Skip to main content

CrowdStrike

Visualize Crowdstrike endpoint agents and protected devices, map agents to devices and their respective owners, and monitor changes through queries and alerts.

Installation

info

You will need to create an API client ID and an API client secret on Crowdstrike. See their documentation for more information.

When creating the API client ID and API client secret, provide (at minimum) read access to the following API Scopes:

  • Hosts
  • Prevention Policies

Other scopes are required when enabling additional ingestion steps:

  • Vulnerabilities (Requires Spotlight Module)
  • Zero Trust Assessments
  • Device control policies
  • Firewall management
  • Apps
  • User management
  • Alerts
  • Falcon Container Image
  • Cloud Security AWS Registration
  • Cloud Security Azure Registration
  • Cloud Security API Assets
  • Cloud Security API Detections

⏱️ 2. Ingestion Windows (Time Ranges)

Define how far back in time data is collected during ingestion. Each data type has its own configurable window.

FieldDescriptionDefaultOptions
Vulnerabilities Ingestion WindowDays to look back for updated vulnerabilities.9090, 180, 275, 365
Alerts Ingestion WindowDays to look back for updated alerts.9090, 180, 275, 365
Applications Ingestion WindowDays to look back for last-used applications.9090, 180, 275, 365
Device Ingestion WindowDays to look back for devices based on last seen date.507, 15, 30, 50, 60, 90, 180, 275, 365
Containers Ingestion WindowDays to look back for containers based on first seen date.507, 15, 30, 50, 60, 90, 180, 275, 365

🎯 3. Data Filtering Options

FieldTypeDescriptionDefault
Include Closed VulnerabilitiesBooleanEnables ingestion of vulnerabilities marked as closed in CrowdStrike.false
Ingest Suspicious Applications OnlyBooleanWhen enabled, only imports applications flagged as suspicious.false

To install the Crowdstrike integration in JupiterOne, navigate to the Integrations tab in JupiterOne and select Crowdstrike. Click New Instance to begin configuring your integration.

Creating a configuration requires the following:

  • The Account Name used to identify the Crowdstrike account in JupiterOne. Ingested entities will have this value stored in tag.AccountName when the AccountName toggle is enabled.

  • Description to assist in identifying the integration instance, if desired.

  • Polling Interval that you feel is sufficient for your monitoring needs. You may leave this as DISABLED and manually execute the integration.

  • Your Crowdstrike API client ID and API client secret to authenticate with the CrowdStrike Falcon and Spotlight APIs.

  • Enter the Availability Zone you'd like to use for API calls. Leave blank to use the main API endpoint. For example, entering us-2 as the availability zone will result in the use of a CrowdStrike API endpoint of api.us-2.crowdstrike.com.

Click Create once all values are provided to finalize the integration.

note

The CrowdStrike integration only ingests information on applications that have vulnerabilities. Applications without vulnerabilities will not be ingested into JupiterOne.

Next steps

Now that your integration instance has been configured, it will begin running on the polling interval you provided, populating data within JupiterOne. Continue on to our Instance management guide to learn more about working with and editing integration instances.