  - Read and Write for Real Time Response.
  - Read and Write for IOC Manager APIs. Note: Write permission is required to block hashes through auto-remediation. For more information, see the Auto Block Bad Hashes Getting Started Guide.
- Click Save.
- Make a record of the Client ID and the Client Secret. The secret is displayed only once, when the client is created; store it in a password vault or secrets manager rather than in a ticket or email. If it is lost, reset the secret for this client instead of creating a second client.
- Go to Step 3 to type these credentials into Workbench.
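Before pasting the credentials into Workbench, it is worth confirming that the API client actually authenticates and that the Read scopes from Step 2 were granted; a missing scope otherwise shows up only later as an unhealthy device or as missing alerts. The script below is an added example written for this guide, not Expel's or CrowdStrike's own code. It requests an OAuth2 bearer token from the Falcon token endpoint with the client credentials, then makes one cheap list query per Read scope and maps an HTTP 403 to "missing". It assumes the US-1 API host (`api.crowdstrike.com`; other clouds use a different host) and reads the credentials from the environment variables `FALCON_CLIENT_ID` and `FALCON_CLIENT_SECRET`, both of which are this example's own conventions. The Write scopes are deliberately not probed, because the only way to test them is to perform a write.

```python
"""Pre-flight check for the CrowdStrike OAuth2 API client created in Step 2 (example code)."""
import json
import os
import urllib.error
import urllib.parse
import urllib.request

# Assumption: US-1 cloud. Adjust for US-2, EU-1 or US-GOV-1 tenants.
BASE_URL = "https://api.crowdstrike.com"

# One inexpensive list query per Read scope. A 403 on a probe means that scope
# was not granted. Write scopes (Detections, Hosts, RTR, IOC Manager) are not
# probed here: exercising them would change state in the tenant.
SCOPE_PROBES = {
    "detections:read": "/detects/queries/detects/v1?limit=1",
    "hosts:read": "/devices/queries/devices/v1?limit=1",
    "incidents:read": "/incidents/queries/incidents/v1?limit=1",
    "iocs:read": "/iocs/queries/indicators/v1?limit=1",
    "real-time-response:read": "/real-time-response/queries/sessions/v1?limit=1",
}


def http(method, url, headers=None, body=None):
    """Minimal transport: return (status, body bytes) and never raise on 4xx/5xx,
    so callers can distinguish 401 (bad credentials/token) from 403 (missing scope)."""
    req = urllib.request.Request(url, data=body, headers=headers or {}, method=method)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def parse_token(raw):
    """Extract (access_token, expires_in_seconds) from the token endpoint's JSON body."""
    data = json.loads(raw)
    if data.get("token_type", "bearer").lower() != "bearer" or not data.get("access_token"):
        raise ValueError("unexpected token response: %s" % sorted(data))
    return data["access_token"], int(data.get("expires_in", 0))


def get_token(client_id, client_secret, transport=http, base_url=BASE_URL):
    """Client-credentials exchange: POST form-encoded id/secret to /oauth2/token."""
    body = urllib.parse.urlencode(
        {"client_id": client_id, "client_secret": client_secret}
    ).encode()
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    status, raw = transport("POST", base_url + "/oauth2/token", headers, body)
    if status not in (200, 201):  # Falcon answers 201 Created on success
        raise PermissionError("token request failed with HTTP %d" % status)
    return parse_token(raw)


def check_scopes(token, transport=http, base_url=BASE_URL, probes=SCOPE_PROBES):
    """Return {scope: 'ok' | 'missing' | 'token rejected' | 'http NNN'} per probe."""
    headers = {"Authorization": "Bearer " + token, "Accept": "application/json"}
    results = {}
    for scope, path in probes.items():
        status, _ = transport("GET", base_url + path, headers, None)
        if 200 <= status < 300:
            results[scope] = "ok"
        elif status == 403:
            results[scope] = "missing"
        elif status == 401:
            results[scope] = "token rejected"
        else:
            results[scope] = "http %d" % status
    return results


if __name__ == "__main__":
    # Example convention: credentials come from the environment, never from argv
    # (argv is visible in the process list and shell history).
    cid = os.environ["FALCON_CLIENT_ID"]
    secret = os.environ["FALCON_CLIENT_SECRET"]
    tok, ttl = get_token(cid, secret)
    print("token obtained, valid for %d s" % ttl)  # never print the token itself
    for scope, state in check_scopes(tok).items():
        print("%-24s %s" % (scope, state))
```

Every scope should report `ok` before you continue to Step 3; a `missing` line means the corresponding Read permission was not saved on the API client, and `token rejected` on every line means the ID or secret was copied incorrectly.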
Step 3: Configure the technology in Workbench
Now that we have the correct access configured and noted the credentials, we can integrate CrowdStrike Falcon with Expel.
Register device in Expel Workbench
- Log in to https://workbench.expel.io/settings/security-devices?setupIntegration=crowdstrike.
- For Name type the hostname of the device.
- For Location type the geographic location of the appliance.
- After typing the name and location, complete the remaining fields using the credentials and information you collected in Step 2.
- API username (Legacy API), leave this blank.
- API key (Legacy API), leave this blank.
- Client secret (OAuth2), type the secret from Step 2.
- Client ID (OAuth2), type the ID from Step 2.
- Mark in console, type y to have Expel set detections to In Progress status in the Falcon console. Note: Requires the Detections Write permission from Step 2.
- Enable CrowdScore ingest, type y. Note: Requires the incidents:read permission to work.
- Click Save.
After a few minutes, refresh the Security Devices page. You should see the device status reporting as Healthy; if there is an issue, the page shows details of what the issue may be (an authentication failure usually means the Client ID or secret was mistyped, and a permissions error usually means a Read scope from Step 2 is missing).
To check if alerts are coming through, navigate to Alerts on the console page. Click the icon in the upper right to switch to grid view, then check the list for device alerts.
Note: Vendors can change their UI. Our description was accurate at the time of writing, but changes happen. If you find the instructions are outdated, leave us a comment in the comment field below and let us know!