Introduction
JoinNow’s Real-Time Intelligence service integrates seamlessly with CrowdStrike to automate security workflows and enforce endpoint compliance.
The integration works by taking Security Signals, which in this case are Webhooks from CrowdStrike, performing an assessment, such as validating the user from the Signal Source, and implementing an action.
Auto-remediation actions include:
- Reactivation of a user certificate when the user account is reactivated.
- Temporary removal of access by suspending the device.
- Email alerts to admins about the risk posed by an anomaly.
- Complete certificate revocation for a high-risk user.
This guide provides the steps to integrate CrowdStrike with Adaptive Defense.
Prerequisites
The following are the prerequisites for setting up a webhook in CrowdStrike:
- User with Falcon Admin permission.
- Active subscription to the JoinNow Platform.
NOTE: This feature is available to existing customers with JoinNow Real-Time Intelligence.
Configuring CrowdStrike
Creating CrowdStrike API
The first step is to create an API client in CrowdStrike that SecureW2 can use to validate the Risk Score of a device.
To do this, we will create an API Client and Key, and grant the client only the Read scopes it needs.
- Log in to the CrowdStrike portal.
- On the left pane, navigate to Support and resources > API clients and Keys.

- On the OAuth2 API clients tab, click the Create API client button. The CrowdStrike API uses OAuth2 authentication with access tokens to make API requests.

- On the Create API client pop-up window, enter the name of the client in the Client name field.
- In the Description field, enter a suitable description for the API client.
- In the API Scopes section, select the Read check box for the following scopes to enable access to their endpoints.
- Hosts
- Zero Trust Assessment
NOTE: On the Zero trust assessment page, the value in the Overall assessment section is what SecureW2 considers Risk Score.
- Click Create to generate the client ID and secret.
- On the API client created pop-up window, copy the Client ID, Secret, and Base URL to your device.

- Click Done.

Integrating CrowdStrike Webhook with JoinNow Management Portal
The CrowdStrike webhook integration enhances automation within the platform by enabling the seamless transmission of real-time events to the JoinNow Management Portal. This functionality ensures that CrowdStrike-generated event notifications are promptly triggered via webhooks. To enable integration with the JoinNow Management Portal, the Webhook URL and HMAC Secret Key must be configured in CrowdStrike.
To integrate the CrowdStrike Webhook with the JoinNow Management Portal, perform the following steps:
- On the left pane, navigate to Fusion SOAR > Integrations.

- On the CrowdStrike Store page, under the Plugins section, select CrowdStrike Webhook to enable real-time event notifications from CrowdStrike to the JoinNow Management Portal.

- On the CrowdStrike Webhook page, click Configure.

- On the Configure CrowdStrike Webhook pop-up window, click Add configuration.

- In the Name field, enter a name for the CrowdStrike Webhook.
- In the Webhook URL field, enter the Notification URL obtained from the .csv file (refer to the Configuring Adaptive Defense Platform section, step 7) to integrate with the JoinNow Management Portal.
- In the HMAC Secret Key field, enter the HMAC Secret Key obtained from the .csv file (refer to the Configuring Adaptive Defense Platform section, step 7) to integrate with the JoinNow Management Portal.

- Click Save configuration.

Creating an Event Hook Workflow
A workflow can help streamline and automate the generation of event notifications based on changes in a device’s risk assessment score detected by CrowdStrike. These workflows operate on a trigger-condition-action framework to ensure seamless and efficient process automation.
To create an Event hook workflow, perform the following steps:
- On the left pane, navigate to Next-Gen SIEM > Workflows.

- On the Workflows page, click Create workflow.

- In the Create workflow pop-up window, select Create workflow from scratch and click Next.

- In the Create workflow section, select Event to configure the Workflow to trigger based on an event in the CrowdStrike environment, and click Next.

- From the Trigger category drop-down list, select Zero Trust Assessment.
- From the Subcategory drop-down list, select Host assessment change.
- From the Type drop-down list, select Overall assessment and click Next.

- Click the Condition workflow to define the conditions that trigger the events in the JoinNow Management Portal.

- Under the Customize condition section:
i. From the Parameter drop-down list, select Overall assessment.
ii. Select an operator from the Operator drop-down list based on your business requirements, and enter the required value in the Value field. For example, if the risk assessment score of a client device is greater than or equal to 70, an event is triggered by CrowdStrike to the JoinNow Management Portal. To configure this condition, select ‘is greater than or equal to’ from the Operator drop-down list and enter ‘70’ in the Value field.
iii. Click Next.

- Click the Action workflow to transfer the configured data from CrowdStrike to the JoinNow Management Portal in compliance with security standards.

a. Under Browse action tags, select Webhook in the OBJECT section.
b. Select the Call webhook option and click Add.
c. In the Configure section:
- From the Webhook name drop-down list, select the webhook created earlier in the Integrating CrowdStrike Webhook with JoinNow Management Portal section.
- From the Data format drop-down list, select Default.
- In the Data to include field, select the following options:
- Domain
- External IP
- Host ID
- Hostname
- OS assessment
- Overall assessment
- Workflow name
- Category
- Serial number
- Click Next.


- Click Finish.
- On the Add workflow name and description pop-up window:
- In the Name field, enter a unique name for the Workflow.
- In the Description field, enter a suitable description for the Workflow.
- In the Workflow status section, enable the workflow to initiate the execution.

- Click Save workflow.

Integrating CrowdStrike into SecureW2
At a high level, there are two main points of configuration:
- Configuring CrowdStrike as a Security Vendor in JoinNow is where we will create a secure API connection so that the Risk Score can be ingested.
- Configuring Adaptive Defense in the JoinNow Management Portal is where we will use this Risk Score data to configure the CrowdStrike data control events. This section explains how JoinNow continuously monitors device risk scores and automatically revokes certificates for devices with high-risk scores. The Continuous Monitoring Policy runs every 10 minutes, checks the risk score, and retrieves device data.
Configuring CrowdStrike as a Security Vendor in JoinNow
To create our API integration, we first need to create a Security Vendor in SecureW2.
- Log in to the JoinNow Management Portal.
- Navigate to Integration Hub > Security Platforms.
- Click Add.

- In the Name field, enter a name for the security platform.
- In the Description field, enter a suitable description for the security platform.
- From the Type drop-down list, select CrowdStrike to integrate with the JoinNow Management Portal.

- Click Save.
- Select the Configuration tab.
- In the Provider URL field, enter the Base URL obtained from the CrowdStrike console.
- In the Client ID field, enter the client ID obtained from the CrowdStrike console.
- In the Client Secret field, enter the secret obtained from the CrowdStrike console.

- Click Validate to check for a successful connection.

CrowdStrike Risk Configuration
By default, the JoinNow Management Portal provides predefined risk scores with risk levels, which can be customized.
To modify any default values:
- Select the Risk Configuration tab.
- On the Risk Configuration page, click the corresponding edit icon.

- The values in the Remote Attribute and Attribute Type fields are non-editable. They retain the values provided during the risk score creation.
- In the Remote Value field, enter the risk score range for the required risk level (between 1 and 100). Ensure that these values do not overlap with other entries and are not duplicates.
- From the Composite Risk Exposure level drop-down list, select the updated risk level based on your business requirements.

- Click Update to save all the configurations.
Creating a New Risk Score
Creating a new Risk Score follows the same steps as modifying a default value. To do this, perform the following steps:
- Select the Risk Configuration tab.
- On the Risk Configuration page, click Add.

- From the Remote Attribute drop-down list, retain the overall option. The CrowdStrike security vendor specifically uses this attribute to return the risk score value from the Overall assessment section in the CrowdStrike console to the JoinNow Management Portal.
- In the Attribute Type field, the type of risk score value returned by the CrowdStrike security vendor to the JoinNow Management Portal is displayed. The default value displayed is the Number type.
- In the Remote Value field, enter the risk score range for the required risk level (between 1 and 100).
- From the Composite Risk Exposure level drop-down list, select the required risk level.

- Click Next.

- Click Update.
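The Remote Value ranges above must stay within 1 to 100 and must not overlap or repeat. The following added example (not SecureW2 or CrowdStrike code) checks a planned risk table before it is entered in the portal; the "low-high" text format, the sample cut-offs and the extra gap warning are assumptions of the example.

```python
# Added example, not SecureW2 or CrowdStrike code.
# Assumption: a Remote Value is written "low-high" (inclusive) or a single number.
from typing import NamedTuple, Optional

SCORE_MIN, SCORE_MAX = 1, 100  # bounds stated in the guide


class Band(NamedTuple):
    low: int
    high: int
    level: str


def parse_band(remote_value: str, level: str) -> Band:
    """Turn '31-60' (or '70') into an inclusive band for one risk level."""
    parts = [p.strip() for p in remote_value.split("-")]
    if len(parts) == 1:
        parts = parts * 2
    if len(parts) != 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable Remote Value: {remote_value!r}")
    return Band(int(parts[0]), int(parts[1]), level)


def check_table(bands: list) -> list:
    """Return a list of problems; an empty list means the table is consistent."""
    problems = []
    for b in bands:
        if b.low > b.high:
            problems.append(f"{b.level}: reversed range {b.low}-{b.high}")
        elif b.low < SCORE_MIN or b.high > SCORE_MAX:
            problems.append(f"{b.level}: {b.low}-{b.high} is outside {SCORE_MIN}-{SCORE_MAX}")
    ordered = sorted((b for b in bands if b.low <= b.high), key=lambda b: b[:2])
    covered_to, covering = SCORE_MIN - 1, None
    for cur in ordered:
        if covering is not None and cur.low <= covered_to:
            kind = "duplicates" if cur[:2] == covering[:2] else "overlaps"
            problems.append(f"{cur.level} {kind} {covering.level}")
        elif cur.low > covered_to + 1:
            # Not forbidden by the guide, but such scores match no risk level.
            problems.append(f"scores {covered_to + 1}-{cur.low - 1} map to no level")
        if cur.high > covered_to:
            covered_to, covering = cur.high, cur
    if covered_to < SCORE_MAX:
        problems.append(f"scores {covered_to + 1}-{SCORE_MAX} map to no level")
    return problems


def classify(score: int, bands: list) -> Optional[str]:
    """Risk level for a score, or None when no band contains it."""
    for b in bands:
        if b.low <= score <= b.high:
            return b.level
    return None


# Constructed sample tables; cut-offs and direction come from your own policy.
GOOD = [parse_band(v, l) for v, l in
        [("1-30", "Low"), ("31-60", "Medium"), ("61-80", "High"), ("81-100", "Critical")]]
BAD = [parse_band(v, l) for v, l in
       [("1-30", "Low"), ("30-60", "Medium"), ("61-80", "High"), ("61-80", "Critical")]]

if __name__ == "__main__":
    print(check_table(GOOD))
    for problem in check_table(BAD):
        print(problem)
    print(classify(70, GOOD), classify(90, BAD))
```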
Mapping Additional Device Attributes
The Attribute Mapping includes device attributes along with existing risk-related attributes as part of the Security Signal Sources setup for device validation. The list of attributes supported by the Security Platform and SecureW2 is displayed in the Attribute Mapping section.
- From the Attribute Type drop-down list, select any one of the following options based on your business requirements.
- Device
- Custom

Admins can configure multiple Signal Source attributes by selecting the checkboxes next to the attributes.
| Attributes | Description |
| --- | --- |
| aid | Agent ID – Unique identifier for the installed CrowdStrike sensor |
| cid | Customer ID – Identifier for the customer or organization |
| system_serial_number | Hardware serial number of the endpoint device |
| event_platform | Indicates the OS platform where the event occurred (e.g., Windows, Linux) |
| product_type_desc | Describes the role/type of the device (e.g., server, workstation) |
| modified_time | Timestamp of the most recent sensor update or data change |
| sensor_file_status | Status of sensor files (e.g., healthy, missing, tampered) |
| os | Operating system and version information |
| version | Version number of the CrowdStrike sensor installed |
| sensor_config | Configuration settings applied to the sensor |
- The Custom attribute displays the customized attributes configured by the Admin.
- To create custom attributes:
a. Click the Add Custom Attributes link.
b. In the Local Attribute field, enter the name to identify the attribute locally.
c. In Remote Attribute, select the attribute to be mapped to the Local attribute. If you select User Defined, enter the attribute returned by the Core Provider to be mapped.

d. Click Save.
e. Click Update.
Configuring Adaptive Defense in the JoinNow Management Portal
This section describes the steps to configure SecureW2 to receive webhooks from CrowdStrike in the JoinNow Management Portal.
Configuring a Signal Source
Before certificate issuance and during the RADIUS authentication process, the Signal Source feature validates that a device or user is active within the organization by checking the identifying information against existing accounts in the Core Provider.
You can create any signal source for lookup. This example shows how to configure an Azure signal source.
To create a signal source, perform the following steps:
- Navigate to Integration Hub > Core Platforms.
- Click Add.
- In the Basic section, in the Name field, enter the name of the signal source.
- In the Description field, enter a suitable description for the signal source.
- From the Type drop-down list, select Azure Identity Lookup.

- Click Save. The page refreshes and displays the Configuration, Attribute Mapping, and Groups tabs.
- Click the Configuration tab.
- From the Access Token Grant Flow drop-down list, select one of the following options.
- Client Credentials – This option eliminates the need for frequent token reauthorization from the Azure portal and is the recommended method.
- Authorization Code – This option requires reauthorization of the token from the Azure portal every 90 days.
- In the Provider URL field, enter the URL you created earlier using the Directory (tenant) ID: https://login.microsoftonline.com/{Directory (tenant) ID}. This should look like this:
https://login.microsoftonline.com/561bc66f-1d86-4244-8bc4-5eb12cba45ac
- In the Client Id field, enter the Application (client) ID that you retrieved from Azure Portal earlier (refer to the Creating a Client ID and Tenant ID section).
- In the Client Secret field, enter the Client secret you generated in the Azure Portal earlier (refer to the Creating a Client Secret section).
- Under the Lookup Configuration section, from the Device Lookup via drop-down list, select the required device lookup attribute from the options listed below:
- Azure Device ID – The lookup is performed using Azure ADID.
- Azure Device Name – The lookup is performed using the device name. For additional search filters, select the required checkboxes:
- Is Managed – checks if the device is managed.
- Is Compliant – checks if the device is compliant.

- Click the Attribute Mapping tab. The list of attributes supported by Azure Signal Source and SecureW2 is displayed in the Attribute Mapping section.
- From the Attribute Type drop-down list, select any one of the following options based on your business requirements.
- Device
- User
- Custom

- To create custom attributes:
- Click the Add Custom Attributes link.

- In the Local Attribute field, enter the name to identify the attribute locally.
- From the Remote Attribute drop-down list, select any one of the attributes to be mapped to the Local attribute.
- Name
- User Defined
If you select User Defined, enter a value to be mapped.

- Click Save to create the custom attribute with the appropriate mapping.

- Click the Groups tab.
- Click Add.

- In the Local Group field, enter the local group name. This group name can be used to configure network policies.
- In the Remote Group field, enter the Object ID that you retrieved from the Azure Portal earlier (refer to the Creating a Client ID and Tenant ID section).

- Click Create.

- Click Update.
- Repeat all the steps above as needed to create as many groups as required.
Configuring Adaptive Defense Platform
This section describes the steps to configure webhooks in the Adaptive Defense Platform.
- Navigate to Integration Hub > Adaptive Defense Platforms.
- Click Add.

- In the Basic section, enter the name of the webhook in the Name field.
- In the Description field, enter a brief description of the webhook.
- From the Provider drop-down list, select CrowdStrike.

- Click Save. The page refreshes, and the Configuration and Events tabs appear.
- Click the Configuration tab.
- From the Security Platform drop-down list, select the CrowdStrike security vendor configured in the Configuring CrowdStrike as a Security Vendor in JoinNow section.
- In the Credential field, click Download. A .csv file containing the Notification URL and HMAC Secret Key is downloaded. These values are used to configure the CrowdStrike Webhook.

- Click the Events tab.
- Select the following events to receive the event notifications from CrowdStrike:
- Low
- Medium
- High
- Critical

- Click Update.
Configuring Adaptive Defense Template
The Adaptive Defense Templates define and manage policies within the workflow by allowing you to configure multiple signal sources and make decisions based on attributes returned from adaptive defense providers.
To configure the Adaptive Defense Template, perform the following steps:
- Navigate to Policy Management > Adaptive Defense.
- In Adaptive Defense Templates, click Add Template.

- In the Basic section, enter the name of the adaptive defense template in the Name field.
- In the Display Description section, enter a brief description for the adaptive defense template.

- Click Save. The Lookup and Conditions tabs are displayed.
- Click the Lookup tab.
a. Click + Add Lookup to verify the identity of a user or device from the Signal Source or Security Platform.
b. From the Provider drop-down list, select an option from the Security Platform or Signal Source that you created earlier. Multiple lookups can be created according to specific requirements. Based on your selection, the DEVICE and/or USER attributes are displayed in the Lookup Type drop-down list.
c. From the Identity drop-down list, configure the attribute to use in the lookup for Signal Source or Security Platform. The attributes are:

i. Event – Select this option to add attributes received from the event.
ii. Custom – Select this option to add custom attributes during lookup, in addition to the listed attributes.
iii. Certificate – If a certificate already exists on the device, select this option to add attributes received from the event.
- Click the Conditions tab. You can configure the evaluation policy to define the conditions for successful lookups and perform actions based on the configuration.
a. Click Add Evaluation Policy.
b. In the Basic section, enter the name of the evaluation policy in the Name field.
c. In the Display Description field, enter a suitable description for the evaluation policy.

d. Select the Conditions tab.
e. Click + Add Condition to define actions based on attributes from the Signal Source or Security Platform.

f. From the Core Provider drop-down list, select the provider that you mapped earlier in the Lookup tab of the Adaptive Defense Templates section.
g. Click + Add Attribute.
Attribute – From the Attribute drop-down list, select an option to be mapped to a value on the right side to create a specific condition. The mapping can be done in two ways:
* Equals – Assigns the role to a user or device based on the attribute received from the Signal Source.
* Matches – Use a regular expression (RegEx) to match the attribute received from the Signal Source. Based on the result, assign a role to the user or device.
h. If the specified attribute matches the entered value and the Risk Configuration matches the Risk Level, the conditions are met and the action is configured accordingly.

You can add multiple conditions by clicking + Add Condition to include them in a single evaluation policy. The evaluation policy succeeds when all configured conditions are met. Conditions are triggered sequentially, starting from the first condition.
i. Click Update.

j. Again, click Update to save all configurations.
Configuring Adaptive Defense Workflow
Adaptive Defense workflow defines the actions to perform when an event is received from an adaptive defense provider. You can configure the workflow to perform tasks such as suspending a certificate, sending an email notification, or taking other appropriate actions based on the event.
This section describes the steps to configure the Adaptive Defense Workflow.
- Navigate to Policy Management > Adaptive Defense.
- Scroll down to the Adaptive Defense Workflows.
- In Adaptive Defense Workflows, click Add Workflow.

- In the Basic section, enter the name of the Adaptive Defense workflow in the Name field.
- In the Display Description section, enter a brief description for the Adaptive Defense workflow.

- Click Save. The Conditions and Settings tabs are displayed.
- Click the Conditions tab. Select the conditions for executing the workflow based on the event received from the provider. The workflow executes based on the selected events.
a. From the Event Trigger Source drop-down list, select the adaptive defense platform that you created earlier. The relevant events are displayed in the Event Type field.
b. In the Event Type field, select the events based on your business requirements.
- Click the Settings tab to configure the type of action to perform.
- From the Template drop-down list, select the Adaptive Defense template you created earlier to set conditions for actions based on attributes from signal sources.
If you create multiple Adaptive Defense workflows, you can avoid defining lookup conditions for each one individually by mapping a template to automatically trigger all lookup conditions in the workflow.
- Click Add Action.
- From the Action drop-down list, select one of the following options:
- Notification
a. Email Notification – Sends an email notification when the workflow is executed, including all event details.
- PKI
a. Permanently Revoke Certificate – This action permanently revokes the certificate and cannot be unrevoked.
b. Suspend without CRL Update – This action revokes the certificate with an On-Hold status and can be reactivated; however, the certificate serial is not updated in the CRL.
c. Suspend with CRL Update – This action revokes the certificate with an On-Hold status, updates its serial in the CRL, and can be reactivated.
d. ReActivate Certificate – Reactivates a Suspended Certificate.
- RADIUS
a. Deregister WebAuth Device – Deletes the MAC address from the database.
b. Deregister VPN Token – Deletes the VPN token(s) associated with the user.
- The following scenarios can be configured based on user requirements:
- Evaluation Policy set to Low: When the adaptive defense provider returns a “Low” event, the suspended certificate is reactivated.

- Evaluation Policy set to Medium: When the adaptive defense provider returns a “Medium” event, the certificate is suspended.

- Evaluation Policy set to High: When the adaptive defense provider returns a “High” event, the certificate is permanently revoked.

- Evaluation Policy set to Critical: When the adaptive defense provider returns a “Critical” event, the certificate is permanently revoked.

- To configure the custom attribute, specify the path as /auth/platform/<idp-name>/<attributename>. Based on business requirements, map the attributes retrieved from the Signal Source or Security Vendor setup to the appropriate fields.
Example: Configuring a Custom Attribute for a Security Vendor
In this example, the aid attribute from the security vendor is configured in /auth/platform/CrowdStrike-Security-Platform/aid
Adaptive defense actions are triggered based on the configured agent ID attribute.
Example: Configuring a Custom Attribute for a Signal Source
In this example, the operatingSystem attribute from the security vendor is configured in /auth/platform/Azure-Signal-Source/operatingSystem
Adaptive defense actions are triggered based on the configured operating system attribute.

- Evaluation Policy set to No Condition: To receive email notifications for all actions regardless of a specific event, set the policy to “No Condition.”

From the Distribution Book drop-down list, select the distribution book you created earlier.
- Click Save.

- Click Update.
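The PKI actions and the Low/Medium/High/Critical scenarios above can be modelled as a small state machine. This added example (not SecureW2 code) replays event sequences to show which states are recoverable and what a verifier that checks only the CRL would see; publishing revocations in the CRL and withdrawing a hold entry on reactivation are assumptions, and `CertStore` and `replay` are hypothetical names.

```python
# Added example, not SecureW2 code: certificate lifecycle implied by the
# PKI actions and event scenarios described in this guide.
from dataclasses import dataclass, field

ACTIVE, ON_HOLD, REVOKED = "active", "on_hold", "revoked"

# Event -> action, as in the scenarios listed in the guide.
SCENARIOS = {"Low": "reactivate", "Medium": "suspend",
             "High": "revoke", "Critical": "revoke"}


@dataclass
class CertStore:
    # True models "Suspend with CRL Update", False "Suspend without CRL Update".
    update_crl_on_suspend: bool
    state: dict = field(default_factory=dict)  # serial -> lifecycle state
    crl: set = field(default_factory=set)      # serials listed in the CRL

    def apply(self, serial: str, event: str) -> str:
        action = SCENARIOS[event]
        current = self.state.get(serial, ACTIVE)
        if current == REVOKED:
            return REVOKED                 # permanent: cannot be unrevoked
        if action == "revoke":
            self.state[serial] = REVOKED
            self.crl.add(serial)           # assumption: revocations are published
        elif action == "suspend":
            self.state[serial] = ON_HOLD
            if self.update_crl_on_suspend:
                self.crl.add(serial)
        elif action == "reactivate" and current == ON_HOLD:
            self.state[serial] = ACTIVE
            self.crl.discard(serial)       # assumption: hold entry is withdrawn
        return self.state.get(serial, ACTIVE)

    def crl_only_verifier_accepts(self, serial: str) -> bool:
        """View of a relying party that consults nothing but the CRL."""
        return serial not in self.crl


def replay(events, update_crl_on_suspend=True, serial="0A1B"):
    """Apply events in order; return (final state, CRL-only verifier accepts?)."""
    store = CertStore(update_crl_on_suspend)
    for event in events:
        store.apply(serial, event)
    return store.state.get(serial, ACTIVE), store.crl_only_verifier_accepts(serial)


if __name__ == "__main__":
    # Constructed event sequences for one device certificate (serial is a placeholder).
    print(replay(["Medium", "Low"]))            # hold, then restored
    print(replay(["High", "Low"]))              # revocation survives a later Low
    print(replay(["Medium"], update_crl_on_suspend=False))  # on hold, CRL silent
```

The last case is the one to check against your own relying parties: with Suspend without CRL Update, anything that validates the certificate by CRL alone has no signal that it is on hold.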
Data and Monitoring
When the conditions are met, Adaptive Defense triggers events based on configured actions from the Adaptive Defense provider. These events provide real-time insights to help admin users monitor and manage potential threats.
Adaptive Defense Events
To view the Adaptive Defense events, navigate to Data Monitoring > Enhanced Events. The following page is displayed.


Adaptive Defense Email Notification
Adaptive Defense sends a notification email to users listed in the Distribution Book, which is configured in the Adaptive Defense workflow.

Reference Configurations
Integrating Azure with JoinNow for Signal Source
To perform lookups during certificate issuance and network authentication, follow these steps:
Creating a Client ID and Tenant ID
To retrieve the client ID, create a new application in Microsoft Azure and perform the following steps:
- Log in to the Azure portal.
- Navigate to App registrations.

- Click New registration.

- On the Register an application page, enter the name of the application in the Name field.
- In the Supported account types section, specify who can use the application by selecting any one of the following options:
- Accounts in this organizational directory only (MSFT only – Single tenant)
- Accounts in any organizational directory (Any Microsoft Entra ID tenant – Multitenant)
- Accounts in any organizational directory (Any Microsoft Entra ID tenant – Multitenant) and personal Microsoft accounts (e.g., Skype, Xbox)
- Personal Microsoft accounts only

- Click Register. The following screen is displayed.

- Copy the Application (client) ID, Object ID, and Directory (tenant) ID values to your console. These values are used during the JoinNow Management Portal integration.
Creating a Client Secret
- In the left pane, navigate to Manage and click Certificates & secrets.
- Click New client secret.

- In the Add a client secret pop-up window, enter a description for the client secret in the Description field.
- From the Expires drop-down list, select the expiration date of the client secret.

- Click Add.
- The client secret is displayed under the Value column. This secret is used during the JoinNow Management Portal integration.

NOTE: Ensure that you save the client secret on your console properly, as this secret is non-recoverable.
Creating a Distribution Book
To create a distribution book, perform the following steps:
- Navigate to General > Organization > Distribution Book.
- Click Add Distribution Book.

- In the Name field, enter a name for the distribution book.
- Add the required users to the distribution book by clicking on the To, Cc, and Bcc fields. The drop-down list containing the users in the organization will be displayed. Click on the required user to add to the Distribution book.

- Click Add New User to add a new user outside of the organization to the distribution list.
- In the Email Address field, enter the email address of the recipient.
- Select the required radio button for To, Cc, or Bcc to select the required recipient type.

- Click Add.
- Click Save to save the distribution book.

- Click Update.
