Let Oomnitza be your single source of truth!
Choose from two CrowdStrike asset integrations in Oomnitza to gain complete visibility of your assets as data from CrowdStrike is automatically transformed into consumable information and actionable insights.
CrowdStrike Falcon Asset Load: Retrieves host detail information.
CrowdStrike Falcon Asset Load with Filtering: Retrieves host details, but with a special feature. If you are using the US Commercial Cloud URL (https://api.crowdstrike.com) there is a limit of 100,000 assets when you run the extended integration for CrowdStrike assets. If you specify any other CrowdStrike Cloud environment, the limit is 10,000 assets. To stay within these limits, use the CrowdStrike Falcon Asset Load with Filtering and narrow each run with a filter.
Connect Oomnitza and CrowdStrike Falcon in minutes
Get the information and insights that you need to reduce costs and the time that you spend on administration tasks such as:
- Configurable dashboards and list views of key asset information
- Configurable reports to share information about assets with your colleagues and management
- Configurable asset workflows that you can easily create such as:
- Workflows for adding or removing device tags
- Workflows for performing device actions
Before you start
Before you can create the integration with Oomnitza, you need to have added your CrowdStrike credentials to Oomnitza and added the value for your cloud environment as a global variable. For further information, refer to Adding your CrowdStrike credentials to Oomnitza.
The required API scopes to get assets from CrowdStrike Falcon into Oomnitza are Read for Hosts and Host groups. If you plan to run any of the workflows, the API client also needs Write access for Hosts.
Important
The latest versions of the CrowdStrike Falcon Asset Load and CrowdStrike Falcon Asset Load with Filtering use version 2 of the CrowdStrike API (devices/entities/devices/v2). Version 1 of the CrowdStrike API reaches end of life and is removed from production on 9 Feb 2023. From that date, requests made to the version 1 endpoint return an HTTP 301 MOVED PERMANENTLY status and no longer provide device data. Follow the prompts in your instance to upgrade to the latest version and read our guidance on how to upgrade an extended integration.
Note on the CrowdStrike Falcon Asset Load with Filtering
This integration leverages the Falcon Query Language (FQL), allowing you to filter the integration response and so reduce the amount of data retrieved. A filter term has the format property_name:'STRING_VALUE', with the value enclosed in single quotes. Boolean and integer values do not use quotes.
- To filter by host status, use one of: status:'normal', status:'contained', status:'lift_containment_pending', or status:'containment_pending'
- To filter by host status using a wildcard, use: status:'containment*'
- To filter by host status using an exact match, use: status:['normal']
- To filter by date, put a comparison operator (<, <=, >, or >=) before the value, for example: first_seen:<='2022-10-22T00:00:00Z'
- To combine terms, use + for AND and , for OR. Examples:
- platform_name:'Windows'+hostname:'string'
- status:'normal', status:'contained'
- first_seen:>='2022-10-22T00:00:00Z'+first_seen:<='2022-11-10T00:00:00Z'
- To build a complex expression that groups more than one term, use the ( and ) characters, for example: (platform_name:'Windows', hostname:'string'),(platform_name:'Linux', hostname:!'is not other string')
Filtering examples in CrowdStrike Falcon Asset Load with Filtering.
Falcon Query Language documentation.
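The filter forms above can be checked offline before they go into the integration. The following Python is an added example, not Oomnitza or CrowdStrike code: it implements only the FQL subset shown on this page (single-quoted strings with a trailing * wildcard, ! negation, the [list] exact-match form, date comparisons, + for AND, , for OR, and parentheses) and runs filters against constructed host records. The host records and their values are made up for the example; only the property names (status, platform_name, hostname, first_seen) come from the page.

```python
"""Evaluate the FQL filter forms listed above against constructed host records."""
import operator
import re
from fnmatch import fnmatchcase

# Constructed sample hosts (not real CrowdStrike data), using a few of the host
# detail property names that the filter examples on this page refer to.
HOSTS = [
    {"device_id": "a1", "hostname": "WIN-FIN-01", "platform_name": "Windows",
     "status": "normal", "first_seen": "2022-10-01T08:00:00Z"},
    {"device_id": "b2", "hostname": "WIN-HR-02", "platform_name": "Windows",
     "status": "contained", "first_seen": "2022-10-25T09:30:00Z"},
    {"device_id": "c3", "hostname": "lnx-build-01", "platform_name": "Linux",
     "status": "containment_pending", "first_seen": "2022-11-05T12:00:00Z"},
    {"device_id": "d4", "hostname": "mac-dev-07", "platform_name": "Mac",
     "status": "lift_containment_pending", "first_seen": "2022-11-20T16:45:00Z"},
]
# One term: property, optional operator (! or a comparison), then 'string', [list] or bare value.
_TERM = re.compile(r"(?P<prop>[A-Za-z_][\w.]*):(?P<op>!|<=|>=|<|>)?"
                   r"(?P<value>'[^']*'|\[[^\]]*\]|[^,+()\s]+)")
_CMP = {"<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge}

def _tokenize(fql):
    tokens, pos = [], 0
    while pos < len(fql):
        if fql[pos].isspace():
            pos += 1
        elif fql[pos] in "(),+":
            tokens.append(fql[pos])
            pos += 1
        else:
            m = _TERM.match(fql, pos)
            if not m:
                raise ValueError(f"bad FQL at offset {pos}: {fql[pos:pos + 20]!r}")
            tokens.append(("term", m["prop"], m["op"], m["value"]))
            pos = m.end()
    return tokens

def _scalar(text):
    if text.startswith("'") and text.endswith("'"):   # strings are single-quoted
        return text[1:-1]
    if text in ("true", "false"):                      # booleans and integers are bare
        return text == "true"
    return int(text)

def _term(prop, op, raw):
    if raw.startswith("["):                            # exact list form: no wildcards
        wanted = [_scalar(v.strip()) for v in raw[1:-1].split(",") if v.strip()]
        return lambda host: host.get(prop) in wanted
    value = _scalar(raw)
    def match(host):
        actual = host.get(prop)
        if actual is None:
            return False
        if op in _CMP:                                 # ISO-8601 UTC timestamps sort as strings
            return _CMP[op](actual, value)
        hit = fnmatchcase(str(actual), value) if isinstance(value, str) else actual == value
        return not hit if op == "!" else hit
    return match

def compile_filter(fql):
    """Return a predicate host -> bool. Here ',' (OR) binds looser than '+' (AND)."""
    tokens, i = _tokenize(fql), 0
    def peek():
        return tokens[i] if i < len(tokens) else None
    def parse_or():
        nonlocal i
        pred = parse_and()
        while peek() == ",":
            i += 1
            pred = (lambda l, r: lambda h: l(h) or r(h))(pred, parse_and())
        return pred
    def parse_and():
        nonlocal i
        pred = parse_atom()
        while peek() == "+":
            i += 1
            pred = (lambda l, r: lambda h: l(h) and r(h))(pred, parse_atom())
        return pred
    def parse_atom():
        nonlocal i
        tok = peek()
        if tok == "(":
            i += 1
            pred = parse_or()
            if peek() != ")":
                raise ValueError("unbalanced parentheses")
            i += 1
            return pred
        if isinstance(tok, tuple):
            i += 1
            return _term(*tok[1:])
        raise ValueError(f"unexpected token {tok!r}")
    pred = parse_or()
    if i != len(tokens):
        raise ValueError("unexpected trailing input")
    return pred

def query(fql, hosts=HOSTS):
    """Device IDs of the hosts that the filter selects."""
    pred = compile_filter(fql)
    return [h["device_id"] for h in hosts if pred(h)]
```

Two things the examples on the page do not make obvious: status:'containment*' selects only containment_pending, because lift_containment_pending does not start with containment; and this evaluator gives + precedence over ,, so A+B,C reads as (A AND B) OR C. In a real filter, group with parentheses rather than relying on precedence. A first_seen date window, as in the last example above, is also the natural way to split a large fleet into runs that each stay under the 100,000 or 10,000 asset limit.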
Creating the asset integration
- In Oomnitza, click Configuration > Integrations > Overview.
- Click Block view.
- Scroll down to the Extended section for asset integrations.
- Click NEW INTEGRATION.
- Select the integration in the sidebar.
- Click ADD.
Integration Overview
More information is provided about the following fields to help you complete the integration:
- Integration preferences: By default, the option Create & Update is selected, which allows for editing existing asset records and adding new ones. If your goal is only to edit existing asset records, choose Update Only. On the other hand, if you only want to add new records, select Create Only.
Integration details
To review or update the integration details, click the pencil:
- Update the integration name if necessary.
- For installation type decide whether you want to store the credentials locally or in Oomnitza:
- Select Local if you want to store credentials locally. This mode does not support OAuth or AWS authentication.
- Select Cloud if you want to store credentials in your Oomnitza instance.
- For integration preferences, select an option.
- Enter the name of the integration user.
Credential details
Choose one of the following options:
- Select the credentials that were created for the integration.
- Edit the credentials that were created for the integration.
- Create new credentials
Schedule
By default, asset data is streamed to Oomnitza once every day.
You can configure the schedule to meet your needs such as changing the interval or changing the time so that the data is streamed when your system isn't busy.
- Click the pencil.
- Configure your schedule.
- Click Update.
Mappings
To map the fields to Oomnitza, click the pencil.
Create custom mappings
Map the CrowdStrike Falcon fields to Oomnitza fields and create custom mappings to get the information that you need to manage your assets.
Complete these actions:
- Click Smart Mapping to automatically detect appropriate mapping fields. Values from the integration can also be dragged to the appropriate field on the Oomnitza side, or selected from the integration field dropdown.
- Create a custom mapping for the Crowdstrike Device ID. Complete the following steps:
- Click the down arrow on the Device ID field.
- Select Add new Oomnitza assets field.
- Change the name of the field to Crowdstrike Device ID.
- Select the Unique checkbox.
- Click CREATE.
- Map and assign a sync key to a unique field, such as the Crowdstrike Device ID. We recommend that you do not sync on Serial Number as it has the potential to be non-unique or blank.
- Click UPDATE.
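Why the sync key matters, as an added example that is not Oomnitza code: the Python below simulates a Create & Update run keyed first on Serial Number and then on Device ID over constructed host records, and includes a pre-flight check you can run on an exported host list before choosing the key. The placeholder serial text and host names are made up; the field names serial_number and device_id follow the CrowdStrike property names used in the mappings.

```python
"""Show what happens when the sync key is Serial Number rather than Device ID."""
from collections import defaultdict

# Constructed host records (not real data). OEM placeholder serials and blank
# serials are common on virtual machines and some white-box desktops.
HOSTS = [
    {"device_id": "0a1", "hostname": "vm-ci-01", "serial_number": "To Be Filled By O.E.M."},
    {"device_id": "0b2", "hostname": "vm-ci-02", "serial_number": "To Be Filled By O.E.M."},
    {"device_id": "0c3", "hostname": "kiosk-7", "serial_number": ""},
    {"device_id": "0d4", "hostname": "lt-alice", "serial_number": "C02XK1ABJG5J"},
]

def key_report(hosts, key):
    """Pre-flight check: blank key values and values shared by several hosts."""
    groups, blank = defaultdict(list), []
    for h in hosts:
        value = (h.get(key) or "").strip()
        (groups[value] if value else blank).append(h["device_id"])
    return {"blank": blank,
            "duplicates": {k: ids for k, ids in groups.items() if len(ids) > 1}}

def sync(hosts, key, existing=None):
    """Simulate a Create & Update run keyed on `key`: an incoming host updates the
    asset whose key matches, otherwise a new asset is created. Hosts with a blank
    key can neither be matched nor created, so they are skipped."""
    assets, skipped = dict(existing or {}), []
    for h in hosts:
        value = (h.get(key) or "").strip()
        if not value:
            skipped.append(h["device_id"])
            continue
        assets[value] = {**assets.get(value, {}), **h}   # later host overwrites earlier
    return assets, skipped
```

Keyed on serial_number the two VMs collapse into one asset (the second silently overwrites the first) and the kiosk is never created; keyed on device_id all four hosts become distinct assets.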
Tracking information for asset loads
When the integration is run, you can track the name of the credentials that were used and the source of the data. To do this, you map the following fields to Oomnitza:
- Connect: Credentials
- Connect: CrowdStrike Cloud Environment
- Connect: Filter on Status (for Crowdstrike Falcon Asset Load with Filtering)
Standard CrowdStrike Falcon to Oomnitza mappings
Agent Local Time
Agent Version
Bios Manufacturer
Bios Number
Bios Version
CID
Config ID Base
Config ID Build
Config ID Platform
Connector Sync Time
CPU Signature
Device Device Control Policy Applied
Device Device Control Policy Applied Date
Device Device Control Policy Assigned Date
Device Device Control Policy ID
Device Device Control Policy Type
Device Global Config Policy Applied
Device Global Config Policy Applied Date
Device Global Config Policy Assigned Date
Device Global Config Policy ID
Device Global Config Policy Settings Hash
Device Global Config Policy Type
Device ID
Device Prevention Policy Applied
Device Prevention Policy Applied Date
Device Prevention Policy Assigned Date
Device Prevention Policy ID
Device Prevention Policy Rule Groups
Device Prevention Policy Type
Device Remote Response Policy Applied
Device Remote Response Policy Applied Date
Device Remote Response Policy Assigned Date
Device Remote Response Policy ID
Device Remote Response Policy Rule Set ID
Device Remote Response Policy Settings Hash
Device Remote Response Policy Type
Device Sensor Update Policy Applied
Device Sensor Update Policy Applied Date
Device Sensor Update Policy Assigned Date
Device Sensor Update Policy ID
Device Sensor Update Policy Type
Device Sensor Update Policy Uninstall Protection
External IP
First Seen
Group Hash
Groups
Hostname
Last Seen
Local IP
MAC Address
Machine Domain
Major Version
Minor Version
Modified Timestamp
OS Version
OU List
Platform ID
Platform Name
Policies Policy Type
Product Type
Product Type Description
Provision Status
Reduced Functionality Mode
Serial Number
Service Pack Major
Service Pack Minor
Site Name
Status
System Manufacturer
System Product Name
Tags
CrowdStrike Falcon to Oomnitza with Filtering mappings
Agent Load Flags
Agent Local Time
Agent Version
Bios Manufacturer
Bios Version
Build Number
Cid
Config Id Base
Config Id Build
Config Id Platform
Connector Sync Time
Cpu Signature
Device Id
Device Policies Device Control Applied Date
Device Policies Device Control Assigned Date
Device Policies Device Control Policy Id
Device Policies Device Control Policy Type
Device Policies Firewall Applied Date
Device Policies Firewall Assigned Date
Device Policies Firewall Policy Id
Device Policies Firewall Policy Type
Device Policies Firewall Rule Set Id
Device Policies Global Config Applied Date
Device Policies Global Config Assigned Date
Device Policies Global Config Policy Id
Device Policies Global Config Policy Type
Device Policies Global Config Settings Hash
Device Policies Prevention Applied Date
Device Policies Prevention Assigned Date
Device Policies Prevention Policy Id
Device Policies Prevention Policy Type
Device Policies Prevention Rule Groups List
Device Policies Prevention Settings Hash
Device Policies Remote Response Applied Date
Device Policies Remote Response Assigned Date
Device Policies Remote Response Policy Id
Device Policies Remote Response Policy Type
Device Policies Remote Response Settings Hash
Device Policies Sensor Update Applied Date
Device Policies Sensor Update Assigned Date
Device Policies Sensor Update Policy Id
Device Policies Sensor Update Policy Type
Device Policies Sensor Update Settings Hash
Device Policies Sensor Update Uninstall Protection
External Ip
First Seen
Group Hash
Groups List
Hostname
Instance Id
Is Device Policies Device Control Applied
Is Device Policies Firewall Applied
Is Device Policies Global Config Applied
Is Device Policies Prevention Applied
Is Device Policies Remote Response Applied
Is Device Policies Sensor Update Applied
Last Seen
Local Ip
Mac Address
Machine Domain
Major Version
Meta Version
Minor Version
Modified Timestamp
Os Build
Os Version
Ou List
Platform Id
Platform Name
Pointer Size
Product Type
Product Type Desc
Provision Status
Reduced Functionality Mode
Serial Number
Service Pack Major
Service Pack Minor
Site Name
Slow Changing Modified Timestamp
Status
System Manufacturer
System Product Name
Tags List
Did you know?
You can define rules for your integration by selecting Edit integration on the mapping page. For example, you may only want to run the integration if a certain contact or region exists. See Filtering integration results.
You can add new fields to your integration by selecting Add new field on the mapping page. All you need to do is specify the property name. See Creating custom API fields.
Launching the integration
Your integration is in Draft mode until all the required mandatory fields are added. Once you have added all of the required fields, select Launch to activate your integration.
If you selected Cloud as the installation type when creating the integration, refer to Running an extended integration.
If you selected Local as the installation type when creating the integration, refer to Running an extended integration locally.
Getting your results
To view the information that is collected about your assets, click Assets. To view the information about software, click the Software tab.
Related Links
Use API presets to create asset workflows
To reduce costs by automating repetitive and complex tasks, take advantage of the built-in presets for assets.
To add a preset to a workflow, complete these steps:
- Click Configuration > Workflows
- Click Add (+) and select Assets from the list.
- Edit the Begin Block and add rules to trigger the workflow. For example, if you set the Actions to New, the workflow will run for every new asset record added to Oomnitza.
- Drag and drop the API block onto the Sandbox.
- Click Edit on the API block and enter CrowdStrike in the search field.
- Select a preset from the list below. To choose a preset, click the forward arrow (>).
- CrowdStrike Add or Remove Device Tags
- CrowdStrike Perform Device Action
- Select the credentials that you created in Adding your CrowdStrike credentials to Oomnitza.
- Select Advanced Mode.
- Select the Body tab. You will notice that the Device ID is referenced in the property {{crowdstrike_device_id}}. Follow the mapping steps when creating the asset integration so that this property exists in Oomnitza and is populated with information before you run this workflow.
- Select the Response tab. You can map the entire response by placing {{response}} in the Response field and mapping it to a custom long text Oomnitza field, such as API Response. Once you have the entire response, you can then parse the JSON response values to custom Oomnitza fields.
- Connect the Blocks.
- Save, validate, and activate your workflow.
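The presets fill in the request body and response for you; the Python below is an added example, not Oomnitza's preset code or CrowdStrike's SDK, that shows what a workflow built on them sends and what the {{response}} it gets back contains. It assumes the CrowdStrike host tag endpoint (PATCH /devices/entities/devices/tags/v1, with tags carrying the FalconGroupingTags/ prefix) and device action endpoint (POST /devices/entities/devices-actions/v2 with an action_name query parameter), which the page does not name, together with the US Commercial Cloud URL from the top of the page. The sample response is constructed, not captured from a tenant; only the meta/resources/errors envelope shape is assumed. The allowlist of permitted actions is a choice made here, not an Oomnitza or CrowdStrike default.

```python
"""Request bodies for the two CrowdStrike workflow presets and a parser for the
{{response}} envelope, so the outcome can be mapped to custom Oomnitza fields."""
import json

# Assumptions: the page names the presets but not the routes behind them; these are
# the Falcon host-tag and device-action endpoints on the US-1 base URL given above.
BASE_URL = "https://api.crowdstrike.com"
TAG_PATH = "/devices/entities/devices/tags/v1"
ACTION_PATH = "/devices/entities/devices-actions/v2"
TAG_PREFIX = "FalconGroupingTags/"
# Containment cuts a host off the network: limit what an ITAM workflow may issue.
ALLOWED_ACTIONS = {"contain", "lift_containment", "hide_host", "unhide_host"}

def tag_request(device_id, tags, action="add"):
    """Request for 'CrowdStrike Add or Remove Device Tags'. device_id is the value
    Oomnitza substitutes for {{crowdstrike_device_id}}; it must not be blank."""
    if action not in ("add", "remove"):
        raise ValueError("action must be 'add' or 'remove'")
    if not device_id or not device_id.strip():
        raise ValueError("blank device id: check the Crowdstrike Device ID mapping")
    full_tags = [t if t.startswith(TAG_PREFIX) else TAG_PREFIX + t for t in tags]
    return {"method": "PATCH", "url": BASE_URL + TAG_PATH,
            "body": {"action": action, "device_ids": [device_id], "tags": full_tags}}

def device_action_request(device_id, action_name):
    """Request for 'CrowdStrike Perform Device Action', restricted to ALLOWED_ACTIONS."""
    if action_name not in ALLOWED_ACTIONS:
        raise ValueError(f"action {action_name!r} is not permitted from this workflow")
    if not device_id or not device_id.strip():
        raise ValueError("blank device id: check the Crowdstrike Device ID mapping")
    return {"method": "POST", "url": f"{BASE_URL}{ACTION_PATH}?action_name={action_name}",
            "body": {"ids": [device_id]}}

def summarize_response(raw):
    """Flatten the Falcon envelope (meta / resources / errors) captured in
    {{response}} into values that fit single Oomnitza fields. A non-empty errors
    list means the call did not fully succeed, whatever the HTTP status was."""
    data = json.loads(raw) if isinstance(raw, str) else raw
    resources = [r for r in data.get("resources") or [] if isinstance(r, dict)]
    errors = [e for e in data.get("errors") or [] if isinstance(e, dict)]
    return {
        "ok": bool(resources) and not errors,
        "updated_ids": [r["id"] for r in resources if "id" in r],
        "error_codes": sorted({e["code"] for e in errors if "code" in e}),
        "error_message": "; ".join(e.get("message", "") for e in errors),
    }

# Constructed response (not captured from a live tenant): one id updated, one rejected.
SAMPLE_RESPONSE = json.dumps({
    "meta": {"query_time": 0.012, "trace_id": "constructed-trace-id"},
    "resources": [{"id": "0a1", "path": ACTION_PATH}],
    "errors": [{"code": 404, "message": "Device with id 0zz not found"}],
})
```

Map the four keys returned by summarize_response to custom fields (a Boolean for ok, text for the rest) rather than relying on the HTTP status alone, and keep the Write scope on the API client used by these workflows separate from the Read-only client used by the asset load.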
Unleash the power of Oomnitza
To get valuable actionable insights that help you manage your assets, learn how to:
- Configure dashboards for your assets
- Configure custom reports about your assets
- Create workflows to automate tasks
See Getting started for more information.