CrowdStrike Falcon Protect

This document provides instructions for configuring CrowdStrike in order for the Vectra context integration to have the correct access to pull label contexts.

Prerequisites

Before configuring the CrowdStrike Falcon Protect context integration in Vectra, you will need to have an API user created in CrowdStrike.

Configure an API Client

• On the left hand menu expand the "Support and resources" submenu.

• Then click on API clients and keys.

• Click on the "Create API client" button in the top right

• Fill out the client name.

• Give the key a description.

• In the API Scopes table select Read permission for "Hosts".

• Click add at the bottom to create this api client.

📘The CrowdStrike Falcon Protect setup uses the same steps as Discover but only the Read permission is required for Hosts, as exampled below in the Add new API client window:

• After clicking "Create" you will be presented with a screen that shows the credentials like below. Make note of the CLIENT ID, SECRET and subdomain from the BASE URL.

  • Note: The Subdomain of the base URL is what to select for Cloud abbreviation.

    📘 If the BASE URL is api.crowdstrike.com then your cloud is US-1.

    

Vectra portal steps

Navigate to Integrations (make sure you are on the Context tab) and click "Add Integration", then select CrowdStrike Falcon Protect

Configuration

The following fields are specific to the CrowdStrike Falcon Protect integration.

Authentication

The following fields are necessary for the integration to authenticate with CrowdStrike.