Netskope Help

Crowdstrike Plugin for User Risk Exchange

This document explains how to configure the CrowdStrike integration with the User Risk Exchange module of the Netskope Cloud Exchange platform. The integration collects host uids and their scores from the CrowdStrike platform and sends them to Netskope. The fetched record type is hosts.

Prerequisites

To complete this configuration, you need:

  • A Netskope tenant (or multiple, for example, production and development/test instances).

  • A Netskope Cloud Exchange tenant with the User Risk Exchange module already configured.

  • Your CrowdStrike API credentials (Client ID and Client Secret), used to obtain an API token.

  • A CrowdStrike Real Time Response Administrator role, required for the Put RTR Script action.

  • For each platform (Linux, Windows, Mac), a response policy with Real Time Response (High Risk Commands) enabled.

  • All policies under Real Time Response enabled.

  • Connectivity to the following host: https://api.crowdstrike.com.

Workflow
  1. Get your CrowdStrike credentials.

  2. Configure the Crowdstrike Plugin for User Risk Exchange.

  3. Configure Actions for the CrowdStrike Plugin.

  4. Validate the CrowdStrike plugin.

Get Your CrowdStrike Credentials

  1. Log in to your CrowdStrike account and go to the CrowdStrike icon > Support > API Client and Keys.

    image1.png
  2. Click Add new API Client.

    image2.png
  3. Add a Client Name, a Description (optional), and the API Scopes as needed, and then click Add.

    image3.png
  4. Copy the Client ID and Secret.

Configure the Crowdstrike Plugin for User Risk Exchange

  1. In Cloud Exchange, go to Settings > Plugins.

  2. Search for and select the Crowdstrike plugin box.

    image4.png
  3. Enter these values:

    • Configuration Name: A unique name for the configuration.

    • Sync Interval: Leave the default.

    • Use System Proxy: Enable if a proxy is required for communication.

  4. Click Next.

  5. Enter these values:

    • Base URL: Enter your Crowdstrike API Base URL.

    • Client ID: Enter your Crowdstrike API Client ID.

    • Client Secret: Enter your Crowdstrike API Client Secret.

    • Minimum Score: Enter a score. Only hosts with a score greater than the minimum score are tracked.

  6. Click Next.

  7. Select Range: Select the range of scores for all categories.

    image5.png
  8. Click Save.

Configure Actions for the CrowdStrike Plugin

First create a business rule, and then create actions for the business rule.

Put RTR Script

The Put RTR Script action puts a file on each host according to the host's score, and then restarts Netskope on that host.

Score to File Mapping

Score           File
Less than 260   crwd_zta_1_25.txt
260 to 510      crwd_zta_26_50.txt
510 to 760      crwd_zta_51_75.txt
760 to 100      crwd_zta_76_100.txt

Create a Business Rule

  1. Go to User Risk Exchange.

    image7.png
  2. Click Business Rules.

    image8.png
  3. Click Create New Rule.

    image9.png

    You’ll see a page like this.

    image10.png
  4. Enter a Rule Name.

    image11.png
  5. Click Select Field.

    image12.png

    These are the filters you can apply to select the hosts/users on which you want to perform actions. In this case, select Aggregate Score.

  6. Select an Aggregate Score Field from the dropdown list.

    image13.png
  7. In the second field, select the condition to apply to the aggregate score.

    image14.png
  8. For this example, select less than (<).

    image15.png
  9. Enter the threshold value in the last field. In this example, enter 250.

    image16.png
  10. All the configurations are done. Click Save.

    image17.png
  11. After clicking Save, you’ll see the new business rule.

    image18.png
  12. To verify how many hosts/users match this business rule, click Sync.

    image19.png

    You’ll see a page like this.

    image20.png
  13. Enable the All time checkbox.

    image21.png
  14. Click Fetch.

    image22.png

You’ll see a number of records for this business rule. In this case, it is 2.

image23.png
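As an added example (not Netskope or CrowdStrike code), the following Python models the three score thresholds this page describes so they can be checked together: the plugin's Minimum Score filter, the business rule on Aggregate Score (less than 250 in the walkthrough above), and the Put RTR Script score-to-file mapping. The host records, the Minimum Score of 50 and the set of comparison operators are constructed assumptions. Because the mapping table names 260 and 510 as both the end of one range and the start of the next, the example assumes half-open ranges (so 260 selects crwd_zta_26_50.txt) and treats the top bucket as 760 and above.

```python
"""Added example (not Netskope or CrowdStrike code): a model of the score
handling described on this page, so the plugin's Minimum Score filter, a
User Risk Exchange business rule on Aggregate Score, and the Put RTR Script
score-to-file mapping can be checked together. All host data is constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Score-to-file mapping from the page's table. The table names 260 and 510
# both as the end of one range and the start of the next, so where a boundary
# score lands is not documented; this example ASSUMES half-open ranges
# [lower, upper), so 260 selects crwd_zta_26_50.txt. The top bucket is treated
# as "760 and above" because the table gives no usable upper bound.
SCORE_FILE_MAP: List[Tuple[int, Optional[int], str]] = [
    (0, 260, "crwd_zta_1_25.txt"),
    (260, 510, "crwd_zta_26_50.txt"),
    (510, 760, "crwd_zta_51_75.txt"),
    (760, None, "crwd_zta_76_100.txt"),
]

# Comparison operators for the business-rule condition (assumed set; the page
# only walks through "less than").
RULE_OPERATORS: Dict[str, Callable[[int, int], bool]] = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
}


@dataclass(frozen=True)
class Host:
    host_id: str  # constructed placeholder, not a real CrowdStrike device id
    aggregate_score: int


def is_tracked(host: Host, minimum_score: int) -> bool:
    """Plugin-level filter: only hosts with a score strictly greater than
    Minimum Score are tracked, as the configuration text states."""
    return host.aggregate_score > minimum_score


def matches_rule(host: Host, operator: str, threshold: int) -> bool:
    """Business rule of the form 'Aggregate Score <operator> <threshold>'."""
    try:
        compare = RULE_OPERATORS[operator]
    except KeyError:
        raise ValueError(f"unsupported operator {operator!r}") from None
    return compare(host.aggregate_score, threshold)


def rtr_script_for(score: int) -> str:
    """Pick the file Put RTR Script would place on a host with this score."""
    if score < 0:
        raise ValueError(f"score must be non-negative, got {score}")
    for lower, upper, filename in SCORE_FILE_MAP:
        if score >= lower and (upper is None or score < upper):
            return filename
    raise AssertionError("SCORE_FILE_MAP does not cover all non-negative scores")


def plan_put_rtr_script(hosts: List[Host], minimum_score: int,
                        operator: str, threshold: int) -> List[Tuple[str, str]]:
    """Return (host_id, filename) for every host the plugin tracks and that
    matches the business rule, i.e. the hosts the action would touch."""
    plan = []
    for host in hosts:
        if not is_tracked(host, minimum_score):
            continue
        if not matches_rule(host, operator, threshold):
            continue
        plan.append((host.host_id, rtr_script_for(host.aggregate_score)))
    return plan


# Constructed sample data: scores chosen to hit every bucket and both sides
# of the 250 threshold used in the page's walkthrough.
SAMPLE_HOSTS = [
    Host("host-a", 40),    # below the assumed Minimum Score of 50: not tracked
    Host("host-b", 100),
    Host("host-c", 180),
    Host("host-d", 250),   # equal to the threshold: "< 250" does not match
    Host("host-e", 260),
    Host("host-f", 510),
    Host("host-g", 900),
]

if __name__ == "__main__":
    # Minimum Score 50 (constructed), rule "Aggregate Score < 250" as on the page.
    for host_id, filename in plan_put_rtr_script(SAMPLE_HOSTS, 50, "<", 250):
        print(f"{host_id}: {filename}")
```

With the sample data, two hosts (host-b and host-c) pass both the Minimum Score filter and the rule, matching the record count the walkthrough shows; host-d is excluded because 250 is not less than 250, and host-a is never tracked at all.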
Configure an Action for the Business Rule

  1. In User Risk Exchange, click Actions.

    image24.png
  2. Click Add Action Configuration.

    image25.png

    You’ll see a page like this.

    image26.png
  3. Select a Business Rule.

    image27.png
  4. Select Configuration.

    image28.png
  5. Select Put RTR Script from the Action dropdown list.

    image29.png

    Your Configuration should look like this.

    image30.png
  6. Click Save.

    image31.png
  7. Click Save to create the configuration.

    image32.png
  8. To perform an action on users/hosts, click Sync.

    image33.png
  9. Select All time.

    image34.png
  10. Click Fetch.

    image35.png
  11. Click Sync.

    image36.png

A manual sync has now been run on the users filtered by the business rule. From now on, the action is triggered automatically at each sync interval.

Validate the CrowdStrike Plugin

For pulling users/hosts:

  • When a user matches one of the configured business rules, the configured action is performed on the user. This can be seen at User Risk Exchange > Action Logs.

  • Verify the result in CrowdStrike.

To validate:

  1. Go to the dashboard in your CrowdStrike account. You’ll see a dashboard like this.

    image38.png
  2. Click the menu option in the top left corner.

  3. Click Host Setup and Management.

    image39.png
  4. Click Host Management.

    image40.png
  5. You’ll see a window like this.

    image41.png

You’ll see the number of hosts.

image42.png