CrowdStrike Falcon

Infinity XDR (Extended Detection & Response)/XPR (Extended Prevention & Response) analyzes the logs it collects from the CrowdStrike Falcon management portal for malicious activity and suggests preventive actions, which you must enforce manually on the endpoint.

Integrating CrowdStrike Falcon

  1. Log in to the CrowdStrike Falcon web portal:

    1. Go to Support and resources > API clients and keys.

      The API Clients and Keys window appears.

    2. Click Add new API client.

      The Create API client window appears.

    3. Enter these:

      1. Client name

      2. Description

    4. Select the checkbox for each scope the integration requires, and no others; an API client with more scopes than it needs widens the impact of a leaked secret.

    5. Click Create.

      The API client created window appears.

    6. Click to copy the Client ID, Secret Key and Base URL. The Secret Key is shown only at this point; if you lose it, you must create a new API client.

    7. Click Done.

  2. Log in to the Infinity XDR/XPR Administrator Portal:

    1. Go to Settings > Integrations.

    2. In the Falcon widget, click Integrate.

      The Falcon Endpoint integration window appears.

    3. Enter these:

      1. Client ID

      2. Secret Key

      3. Base URL

    4. Click Add.

      The Falcon widget is added to the Integrations page. Its status changes to Active once Infinity XDR/XPR starts receiving logs from CrowdStrike Falcon.

  3. To check if the integration is successful, in the Infinity XDR/XPR Administrator Portal:

    • Go to Settings > Integrations.

      In the Integrated products section, verify that Falcon is listed as Active.

      Note - The widget shows the Inactive status until Infinity XDR/XPR begins receiving logs from CrowdStrike Falcon.

    • Go to the Overview page and in the Connectivity widget, verify that CrowdStrike is listed as connected.

      Note - If the connectivity status stays disconnected for more than 30 minutes, verify the Client ID, Secret Key and Base URL you entered, and confirm that the API client still exists in the CrowdStrike Falcon portal with the required scopes.

IOC Management

You manage Indicators of Compromise (IoCs) in CrowdStrike Falcon itself, and you can import IoCs into it. For more information, see the CrowdStrike documentation.

Deleting the Integration

  1. Go to Settings > Integrations.

  2. In the Falcon widget, click .

  3. Click Delete.

    The Delete Integration window appears.

  4. Click Yes.

Supported Preventive Actions

When Infinity XDR/XPR detects malicious activity, it generates an incident and recommends preventive actions to mitigate it. For this integration, the supported preventive action is to isolate the affected machine. For more information, see Incidents Overview > Prevention.
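Two points on this page benefit from a worked check: the troubleshooting note that tells you to verify the Client ID, Secret Key and Base URL when the Connectivity widget stays disconnected, and the isolation action that you enforce on the endpoint yourself. The script below is an added example for this page, not Check Point's or CrowdStrike's own code. It requests an OAuth2 token from the Falcon API with the same three values you pasted into the Falcon Endpoint integration window, classifies the reply so you know which value to fix, and builds the Hosts API request that network-contains (isolates) a host. It assumes the public Falcon endpoints `/oauth2/token` and `/devices/entities/devices-actions/v2?action_name=contain`, that the API client carries the Hosts: Write scope for containment, and that the device IDs, environment variable names and sample response bodies are constructed for illustration.

```python
"""Verify a CrowdStrike Falcon API client and build a host-containment request.

Added example (not Check Point's or CrowdStrike's code). Assumes the public
Falcon OAuth2 and Hosts APIs; device IDs and sample responses are constructed.
"""
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

# Base URLs of the CrowdStrike clouds; the portal shows the one for your tenant.
# A client created in one cloud is rejected by the others.
KNOWN_BASE_URLS = (
    "https://api.crowdstrike.com",             # US-1
    "https://api.us-2.crowdstrike.com",        # US-2
    "https://api.eu-1.crowdstrike.com",        # EU-1
    "https://api.laggar.gcw.crowdstrike.com",  # US-GOV-1
)


def normalize_base_url(base_url: str) -> str:
    """Trim whitespace and trailing slashes that creep into pasted values,
    insist on https, and reject URLs that are not a Falcon cloud."""
    url = base_url.strip().rstrip("/")
    if not url.startswith("https://"):
        raise ValueError("Base URL must start with https://")
    if url not in KNOWN_BASE_URLS:
        raise ValueError(f"{url} is not a known Falcon API base URL")
    return url


def token_request(base_url: str, client_id: str, client_secret: str):
    """Build the OAuth2 client-credentials request the token endpoint expects."""
    body = urllib.parse.urlencode(
        {"client_id": client_id, "client_secret": client_secret}
    ).encode()
    req = urllib.request.Request(
        normalize_base_url(base_url) + "/oauth2/token", data=body, method="POST"
    )
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    req.add_header("Accept", "application/json")
    return req


def classify_token_response(status: int, body: str):
    """Map the token endpoint's reply to the value an operator should fix.
    Returns (result, access_token, expires_in)."""
    if status == 201:  # Falcon answers 201 Created with the bearer token
        data = json.loads(body)
        return ("ok", data["access_token"], data.get("expires_in"))
    if status in (401, 403):
        # Wrong Client ID or Secret Key, or a client that lives in a different
        # cloud than the Base URL points at; both look like a rejected login.
        return ("bad_credentials_or_cloud", None, None)
    return ("unexpected", None, None)


def contain_request(base_url: str, access_token: str, device_ids):
    """Build the Hosts API request that network-contains the given hosts.
    Assumes the API client has the Hosts: Write scope."""
    url = (normalize_base_url(base_url)
           + "/devices/entities/devices-actions/v2?action_name=contain")
    req = urllib.request.Request(
        url, data=json.dumps({"ids": list(device_ids)}).encode(), method="POST"
    )
    req.add_header("Authorization", f"Bearer {access_token}")
    req.add_header("Content-Type", "application/json")
    req.add_header("Accept", "application/json")
    return req


def send(req):
    """Perform a request and return (status, body) without raising on 4xx/5xx,
    so the caller can classify the failure instead of losing the body."""
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def check_credentials(base_url: str, client_id: str, client_secret: str):
    """Live check of the three values entered in the integration window."""
    status, body = send(token_request(base_url, client_id, client_secret))
    return classify_token_response(status, body)


if __name__ == "__main__":
    # Hypothetical variable names; export them before running.
    result, _token, ttl = check_credentials(
        os.environ["FALCON_BASE_URL"],
        os.environ["FALCON_CLIENT_ID"],
        os.environ["FALCON_CLIENT_SECRET"],
    )
    print(f"{result} (token lifetime: {ttl}s)")
    sys.exit(0 if result == "ok" else 1)
```

Run it with the same Base URL, Client ID and Secret Key you gave Infinity XDR/XPR: an `ok` result means the values are good and the problem lies elsewhere (for example, no logs being produced yet), while `bad_credentials_or_cloud` means one of the three values is wrong or the API client was created in a different CrowdStrike cloud. To actually isolate a host, pass the token from a successful check and the host's device ID to `contain_request` and send it with `send`; the containment call needs the Hosts: Write scope, which is a reason to keep that scope off the read-only client the integration uses unless you intend to enforce from it.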