This guide provides instructions to integrate CrowdStrike with Beyond Identity.
Contents
- How this integration works
- Requirements
- Step 1: Configure the CrowdStrike integration
- Step 2: Configure Beyond Identity
- Frequently asked questions
How this integration works
Beyond Identity ensures the Falcon agent is installed, running, and up-to-date at the time of authentication for all endpoints requesting access. At the point of authentication, Beyond Identity leverages Falcon ZTA device risk signals to inform and enhance access policies. While legacy MFA solutions authenticate only at login, Beyond Identity and CrowdStrike continuously monitor and enforce granular, risk-based access policies, establishing trust in the user and the device throughout a session. If a device falls out of compliance or the Falcon ZTA score drops below a threshold, Beyond Identity can automatically call on CrowdStrike to quarantine the offending device. Beyond Identity only uses phishing-resistant factors to ensure high assurance of user identity and device security for every authentication: local biometrics or PIN, device-bound passkeys, and device security posture checks.
The following steps describe the integration flow shown above.
- The end user initiates access, and IdP delegates to Beyond Identity phishing-resistant MFA.
- At the point of authentication, Beyond Identity ensures the user/device is authorized and the device posture meets security policy, including the presence of the CrowdStrike Falcon agent.
- By ingesting risk signals from CrowdStrike, Beyond Identity will authenticate only devices that meet policy, including exceeding a specified ZTA score.
- Phishing-resistant MFA is granted to authorized applications.
- Continuous validation of the device occurs, including CrowdStrike Falcon agent and risk signals to ensure the device continues to meet security policy.
- An automated quarantine action is sent when Beyond Identity’s continuous authentication detects a device out of compliance.
Requirements
Licensing Requirements
- CrowdStrike SKUs and Features required:
  - Falcon Insight XDR is required for compatibility with this integration. Falcon Insight XDR is an included component of the Enterprise, Elite, and Complete bundles.
  - Zero Trust Assessment (ZTA) feature
- Beyond Identity SKUs and Features required:
  - Included with Beyond Identity Secure Workforce (https://www.beyondidentity.com/products/secure-work)
Role/Access Requirements
- CrowdStrike Role/Access Requirements
  - Administrator role with the ability to create an API token
  - Token scope:
    - Hosts Read and Write: this permission is necessary to allow Beyond Identity to read information about the hosts within the CrowdStrike host directory, and allows Beyond Identity to take action against devices as configured in policy.
    - Zero Trust Assessment Read: this permission is necessary to allow Beyond Identity to read Zero Trust Assessment results.
- Beyond Identity Role/Access Requirements
  - Log in as a user with a minimum role of ‘Integrations Administrators’ for adding and configuring integrations and ‘Policy Administrators’ for configuring policy.
  - Valid API client key and client secret.
  - In addition, the CrowdStrike Falcon integration also requires the tenant base URL. Depending on your type of CrowdStrike account, you will use a specific endpoint to access the API. Use the relevant subdomain based upon where your account resides. These base URLs are:
    - US-1: "api.crowdstrike.com"
    - US-2: "api.us-2.crowdstrike.com"
    - US-GOV-1: "api.laggar.gcw.crowdstrike.com"
    - EU-1: "api.eu-1.crowdstrike.com"
OS support on Beyond Identity
- The CrowdStrike Falcon integration currently supports Windows and macOS.
Step 1: Configure the CrowdStrike integration
Contact CrowdStrike to enable the Zero Trust Assessment feature (and data.zta)
CrowdStrike Falcon Zero Trust Assessment (ZTA) is included with Falcon Insight. You will need to contact CrowdStrike Customer Support to have them enable ZTA.
- Contact support@crowdstrike.com and request that the following be enabled:
  - the CrowdStrike Falcon Zero Trust Assessment (ZTA) feature
  - the data.zta file on macOS
- Verify that ZTA is enabled and populating:
  - The ZTA scope will be unlocked in the API credentials dashboard.
  - Verify that the data.zta file has been populated at the following locations:
    - Windows: %ProgramData%\CrowdStrike\ZeroTrustAssessment
    - macOS: /Library/Application Support/Crowdstrike/ZeroTrustAssessment
IMPORTANT: If the data.zta file is empty, contact support@crowdstrike.com and request that they enable the data.zta file and the CrowdStrike Falcon Zero Trust Assessment (ZTA) feature.
Get the API credentials from CrowdStrike to configure in Beyond Identity
- Log into the Falcon UI and navigate to Support > API Clients and Keys. In the CrowdStrike API Clients and Keys screen, click Add new API client.
- In the Add new API client dialog, enter the following information:
  - Client Name: Beyond Identity
  - Description (optional)
- Apply a checkmark as follows:
  - Hosts Read and Write
  - Zero Trust Assessment Read
- Click Add.
- In the API client created dialog, copy the Client ID, Secret, and Base URL. These will be needed when you Configure Beyond Identity.
- Click Done.
- The Integration screen is updated to reflect that CrowdStrike Falcon is connected.
Step 2: Configure Beyond Identity
- Log into the Beyond Identity Admin console and select Integrations from the left menu.
- From the Integrations page, click Endpoint Management.
- Click the CrowdStrike Falcon Edit icon that appears when hovering to the right of the CrowdStrike row.
- In the Install Crowdstrike dialog, provide the following information obtained in Get the API credentials from CrowdStrike to configure in Beyond Identity:
  - Base URL
  - Client ID
  - Client Secret
- Click Save Changes.
CrowdStrike policy attributes
You can now create policies that allow or deny authentication. The attributes below are available by default. For more information about writing policies, see https://support.beyondidentity.com/hc/en-us/articles/9678921702295-How-to-define-policies
| Attribute | Source | Description |
|---|---|---|
| ZTA Score | CrowdStrike Host API | Checks the device's zero trust score. |
| Device Found | CrowdStrike Host API | Checks whether CrowdStrike is able to collect data on the device. |
| Connection is | CrowdStrike Host API | Checks whether the device is connected to CrowdStrike. |
Example policy using the Zero Trust Assessment Score attribute
- In the Beyond Identity Admin console, click Policy from the left menu.
- From the Policy page, select Edit Policy > Add Rule and configure a Zero Trust Assessment Score. See the following example:
- Click Add.
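As an added example that is not part of this article and is not Beyond Identity's or CrowdStrike's own code: a small Python helper that maps the region codes listed in the Requirements section to a base URL, obtains a bearer token with the API client created in Step 1, and evaluates a ZTA response against a minimum score the way the ZTA Score and Device Found attributes do (an unseen device or missing score is denied). The /oauth2/token and /zero-trust-assessment/entities/assessments/v1 paths and the response shape are assumptions taken from CrowdStrike's public API reference, and the sample response and AID are constructed placeholders.

```python
import json
import urllib.parse
import urllib.request

# Regional API hosts exactly as listed in the Requirements section.
BASE_HOSTS = {
    "US-1": "api.crowdstrike.com",
    "US-2": "api.us-2.crowdstrike.com",
    "US-GOV-1": "api.laggar.gcw.crowdstrike.com",
    "EU-1": "api.eu-1.crowdstrike.com",
}

# Constructed sample of a ZTA assessment response (assumed shape, not from the article).
SAMPLE_ASSESSMENT = {
    "resources": [{"aid": "0123456789abcdef0123456789abcdef",  # placeholder AID
                   "assessment": {"overall": 82, "os": 80, "sensor_config": 90}}]
}

def base_url(region: str) -> str:
    """Map a region code to its https base URL; anything else is rejected."""
    if region not in BASE_HOSTS:
        raise ValueError(f"unknown CrowdStrike region {region!r}; expected one of {sorted(BASE_HOSTS)}")
    return "https://" + BASE_HOSTS[region]

def get_token(base: str, client_id: str, client_secret: str) -> str:
    """Client-credentials grant (assumed path /oauth2/token); the client needs Hosts R/W + ZTA Read."""
    body = urllib.parse.urlencode({"client_id": client_id, "client_secret": client_secret}).encode()
    req = urllib.request.Request(base + "/oauth2/token", data=body, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["access_token"]

def fetch_assessment(base: str, token: str, aid: str) -> dict:
    """Fetch the ZTA assessment for one Agent ID (assumed path, see lead-in)."""
    query = urllib.parse.urlencode({"ids": aid})
    req = urllib.request.Request(f"{base}/zero-trust-assessment/entities/assessments/v1?{query}",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def evaluate(assessment: dict, min_score: int) -> dict:
    """Apply the Device Found and ZTA Score attributes: no device or no score means deny."""
    resources = assessment.get("resources") or []
    score = resources[0].get("assessment", {}).get("overall") if resources else None
    return {"device_found": bool(resources), "zta_score": score,
            "allow": score is not None and score >= min_score}
```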
Frequently asked questions
How are devices matched to the CrowdStrike Falcon device directory?
This integration uses the Agent ID (AID), a unique and device specific identifier created by CrowdStrike. We attempt to collect the Agent ID from both the data.zta file as well as from falconctl, preferring the former. We do not use the serial number to match devices to records.
Where can the data.zta file be found?
- Windows: %ProgramData%\CrowdStrike\ZeroTrustAssessment
- macOS: /Library/Application Support/Crowdstrike/ZeroTrustAssessment
What rate limits apply to this integration?
All requests to the CrowdStrike API are subject to a rate limit. The default rate limit for requests containing a valid bearer token is 6,000 requests per minute per customer account. Each request in your customer account removes one request from that pool, regardless of which API endpoint or API client is used for the request. The rate limit is calculated on a sliding window.