AS-Crowdstrike-CloudPosturing-Integration

Author: Accelerynt

For any technical questions, please contact info@accelerynt.com

This playbook syncs the vulnerabilities and configuration risks identified by CrowdStrike CSPM. It pulls the detections from the current CrowdStrike scan into a Microsoft Sentinel custom log table, where they can be tracked and queried.

[Screenshot: CrowdStrike_CloudPosturing_Integration_Demo_1]

Note

Estimated Time to Complete: 1 hour

Tip

Required deployment variables are noted throughout. Reviewing the deployment page and filling out fields as you proceed is recommended.

Requirements

The following items are required under the template settings during deployment:

  • CrowdStrike Domain - the domain of the base URL shown on the CrowdStrike OAuth client page. Documentation link.
  • CrowdStrike Client ID - the Client ID of the CrowdStrike OAuth client. Documentation link.
  • CrowdStrike API token - the value of the API token (client secret) generated for the CrowdStrike OAuth client. Documentation link.
  • Azure Key Vault Secret - the secret that will store the CrowdStrike API token. Documentation link.
  • Sentinel Logs Workspace ID & Key - the workspace ID and primary key of the Log Analytics Workspace that the CrowdStrike logs will be sent to. Documentation link.

Important

Preexisting and recent detections must be present in CrowdStrike's current scan in order to properly initialize the integration with Microsoft Sentinel.

Setup

Create a CrowdStrike OAuth Client

From the home page of your CrowdStrike account, navigate to Support and resources in the left menu blade. Click Resources and tools and then click API Clients and Keys.

[Screenshot: CrowdStrike_CloudPosturing_Integration_OAuth_1]

From the API client and Secrets page, click Add new API Client.

[Screenshot: CrowdStrike_CloudPosturing_Integration_OAuth_2]

Select the necessary API scopes and click Save to create the client.

[Screenshot: CrowdStrike_CloudPosturing_Integration_OAuth_3]

Locate the Client ID and Client Secret. Make sure to copy both of these items and save them somewhere that you can easily access later, as they will be needed for the deployment step.

[Screenshot: CrowdStrike_CloudPosturing_Integration_OAuth_4]

Select the Base URL for your region using the table below:

[Screenshot: CrowdStrike_CloudPosturing_Integration_OAuth_5]

Note the domain of the URL you selected, as it will be needed for the deployment step. It should follow the format "api.example.CrowdStrike.com".

Create an Azure Key Vault Secret

Navigate to the Azure Key Vaults page: https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults.

Navigate to an existing Key Vault or create a new one. From the Key Vault overview page, click the "Secrets" menu option, found under the "Settings" section. Click "Generate/Import".

[Screenshot: CrowdStrike_CloudPosturing_Integration_Key_Vault_1]

Choose a name for the secret, such as "AS-Crowdstrike-CloudPosturing-Integration-API-Token", and enter the CrowdStrike API token copied in the previous section. All other settings can be left as is. Click "Create".

[Screenshot: CrowdStrike_CloudPosturing_Integration_Key_Vault_2]

Once your secret has been added to the vault, navigate to the "Access policies" menu option, also found under the "Settings" section on the Key Vault page menu. Leave this page open, as you will need to return to it once the playbook has been deployed. See Granting Access to Azure Key Vault.

[Screenshot: CrowdStrike_CloudPosturing_Integration_Key_Vault_3]

Log Analytics Workspace

Navigate to the Log Analytics Workspace page: https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.OperationalInsights%2Fworkspaces.

Select the workspace that the CrowdStrike logs will be sent to, and take note of the name, as this will be needed for the deployment step.

[Screenshot: CrowdStrike_CloudPosturing_Integration_Log_Analytics_Workspace_1]

From the left menu blade, click Agents and expand the Log Analytics agent instructions section. Take note of both the workspace ID and the primary key; they are needed for a post-deployment step.

[Screenshot: CrowdStrike_CloudPosturing_Integration_Log_Analytics_Workspace_2]

Deployment

To configure and deploy this playbook:

Open your browser and ensure you are logged into your Microsoft Sentinel workspace. In a separate tab, open the link to our playbook on the Accelerynt Security GitHub Repository:

https://github.com/Accelerynt-Security/AS-Crowdstrike-CloudPosturing-Integration

[Deploy to Azure button] [Deploy to Azure Gov button]

Click the "Deploy to Azure" button at the bottom; it will bring you to the custom deployment template.

In the Project details section:

  • Select the Subscription and Resource group you would like the playbook deployed to from the dropdown boxes.

In the Instance details section:

  • Playbook Name: This can be left as "AS-Crowdstrike-CloudPosturing-Integration" or you may change it.

  • CrowdStrike Domain: Enter the domain of the CrowdStrike base URL, following the format 'api.CrowdStrike.com' referenced in Create a CrowdStrike OAuth Client.

  • Client ID: Enter the Client ID of your CrowdStrike OAuth client referenced in Create a CrowdStrike OAuth Client.

  • Key Vault Name: Enter the name of the Key Vault referenced in Create an Azure Key Vault Secret.

  • Secret Name: Enter the name of the Key Vault secret created in Create an Azure Key Vault Secret.

Towards the bottom, click on "Review + create".

[Screenshot: CrowdStrike_CloudPosturing_Integration_Deploy_1]

Once the resources have validated, click on "Create".

[Screenshot: CrowdStrike_CloudPosturing_Integration_Deploy_2]

The resources should take around a minute to deploy. Once the deployment is complete, you can expand the "Deployment details" section to view them. Click the one corresponding to the Logic App.

[Screenshot: CrowdStrike_CloudPosturing_Integration_Deploy_3]

This Logic App is intentionally deployed as disabled. Complete the following steps before enabling it.

Granting Access to Azure Key Vault

Before the Logic App is enabled, the playbook must be granted access to the Key Vault storing your CrowdStrike API token.

From the Key Vault "Access policies" page, click "Create".

[Screenshot: CrowdStrike_CloudPosturing_Integration_Key_Vault_Access_1]

Select only the "Get" checkbox under "Secret permissions" (the playbook needs no other secret permissions), then click "Next".

[Screenshot: CrowdStrike_CloudPosturing_Integration_Key_Vault_Access_2]

Paste "AS-Crowdstrike-CloudPosturing-Integration" into the principal search box and click the option that appears. Click "Next" towards the bottom of the page.

[Screenshot: CrowdStrike_CloudPosturing_Integration_Key_Vault_Access_3]

Navigate to the "Review + create" section and click "Create".

[Screenshot: CrowdStrike_CloudPosturing_Integration_Key_Vault_Access_4]

Authorize Playbook Connection

Before the Logic App is enabled, the azureloganalyticsdatacollector API connection must be edited and authorized.

From the playbook overview page, navigate to API connections from the left menu blade.

[Screenshot: CrowdStrike_CloudPosturing_Integration_API_Connections_1]

Click the azureloganalyticsdatacollector connection and then click Edit API connection. Enter your Workspace ID and primary key, then click Save.

[Screenshot: CrowdStrike_CloudPosturing_Integration_API_Connections_2]
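As an added illustration (not code from this repository), the following shows what the azureloganalyticsdatacollector connection does with the Workspace ID and primary key: every upload to the Log Analytics HTTP Data Collector API carries an HMAC-SHA256 signature computed from the key, which is why the key must be handled as a secret and never committed alongside the playbook. The workspace ID, key and detection record are constructed sample values, and nothing is transmitted.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed sample values, not real credentials; the real ones live
# only in the playbook's azureloganalyticsdatacollector connection.
SAMPLE_WORKSPACE_ID = "00000000-1111-2222-3333-444444444444"
SAMPLE_SHARED_KEY = base64.b64encode(b"constructed-sample-key-not-a-real-secret").decode()
# Log Analytics appends "_CL", so this Log-Type becomes CrowdstrikeDetections_CL.
LOG_TYPE = "CrowdstrikeDetections"


def string_to_sign(content_length: int, rfc1123_date: str) -> str:
    """Canonical string the Data Collector API expects to be signed."""
    return f"POST\n{content_length}\napplication/json\nx-ms-date:{rfc1123_date}\n/api/logs"


def build_signature(workspace_id: str, shared_key: str, content_length: int, rfc1123_date: str) -> str:
    """Authorization header: HMAC-SHA256 keyed with the base64-decoded workspace key."""
    key = base64.b64decode(shared_key)
    msg = string_to_sign(content_length, rfc1123_date).encode("utf-8")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"


def build_request(workspace_id: str, shared_key: str, records: list, log_type: str,
                  rfc1123_date: Optional[str] = None) -> dict:
    """Return the URL, headers and body the connector would send; nothing is sent here."""
    body = json.dumps(records).encode("utf-8")
    if rfc1123_date is None:
        rfc1123_date = datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_signature(workspace_id, shared_key, len(body), rfc1123_date),
        "Log-Type": log_type,
        "x-ms-date": rfc1123_date,
    }
    url = f"https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    return {"url": url, "headers": headers, "body": body}


if __name__ == "__main__":
    # Constructed sample record shaped loosely like a CSPM finding.
    sample = [{"detection_id": "sample-0001", "severity": "high", "cloud_provider": "azure"}]
    req = build_request(SAMPLE_WORKSPACE_ID, SAMPLE_SHARED_KEY, sample, LOG_TYPE)
    print(req["url"])
    print(req["headers"]["Authorization"])
```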

Enable the Playbook

Now that access has been granted to the appropriate resources and API connections have been authorized, the playbook can be enabled.

[Screenshot: CrowdStrike_CloudPosturing_Integration_Playbook_Enable_1]

Viewing Custom Logs

After the initial run has completed, navigate to the Log Analytics Workspace page: https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.OperationalInsights%2Fworkspaces. From there, select the workspace your deployed Logic App references and click "Logs" in the left-hand menu blade. Expand "Custom Logs". Here you should see a table called CrowdstrikeDetections_CL. Note that it may take a while for this table to appear after the playbook first creates it, so if the logs are not yet visible, try querying them again periodically.

[Screenshot: CrowdStrike_CloudPosturing_Integration_Custom_Logs_1]

About

Import Crowdstrike Detections into Microsoft Sentinel Logs
