
Containment Configuration Guide for CrowdStrike

This configuration guide describes the prerequisites for, and the steps to, integrate Zscaler ITDR with CrowdStrike Falcon Insight so that ITDR can contain (network-isolate) endpoints when an attack is detected. You can also configure ITDR to share intelligence, together with the action CrowdStrike should take, for events that carry indicators of compromise (IOCs).

To learn more about how to integrate Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA) with CrowdStrike, see the Zscaler and CrowdStrike Deployment Guide.

Prerequisites

Ensure there is outbound network connectivity on HTTPS port 443 from the Zscaler ITDR Admin Portal to the CrowdStrike Falcon API base URL for your tenant's Falcon cloud (for example, https://api.crowdstrike.com). The ITDR integration calls the Falcon API directly, so a firewall or proxy that blocks this path causes the Test step and every containment action to fail.

Configuring Containment Integration with CrowdStrike Falcon Insight

Follow these steps to configure containment integration with CrowdStrike Falcon Insight:

    1. Log in to the CrowdStrike Falcon Insight platform.
    2. Go to Support > API Clients and Keys.
    3. Click Add new API client.
    4. In the Add new API client window:
      • Enter the Client Name of the new API.
      • Enter the Description.
      • Under API Scopes, grant only the scopes the integration needs:
        • For Detections, select Read.
        • For Hosts, select Read and Write (Write is required to contain a host).
        • For IOCs (Indicators of Compromise), select Read and Write (required to push IOC hashes).

    5. Click Add.

      The API client created window appears.

    6. Copy the client ID and client secret. The client secret is shown only at creation time; store it in a secrets manager, because if it is lost you must reset the secret for this API client and update ITDR with the new value.
    7. Click Done.
    Next, configure the integration in the ITDR Admin Portal:

    1. In the ITDR Admin Portal, go to Orchestrate > Containment.
    2. In the table, locate CrowdStrike and click the Edit icon.

    3. In the CrowdStrike Falcon Insight configuration window:
      • Enabled: Select to enable the containment.
      • URL: Enter the CrowdStrike API base URL for the Falcon cloud your tenant is hosted in. For example, enter https://api.crowdstrike.com for US-1; other clouds use their own base URLs (such as https://api.us-2.crowdstrike.com or https://api.eu-1.crowdstrike.com), and entering the wrong one causes authentication to fail.
      • Client ID: Enter the client ID that you copied in the previous step.
      • Client Secret: Enter the client secret that you copied in the previous step.
    4. Click Save.
    5. Click Test to verify the reachability of the CrowdStrike Falcon Insight platform.

    You can contain detected attackers automatically by creating an orchestrated rule, or manually by taking action from the Investigate page.

    To contain attackers automatically with an orchestrated rule:

      1. In the ITDR Admin Portal, go to Orchestrate > Rule.
      2. Click Add Rule.

      3. In the Rule Details window:
        • Enter the name of the rule.
        • Select Enabled.
        • Create a rule using queries and conditions.

        • Under Respond, locate the CrowdStrike section, and configure the following options:
          • Falcon Insight: Enable to contain an endpoint using CrowdStrike when an event matching the configured rule occurs.

            ITDR maps the attacker's IP address to a CrowdStrike-managed device before requesting containment. If the same IP address is found on more than one CrowdStrike-managed device (for example, addresses shared behind NAT or reused across network segments), none of these devices is isolated, so that the wrong host is not taken offline, and the event is recorded as a containment failure in the logs as a system message. To learn more about system messages, see Viewing and Managing System Messages.

          • IOC Hash: Enable to share file hashes that are considered indicators of compromise with CrowdStrike, and select an appropriate IOC Hash Action and IOC Hash Severity.

      4. Click Save.
      To contain an attacker manually from the Investigate page:

      1. On the Investigate page, click an attack icon on the alert graph.

        The attacker details pane opens.

      2. Click Actions.

        A list of actions that you can take to remediate the threat appears.

      3. Click the CrowdStrike Falcon drop-down menu, and select Contain with CrowdStrike Falcon Insight.
      4. In the confirmation window, click OK.

        When the same IP address is found on more than one CrowdStrike-managed device, the containment action with Falcon Insight fails, no device is isolated, and an error is displayed.

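The containment decision described above (one attacker IP that resolves to exactly one Falcon host is contained; zero or several matching hosts means no isolation and a recorded failure) can be reproduced against the Falcon API directly, which is also a useful way to verify a new API client's credentials and scopes before saving them in ITDR. The following Python is an added example written for this guide; it is not Zscaler's or CrowdStrike's code, and how ITDR itself matches an IP to a host is not documented here. It uses the Falcon API's OAuth2 token endpoint, the device query endpoint with an FQL filter on the `local_ip` host field (the choice of `local_ip` is an assumption), and the device-actions endpoint with `action_name=contain`. The host inventory and the `FakeTransport` class are constructed so the example runs offline; pass no `transport` to `FalconClient` to make real HTTPS calls.

```python
"""Containment by attacker IP, mirroring the documented rule:
exactly one Falcon host for the IP -> contain; zero or several -> no action."""
import ipaddress
import json
import urllib.parse
import urllib.request


class FalconClient:
    """Minimal Falcon API client (stdlib only). `transport(method, url, headers,
    body)` returns the decoded JSON; the default uses urllib over HTTPS/443."""

    def __init__(self, base_url, client_id, client_secret, transport=None):
        self.base_url = base_url.rstrip("/")   # e.g. https://api.crowdstrike.com
        self.client_id = client_id
        self.client_secret = client_secret
        self._transport = transport or self._http
        self._token = None

    @staticmethod
    def _http(method, url, headers, body):
        req = urllib.request.Request(url, data=body, method=method, headers=headers)
        with urllib.request.urlopen(req, timeout=15) as resp:
            return json.load(resp)

    def get_token(self):
        """POST /oauth2/token with the API client ID and secret (form-encoded)."""
        if self._token is None:
            body = urllib.parse.urlencode(
                {"client_id": self.client_id, "client_secret": self.client_secret}
            ).encode()
            data = self._transport(
                "POST", f"{self.base_url}/oauth2/token",
                {"Content-Type": "application/x-www-form-urlencoded"}, body)
            self._token = data["access_token"]
        return self._token

    def _auth(self):
        return {"Authorization": f"Bearer {self.get_token()}",
                "Content-Type": "application/json"}

    def device_ids_by_ip(self, ip):
        """Hosts: Read. Validate the IP first so it cannot alter the FQL filter."""
        ip = str(ipaddress.ip_address(ip))
        flt = urllib.parse.quote(f"local_ip:'{ip}'")
        data = self._transport(
            "GET", f"{self.base_url}/devices/queries/devices/v1?filter={flt}&limit=100",
            self._auth(), None)
        return data.get("resources", [])

    def contain(self, device_id):
        """Hosts: Write. Network-contain one host by device ID."""
        body = json.dumps({"ids": [device_id]}).encode()
        return self._transport(
            "POST", f"{self.base_url}/devices/entities/devices-actions/v2?action_name=contain",
            self._auth(), body)


def contain_by_ip(client, ip):
    """Return (outcome, matching_device_ids). Only an unambiguous match is contained."""
    ids = client.device_ids_by_ip(ip)
    if not ids:
        return "no_device", ids
    if len(ids) > 1:
        # Same IP on several Falcon-managed hosts: isolate none, report a failure.
        return "ambiguous_ip", ids
    client.contain(ids[0])
    return "contained", ids


# Constructed sample inventory (device ID -> local IP); not real data.
SAMPLE_HOSTS = {
    "aaaaaaaa11111111": "10.10.5.21",
    "bbbbbbbb22222222": "10.10.5.40",
    "cccccccc33333333": "10.10.5.40",   # duplicate IP, e.g. behind NAT
}


class FakeTransport:
    """Stands in for the Falcon API so the example runs offline."""

    def __init__(self, hosts):
        self.hosts = hosts
        self.contained = []   # device IDs that received a contain action

    def __call__(self, method, url, headers, body):
        parsed = urllib.parse.urlparse(url)
        if parsed.path == "/oauth2/token":
            return {"access_token": "fake-token", "expires_in": 1799}
        assert headers.get("Authorization") == "Bearer fake-token"
        if parsed.path == "/devices/queries/devices/v1":
            ip = urllib.parse.parse_qs(parsed.query)["filter"][0].split("'")[1]
            return {"resources": [d for d, h in self.hosts.items() if h == ip]}
        if parsed.path == "/devices/entities/devices-actions/v2":
            ids = json.loads(body)["ids"]
            self.contained.extend(ids)
            return {"resources": [{"id": i} for i in ids]}
        raise ValueError(f"unexpected call: {method} {url}")


def demo():
    """Run the three cases (unique IP, duplicate IP, unknown IP) offline."""
    transport = FakeTransport(SAMPLE_HOSTS)
    client = FalconClient("https://api.crowdstrike.com", "client-id", "client-secret", transport)
    outcomes = {ip: contain_by_ip(client, ip)[0]
                for ip in ("10.10.5.21", "10.10.5.40", "10.10.9.9")}
    return outcomes, transport.contained


if __name__ == "__main__":
    print(demo())
```

To check a freshly created API client, construct `FalconClient` with your tenant's base URL and credentials and no `transport`: a successful `get_token()` confirms the client ID and secret, and a successful `device_ids_by_ip()` confirms the Hosts: Read scope without containing anything.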

After containing a detected attacker, you can continue to view the attacker's details on the Investigate page; containment failures are recorded as system messages.

Related Articles
  • About Containment Integration
  • Containment Configuration Guide for CrowdStrike
  • Containment Configuration Guide for Identity Threat Protection with Okta AI
  • Containment Configuration Guide for Zscaler Internet Access (ZIA)
  • Containment Configuration Guide for Zscaler Private Access (ZPA)
  • Viewing the Blocked Identities