PRODUCT GUIDE

TECHNICAL PREVIEW

DARKTRACE CROWDSTRIKE INTEGRATION

Introduction

The Darktrace CrowdStrike integration retrieves security alerts, vulnerability status and device information from the CrowdStrike
Falcon platforms, inserting relevant activity into the event logs of network devices observed by Darktrace across the organization’s
extended digital estate.

The integration closely complements Darktrace PREVENT/End-to-End; attack path modelling and risk calculations can and
draw in additional contextual detail and threat-hunting information to enhance its analysis. Where Darktrace PREVENT/E2E
is not present, Darktrace ‘pattern of life’ insights from network behavior can still be augmented by the contextual, endpoint-
level alerts retrieved by the integration.

How it Works
The Darktrace CrowdStrike integration retrieves data on devices, security events and CVEs from the CrowdStrike Falcon API.
Authentication requires the creation of an API client in the Falcon platform and the details provided to Darktrace. The integration
attempts to match network devices present in the CrowdStrike Falcon platform with those also observed by Darktrace; matched
devices are then enriched in the Threat Visualizer with vulnerability data and, if applicable, CrowdStrike security events.

CVE vulnerability data is retrieved from Falcon Spotlight every 24 hours; this data is added to Device Summary in the Threat
Visualizer interface and, where present, shared with Darktrace PREVENT/E2E to enhance attack path modelling analysis.
Devices are also tagged to indicate the highest severity category of CVE currently detected by CrowdStrike on the device.

CrowdStrike generates security alerts for activity on endpoint devices which are retrieved by the module at regular intervals
(default 60 seconds). These events are populated in Darktrace Advanced Search (@type: crowdstrike), inserted into the
event log of matched devices referenced in the event and available to Darktrace models.

Organizations with Darktrace RESPOND/Network can also trigger a manual “Isolate Machine” action against eligible devices
using the integration. If activated, Darktrace will instruct CrowdStrike to isolate the device from the network (network contain)
using the Falcon Endpoint Protection agent for the time chosen.

Device Matching
By default, devices in CrowdStrike are matched to Darktrace devices by MAC Address, hostname and IP address in order of
priority. Matching by any of these individual factors can be disabled on the Darktrace System Config page.

Considerations
The integration requires access to specific endpoints in the third-party environment to retrieve event data. The required
endpoints are listed on the System Configuration page. Please ensure these endpoints are allowed by any intermediary firewalls.
Please note, this integration does not currently support US Government (GovCloud) instances.

Delays may be incurred where the external platform does not make events available to the Darktrace integration for processing
and analysis within the expected timeframe. Delays of this nature are the responsibility of the third-party platform. Latency
between event occurrence and when it was made available to the integration are indicated in the event metadata within the
Threat Visualizer.

Licensing
The Darktrace CrowdStrike integration interacts with a number of CrowdStrike Falcon APIs. Retrieving CVE and vulnerability
data requires the CrowdStrike Falcon Spotlight module. Darktrace RESPOND actions require devices to have CrowdStrike
Falcon agents installed and licensed for CrowdStrike Falcon Endpoint Protection (Falcon Insight).
Permissions
The CrowdStrike integration requires an API client to be configured during setup with Read and Write for the following API scopes:

• Detections
• Hosts
• Host groups
• Prevention policies
• Sensor update policies
• User management
• Device control policies
• Spotlight vulnerabilities

Autonomous Response
The CrowdStrike integration supports Darktrace RESPOND response capabilities via the “Isolate Machine” action. When triggered,
Darktrace will instruct CrowdStrike to contain the endpoint from the network for the time specified using the CrowdStrike
Falcon Endpoint Protection “Network Containment” function.

This action can only be taken manually and is not available as a RESPOND inhibitor for Darktrace models at this time. To perform
an action, click “Launch RESPOND action” from any device window or click the RESPOND icon from the device omnisearch
options (eligible devices only).

Darktrace RESPOND Considerations

• This capability requires a Darktrace RESPOND/Network license to be present.
• Actions can only be taken on devices running CrowdStrike Falcon Endpoint Protection agents and where an associated
hostname has been seen in CrowdStrike alerts.

The action performs “Network Contain”, which is available on supported Linux, macOS and Windows platforms. Please refer
to the CrowdStrike documentation for more detailed information on supported operating systems.
• When the action is invoked, the host will lose the ability to make network connections to anything other than the CrowdStrike
cloud infrastructure and any internal IP addresses that have been specified in the Respond App.

Please see the CrowdStrike documentation for more information.

Configuration Process

Please note, this module is currently a technical preview and is subject to change.

Device Matching
By default, the Darktrace CrowdStrike Integration will attempt to associate devices seen in CrowdStrike alerts to network
devices observed by Darktrace by first matching on MAC Address, then hostname. If no hostname match is found, optional
private IP matching can also be performed by enabling the setting “Apply To Internal IP”. This matching is lower fidelity due to
potential for missed DHCP reassignment or overlapping private IP ranges; it is disabled by default.

Matching to devices monitored by Darktrace/Endpoint cSensor agents can also be enabled in the same location.

Events which contain no user or device information, or those for devices which Darktrace has not observed, are populated in
Advanced Search only.
 CrowdStrike Configuration
The creation of a new API client is described under “Defining
your first API Client” in the CrowdStrike guide - Getting
Access to the CrowdStrike API. The steps are repeated
below for reference.
1. Log in to the CrowdStrike Falcon UI as an administrator.
Darktrace Configuration
1. Log in to the Threat Visualizer, navigate to the System
Config page (Main menu › Admin › System Config) and
choose Modules from the left-side menu.
2. Scroll to the Threat Intelligence section and choose
CrowdStrike from the available Security Integrations.

2. Navigate to API Clients and Keys (Support › API Clients 3. Ensure the module is enabled in the top-right corner of
and Keys). the CrowdStrike Integration popup.

3. Click plus-circle Add new API Client. 4. Click New Account - if an account has already been
configured, the button will be underneath the existing
4. Enter a descriptive name (e.g. Darktrace Integration) entry.
and select Read and Write for the following API scopes:
5. Enter an Account Name, which will be displayed in the
• Detections Threat Visualizer in events retrieved by this CrowdStrike
• Hosts integration account.
• Host groups
• Prevention policies 6. Enter the Client ID and Client Secret obtained from
• Sensor update policies CrowdStrike in the previous section.
• User management
• Device control policies 7. Click Authorize, and observe a confirmation message
• Spotlight vulnerabilities that your account has been added, and the green check-circle
Good Service status message should appear at the top
5. Click ADD. of the configuration popup.

6. A Client ID and Client Secret will appear.
Make a note of both, they will be needed to configure
your Darktrace integration.
The secret will only be shown once and should be stored
securely.
8. Now, scroll to the “Settings” subheading and review
additional settings which impact all configurations - proxy
& cloud region.
Optionally override the global proxy setting if a different
proxy is required to contact the CrowdStrike instance. If
any fields are altered, ensure your changes are saved.

9. Ensure the CrowdStrike Cloud Region selected reflects

the region where API requests should be routed for your
CrowdStrike environment - the available options are
US-1, US-2 and EU-1.

If necessary, alter this field and save your changes.

The integration setup is now complete and the Darktrace

deployment will begin polling the CrowdStrike environment
for threat intelligence information.

US: +1 415 229 9100 UK: +44 (0) 1223 394 100 LATAM: +55 11 4949 7696 APAC: +65 6804 5010 info@darktrace.com darktrace.com
LAST UPDATED: JANUARY 4 2023