Rezonate
  • 🏠Home
  • 🚩Platform Tour
    • 🇻🇳Platform Dashboard
    • 🆔Identity Analytics
      • 🪪Identity Centric
      • 🔡Identity By Platform
    • ⚠️Risks & Threats
      • Highlighted ITDR Capabilities
  • ℹ️How-to Guides
    • ➕Adding Integrations
    • 🤦Manage Users
    • 🧑‍💼Customize Exposures
    • 👁️‍🗨️Querying & Filtering Data
  • 📐Core Integrations
    • Azure Integration
      • Required Privilegees
      • Update Certificate for Existing Installation
    • Okta Integration
      • Okta Integration -Remediation Supported
    • Google Workspace
      • 1-Click Integration
      • Legacy Integration
    • Google Cloud Integration
    • Zoom Integration
    • DocuSign Integration
    • GitHub Integration
      • GitHub Enterprise Expansion
    • AWS Integration
      • AWS - Required Privileges
      • Log Streaming Integration
    • Salesforce Integration
      • Salesforce - Collected Data & Query Volume
    • JAMF Pro Integration
    • CircleCI Integration
    • Auth0 Integration
    • Cloudflare Integration
    • CrowdStrike Integration
      • Integrating Permissions
    • Slack Integration
    • Workday Integration
    • BambooHR Integration
    • Snowflake Integration
    • LastPass Integration
    • SentinelOne integration
    • SAP Cloud Platform Integration
    • GitLab Integration
    • Oracle NetSuite Integration
    • Atlassian Cloud Integration
    • Zendesk Integration
    • HiBob Integration
    • Microsoft Defender Integration
    • Docusign Integration
    • Mongo Atlas Integration
    • Ping Identity One Integration
    • Generic HRIS Integration
  • 📍Notifications & Alerts
    • Slack Integration
    • HTTP Webhook Integration
      • Webhook Alert Example - Saved Search
      • Webhook Alert Example- ITDR
    • Microsoft Teams Integration
    • Torq Integration
    • Email Integration
    • Splunk Integration
    • Datadog Integration
    • PagerDuty Integration
    • Jira Integration
  • 🆘Troubleshooting & Support
    • Collectors IP Ranges
    • Data Processing
      • AWS
      • Azure Active Directory
      • Azure Cloud
      • Google Workspace
    • SSO Integrations
      • SSO Login - Okta
      • SSO Login - AzureAd
  • 📓Legal & Terms
Powered by GitBook
On this page
  • Integrate through Webhook
  • Integrate through API Key
  1. Core Integrations
  2. CrowdStrike Integration

Integrating Permissions

PreviousCrowdStrike IntegrationNextSlack Integration

Last updated 1 year ago

This document describes integrating the Rezonate product with CrowdStrike Falcon, which provides observability to on-premise hosts, users, and CrowdStrike detection data.

Integrate through Webhook

Note: To Integrate, please perform the following actions after authenticating to CrowdStrike as a Falcon Administrator.

  1. Navigate to CrowdStrike Store > All apps

  2. Scroll down to the “Plugins” section and click on Webhook

  3. Click “Configure”:

  4. Click "Add Configuration" and configure the following:

    1. Name: Rezonate Webhook

    2. Webhook URL: {Url Received From Rezonate}

    3. HMAC Secret Key: {HMAC Received from Rezonate}

    4. Signature Header Name: Keep the default value (X-Cs-Primary-Signature)

    5. Save configuration

  5. Navigate to Fusion workflows > All workflows

  6. Click Create workflow

  7. Click Create Workflow from scratch on the new page and then click Next.

  8. In the “Create workflow dialog, choose Event as the workflow trigger and click next.

  9. In the “Select trigger” dropdown box, choose Alert. Choose the subcategory to be “EPP Detection”, and click next.

  10. On the right side of the “Create workflow” dialog, click the + button next to the trigger box.

  11. Click on “Add action”

  12. In the workflow dialog, choose Notify.

  13. Choose “Call webhook”.

  14. In the Webhook name, choose the new “Rezonate Webhook”.

  15. In data to include, choose the following data points:

    1. Alert ID

    2. Behavior timestamp

    3. Command Line

    4. Description

    5. Executable SHA256

    6. File Path

    7. Name

    8. Sensor platform

    9. Sensor hostname

    10. Sensor domain

    11. Sensor local IP address

    12. Sensor external IP address

    13. Sensor Host ID

    14. Severity

    15. Tactic

    16. Technique

    17. User name

    18. User ID

    19. Action Taken

  1. Now click next and finish.

  2. Name the workflow as “Rezonate Workflow”

  3. Turn the workflow status to On

  4. Save workflow

Integrate through API Key

To Integrate, please perform the following actions after authenticating to CrowdStrike as a Falcon Administrator

  3. Configure the following:

    1. Client name - “Rezonate Integration”

    2. Description - “API key used by Rezonate”

    3. Scopes:

      1. Alerts - Read

      2. Detections - Read

      3. Hosts - Read

      4. IOC Management - Read, Write

      5. IOCs (Indicators of Compromise) - Read, Write

      6. OPTIONAL: Discover - Read

  1. Click Create.

  2. Copy the Client ID, Secret, and Base URL and share them back with Rezonate.

Navigate to Support and Resources> API clients and keys

Click on “Create API client”

📐