This guide provides instructions to integrate Beyond Identity with CrowdStrike.
How this integration works
Beyond Identity ensures the Falcon agent is installed, running, and up-to-date at the time of authentication for all endpoints requesting access. At the point of authentication, Beyond Identity leverages Falcon ZTA device risk signals to inform and enhance access policies. While legacy MFA solutions authenticate only at login, Beyond Identity and CrowdStrike continuously monitor and enforce granular, risk-based access policies, establishing trust in the user and the device throughout a session. If a device falls out of compliance or the Falcon ZTA score drops below a threshold, Beyond Identity can automatically call on CrowdStrike to quarantine the offending device. Beyond Identity only uses phishing-resistant factors to ensure high assurance of user identity and device security for every authentication: local biometrics or PIN, device-bound passkeys, and device security posture checks.
The following steps describe the integration flow shown above.
- The end user initiates access, and IdP delegates to Beyond Identity phishing-resistant MFA.
- At the point of authentication, Beyond Identity ensures the user/device is authorized and the device posture meets security policy, including the presence of the CrowdStrike Falcon agent.
- By ingesting risk signals from CrowdStrike, Beyond Identity will authenticate only devices that meet policy, including exceeding a specified ZTA score.
- Phishing-resistant MFA is granted to authorized applications.
- Continuous validation of the device occurs, including CrowdStrike Falcon agent and risk signals to ensure the device continues to meet security policy.
- An automated quarantine action is sent when Beyond Identity’s continuous authentication detects a device out of compliance.
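As an added illustration (not code from Beyond Identity or CrowdStrike), the following Python models the decision flow above: one evaluation at authentication, then re-evaluation on every new signal, with trust revoked and a quarantine hook called when a previously trusted device stops meeting policy. The threshold value, the minimum agent version standing in for "up-to-date", the 0 to 100 score scale and the `quarantine` callback are all assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

@dataclass
class DevicePosture:
    """Signals available to the policy engine (constructed shape, not a vendor API)."""
    device_id: str
    falcon_installed: bool
    falcon_running: bool
    falcon_version: str           # empty when the agent is not installed
    zta_score: Optional[int]      # Falcon ZTA score (0-100 assumed); None when no assessment exists

def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn '7.10.0' into (7, 10, 0) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))

class ContinuousPolicy:
    """Evaluate a device at login and on every later signal; quarantine devices that lose trust."""
    def __init__(self, min_zta_score: int, min_agent_version: str, quarantine: Callable[[str], None]):
        self.min_zta_score = min_zta_score          # assumed threshold; 'exceeding' means strictly greater
        self.min_agent_version = min_agent_version  # assumed definition of an 'up-to-date' agent
        self.quarantine = quarantine                # hook standing in for the CrowdStrike quarantine action
        self._trusted = set()                       # devices currently holding an authenticated session

    def evaluate(self, posture: DevicePosture) -> str:
        """Return 'allow', 'deny' or 'quarantine' for the given signals."""
        agent_ok = (posture.falcon_installed and posture.falcon_running
                    and version_tuple(posture.falcon_version) >= version_tuple(self.min_agent_version))
        score_ok = posture.zta_score is not None and posture.zta_score > self.min_zta_score
        if agent_ok and score_ok:
            self._trusted.add(posture.device_id)
            return "allow"
        if posture.device_id in self._trusted:
            # Trusted earlier in the session but now out of compliance: revoke and quarantine.
            self._trusted.discard(posture.device_id)
            self.quarantine(posture.device_id)
            return "quarantine"
        return "deny"  # never trusted: no session to revoke, simply refuse access

def demo() -> Tuple[list, list]:
    """Walk one constructed session: allow, a non-compliant device, then a mid-session score drop."""
    quarantined = []
    policy = ContinuousPolicy(min_zta_score=60, min_agent_version="7.0.0", quarantine=quarantined.append)
    decisions = [
        policy.evaluate(DevicePosture("laptop-01", True, True, "7.10.0", 85)),  # healthy: allow
        policy.evaluate(DevicePosture("laptop-02", False, False, "", None)),    # no Falcon agent: deny
        policy.evaluate(DevicePosture("laptop-01", True, True, "7.10.0", 40)),  # score dropped: quarantine
        policy.evaluate(DevicePosture("laptop-01", True, True, "7.10.0", 40)),  # still low, no session: deny
    ]
    return decisions, quarantined
```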
Prerequisites
Licensing Requirements
- CrowdStrike SKUs and features required:
  - Falcon Insight
  - Zero Trust Assessment (ZTA) feature
ZTA is included with Falcon Insight; customers just have to reach out to support@crowdstrike.com and request that the ZTA feature flag be enabled. Once it is enabled, the ZTA scope appears as unlocked in the API credentials dashboard. You can also check that the data.zta file has been populated at the following locations:
Windows: %ProgramData%\CrowdStrike\ZeroTrustAssessment
MacOS: /Library/Application Support/Crowdstrike/ZeroTrustAssessment
Role/Access Requirements
- CrowdStrike Role/Access Requirements
  - Administrator role with the ability to create an API token
  - Token scope:
    - Hosts Read and Write
    - Zero Trust Assessment Read
- Beyond Identity Role/Access Requirements
  - Log in as a user with a minimum role of ‘Integrations Administrators’ for adding and configuring integrations and ‘Policy Administrators’ for configuring policy.
Integrating CrowdStrike
Step 1. Get the API credentials from CrowdStrike to configure in Beyond Identity.
- Log in to the Falcon UI and navigate to Support > API Clients and Keys. In the CrowdStrike API Clients and Keys screen, click Add new API client.
- In the Add new API client dialog, enter the following information:
  - Client Name: Beyond Identity
  - Optional description.
- Apply a checkmark as follows:
  - Hosts Read and Write
  - Zero Trust Assessment Read
- Click Add.
- The API client created dialog is displayed containing the Client ID, Secret, and Base URL. Copy the CLIENT ID, SECRET, and BASE URL. These will be needed in Step 2 (Configure Beyond Identity).
- Click DONE.
- The Integration screen is updated to reflect that CrowdStrike Falcon is connected.
Step 2. Configure Beyond Identity
- Log in to the Beyond Identity Admin Console and select Integrations from the left menu.
- From the Integrations page, click ENDPOINT MANAGEMENT.
- Click the CrowdStrike Falcon Edit icon that appears when hovering to the right of the CrowdStrike row.
- In the Install CrowdStrike dialog, provide the following information obtained in Step 1:
  - Base Url
  - Client ID
  - Client Secret
- Click Save Changes.
Step 3. Write a policy using the Zero Trust Assessment Score attribute.
- Log in to the Beyond Identity Admin Console and select Policy from the left menu.
- From the Policy page, select Edit Policy > Add Rule and configure a Zero Trust Assessment Score. See the following example:
- Click Add.