CrowdStrike Falcon Endpoint Protection Platform is a cloud-based platform that protects laptops, desktops, and servers from breaches.
Requirements

To use the CrowdStrike connector in Lucidum:

- Before configuring the CrowdStrike connector in Lucidum, you must first define credentials for Lucidum in the CrowdStrike API.
- You can then configure the CrowdStrike connector in Lucidum and start ingesting data from CrowdStrike Falcon.
Prerequisite: Define Credentials for Lucidum in the CrowdStrike API

If you are using the latest version of the CrowdStrike API, use the instructions in the first section below. If you are using a previous version of the CrowdStrike API, use the instructions in the second section.
Defining Client Credentials for Lucidum Using the Latest CrowdStrike API

To create read-only credentials for Lucidum to connect to the latest version of the CrowdStrike API:

1. Log in to the Falcon Administrator panel with an Administrator account.
2. Go to Support > API Clients and Keys.
3. Click Add new API client.
4. Select Read permissions for Detections, Hosts, and Host groups.
5. Select Read permission for Spotlight vulnerabilities.
6. Click Add and save the generated credentials.
Defining Client Credentials for Lucidum Using Previous Versions of the CrowdStrike API

To create read-only credentials for Lucidum to connect to previous versions of the CrowdStrike API:

1. Verify you have a valid account in the CrowdStrike support portal: https://falcon.crowdstrike.com/support/documentation/2/query-api-reference
2. Create a GPG key pair before requesting the API key. For details on creating a GPG key, see https://www.redhat.com/sysadmin/creating-gpg-keypairs
3. Export your public key in ASCII format.
4. Contact CrowdStrike Support by email and request that they create an API key for the Query API. Include your public key in the email to CrowdStrike Support.
   Note that the Query API key is different from the API key for the Falcon API. Please ensure that you ask for access to the Query API when making the request.
5. When CrowdStrike Support sends you an API key for the Query API, use your private GPG key to decrypt the Query API credentials.
6. Save the username and API key provided by CrowdStrike.
Configuring the CrowdStrike Connector

To configure Lucidum to ingest data from CrowdStrike:

1. Log in to Lucidum.
2. In the left pane, click Connector.
3. In the Connector page, click Add Connector.
4. Scroll until you find the Connector for CrowdStrike. Click Connect. The Settings page appears.
5. In the Settings page, enter the following:
   - URL. The URL for the CrowdStrike API. By default, this value is https://api.crowdstrike.com. Other possible values are:
     - For the legacy CrowdStrike API: https://falconapi.crowdstrike.com
     - Alternate URL for the current API: https://api.us-2.crowdstrike.com
   - Client ID. For the current version of the CrowdStrike API, enter the API Client ID. For previous versions of the CrowdStrike API, enter the user name.
   - API Secret. For the current version of the CrowdStrike API, enter the API Secret. For previous versions of the CrowdStrike API, enter the user API key.
6. To test the configuration, click Test.
   - If the connector is configured correctly, Lucidum displays a list of services that are accessible with the connector.
   - If the connector is not configured correctly, Lucidum displays an error message.
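A pre-flight check for the settings above, as an added example that is not Lucidum's or CrowdStrike's own code: it validates the URL against the three values listed above and performs the OAuth2 client-credentials exchange that the API Client ID and API Secret are used for, so a typo in any of the three fields shows up before the connector is saved. The token endpoint path `/oauth2/token` and its JSON response fields are assumed from the current CrowdStrike API, not from this page; the legacy Query API uses a username and API key instead, so the token exchange applies to the current API only.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Base URLs the connector settings above list; anything else is almost certainly a typo.
KNOWN_BASE_URLS = {
    "https://api.crowdstrike.com",        # default, current API
    "https://api.us-2.crowdstrike.com",   # alternate URL for the current API
    "https://falconapi.crowdstrike.com",  # legacy API
}

def normalize_base_url(url):
    """Trim whitespace and trailing slashes; reject URLs the connector does not expect."""
    url = url.strip().rstrip("/")
    if url not in KNOWN_BASE_URLS:
        raise ValueError(f"unexpected CrowdStrike base URL: {url!r}")
    return url

def build_token_request(base_url, client_id, api_secret):
    """Build the OAuth2 client-credentials POST (assumed endpoint: /oauth2/token)."""
    body = urllib.parse.urlencode({"client_id": client_id, "client_secret": api_secret})
    return urllib.request.Request(
        normalize_base_url(base_url) + "/oauth2/token", data=body.encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"},
    )

def check_credentials(base_url, client_id, api_secret, opener=urllib.request.urlopen):
    """Return (ok, detail); ok is True only when a bearer token comes back.
    `opener` is injectable so the check can run offline; the secret never
    appears in the detail string, so the result is safe to log."""
    req = build_token_request(base_url, client_id, api_secret)  # raises ValueError on a bad URL
    try:
        with opener(req, timeout=15) as resp:
            payload = json.loads(resp.read().decode())
    except urllib.error.HTTPError as err:
        return False, f"HTTP {err.code} from token endpoint: check Client ID, API Secret and URL"
    except (urllib.error.URLError, ValueError) as err:
        return False, f"could not reach or parse token endpoint: {err}"
    if isinstance(payload, dict) and payload.get("access_token") \
            and str(payload.get("token_type", "")).lower() == "bearer":
        return True, f"token accepted, expires in {payload.get('expires_in')} s"
    return False, "token endpoint answered without a bearer token"
```

Run `check_credentials(url, client_id, api_secret)` with the values you intend to enter in the Settings page; a `(True, ...)` result means the same credentials should pass the connector's Test button.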
API Documentation

Log in to the CrowdStrike Developer portal and go to: https://developer.crowdstrike.com/crowdstrike/reference