Creating and Configuring a CrowdStrike System of Record
Prerequisites
SGNL User Account with at least Protected System Admin and Log Reader (or Global Reader) privileges to your SGNL Client.
CrowdStrike Admin Account able to generate OAuth Clients with the Identity Protection Entities scope.
Configuring CrowdStrike
Generating Client Credentials
Log in to the CrowdStrike Console.
From the left menu, select Support and Resources, then API Clients and Keys.
Create an API Client by selecting “Create API Client”.
Give the Client a Name and Description, then select Read permission for scope “Identity Protection Entities”.
Select Create, and copy the Client ID, Secret, and URL – you’ll need these in SGNL in a moment.
Configuring SGNL
Log in to the SGNL Console.
From the left menu, select Systems of Record.
Click “Add System of Record”.
From the Catalog, select “CrowdStrike Identity Threat Protection”, which will open up the New System of Record screen with some configuration options pre-populated from the CrowdStrike SoR template.
Enter the Hostname of your CrowdStrike instance. This is the URL provided when you configured your API Client, without the https:// prefix. For example: api.us-2.crowdstrike.com.
Ensure the selected CrowdStrike Adapter matches the CrowdStrike System of Record Type.
Select OAuth2 Client Credentials as the Authentication Method and enter the Client ID and Client Secret.
For the Token URL, enter your API Client URL with /oauth2/token appended, e.g. https://api.us-2.crowdstrike.com/oauth2/token
Click Save to save your CrowdStrike SoR. You will be taken to the CrowdStrike System of Record page.
All entities and relationships are created as defined in the CrowdStrike template. If applicable, you can edit an entity and modify any properties of the entity or the associated attributes.
(If applicable) You can also create relationships joining entities and attributes in CrowdStrike to entities and attributes in other Systems of Record configured in SGNL.
For more information on relationships, please refer to our Relationships page.
Note that synchronization is disabled by default when a new System of Record is created.
You can choose to enable synchronization on Entities individually. Hover over the entity to see the Enable Sync button, and click on it.
Repeat for all Entities you want to synchronize to SGNL. Finally, enable synchronization for the System of Record.
Go to SGNL Ingestion Logs to confirm that ingestion has started. Wait a few seconds for ingestion to complete.
After some time, SGNL should complete ingesting the data from your CrowdStrike instance into the SGNL graph.
The number of objects ingested per entity is displayed on the CrowdStrike screen.
You should then be able to construct policies based on your CrowdStrike data and make access evaluation calls to SGNL.
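The Hostname and Token URL steps above can be checked before the values are entered in SGNL. The following is an added example, not SGNL or CrowdStrike code: it derives both fields from the API Client URL, rejects non-HTTPS or malformed input, and optionally requests a token to confirm the Client ID and Secret work. The function names, the environment variable names (CS_API_URL, CS_CLIENT_ID, CS_CLIENT_SECRET) and the form-encoded request body are assumptions.

```python
import json
import os
import urllib.parse
import urllib.request

def derive_sor_settings(api_client_url):
    """Map the URL shown for the CrowdStrike API Client to the two SGNL fields."""
    raw = api_client_url.strip()
    if "://" not in raw:  # accept a bare hostname as well as a full URL
        raw = "https://" + raw
    parts = urllib.parse.urlsplit(raw)
    # The client secret is posted to this host, so refuse anything but HTTPS.
    if parts.scheme.lower() != "https":
        raise ValueError("API Client URL must use https")
    # Userinfo, a port, a query or a fragment points to a bad paste.
    if parts.username or parts.password or parts.port or parts.query or parts.fragment:
        raise ValueError("unexpected userinfo, port, query or fragment")
    host = (parts.hostname or "").lower()
    if "." not in host:
        raise ValueError("no usable hostname in URL")
    # Tolerate a trailing slash or an already-appended /oauth2/token path.
    if parts.path.rstrip("/") not in ("", "/oauth2/token"):
        raise ValueError("unexpected path: " + parts.path)
    return {"hostname": host, "token_url": "https://" + host + "/oauth2/token"}

def request_token(token_url, client_id, client_secret):
    """Send an OAuth2 client-credentials request and return the parsed JSON."""
    # Assumption: the token endpoint takes the credentials as form fields.
    form = {"grant_type": "client_credentials",
            "client_id": client_id, "client_secret": client_secret}
    req = urllib.request.Request(token_url, method="POST",
                                 data=urllib.parse.urlencode(form).encode())
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)

if __name__ == "__main__":
    # Hypothetical environment variable names; keeps the secret out of argv.
    cfg = derive_sor_settings(os.environ["CS_API_URL"])
    print("Hostname :", cfg["hostname"])
    print("Token URL:", cfg["token_url"])
    tok = request_token(cfg["token_url"], os.environ["CS_CLIENT_ID"],
                        os.environ["CS_CLIENT_SECRET"])
    # Report success without echoing the bearer token itself.
    print("Token issued:", bool(tok.get("access_token")))
```

An HTTP error from the token request means the Client ID, Secret or URL was copied incorrectly and should be fixed before saving the System of Record.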