- 13 Nov 2024
- 3 Minutes to read
Integrate CrowdStrike Falcon Identity Protection with Red Canary
Permission Requirements
Permission (Scope) | Reason/Enablement |
Alerts: Read | |
Alerts: Write | |
License Requirements
The following CrowdStrike subscriptions are required for the Falcon Identity Protection module:
Falcon Identity Threat Detection
Falcon Identity Threat Protection
All Prerequisites
You have an active Falcon EDR Integration with Red Canary that is not already associated with an active Falcon Identity Protection Integration.
You have the Falcon Identity Protection module with CrowdStrike. The Falcon Identity Protection module requires these subscriptions:
Falcon Identity Threat Detection
Falcon Identity Threat Protection
You have the Administrator Role in Red Canary.
You have the Falcon Administrator Role in the CrowdStrike Falcon Console.
Step 1: Navigate to the Falcon Identity Protection configuration page
From your Red Canary homepage, click Integrations.
On the Integrations page, click Add Integration and search for “CrowdStrike Falcon Identity Protection.”
Click Configure.
Step 2: Configure the Falcon Identity Protection Integration
Enter a name for the integration.
For Ingest Format / Method, select the “CrowdStrike Falcon Identity Protection via API Poll” option.
For CrowdStrike Integration, select the Falcon EDR Integration and CID (CrowdStrike Customer Identification) you want to associate with this Falcon Identity Protection Integration.
Step 3: Grant Red Canary access to the Alerts API in the CrowdStrike Falcon Console
Click the API Clients and Keys link to navigate to the CrowdStrike Falcon Console configured for the selected “CrowdStrike Integration.”
Alternatively, navigate to API clients and keys in the CrowdStrike Falcon Console manually by clicking the Menu (top left) > Support and resources > API clients and keys.
On the OAuth API Clients tab, click the ellipsis (the three-dot menu on the right) for the OAuth client used by Red Canary, then click Edit API client.
Enable the Read and Write permissions for the Alerts scope, then click Update client details.
Step 4: Complete Falcon Identity Protection configuration in Red Canary
On the Falcon Identity Protection configuration page in Red Canary, select “I’ve updated the API permissions” to confirm you’ve enabled the correct API scopes, then click Save.
The Falcon Identity Protection Integration will initially be inactive. Click on the “Activate it to begin processing alerts” link in the banner to activate the Integration and complete the configuration.
Ingest Details
Once this integration is enabled, Red Canary will begin ingesting CrowdStrike XDR detection alerts where the product type of the alert is “idp.” We poll for these alerts on a regular interval that accounts for and respects CrowdStrike’s API rate limits. Once the alerts are ingested, they’re subject to investigation by Red Canary. You can learn more about alert investigations here.
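As an added illustration (not Red Canary's or CrowdStrike's code), the polling loop below shows what "respects CrowdStrike's API rate limits" means in practice: it pages through alerts filtered to product type idp, waits for the interval a 429 response requests instead of retrying at once, and surfaces a 403 as the missing-scope condition described in the FAQ. The request and response shape and the X-RateLimit-RetryAfter header are assumptions modelled on CrowdStrike's public API conventions, and the transport is a constructed fake so the code runs offline.

```python
import time
from typing import Callable, Dict, List

# FQL filter selecting alerts whose product type is Identity Protection ("idp").
IDP_FILTER = "product:'idp'"


def poll_idp_alerts(fetch: Callable[[Dict], Dict], page_size: int = 100,
                    sleep: Callable[[float], None] = time.sleep) -> List[str]:
    """Page through every alert matching IDP_FILTER and return the alert IDs.

    fetch(params) returns {"status", "headers", "body"}, shaped like the JSON of
    the CrowdStrike alerts query endpoint (assumption: check your API reference).
    On 429 the loop waits for the interval given in X-RateLimit-RetryAfter rather
    than retrying at once; on 403 the OAuth client lacks the Alerts scope, the
    condition behind the FAQ's "Unable to verify read/write permissions" error.
    """
    ids: List[str] = []
    offset = 0
    while True:
        resp = fetch({"filter": IDP_FILTER, "limit": page_size, "offset": offset})
        if resp["status"] == 429:
            sleep(float(resp["headers"].get("X-RateLimit-RetryAfter", "1")))
            continue  # retry the same page after backing off
        if resp["status"] == 403:
            raise PermissionError("OAuth client lacks Alerts: Read for this CID")
        page = resp["body"].get("resources", [])
        total = resp["body"].get("meta", {}).get("pagination", {}).get("total", 0)
        ids.extend(page)
        offset += len(page)
        if not page or offset >= total:
            return ids


def make_fake_transport(alerts, rate_limit_on_call: int = 2):
    """Constructed stand-in for the query endpoint: `alerts` is a list of
    (alert_id, product) tuples; the fake applies the filter, pages the result,
    and answers call number `rate_limit_on_call` with a 429."""
    calls = {"n": 0}

    def fetch(params: Dict) -> Dict:
        calls["n"] += 1
        if calls["n"] == rate_limit_on_call:
            return {"status": 429, "headers": {"X-RateLimit-RetryAfter": "2"}, "body": {}}
        wanted = "idp" if params["filter"] == IDP_FILTER else None
        matching = [aid for aid, product in alerts if product == wanted]
        page = matching[params["offset"]:params["offset"] + params["limit"]]
        body = {"resources": page, "meta": {"pagination": {"total": len(matching)}}}
        return {"status": 200, "headers": {}, "body": body}

    return fetch, calls
```

Injecting `sleep` lets a test record the back-off instead of waiting; a real transport would wrap an authenticated HTTP GET with the same parameters.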
Troubleshooting FAQ
What if I don’t have an active Falcon EDR Integration with Red Canary?
You can contact us to configure a Falcon EDR Integration.
What if I already have an active Falcon EDR Integration with an active Falcon Identity Protection Integration and would like to add another Falcon Identity Protection Integration?
You must first configure a new Falcon EDR Integration.
What if I deactivate an active Falcon EDR Integration with an active Falcon Identity Protection Integration?
The Falcon Identity Protection Integration associated with the deactivated Falcon EDR Integration will also be deactivated.
What if I encounter a “You do not have permission to add this Integration” error while trying to configure a Falcon Identity Protection Integration?
Your profile does not have Administrator Role permissions. Please try again with a profile that has Administrator Role permissions.
Why does the Falcon Identity Protection Integration say “Contact us to configure”?
One of these situations may apply:
You do not have any active Falcon EDR Integrations
You do not have any Falcon EDR Integrations that are available for configuration with Falcon Identity Protection
Falcon EDR Integrations are only available if they haven’t been selected by an existing Falcon Identity Protection Integration
You do not have the required MDR Identity package with Red Canary
Why am I unable to successfully save the Falcon Identity Protection configuration and see an “Unable to verify read/write permissions” error?
When saving the Falcon Identity Protection Integration configuration, we confirm read/write permissions for the Alerts scope by sending an API request to CrowdStrike with the OAuth API client used by Red Canary. Please confirm that you’ve granted the correct Alerts scope permissions to that client (see Step 3).
How do I confirm that the Falcon Identity Protection Integration is successfully configured?
You can confirm successful configuration by:
Navigating to the Alerts page in Red Canary and confirming that any Falcon Identity Protection alerts have been created
Visiting the Status Checks page in Red Canary to confirm status checks are passing for your Falcon Identity Protection Integration