Skip to main content

Integrate ISS Internal Security with CrowdStrike Falcon

Mark Glinski
  • Updated

In this article:

    A different CrowdStrike integration, available in Integrate360° Marketplace, enables you to enrich insights in the SecurityScorecard and CrowdStrike platform. To learn about that Marketplace option, see this article.

    Take the following integration steps to provide ISS Internal Security with necessary information to communicate with CrowdStrike Falcon. 

    When integrated, Internal Security extracts the following information from CrowdStrike:

    • Event streams
    • Hosts data
    • Incident data
    • Indicator of compromise (IOC) data
    • Data about threat actors in the environment

    Prepare for your integration

    Before configuring the integration, Install Internal Security from Integrate360°: Marketplace. See ISS Internal Security module for guidance. 

    The Internal Security integration requires the following configuration values:

    Setting Description
    Client ID One of a pair of tokens that authorizes a user to perform the GET request
    Secret token

    One of a pair of tokens that authorizes a user to perform the GET request
    Customer ID

    The identifier assigned by the product to the user permitted to perform the GET request
    Access URL Base URL of the API endpoint; example: https://api.us-2.crowdstrike.com/
    Note: Contact your internal Support or Engineering team if you are unable to provide the information required for this integration.

    Step 1: Add Internal Security to your allowlist

    To enable communication with Internal Security, add the IP address  54.88.49.59  to your allowlist.

    1. Log into your CrowdStrike Falcon account.
    2. From the Configuration tab, select IP Allowlist Management.

      iss-crowdstrike-configuration.png

    3. In IP allowlist management, click Create IP group.

      iss-crowdstrike-create-ipgroup.png
    4. Name the group and enter the IP address 54.88.49.59. Then click Create IP group.

      iss-crowdstrike-ip-group-details.png

      The new IP group appears in the list.

      iss-crowdstrike-ipgroup-created.png

    Step 2: Create an API access token

    1. Log into your CrowdStrike Falcon account.
    2. From the Support tab, select API Clients and Keys.

      iss-crowdstrike-support-api-keys.png

    3. In API Clients and Keys, click Add new API client above the table to the right.

      iss-crowdstrike-add-api-client.png

    4. In the new client form, name the new client, and add all available scopes with Read access. Then, click Add.

      iss-crowdstrike-add-scopes.png
      Note: While SecurityScorecard does not currently support all available scopes, we continue to add support on an ongoing basis.
    5. In the dialog that appears, copy the displayed values for use in the next step and then click DONE:
      • Client ID
      • Secret
      • Base URL

        iss-crowdstrike-new-client-details.png

    The new client appears in the table.

    iss-crowdstrike-all-clients.png

    Step 3: Add a CrowdStrike integration in Internal Security

    1. In your Scorecard header, click Internal Security Suite and then select Internal Security.

      iss-iss-cloud.png
    2. Click Add integrations.
    3. Select CrowdStrike Falcon from the drop-down list.
    4. Enter the required information from the preceding step. Then click Save Configuration.

      • The base URL for the API

      • Your CrowdStrike customer ID 

      • The client ID that you created

      • The secret token that you created

        iss-internal-crowdstrike-config.png

    Your new integration appears in a table on the Internal Security page. Start viewing your Internal Security score and findings within 24 hours.

    iss-internal-integrations-list.png

    Note: Internal Security starts to provide data within 24 hours for each new integration as it syncs with SecurityScorecard's scanning and scoring cycles. 

    Additional documentation and resources

    Related articles