ITDR
Containment Configuration Guide for CrowdStrike
This configuration guide describes the prerequisites for, and the steps to, integrate Zscaler ITDR with CrowdStrike Falcon Insight so that endpoints can be contained and isolated when an attack is detected. In addition, you can configure ITDR to share intelligence, along with suggested actions that CrowdStrike should perform, for events with indicators of compromise (IOCs).
To learn more about how to integrate Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA) with CrowdStrike, see the Zscaler and CrowdStrike Deployment Guide.
Prerequisites
Ensure there is network connectivity from the Zscaler ITDR Admin Portal to CrowdStrike Falcon Insight on HTTPS port 443.
Configuring Containment Integration with CrowdStrike Falcon Insight
Follow these steps to configure containment integration with CrowdStrike Falcon Insight:
- Step 1: Create a Client and Secret Key in CrowdStrike Falcon Insight
- Log in to the CrowdStrike Falcon Insight platform.
- Go to Support > API Clients and Keys.
- Click Add new API client.
- In the Add new API client window:
- Enter the Client Name of the new API.
- Enter the Description.
- Under API Scopes:
- For Detections, select Read.
- For Hosts, select Read and Write.
- For IOCs (Indicators of Compromise), select Read and Write.
- Click Add.
The API client created window appears.
- Copy the client ID and secret key.
- Click Done.
- Step 2: Configure the Containment Integration Between ITDR and CrowdStrike Falcon Insight
- In the ITDR Admin Portal, go to Orchestrate > Containment.
- In the table, locate CrowdStrike and click the Edit icon.
- In the CrowdStrike Falcon Insight configuration window:
- Enabled: Select to enable the containment.
- URL: Enter the CrowdStrike API endpoint URL. For example, enter https://api.crowdstrike.com.
- Client ID: Enter the client ID that you copied in the previous step.
- Client Secret: Enter the client secret that you copied in the previous step.
- Click Save.
- Click Test to verify the reachability of the CrowdStrike Falcon Insight platform.
- Step 3: Configure Orchestration Rule or Take Action to Contain Detected Attackers
You can contain detected attackers automatically by creating an orchestration rule, or manually by taking action from the Investigate page.
- Create a rule.
- In the ITDR Admin Portal, go to Orchestrate > Rule.
- Click Add Rule.
- In the Rule Details window:
- Enter the name of the rule.
- Select Enabled.
- Create a rule using queries and conditions.
- Under Respond, locate the CrowdStrike section, and configure the following options:
- Falcon Insight: Enable to contain an endpoint using CrowdStrike when an event matching the configured rule occurs.
When the same IP address is encountered for more than one CrowdStrike-managed device, none of these devices are isolated and the event is recorded as a containment failure in the logs as a system message. To learn more about system messages, see Viewing and Managing System Messages.
- IOC Hash: Enable to share file hashes that are considered indicators of compromise with CrowdStrike, and select an appropriate IOC Hash Action and IOC Hash Severity.
- Click Save.
- Take action from the Investigate page.
- On the Investigate page, click an attack icon on the alert graph.
The attacker details pane opens.
- Click Actions.
A list of actions that you can take to remediate the threat appears.
- Click the CrowdStrike Falcon drop-down menu, and select Contain with CrowdStrike Falcon Insight.
- In the confirmation window, click OK.
When the same IP address is encountered for more than one CrowdStrike-managed device, the containment action with Falcon Insight fails and an error is displayed.
After containing the detected attackers, you can view the details of the attacker.
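As an added example (not Zscaler's or CrowdStrike's own code) of what Steps 1 to 3 set up, the following Python module builds the Falcon API calls the integration relies on and implements the documented refusal to isolate when one IP address maps to more than one managed device. The endpoint paths and IOC field names are assumptions taken from CrowdStrike's public API reference, the host inventory is constructed, and nothing is sent on the network.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class FalconRequest:  # one HTTP call the integration would make (built, not sent)
    method: str
    path: str
    params: dict = field(default_factory=dict)
    body: Optional[dict] = None

def token_request(client_id: str, client_secret: str) -> FalconRequest:
    # OAuth2 client-credentials exchange with the client ID/secret from Step 1; the
    # scopes granted there are what the later calls rely on. Path is an assumption
    # taken from CrowdStrike's public API reference.
    return FalconRequest("POST", "/oauth2/token",
                         body={"client_id": client_id, "client_secret": client_secret})

def resolve_device(ip: str, hosts: list) -> tuple:
    """Map the attacker IP to exactly one device ID -> (device_id, None).
    Documented rule: if the IP is seen on more than one managed device, nothing is
    isolated and a containment-failure message is returned -> (None, message)."""
    matches = [h["device_id"] for h in hosts if h.get("local_ip") == ip]
    if len(matches) == 1:
        return matches[0], None
    if not matches:
        return None, f"containment failure: no Falcon-managed device has IP {ip}"
    return None, (f"containment failure: IP {ip} is reported by {len(matches)} devices "
                  f"{sorted(matches)}; refusing to isolate any of them")

def contain_request(device_id: str) -> FalconRequest:
    # Network-contain one host (needs Hosts: Write). Path and parameter are an
    # assumption taken from CrowdStrike's public API reference.
    return FalconRequest("POST", "/devices/entities/devices-actions/v2",
                         params={"action_name": "contain"}, body={"ids": [device_id]})

def ioc_hash_request(sha256: str, action: str, severity: str) -> FalconRequest:
    # Share a file hash as a custom IOC (needs IOCs: Write); action/severity map to
    # the IOC Hash Action and IOC Hash Severity options in Step 3. Path assumed as above.
    return FalconRequest("POST", "/iocs/entities/indicators/v1",
                         body={"indicators": [{"type": "sha256", "value": sha256,
                                               "action": action, "severity": severity,
                                               "platforms": ["windows"],
                                               "applied_globally": True}]})

# Constructed sample inventory: two devices report the same 10.0.0.9 address.
SAMPLE_HOSTS = [{"device_id": "dev-aaa", "local_ip": "10.0.0.5"},
                {"device_id": "dev-bbb", "local_ip": "10.0.0.9"},
                {"device_id": "dev-ccc", "local_ip": "10.0.0.9"}]
```

Running `resolve_device("10.0.0.9", SAMPLE_HOSTS)` returns no device and a failure message, which is the condition the guide says is logged as a system message rather than acted on.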