Interpres Application - CrowdStrike Next-Gen SIEM

  • Type: SIEM/Data Lake
  • Vendor: CrowdStrike

The CrowdStrike Spotlight App returns hosts and vulnerabilities as seen by CrowdStrike.

Vendor setup

In the CrowdStrike console, go to Support and Resources, then API clients and keys.

  1. Click Create API client.
  2. For Client name, enter "Interpres".
  3. Add the scopes below with the "Read" permission:
       • Alerts
       • Correlation Rules
  4. Add the scope below with the "Read" and "Write" permissions:
       • NGSIEM
  5. Click Create.
  6. Copy the Client ID, Secret, and Base URL to Interpres. If setting up more than one CrowdStrike integration (e.g. CrowdStrike Falcon EDR and CrowdStrike Spotlight), do not click Done until you have used these credentials for both integrations.

App Configuration

App Parameters:

  • Base URL: the base URL for the API. This should be scheme + host only (no path), e.g. https://api.us-2.crowdstrike.com
  • Client ID: The API Client ID created
  • Client Secret: The API Secret created
  • Proxy: Proxy Settings. Example: 'https://proxy.example.com:8443'

App Validation

Check there is connectivity (green light) in the integration created.
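The connectivity check above is a green light in the Interpres UI. The following script is an added example (not Interpres or CrowdStrike code) of the same check done by hand with the four App Parameters: it normalizes the Base URL to scheme + host as the configuration section requires, validates the Proxy setting, and then performs the OAuth2 client-credentials request that the CrowdStrike API uses for API clients (POST to `/oauth2/token` with `client_id` and `client_secret` as form fields). The environment variable names and the `check_connectivity` helper are this example's own assumptions, and the secret is never written to the log line that is returned.

```python
"""Manual connectivity check for a CrowdStrike API client (added example)."""
import json
import os
import urllib.error
import urllib.parse
import urllib.request
from typing import Optional


def normalize_base_url(base_url: str) -> str:
    """Return 'https://host' only; reject non-https or anything carrying a path/query."""
    parsed = urllib.parse.urlsplit(base_url.strip())
    if parsed.scheme != "https":
        raise ValueError(f"Base URL must use https, got {parsed.scheme!r}")
    if not parsed.netloc:
        raise ValueError("Base URL has no host")
    if parsed.path not in ("", "/") or parsed.query or parsed.fragment:
        raise ValueError("Base URL must be scheme + host only, e.g. https://api.us-2.crowdstrike.com")
    return f"{parsed.scheme}://{parsed.netloc}"


def validate_proxy(proxy: Optional[str]) -> Optional[str]:
    """Accept an empty proxy or one shaped like https://proxy.example.com:8443."""
    if not proxy:
        return None
    parsed = urllib.parse.urlsplit(proxy.strip())
    if parsed.scheme not in ("http", "https") or not parsed.hostname or not parsed.port:
        raise ValueError("Proxy must be scheme://host:port, e.g. https://proxy.example.com:8443")
    return f"{parsed.scheme}://{parsed.netloc}"


def build_token_request(base_url: str, client_id: str, client_secret: str) -> urllib.request.Request:
    """Build the OAuth2 client-credentials request (POST /oauth2/token, form-encoded body)."""
    body = urllib.parse.urlencode({"client_id": client_id, "client_secret": client_secret}).encode()
    return urllib.request.Request(
        normalize_base_url(base_url) + "/oauth2/token",
        data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"},
        method="POST",
    )


def parse_token_response(payload: bytes) -> dict:
    """Reduce the token JSON to a log-safe summary: never return the bearer token itself."""
    data = json.loads(payload)
    token = data.get("access_token")
    if not token:
        raise RuntimeError("Token response carried no access_token")
    return {
        "token_type": data.get("token_type"),
        "expires_in": data.get("expires_in"),
        "token_prefix": token[:4] + "...",  # enough to correlate, not enough to reuse
    }


def check_connectivity(base_url: str, client_id: str, client_secret: str, proxy: Optional[str] = None) -> dict:
    """Perform the token request through the optional proxy and summarize the outcome."""
    handlers = []
    proxy_url = validate_proxy(proxy)
    if proxy_url:
        handlers.append(urllib.request.ProxyHandler({"https": proxy_url}))
    opener = urllib.request.build_opener(*handlers)
    request = build_token_request(base_url, client_id, client_secret)
    try:
        with opener.open(request, timeout=15) as resp:
            return {"ok": True, **parse_token_response(resp.read())}
    except urllib.error.HTTPError as exc:
        # 401/403 here almost always means a wrong secret or a client missing the scopes listed above.
        return {"ok": False, "status": exc.code, "reason": exc.reason}
    except urllib.error.URLError as exc:
        # DNS, TLS or proxy failure: the Base URL region or the Proxy setting is the usual cause.
        return {"ok": False, "status": None, "reason": str(exc.reason)}


if __name__ == "__main__":
    # Assumed environment variable names; they are not part of the Interpres app.
    result = check_connectivity(
        os.environ["CS_BASE_URL"],
        os.environ["CS_CLIENT_ID"],
        os.environ["CS_CLIENT_SECRET"],
        os.environ.get("CS_PROXY"),
    )
    print(json.dumps(result))
```

A green result corresponds to `"ok": true`; a 401 or 403 points at the Client ID/Secret pair or at a client created without the scopes from the vendor setup section, while a URLError points at the Base URL region or the proxy.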

Implemented Actions

  • Get Alerts: Returns a list of alerts.
  • Get Available Telemetry: Queries Next-Gen SIEM to get the telemetry.
  • Get Detections: Gets a list of correlation rules.