Integrating Permissions

This document describes integrating the Rezonate product with CrowdStrike Falcon, which provides observability to on-premise hosts, users, and CrowdStrike detection data.

Integrate through Webhook

Note: To Integrate, please perform the following actions after authenticating to CrowdStrike as a Falcon Administrator.

1. Navigate to CrowdStrike Store > All apps

2. Scroll down to the “Plugins” section and click on Webhook

3. Click “Configure”:

4. Click "Add Configuration" and configure the following:

   1. Name: Rezonate Webhook

   2. Webhook URL: {Url Received From Rezonate}

   3. HMAC Secret Key: {HMAC Received from Rezonate}

   4. Signature Header Name: Keep the default value (X-Cs-Primary-Signature)

   5. Save configuration

5. Navigate to Fusion workflows > All workflows

6. Click Create workflow

7. Click Create Workflow from scratch on the new page and then click Next.

8. In the “Create workflow dialog, choose Event as the workflow trigger and click next.

9. In the “Select trigger” dropdown box, choose Alert. Choose the subcategory to be “EPP Detection”, and click next.

10. On the right side of the “Create workflow” dialog, click the + button next to the trigger box.

11. Click on “Add action”

12. In the workflow dialog, choose Notify.

13. Choose “Call webhook”.

14. In the Webhook name, choose the new “Rezonate Webhook”.

15. In data to include, choose the following data points:

    1. Alert ID

    2. Behavior timestamp

    3. Command Line

    4. Description

    5. Executable SHA256

    6. File Path

    7. Name

    8. Sensor platform

    9. Sensor hostname

    10. Sensor domain

    11. Sensor local IP address

    12. Sensor external IP address

    13. Sensor Host ID

    14. Severity

    15. Tactic

    16. Technique

    17. User name

    18. User ID

    19. Action Taken

1. Now click next and finish.

2. Name the workflow as “Rezonate Workflow”

3. Turn the workflow status to On

4. Save workflow

Integrate through API Key

To Integrate, please perform the following actions after authenticating to CrowdStrike as a Falcon Administrator

3. Configure the following:

   1. Client name - “Rezonate Integration”

   2. Description - “API key used by Rezonate”

   3. Scopes:

      1. Alerts - Read

      2. Detections - Read

      3. Hosts - Read

      4. IOC Management - Read, Write

      5. IOCs (Indicators of Compromise) - Read, Write

      6. OPTIONAL: Discover - Read

1. Click Create.

2. Copy the Client ID, Secret, and Base URL and share them back with Rezonate.