CrowdStrike Falcon delivers next-generation antivirus, endpoint detection and response (EDR), managed threat hunting, and threat intelligence.

Lucidum uses the CrowdStrike connector to ingest data from CrowdStrike Falcon.

The CrowdStrike connector supports these Actions:

  • Contain a host

  • Lift containment on the host

  • Run a PowerShell script

Requirements

To use the CrowdStrike Connector in Lucidum:

  1. Before configuring the CrowdStrike connector in Lucidum, you must first define credentials for Lucidum in the CrowdStrike API.

  2. You can then configure the CrowdStrike connector in Lucidum and start ingesting data from CrowdStrike Falcon.

Prerequisite: Define Credentials for Lucidum in the CrowdStrike API

If you are using the latest version of the CrowdStrike API, use the following instructions.

If you are using a previous version of the CrowdStrike API, use the instructions in the second section.

Defining Client Credentials for Lucidum Using the Latest CrowdStrike API

To create read-only credentials for Lucidum to connect to the latest version of the CrowdStrike API:

  1. Log in to the Falcon Administrator panel as a Falcon Administrator.

  2. Go to Support > API Clients and Keys

  3. Click Add new API client.

  4. Select Read permissions for Detections, Hosts, and Host groups.

  5. Click Add and save the generated credentials.

Defining Client Credentials for Lucidum Using Previous Versions of the CrowdStrike API

To create read-only credentials for Lucidum to connect to previous versions of the CrowdStrike API:

  1. Verify you have a valid account in the CrowdStrike support portal: https://falcon.crowdstrike.com/support/documentation/2/query-api-reference

  2. Create a GPG key pair prior to requesting the API key. For details on creating a GPG key, see this article: https://www.redhat.com/sysadmin/creating-gpg-keypairs

  3. Export your public key in ASCII format.

  4. Contact CrowdStrike Support (support@crowdstrike.com) and request they create an API key for the Query API. Include your public key in the email to CrowdStrike Support.

    The Query API key is different from the API key for the Falcon API. Please ensure that you ask for access to the Query API when making the request.

  5. When CrowdStrike Support sends you an API Key for the Query API, use the private GPG key to decrypt the Query API credentials.

  6. Save the username and API key provided by CrowdStrike.

Configuring the CrowdStrike Connector

To configure Lucidum to ingest data from CrowdStrike:

  1. Log in to Lucidum.

  2. In the left pane, click Connector.

  3. In the Connector page, click Add Connector.

  4. Scroll until you find the Connector for CrowdStrike. Click Connect. The Settings page appears.

  5. In the Settings page, enter the following:

    • CrowdStrike Domain. The URL for the CrowdStrike API. By default, this value is https://api.crowdstrike.com. Other possible values are:

    • Client ID. For the current version of the CrowdStrike API, enter the API Client ID. For previous versions of the CrowdStrike API, enter the user name.

    • API Secret. For current versions of the CrowdStrike API, enter the API Secret. For previous versions of the CrowdStrike API, enter the user API Key.

    • Threat Graph API User and Threat Graph API Key. Optional. Enter the user name and API key for CrowdStrike Threat Graph API. If supplied, Lucidum will fetch data from CrowdStrike Threat Graph API.

    • Verify SSL. For future use.

    • Member CID. Optional. Specify a CrowdStrike CID to fetch data from.

      • If supplied, Lucidum will fetch data from all tenants associated with the Member CID (customer identification).

      • If not supplied, Lucidum will only fetch data from the main tenant.

  6. To test the configuration, click Test.

    • If the connector is configured correctly, Lucidum displays a list of services that are accessible with the connector.

    • If the connector is not configured correctly, Lucidum displays an error message.

Supported Actions

  • Contain a host

  • Lift containment on the host

  • Run a PowerShell script

These actions call write endpoints of the Falcon API, so the read-only API client described under Requirements is sufficient for ingestion but not for running them: network containment needs the Hosts Write scope and running a script needs the Real Time Response scopes. Grant those scopes to the Lucidum API client only if you intend to use the actions, and keep them off an ingestion-only client.