Integrate IoT Security through Cortex XSOAR with CrowdStrike.
Where Can I Use This?
What Do I Need?
IoT Security (Managed by IoT Security)
IoT Security subscription for an advanced
IoT Security product (Enterprise Plus, Industrial
OT, or Medical)
One of the following Cortex XSOAR setups:
An IoT Security Third-party Integration Add-on
license that includes a cohosted, limited-featured
Cortex XSOAR instance
A full-featured Cortex XSOAR server
CrowdStrike is a detection and response app that uses
endpoint sensors to detect threats and uncover the cause to accelerate
investigations. A CrowdStrike cloud server collects endpoint data
from sensors installed on IT devices such as laptops and desktops.
By integrating IoT Security with CrowdStrike, IoT Security can
import attributes for devices in its inventory.
IoT Security can receive the following device attributes through
an integration with CrowdStrike:
Hostname – The hostname of a device
OS – The operating system running on the device
OS version – The version of the operating system
OS type – The type of operating system running on
a device
Serial number – The device serial number
Vendor – The device vendor
Endpoint Detection Response (EDR) isolation status –
Whether or not a device, or endpoint, is being isolated, a condition
in which all network access for the isolated device is blocked except
for traffic to the CrowdStrike cloud server
EDR operational status – The status of the protection
that a CrowdStrike sensor is providing the device hosting it: Protected,
Partially Protected, or Unprotected
EDR group name – The name of the endpoint group to
which a device is assigned
You can display columns on the Devices page for EDR isolation
status, EDR operational status, and EDR group name. For example,
the EDR Isolation Status column is shown below.
You can also see the three EDR attributes on the Device Details
page.
Device attributes that IoT Security discovers for hostname,
OS, OS version, OS type, serial number and vendor take precedence
over those received from CrowdStrike. If IoT Security already has
values for any of these attributes, it does not replace them with
values from CrowdStrike. If you’re using both Cortex XDR and CrowdStrike
for EDR and there’s a conflict in the reported data, IoT Security
displays whatever was reported most recently.
Integrating with CrowdStrike requires either a full-featured Cortex XSOAR server or the purchase
and activation of an IoT Security
third-party integration add-on license, which comes with a free cohosted Cortex XSOAR instance. The basic plan
includes a license for three integration add-ons, one of which can be used for
CrowdStrike. The advanced plan includes a license for all supported third-party
integrations.