CrowdStrike
Attach a CrowdStrike Falcon control to Detect
To attach a CrowdStrike account to Detect, you will need:
- The Prelude CLI
- A limited API client/user that can report new detections
The API client must have permissions to the /iocs/entities/indicators/v1 route.
Attach the control
Run the following command to attach the control:
prelude iam attach-control crowdstrike --api <HOST> --user <CLIENT_ID> --secret <SECRET>
The host should look like https://api.us-2.crowdstrike.com
Your account credentials are stored, encrypted at rest, behind the Prelude Service API. Prelude manages the OAuth refresh automatically, refreshing your token with CrowdStrike every 30 minutes.
After attachment, the Prelude Service will send your CrowdStrike account a new IOC every time a probe reports a test in the UNPROTECTED state. Following this report, Falcon should start catching the test.
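One way to run the attach command above with a check on the API host and without typing the secret at the shell prompt, as an added example that is not Prelude's own tooling. The FALCON_* variable names, the function names and the host pattern are assumptions.

```shell
#!/bin/sh
# Added example, not Prelude's own code. Assumed names: the FALCON_* variables
# and both function names. Assumed rule: a valid host is a bare
# https://api[.<region>].crowdstrike.com URL, as in the page's sample host.

valid_falcon_host() {
  case "$1" in
    *[!A-Za-z0-9.:/-]*) return 1 ;;  # whitespace, newline, '@', '?', '#'
  esac
  printf '%s\n' "$1" |
    grep -Eq '^https://api(\.[a-z0-9-]+)*\.crowdstrike\.com$'
}

attach_crowdstrike() {
  valid_falcon_host "${FALCON_API_HOST:-}" || {
    echo "refusing API host: ${FALCON_API_HOST:-<unset>}" >&2; return 2; }
  [ -n "${FALCON_CLIENT_ID:-}" ] || {
    echo "FALCON_CLIENT_ID is not set" >&2; return 3; }
  falcon_secret="${FALCON_CLIENT_SECRET:-}"
  if [ -z "$falcon_secret" ]; then
    # Prompt with echo off so the secret is never typed into shell history.
    printf 'Falcon client secret: ' >&2
    stty -echo 2>/dev/null || true
    IFS= read -r falcon_secret || true
    stty echo 2>/dev/null || true
    printf '\n' >&2
  fi
  [ -n "$falcon_secret" ] || { echo "empty client secret" >&2; return 4; }
  # The CLI takes the secret as an argument, so it is still visible in the
  # process list while the command runs; use a single-user admin host.
  attach_rc=0
  prelude iam attach-control crowdstrike --api "$FALCON_API_HOST" \
    --user "$FALCON_CLIENT_ID" --secret "$falcon_secret" || attach_rc=$?
  unset falcon_secret
  return "$attach_rc"
}

# Run the attach only when the script is invoked as: ./attach.sh attach
if [ "${1:-}" = "attach" ]; then
  attach_crowdstrike
fi
```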
Detach the control
To detach the control from your account, run:
prelude iam detach-control crowdstrike