Integrate with CrowdStrike

With CrowdStrike integration you get access to additional signals that you can use to monitor corporate devices and allow or deny application access.

CrowdStrike offers the Falcon cybersecurity software for endpoint devices.

With the EAA-CrowdStrike integration, you can use Device Posture to calculate the status of the CrowdStrike Agent (CrowdStrike Falcon sensor) running on the user’s device. The Agent’s status is reported as healthy if the CrowdStrike Agent is running on the device and communicating regularly with the CrowdStrike server, or unhealthy if the Agent is inactive. The CrowdStrike Agent status is included in the Device Posture security evaluation.

The following is the list of the CrowdStrike data that you can monitor in the Integration tab of the Device Details report:

  • AID (Agent ID): Identifies each installation of a Falcon sensor. If the sensor is updated or reinstalled, the host gets a new AID. For this reason, a single host can have multiple AID values over time. Agent ID is also called a Sensor ID.
  • CID (Customer ID): Identifies your company's account with CrowdStrike.
  • AID/CID Status: Displays a status based on the validity of the AID and CID in the CrowdStrike cloud. If the AID and CID are valid, this signal returns Valid; otherwise, it returns Invalid.
  • Version: Reports the current version of the CrowdStrike Falcon sensor installed on a device.
  • Agent Status: Displays the health status of the CrowdStrike Falcon sensor. If the sensor communicates regularly with the CrowdStrike cloud, the status is set to Healthy. Otherwise, the status is indicated as Unhealthy.
  • Last Contact: Indicates the time that the CrowdStrike cloud last received contact from the Falcon sensor on a given device. The time indicated corresponds to the local time zone of the Akamai Control Center user.
    Note: Device Posture uses the value of the Last Contact signal to calculate the CrowdStrike Agent Status.


Note: This integration requires that end user devices are running the EAA Client and the CrowdStrike Falcon endpoint protection software. It also requires access credentials to the CrowdStrike administrator portal.

Additionally, for the anti-malware detection feature to detect CrowdStrike as an anti-malware product, the CrowdStrike Prevention Policy should have Quarantine & Security Center Registration enabled. To enable this setting, go to Prevention Policies > <Your Policy Name> > Next Gen Antivirus > Type: Quarantine in the CrowdStrike portal.

Prerequisites

  • You must have access credentials to your CrowdStrike administrator portal.
  • Install the EAA Client on end user macOS and Windows desktop devices.
  • Install and run the CrowdStrike Falcon Sensor on end user devices. The Falcon sensor must be properly associated with the customer account used to access and configure the CrowdStrike portal mentioned above.
  • Authentication to the CrowdStrike API requires a Client ID and Client Secret. You can generate these credentials from the CrowdStrike portal.
  • CrowdStrike integration is only supported for desktop (Windows and macOS) devices.
  • In order for the integration to work correctly on macOS, the CrowdStrike Falcon utility and OS sysctl utility must be installed and accessible. See CrowdStrike documentation for further details.

To integrate with CrowdStrike, you need to follow these steps:
  1. Configure CrowdStrike cloud to allow API access via Akamai Control Center.
  2. Configure Akamai Control Center for CrowdStrike integration.

Configure CrowdStrike cloud to allow API access via Akamai Control Center

Complete this procedure in the CrowdStrike portal to obtain your CrowdStrike Client ID and Client Secret.

  1. Log in to the CrowdStrike portal.
  2. Go to Support > API Clients and Keys.
    The API Key page appears.
  3. In API Clients, click Add new API Client.
    The Add new API client dialog appears.
  4. In Add new API client:
    1. In Client Name, enter a unique name for the API client.
    2. In Description, enter a description for the API client (Optional).
    3. In API Scopes, select Hosts (Read and Write) permissions.


  5. Click Add.
    The API client create dialog appears.
  6. From the API client created window, copy Client ID and Client Secret values.
    Note: You should copy the Client Secret now as you won't be able to retrieve its value later.
  7. Click Done.


Configure Akamai Control Center for CrowdStrike integration

Complete this procedure in Akamai Control Center to integrate with the CrowdStrike cloud and get access to signals reported by the Falcon client.

  1. In the EAA Management Portal, select System > Device Posture.
    The Device Posture page appears.
  2. On the Device Posture page, click Integrations.
  3. Go to CrowdStrike and fill in the following fields:
    • Enabled: Select Enabled to use CrowdStrike signals in tiers and tags.
      Note: If the CrowdStrike integration is not enabled, the CrowdStrike Status Healthy signal is not displayed in the tiers and tags criteria. The agent status also does not appear in the inventory reports, including filter criteria and device details.
    • Base URL: Enter your organization-specific Base URL.
      In most cases you can use the cloud environment US-1’s URL http://api.crowdstrike.com
      Other cloud environments and their corresponding base URLs are the following:
        • US-GOV: api.laggar.gcw.crowdstrike.com
        • EU-1: api.eu-1.crowdstrike.com
        • US-2: api.us-2.crowdstrike.com
      If none of these work, consult CrowdStrike for your Base URL.
    • Client ID and Client Secret: Enter the Client ID and Client Secret.
      To get your Client ID and Client Secret, go to Support > API Clients and Keys > OAuth2 API Clients > Add new API Client in the CrowdStrike portal.



  4. Click Test Credentials to ensure the values are correct. A confirmation message appears if the credentials are tested successfully.
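
A scripted counterpart to the Base URL and credential fields and the Test Credentials step above, as an added example that is not Akamai's or CrowdStrike's code: it accepts only the API hosts listed on this page, always connects over https whatever scheme was typed, and requests a token from the CrowdStrike OAuth2 endpoint `/oauth2/token`. The function names and environment variable names are hypothetical.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request

# API hosts listed on this page; add a host here only if CrowdStrike gives you one.
CLOUD_HOSTS = {
    "api.crowdstrike.com": "US-1",
    "api.us-2.crowdstrike.com": "US-2",
    "api.eu-1.crowdstrike.com": "EU-1",
    "api.laggar.gcw.crowdstrike.com": "US-GOV",
}

def normalize_base_url(value):
    """Return (https base URL, cloud name) for a listed host, else raise ValueError."""
    value = value.strip()
    parts = urllib.parse.urlsplit(value if "://" in value else "https://" + value)
    host = (parts.hostname or "").lower()
    if host not in CLOUD_HOSTS:
        raise ValueError(f"{host!r} is not a listed CrowdStrike API host")
    if parts.username or parts.password or parts.port or parts.query \
            or parts.path not in ("", "/"):
        raise ValueError("expected a bare host: no credentials, port, path or query")
    return f"https://{host}", CLOUD_HOSTS[host]  # the secret only ever travels over TLS

def build_token_request(base_url, client_id, client_secret):
    """Build the OAuth2 token request without touching the network."""
    base, _cloud = normalize_base_url(base_url)
    body = urllib.parse.urlencode(
        {"client_id": client_id, "client_secret": client_secret}).encode()
    return urllib.request.Request(
        base + "/oauth2/token", data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})

def check_credentials(base_url, client_id, client_secret, timeout=10):
    """True if a token is issued, False if the API rejects the credentials."""
    req = build_token_request(base_url, client_id, client_secret)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return bool(json.load(resp).get("access_token"))
    except urllib.error.HTTPError as err:
        if err.code in (400, 401, 403):
            return False
        raise  # outage, rate limit, proxy error: not a verdict on the credentials

if __name__ == "__main__":
    # Hypothetical variable names; secrets stay out of argv and shell history.
    print(check_credentials(os.environ["FALCON_BASE_URL"],
          os.environ["FALCON_CLIENT_ID"], os.environ["FALCON_CLIENT_SECRET"]))
```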

Next steps

After you configure the CrowdStrike integration, you can:
  • Use the CrowdStrike Status Healthy signal to configure risk tiers and tags. See Configure tiers and tags for more information.
  • Use the CrowdStrike Healthy criterion to filter inventory reports for healthy and unhealthy devices. See Create an inventory report for more information.
  • View the Integration section of the Device Details report to check the CrowdStrike information.