Integrating Permissions

PreviousCrowdStrike Integration NextSlack Integration

Last updated 1 year ago

Integrating Permissions

This document describes integrating the Rezonate product with CrowdStrike Falcon, which provides observability to on-premise hosts, users, and CrowdStrike detection data.

Integrate through Webhook

Note: To Integrate, please perform the following actions after authenticating to CrowdStrike as a Falcon Administrator.

Navigate to CrowdStrike Store > All apps
Scroll down to the “Plugins” section and click on Webhook
Click “Configure”:
Click "Add Configuration" and configure the following:
1. Name: Rezonate Webhook
2. Webhook URL: {Url Received From Rezonate}
3. HMAC Secret Key: {HMAC Received from Rezonate}
4. Signature Header Name: Keep the default value (X-Cs-Primary-Signature)
5. Save configuration
Navigate to Fusion workflows > All workflows
Click Create workflow
Click Create Workflow from scratch on the new page and then click Next.
In the “Create workflow dialog, choose Event as the workflow trigger and click next.
In the “Select trigger” dropdown box, choose Alert. Choose the subcategory to be “EPP Detection”, and click next.
On the right side of the “Create workflow” dialog, click the + button next to the trigger box.
Click on “Add action”
In the workflow dialog, choose Notify.
Choose “Call webhook”.
In the Webhook name, choose the new “Rezonate Webhook”.
In data to include, choose the following data points:
1. Alert ID
2. Behavior timestamp
3. Command Line
4. Description
5. Executable SHA256
6. File Path
7. Name
8. Sensor platform
9. Sensor hostname
10. Sensor domain
11. Sensor local IP address
12. Sensor external IP address
13. Sensor Host ID
14. Severity
15. Tactic
16. Technique
17. User name
18. User ID
19. Action Taken

Now click next and finish.
Name the workflow as “Rezonate Workflow”
Turn the workflow status to On
Save workflow

Integrate through API Key

To Integrate, please perform the following actions after authenticating to CrowdStrike as a Falcon Administrator

Configure the following:
1. Client name - “Rezonate Integration”
2. Description - “API key used by Rezonate”
3. Scopes:
  1. Alerts - Read
  2. Detections - Read
  3. Hosts - Read
  4. IOC Management - Read, Write
  5. IOCs (Indicators of Compromise) - Read, Write
  6. OPTIONAL: Discover - Read

Click Create.
Copy the Client ID, Secret, and Base URL and share them back with Rezonate.

PreviousCrowdStrike Integration NextSlack Integration

Last updated 1 year ago

This document describes integrating the Rezonate product with CrowdStrike Falcon, which provides observability to on-premise hosts, users, and CrowdStrike detection data.

Integrate through Webhook

Note: To Integrate, please perform the following actions after authenticating to CrowdStrike as a Falcon Administrator.

Navigate to CrowdStrike Store > All apps
Scroll down to the “Plugins” section and click on Webhook
Click “Configure”:
Click "Add Configuration" and configure the following:
1. Name: Rezonate Webhook
2. Webhook URL: {Url Received From Rezonate}
3. HMAC Secret Key: {HMAC Received from Rezonate}
4. Signature Header Name: Keep the default value (X-Cs-Primary-Signature)
5. Save configuration
Navigate to Fusion workflows > All workflows
Click Create workflow
Click Create Workflow from scratch on the new page and then click Next.
In the “Create workflow dialog, choose Event as the workflow trigger and click next.
In the “Select trigger” dropdown box, choose Alert. Choose the subcategory to be “EPP Detection”, and click next.
On the right side of the “Create workflow” dialog, click the + button next to the trigger box.
Click on “Add action”
In the workflow dialog, choose Notify.
Choose “Call webhook”.
In the Webhook name, choose the new “Rezonate Webhook”.
In data to include, choose the following data points:
1. Alert ID
2. Behavior timestamp
3. Command Line
4. Description
5. Executable SHA256
6. File Path
7. Name
8. Sensor platform
9. Sensor hostname
10. Sensor domain
11. Sensor local IP address
12. Sensor external IP address
13. Sensor Host ID
14. Severity
15. Tactic
16. Technique
17. User name
18. User ID
19. Action Taken

Now click next and finish.
Name the workflow as “Rezonate Workflow”
Turn the workflow status to On
Save workflow

Integrate through API Key

To Integrate, please perform the following actions after authenticating to CrowdStrike as a Falcon Administrator

Navigate to Support and Resources> API clients and keys
Click on “Create API client”
Configure the following:
1. Client name - “Rezonate Integration”
2. Description - “API key used by Rezonate”
3. Scopes:
  1. Alerts - Read
  2. Detections - Read
  3. Hosts - Read
  4. IOC Management - Read, Write
  5. IOCs (Indicators of Compromise) - Read, Write
  6. OPTIONAL: Discover - Read

Click Create.
Copy the Client ID, Secret, and Base URL and share them back with Rezonate.