Extended Connector Integration for CrowdStrike Falcon Assets and Users

Let Oomnitza be your single source of truth!

You'll get visibility of your assets and users as data from CrowdStrike Falcon is automatically transformed into consumable information and actionable insights.

Connect Oomnitza and CrowdStrike Falcon in minutes

Get the information and insights that you need to reduce costs and the time that you spend on administration tasks such as:

  • Configurable dashboards and list views of key asset and user information
  • Configurable reports to share information about assets and users with your colleagues and management
  • Configurable asset workflows that you can easily create such as:
    • Workflows for adding or removing device tags
    • Workflows for changing user names
    • Workflows for changing and removing user roles
    • Workflows for deleting users
    • Workflows for performing device actions

Extended connector integration for assets

Extended connector integration for users

Before you start

Best practice
For the integration with Oomnitza, create a dedicated user account.

Create CrowdStrike Falcon credentials

To stream CrowdStrike Falcon network data into Oomnitza, you must add your CrowdStrike Falcon authentication credentials to the credentials vault in Oomnitza. CrowdStrike Falcon requires OAuth 2.0 authentication. 

The CrowdStrike Falcon Installation and Configuration Guide provides you with information about creating OAuth 2.0 credentials and the base URLs for CrowdStrike Falcon instances.

Information you need
Don't forget to keep the client ID and client secret that you created. You'll need this information to add credentials to Oomnitza. You'll also need the current base URL for OAuth 2.0 authentication, which is region specific. In Oomnitza, you enter the highlighted part of the URL when you add credentials to the vault and when you integrate CrowdStrike Falcon with Oomnitza.
For example, if your instance of CrowdStrike Falcon is located in Europe, you enter the highlighted part (api.eu-1.crowdstrike) of this URL: https://api.eu-1.crowdstrike.com.
For your convenience, the following CrowdStrike Falcon base URLs for OAuth 2.0 are provided:
- US Commercial Cloud: https://api.crowdstrike.com
- US Commercial Cloud 2: https://api.us-2.crowdstrike.com
- US GovCloud: https://api.laggar.gcw.crowdstrike.com
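
A pre-flight check for the cloud environment value, as an added example that is not part of the Oomnitza or CrowdStrike documentation: it derives the value to enter from a base URL and rejects anything that is not one of the base URLs shown on this page, so the client secret is never pointed at an unintended host. The function and constant names are hypothetical, and the allow-list holds only the four URLs from this page.

```python
from urllib.parse import urlsplit

# Base URLs taken from this page (Europe comes from the page's own example).
KNOWN_BASE_URLS = {
    "US Commercial Cloud": "https://api.crowdstrike.com",
    "US Commercial Cloud 2": "https://api.us-2.crowdstrike.com",
    "US GovCloud": "https://api.laggar.gcw.crowdstrike.com",
    "Europe": "https://api.eu-1.crowdstrike.com",
}
_HOST_TO_REGION = {urlsplit(u).hostname: r for r, u in KNOWN_BASE_URLS.items()}


def _validated_host(value: str) -> str:
    """Return the full API host for a base URL or a bare value such as 'api.crowdstrike'."""
    raw = value.strip()
    if "://" not in raw:
        raw = "https://" + raw          # bare value: assume https
    parts = urlsplit(raw)
    if parts.scheme != "https":
        raise ValueError("base URL must use https")
    # Reject userinfo, ports, paths and query strings: none belong in a base URL.
    if (parts.username or parts.password or parts.port
            or parts.path not in ("", "/") or parts.query or parts.fragment):
        raise ValueError("value must be a plain host or base URL")
    host = (parts.hostname or "").lower()
    if not host.endswith(".com"):
        host += ".com"                  # bare values omit the '.com' suffix
    if host not in _HOST_TO_REGION:
        raise ValueError(f"{host!r} is not a base URL listed on this page")
    return host


def cloud_environment(value: str) -> str:
    """Value for the CrowdStrike Cloud Environment field: host without '.com'."""
    return _validated_host(value)[: -len(".com")]


def region_of(value: str) -> str:
    """Region name for a validated base URL or cloud environment value."""
    return _HOST_TO_REGION[_validated_host(value)]


if __name__ == "__main__":
    for sample in ("https://api.eu-1.crowdstrike.com", "api.crowdstrike"):
        print(sample, "->", cloud_environment(sample), "/", region_of(sample))
```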

Add CrowdStrike Falcon credentials to Oomnitza

To authorize connections between Oomnitza and CrowdStrike Falcon, complete these steps:

  1. Log into Oomnitza.
  2. Click Settings > Credentials, and then click Add new credential (+).
  3. Add the information details.
  4. Click the AUTHORIZATION tab.
  5. From the Authorization Type list, select OAuth 2.0.
  6. From the SaaS list, select CrowdStrike Falcon.
  7. In the CrowdStrike Cloud Environment field, enter the highlighted part of the base URL for your region. For example, if your region is US Commercial Cloud, you enter the highlighted part (api.crowdstrike) of this URL: https://api.crowdstrike.com.
  8. Enter your CrowdStrike Falcon client ID and secret.
  9. Click Authenticate.
  10. Click CREATE.

You use the credentials that you added to create and customize your CrowdStrike Falcon integrations with Oomnitza.

Add the cloud environment value for CrowdStrike Falcon to global settings

To save time entering information when you integrate CrowdStrike Falcon, you can add the value for your cloud environment as a global variable in Oomnitza.

  1. In Oomnitza, click Settings > Global Settings.
  2. Click Add new variable (+). 
  3. Enter CrowdStrike.CrowdStrike Cloud Environment as the variable name.
  4. Enter the value.
  5. Click SAVE.

Extended connector integration for assets

Info and connect details

  1. From the menu, select Settings.
  2. On the Integrations page, scroll down to the Extended section for Assets.
  3. Click NEW INTEGRATION.
  4. In the New Asset Integration sidebar, click CrowdStrike Falcon.
  5. To integrate Oomnitza with the CrowdStrike Falcon Asset Load, click APPLY and then click NEXT twice.

Connect page

  1. Enter a descriptive name for the integration, such as CrowdStrike Falcon Assets. That'll be the name of the integration that is shown on the Integrations page.
  2. Select Cloud as the installation type.
  3. From the Credentials list, select the credentials from the Oomnitza vault that you added for the connection.
  4. From the Integration Preferences list, select Create & Update.
  5. Enter the name of the user of the integration.
  6. Enter the CrowdStrike Falcon API domain such as api.CrowdStrike.
  7. Click Next.

Mappings

Map the CrowdStrike Falcon fields to Oomnitza fields and create custom mappings to get the information that you need to manage your assets.

Try it out!
Click the down arrow in the field that you want to map to Oomnitza. Select Add new Oomnitza assets field. Replace the name with a user-friendly label, and click CREATE.

Standard CrowdStrike Falcon to Oomnitza mappings

Agent Local Time
Agent Version
Bios Manufacturer
Bios Number
Bios Version
CID
Config ID Base
Config ID Build
Config ID Platform
Connector Sync Time
CPU Signature
Device Device Control Policy Applied
Device Device Control Policy Applied Date
Device Device Control Policy Assigned Date
Device Device Control Policy ID
Device Device Control Policy Type
Device Global Config Policy Applied
Device Global Config Policy Applied Date
Device Global Config Policy Assigned Date
Device Global Config Policy ID
Device Global Config Policy Settings Hash
Device Global Config Policy Type
Device ID
Device Prevention Policy Applied
Device Prevention Policy Applied Date
Device Prevention Policy Assigned Date
Device Prevention Policy ID
Device Prevention Policy Rule Groups
Device Prevention Policy Type
Device Remote Response Policy Applied
Device Remote Response Policy Applied Date
Device Remote Response Policy Assigned Date
Device Remote Response Policy ID
Device Remote Response Policy Rule Set ID
Device Remote Response Policy Settings Hash
Device Remote Response Policy Type
Device Sensor Update Policy Applied
Device Sensor Update Policy Applied Date
Device Sensor Update Policy Assigned Date
Device Sensor Update Policy ID
Device Sensor Update Policy Type
Device Sensor Update Policy Uninstall Protection
External IP
First Seen
Group Hash
Groups
Hostname
Last Seen
Local IP
MAC Address
Machine Domain
Major Version
Minor Version
Modified Timestamp
OS Version
OU List
Platform ID
Platform Name
Policies Policy Type
Product Type
Product Type Description
Provision Status
Reduced Functionality Mode
Serial Number
Service Pack Major
Service Pack Minor
Site Name
Status
System Manufacturer
System Product Name
Tags

Want to map more fields to Oomnitza?
Contact Support, or see Mapping extended connectors.

Complete mapping CrowdStrike Falcon fields to Oomnitza fields. Select a sync key, such as serial number, and then click NEXT.   

Schedule

By default, CrowdStrike Falcon asset data is streamed to Oomnitza once every day.

You can configure the schedule to meet your needs such as changing the interval or changing the time so that the data is streamed when your system isn't busy.

  1. Configure your schedule.
  2. Click FINISH.

Result

A new tile is created for the integration on the Integrations page. 

What to do next

If you want to see what information is collected now, click the tile on the Integrations page and click RUN.

If you want to change the integration settings, you can click a navigation link on the page, such as 4 Mappings, and edit the settings. 

Tip
To view the information that is collected about your assets, click Assets.

Use API presets to create asset workflows

To reduce costs by automating repetitive and complex tasks, take advantage of the built-in presets for assets.

To add a preset to a workflow, complete these steps:

  1. Click Assets > Workflow.
  2. Click Add (+) and enter the name and description of the workflow.
  3. Click Add new. A Begin and End block is automatically added to the Sandbox.   
  4. Drag and drop the API block onto the Sandbox.
  5. Click Edit on the API block.
  6. Enter CrowdStrike to search for the presets.
  7. Select a preset:
    1. CrowdStrike Add or Remove Device Tags
    2. CrowdStrike Change User Name
    3. CrowdStrike Change User Roles
    4. CrowdStrike Delete User
    5. CrowdStrike Preform Device Action
    6. CrowdStrike Remove User Role
  8. Configure and save your changes. 
  9. Edit the Begin block to set the trigger for the workflow.
  10. Connect the three blocks together.
  11. Validate, launch, and save your workflow.

See Understanding Workflows.

Extended connector integration for users

Info and connect details

  1. From the menu, click Settings.
  2. On the Integrations page, scroll down to the Extended section for User Integrations.
  3. Click NEW INTEGRATION.
  4. In the New User Integration sidebar, click CrowdStrike Falcon.
  5. To integrate Oomnitza with the CrowdStrike User Load, click APPLY and then click NEXT twice.

Connect page

Best practice
To ensure that only live user records are streamed from CrowdStrike Falcon to Oomnitza, choose Update only as your integration preference. When you run the integration, you can check the error logs to see which user records weren't uploaded and why they weren't uploaded. You can then decide whether to upload the user records that were skipped by changing your integration preference to create and upload. See Access error logs.

  1. Enter a descriptive name for the integration, such as CrowdStrike Users. That'll be the name of the user integration that is shown on the Integrations page.
  2. From the User Selection list, select User plus SaaS User.
  3. From the installation type list, select Cloud.
  4. From the Credentials list, select the credentials from the Oomnitza vault.
  5. From the Integration Preferences list, select Update only.   
  6. Enter the name of the user of the integration.
  7. Enter the address of the cloud environment such as api.crowdstrike.
  8. Click Next.

Mappings

Map the CrowdStrike Falcon fields to Oomnitza fields and create custom mappings to get the user information that you need.

Standard CrowdStrike Falcon to Oomnitza mappings

The following CrowdStrike Falcon fields can be mapped to Oomnitza: 

  • Connector Sync Time
  • Customer ID
  • Email
  • First Name
  • Last Name
  • UUID

Ensure that you select one of the fields as the Sync Key such as the email address of the user. 

Want to map more CrowdStrike Falcon fields to Oomnitza?
Contact Support, or see Mapping extended connectors.

When you've completed mapping the CrowdStrike Falcon fields to Oomnitza fields, click NEXT.

Schedule

By default, CrowdStrike Falcon user data is streamed to Oomnitza once every day.

You can configure the schedule to meet your needs such as changing the interval or changing the time so that the data is streamed when your system isn't busy.

  1. Configure your schedule.
  2. Click FINISH.

Result

A new tile is created for the integration on the Integrations page. 

What to do next

If you want to see what information is collected now, click the tile on the Integrations page and click RUN.

Figure: Mock-up for illustration purposes

If you want to change the integration settings, you can click a navigation link on the page, such as 4 Mappings, and edit the settings. 

Review the errors. You can then decide whether you need to change your integration preference from Update only to Create & Update.

Unleash the power of Oomnitza

To get valuable actionable insights that help you manage your assets, learn how to:

  • Configure dashboards for your assets
  • Configure custom reports
  • Configure workflows for automating complex and repetitive tasks

See Getting started.
