Secure Internet and SaaS Access (ZIA)

Integrating with CrowdStrike

Zscaler's integration leverages CrowdStrike APIs to provide endpoint detection and response (EDR) visibility for Sandbox-detected malware. Once the integration is configured, the Zscaler service calls the CrowdStrike Falcon API and requests information for endpoints that have been exposed to the malicious file. CrowdStrike uses the new file signature to detect compromised points throughout your organization's network.

You can view information about the affected endpoints in the Sandbox logs and reports of the ZIA Admin Portal. You can also contain endpoints from the ZIA Admin Portal and go to the CrowdStrike portal for further investigation and remediation. These automated workflows reduce the threat dwell time and remediation time.

Prerequisites

Before you begin the CrowdStrike integration, ensure you have:

To learn more, refer to the CrowdStrike documentation.

Step 1: Create an API Client for CrowdStrike

To create an API client for CrowdStrike:

  1. Log in to the CrowdStrike portal.
  2. You must obtain the Client ID, Secret, and Customer ID to complete Step 2:
  • To create an API client for CrowdStrike and obtain the client ID and secret:

    1. In the left-side navigation, go to Support > API Clients and Keys.

    The API key page appears.

    2. In the API Clients section, click Add new API client.

    The Add new API client window appears.

    3. In the Add new API client window:
      • Client Name: Enter a name for the API client (e.g., Zscaler API).
      • Description: (Optional) Enter a description for the API client.
      • API Scopes: Select the following API scopes:
        • Detections (Read only)
        • Hosts (Read and Write)
        • IOCs (Read only)

    4. Click Add.

    The API client created window appears.

    5. In the API client created window, copy the Client ID and Secret values.

    You must copy the client Secret now. You aren't able to retrieve the client secret later. The Zscaler service uses the Client ID and Secret to authenticate to CrowdStrike. You need this Secret to complete the integration in the ZIA Admin Portal for Step 2.

    6. Click Done.
  • To obtain the CrowdStrike customer ID:

    1. In the left-side navigation, click the Profile icon.

    The User Profile page appears.

    2. Under User Details, copy the Customer ID. You need it to complete the integration in the ZIA Admin Portal for Step 2.

Step 2: Set Up Your CrowdStrike Integration with Zscaler

To set up your CrowdStrike integration in the ZIA Admin Portal:

  1. Log in to the ZIA Admin Portal.
  2. Go to Administration > Partner Integrations.
  3. Click the CrowdStrike tab.
  4. Under CrowdStrike Authentication Credentials:
    • API Auth FQDN: The fully qualified domain name (FQDN) for the CrowdStrike OAuth API. It's typically api.crowdstrike.com. If your organization accesses APIs using a different FQDN, enter it instead.
    • Client ID: Enter your client ID.
    • Secret: Enter your client secret.
    • Customer ID: Enter your customer ID.

Only alphanumeric symbols are accepted for the Customer ID. Remove any dashes from the value you enter.

  5. Click Save.

If your CrowdStrike credentials are valid, the Zscaler service can call the CrowdStrike Falcon APIs and sync your endpoint hits to the Zscaler service. You can then view file and endpoint information in the CrowdStrike Endpoint Hits report.
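A pre-flight check you can run before entering the values in Step 2, added here as an example and not taken from Zscaler or CrowdStrike: it normalizes the Customer ID as the note above requires and confirms that the Client ID and Secret are accepted on the API Auth FQDN. It assumes CrowdStrike's OAuth2 token endpoint at /oauth2/token; the CS_* environment variable names and the function names are hypothetical.

```python
import json
import os
import re
import urllib.error
import urllib.parse
import urllib.request

# Bare host name only: lowercase labels separated by dots, no scheme, port or path.
FQDN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

def normalize_customer_id(raw):
    """Strip dashes and whitespace; ZIA accepts only alphanumeric characters."""
    cid = raw.strip().replace("-", "")
    if not (cid.isascii() and cid.isalnum()):
        raise ValueError("Customer ID must be alphanumeric once dashes are removed")
    return cid

def build_token_request(fqdn, client_id, secret):
    """Build (without sending) the OAuth2 client-credentials request."""
    fqdn = fqdn.strip().lower()
    if not FQDN_RE.match(fqdn):
        raise ValueError("API Auth FQDN must be a bare host name, no scheme or path")
    body = urllib.parse.urlencode({"client_id": client_id, "client_secret": secret})
    return urllib.request.Request(
        f"https://{fqdn}/oauth2/token", data=body.encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})

def credentials_valid(fqdn, client_id, secret, timeout=10):
    """Return True if a token is issued; the token itself is discarded."""
    req = build_token_request(fqdn, client_id, secret)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return "access_token" in json.load(resp)
    except urllib.error.HTTPError:
        return False  # the API rejected the client ID or secret

if __name__ == "__main__":
    # Hypothetical variable names; reading the secret from the environment
    # keeps it out of shell history and process listings.
    ok = credentials_valid(os.environ.get("CS_FQDN", "api.crowdstrike.com"),
                           os.environ["CS_CLIENT_ID"], os.environ["CS_SECRET"])
    print("Customer ID for ZIA:", normalize_customer_id(os.environ["CS_CUSTOMER_ID"]))
    print("credentials accepted" if ok else "credentials rejected")
```

A successful check shows only that the Client ID and Secret authenticate; it does not confirm that the three API scopes from Step 1 were selected.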

Related Articles
  • About Partner Integrations
  • Integrating with Microsoft Cloud App Security
  • Managing SD-WAN Partner Keys
  • Integrating with Microsoft Azure Virtual WAN
  • Integrating with CrowdStrike
  • Viewing the CrowdStrike Endpoint Hits Report
  • Integrating with Microsoft Defender for Endpoint
  • Viewing the Microsoft Defender Endpoint Hits Report