CrowdStrike Falcon Out-of-the-box Response Integration

To learn more about Out-of-the-box Integrations and their benefits, please refer to this article.

This article is intended to serve as a reference guide on setting up CrowdStrike Falcon to monitor the confirmed compromise incidents found by Lumu in your infrastructure.

Requirements

  • CrowdStrike’s Falcon platform (Falcon Insight or Falcon Prevent) with API administrator access
  • A Lumu Defender subscription.

Out-of-the-box Integrations are part of Lumu Defender. This tier was built to help organizations orchestrate and automate defense against confirmed compromise instances. To know more about our Illumination options, visit our site.

Set Up CrowdStrike

The first step is to define a CrowdStrike API client. For this, you must have admin access to CrowdStrike’s Falcon Platform.

1. Once logged into the CrowdStrike Falcon platform, use the hamburger button at the top left side of the screen and navigate to Support and resources > API Clients and Keys.


2. On the API clients and keys window, click the Create API client button. Within the Create API client window, provide a descriptive name and select the appropriate API scopes. For the Lumu configuration, mark the Read and Write options for the IOC Management and the IOCs (Indicators of Compromise) scopes.



Once the new API client is added, you will have access to the information needed for the next step in the Lumu Portal.

Make sure to save the API secret: according to the CrowdStrike documentation, the secret is shown only once, when a new API client is created, and should be stored in a secure place. If the client secret is lost, a reset must be performed and a new Lumu integration must be created with the new credentials.

It is recommended to create one API client per integration to avoid throttling issues with CrowdStrike. Using the same credential for many integrations might cause CrowdStrike to limit the number of API requests that can be made in a certain period.

Add Integration

1. Log in to your Lumu account through the Lumu Portal and navigate to the integrations screen. 

2. Locate the CrowdStrike Falcon integration in the available apps area and click to add. Then click to view details.


3. Familiarize yourself with the integration details available in the app description and click the button below to activate the integration.

4. To generate the integration URL, add a description and select the threat types you want to include in the list. You may define a custom severity per threat type.



5. Enter the information provided by your CrowdStrike account (step 2) to proceed with the creation of automatic lists.

Once you create an integration, it will be shown in the portal as in the following example:

New incidents detected by Lumu will be added to your CrowdStrike IOC list with the retrodetections parameter, meaning your CrowdStrike Falcon Cloud also looks for events involving the created IOC that occurred before the upload date. This allows detecting adversarial contacts that took place before integrating Lumu with CrowdStrike.

The ‘lumu’ custom tag will be added to uploaded IOCs to identify them as pushed by Lumu. Deleting an integration will cause the purging of all custom IOCs pushed by Lumu. This action cannot be undone. To reintegrate, you will have to generate a new CrowdStrike integration.
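Because deleting the integration purges every IOC carrying the 'lumu' tag and cannot be undone, an analyst may want to audit and back up those indicators first. The following added example (not Lumu's or CrowdStrike's own code) filters a CrowdStrike IOC listing by the 'lumu' tag, summarizes it per type and severity, and exports it; the sample response and its field names (type, value, severity, tags) are constructed assumptions, not taken from this article.

```python
import json
from collections import Counter

# Constructed sample shaped like an IOC listing response (field names are an
# assumption): only indicators tagged 'lumu' were pushed by the integration.
SAMPLE_IOC_RESPONSE = json.dumps({
    "resources": [
        {"type": "domain", "value": "c2.example.invalid", "severity": "high",
         "tags": ["lumu", "Malware"]},
        {"type": "ipv4", "value": "203.0.113.7", "severity": "medium",
         "tags": ["lumu"]},
        {"type": "sha256", "value": "0" * 64, "severity": "low",
         "tags": ["manual-upload"]},
    ]
})


def lumu_iocs(response_json, tag="lumu"):
    """Return only the indicators carrying the Lumu custom tag."""
    data = json.loads(response_json)
    return [ioc for ioc in data.get("resources", []) if tag in ioc.get("tags", [])]


def summarize(iocs):
    """Count Lumu-pushed indicators per (type, severity) so the custom
    severities chosen per threat type in step 4 can be confirmed."""
    return Counter((ioc["type"], ioc["severity"]) for ioc in iocs)


def export_before_delete(response_json, path):
    """Write the Lumu-tagged IOCs to a JSON file and return how many were
    saved; run this before deleting the integration, since the purge in
    Falcon is irreversible."""
    iocs = lumu_iocs(response_json)
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(iocs, fh, indent=2)
    return len(iocs)


if __name__ == "__main__":
    kept = lumu_iocs(SAMPLE_IOC_RESPONSE)
    print(summarize(kept))
    print(export_before_delete(SAMPLE_IOC_RESPONSE, "lumu_iocs_backup.json"))
```

Feed the function a real listing obtained from the IOC endpoint with a filter on the 'lumu' tag to audit what the integration actually pushed.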
