Caution

If you are a CrowdStrike Complete customer, do NOT use this guide. Use the CrowdStrike Falcon Complete article instead.

Tip

This article was accurate at the time of writing, but changes happen. If you find the instructions are outdated, leave a description in the comment field below and let us know!

  • If you plan to enroll in the Expel Hunting service, a Falcon Data Replicator subscription is required.

Step 1: Enable console access

Expel is a CrowdStrike Certified Managed Security Provider partner. To grant the Expel partner console access to your Falcon console, do the following:

  1. Print, complete, and sign the CrowdStrike MSP Authorization Form. This form can be provided by the Expel customer success engineer.

  2. Attach the completed form in an email to CrowdStrike Falcon Support. An Expel customer success engineer can help and can provide a template to send to CrowdStrike Falcon Support.

Step 2: Enable the OAuth2 API

Tip

As you complete this step, you may discover you're missing a scope. If that's the case, contact your engagement manager for help.

  1. After you log in to the Falcon UI, navigate to Support and resources > API Clients and Keys.

  2. Select Add new API Client.

  3. Type Expel as the Client Name.

  4. Type Expel API Access as the Description.

  5. Select the following permissions:

    • Read and Write for Detections.

      Note

      Write permission is only required to use the Mark in Progress option.

    • Read and Write for Hosts.

      Note

      Write permission for Hosts is required for Auto Host Containment. For more information, see the CrowdStrike Auto Host Containment article.

    • Read for Incidents.

      Note

      To select Incidents, you need Falcon Insight XDR enabled.

    • Read for IOCs (Indicators of Compromise).

    • Read and Write for Real Time Response.

    • Read and Write for IOC Management.

      Note

      Write permission is required to block hashes through auto-remediation. For more information, see the Auto Block Bad Hashes article.

  6. Record the Client ID and Client Secret of the new API client.

  7. Go to Step 3 to type these credentials into Workbench.

Step 3: Configure the technology in Workbench

  1. Log in to https://workbench.expel.io/settings/security-devices?setupIntegration=crowdstrike.

  2. For Name, type the host name of the device.

  3. For Location, type the geographic location of the appliance.

  4. After typing the name and location, complete the remaining fields using the credentials and information you collected in Step 2 above.

    • API Username and API Key can be left blank.

    • Type the OAuth2 Client ID from Step 2 in Client ID.

    • Type the OAuth2 Client Secret from Step 2 in Client secret.

    • Select the Base URL from Step 2 in CrowdStrike API access.

    • For Mark alerts as 'in-progress' when Expel processes them?, select yes.

      Note

      This option requires the incidents:read permission.