CrowdStrike
Attach partner account
To attach a CrowdStrike account to Prelude, you will need:
- A CrowdStrike API key
In CrowdStrike
Create API Key
Open the CrowdStrike navigation bar and select Support and resource > API clients and keys.
Generate a new API key with the following permissions:
IOC Submission
Self-healing functionality requires the following API client permissions:
- Hosts - Read
- IOC Management - Write
Alert Suppression
Self-healing functionality requires the following API client permissions:
- Detections - Write
Probe deployment
Probe deployment requires these additional API client permissions
Self-healing
After attachment, the Prelude Service will automatically start sending failed tests to your CrowdStrike account. A new IOC prevention rule, marked as informational, will be created for each failed test. Following this, Falcon should start catching the test on all endpoints.
Probe deployment
Use the Detect console to provision probes on your CrowdStrike-managed endpoints. Probe deployment requires additional API client permissions (referenced above) and one additional setup step within the CrowdStrike console.
CrowdStrike Setup
In the CrowdStrike console, navigate to Host setup and management, then response policies. Each operating platform has its own policy. The following need to be enabled for each target operating system:
- Custom Scripts
- put
- run
- put and run
Probe deployment
- Click + Add a Probe
- Click Deploy using Crowdstrike
- Select target OS Platform
- Select a number of target endpoints or Select All
- Deploy and review results