Crowdstrike

Attach partner account

To attach a Crowdstrike account to Prelude, you will need:

  • A Crowdstrike API key

In Crowdstrike

Create API Key

Open the CrowdStrike navigation bar and select Support and resources > API clients and keys.

Generate a new API key with the following permissions:

IOC Submission

Self-healing functionality requires the following API client permissions:

  • Hosts - Read
  • IOC Management - Write

Alert Suppression

Self-healing functionality requires the following API client permissions:

  • Detections - Write

Probe deployment

Probe deployment requires these additional API client permissions:

  • Real time response - Read, Write
  • Real time response (admin) - Write

Included capabilities

Self-healing

After attachment, the Prelude Service will automatically start sending failed tests to your Crowdstrike account. New IOC prevention rules will be created for each, marked as informational. Following this, Falcon should start catching the test on all endpoints.

Probe deployment

Use the Detect console to provision probes on your Crowdstrike managed endpoints. Probe deployment requires the additional API client permissions listed above and one additional setup step within the Crowdstrike console.
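The permission lists above describe three capabilities with different scope requirements, so an API client created for self-healing alone should not carry the Real time response scopes. The following is an added example, not code from Prelude or CrowdStrike: it encodes this page's capability-to-scope table and audits a client's granted scopes for both missing and excess entries. The granted-scope list is a constructed sample; replace it with the scopes shown on the client's detail page in the Falcon console.

```python
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

Scope = str  # "<API scope> - <Read|Write>", matching the wording used on this page

# Capability -> required scopes, taken from the permission lists on this page.
REQUIRED_SCOPES: Dict[str, FrozenSet[Scope]] = {
    "self-healing": frozenset({"Hosts - Read", "IOC Management - Write"}),
    "alert-suppression": frozenset({"Detections - Write"}),
    "probe-deployment": frozenset({
        "Real time response - Read",
        "Real time response - Write",
        "Real time response (admin) - Write",
    }),
}


def required_for(capabilities: Iterable[str]) -> Set[Scope]:
    """Union of scopes needed for the chosen capabilities; unknown names are rejected."""
    needed: Set[Scope] = set()
    for cap in capabilities:
        if cap not in REQUIRED_SCOPES:
            raise ValueError(f"unknown capability: {cap!r}")
        needed |= REQUIRED_SCOPES[cap]
    return needed


def audit(capabilities: Iterable[str], granted: Iterable[Scope]) -> Tuple[List[Scope], List[Scope]]:
    """Return (missing, excess): scopes the client lacks, and scopes it holds but does not need."""
    needed = required_for(capabilities)
    granted_set = set(granted)
    return sorted(needed - granted_set), sorted(granted_set - needed)


# Constructed sample: a client meant only for self-healing that was also given RTR admin.
SAMPLE_GRANTED: List[Scope] = [
    "Hosts - Read",
    "IOC Management - Write",
    "Real time response (admin) - Write",
]

if __name__ == "__main__":
    missing, excess = audit(["self-healing"], SAMPLE_GRANTED)
    print("missing:", missing)  # []
    print("excess:", excess)    # ['Real time response (admin) - Write']
```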

Crowdstrike Setup

In the Crowdstrike console, navigate to Host setup and management and then Response policies. Each operating platform has its own policy; enable the following in the policy for each target operating system:

  • Custom Scripts
  • put
  • run
  • put and run

Probe deployment

  1. Click + Add a Probe
  2. Click Deploy using Crowdstrike
  3. Select target OS Platform
  4. Select a number of target endpoints or Select All
  5. Deploy and review results