This article is intended to serve as a reference guide on setting up CrowdStrike Falcon to monitor the confirmed compromise incidents found by Lumu in your infrastructure.
Out-of-the-box Integrations are part of Lumu Defender. This tier was built to help organizations orchestrate and automate defense against confirmed compromise instances. To know more about our Illumination options, visit our site.
The first step is to define a CrowdStrike API client. For this, you must have admin access to CrowdStrike’s Falcon Platform.
1. Once logged into the CrowdStrike Falcon platform, use the hamburger button at the top left side of the screen and navigate to Support and resources > API Clients and Keys.
2. On the API clients and keys window, click the Create API client button. Within the Create API client window, provide a descriptive name and select the appropriate API scopes. For the Lumu configuration, mark both Read and Write for the IOC Management and the IOCs (Indicators of Compromise) scopes.
The remaining steps are performed in the Lumu Portal.
1. Log in to your Lumu account through the Lumu Portal and navigate to the integrations screen.
2. Locate the CrowdStrike Falcon integration in the available apps area and click to add. Then click to view details.
3. Familiarize yourself with the integration details available in the app description and click the button below to activate the integration.
4. To generate the integration URL, add a description and select the threat types you want to include in the list. You may define a custom severity per threat type.
5. Enter the credentials of the API client you created in step 2 of the CrowdStrike setup to proceed with the creation of automatic lists.
Once you create an integration, it will be shown in the portal as in the following example:
The ‘lumu’ custom tag will be added to uploaded IOCs to identify them as pushed by Lumu. Deleting an integration will cause the purging of all custom IOCs pushed by Lumu. This action cannot be undone. To reintegrate, you will have to generate a new CrowdStrike integration.
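Because deleting the integration purges every Lumu-pushed IOC irreversibly, an analyst will want to see what is about to be lost and whether the per-threat-type severities look as configured. The following is an added Python example, not Lumu's or CrowdStrike's own code; it assumes indicator records shaped like the objects CrowdStrike's IOC Management API returns (id, type, value, tags, severity, action) and that the selected threat types appear as extra tags beside 'lumu', and the sample records are constructed inline.

```python
"""Offline audit of the custom IOCs that Lumu pushes into CrowdStrike Falcon.

Added example, not Lumu's or CrowdStrike's own code. Record shape is an
assumption modelled on CrowdStrike IOC Management indicator objects; the
assumption that threat types appear as extra tags is also ours.
"""
from collections import defaultdict

LUMU_TAG = "lumu"  # tag the integration adds to every IOC it pushes

# Constructed sample of custom IOCs; values use documentation/reserved ranges.
SAMPLE_IOCS = [
    {"id": "ioc-1", "type": "domain", "value": "c2.example.invalid",
     "tags": ["lumu", "Malware"], "severity": "high", "action": "detect"},
    {"id": "ioc-2", "type": "ipv4", "value": "203.0.113.10",
     "tags": ["lumu", "Phishing"], "severity": "medium", "action": "detect"},
    {"id": "ioc-3", "type": "sha256", "value": "00" * 32,
     "tags": ["soc-manual"], "severity": "critical", "action": "prevent"},
    {"id": "ioc-4", "type": "domain", "value": "beacon.example.invalid",
     "tags": ["lumu", "Malware"], "severity": "low", "action": "detect"},
]


def lumu_iocs(iocs):
    """IOCs the integration owns: those carrying the 'lumu' tag."""
    return [i for i in iocs if LUMU_TAG in i.get("tags", [])]


def purge_preview(iocs):
    """IDs that deleting the integration would purge (cannot be undone)."""
    return sorted(i["id"] for i in lumu_iocs(iocs))


def severity_by_threat_type(iocs):
    """Map each threat-type tag to the sorted severities seen on Lumu IOCs.
    The integration assigns one severity per threat type, so more than one
    entry points to a hand-edited IOC or a changed integration setting."""
    seen = defaultdict(set)
    for ioc in lumu_iocs(iocs):
        for tag in ioc["tags"]:
            if tag != LUMU_TAG:
                seen[tag].add(ioc["severity"])
    return {t: sorted(s) for t, s in seen.items()}


def inconsistent_threat_types(iocs):
    """Threat types whose Lumu IOCs do not all share one severity."""
    return sorted(t for t, s in severity_by_threat_type(iocs).items() if len(s) > 1)
```

Run the functions against an export of your custom IOC list before removing the integration; anything listed by purge_preview will be gone afterwards.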