This document describes integrating the Rezonate product with CrowdStrike Falcon, which provides observability to on-premise hosts, users, and CrowdStrike detection data.

Integrate through Webhook

Note: To Integrate, please perform the following actions after authenticating to CrowdStrike as a Falcon Administrator.

4. Click "Add Configuration" and configure the following:

   1. Name: Rezonate Webhook

   2. Webhook URL: {Url Received From Rezonate}

   3. HMAC Secret Key: {HMAC Received from Rezonate}

   4. Signature Header Name: Keep the default value (X-Cs-Primary-Signature)

   5. Save configuration

6. Click Create workflow

7. Click Create Workflow from scratch on the new page and then click Next.

11. Click on “Add action”

13. Choose “Call webhook”.

14. In the Webhook name, choose the new “Rezonate Webhook”.

15. In data to include, choose the following data points:

    1. Alert ID

    2. Behavior timestamp

    3. Command Line

    4. Description

    5. Executable SHA256

    6. File Path

    7. Name

    8. Sensor platform

    9. Sensor hostname

    10. Sensor domain

    11. Sensor local IP address

    12. Sensor external IP address

    13. Sensor Host ID

    14. Severity

    15. Tactic

    16. Technique

    17. User name

    18. User ID

    19. Action Taken

16. Now click next and finish.

17. Name the workflow as “Rezonate Workflow”

18. Turn the workflow status to On

19. Save workflow

Integrate through API Key

To Integrate, please perform the following actions after authenticating to CrowdStrike as a Falcon Administrator

3. Configure the following:

   1. Client name - “Rezonate Integration”

   2. Description - “API key used by Rezonate”

   3. Scopes:

      1. Alerts - Read

      2. Detections - Read

      3. Hosts - Read

      4. IOC Management - Read, Write

      5. IOCs (Indicators of Compromise) - Read, Write

      6. OPTIONAL: Discover - Read

4. Click Create.

5. Copy the Client ID, Secret, and Base URL and share them back with Rezonate.