Rumble Enterprise integrates with CrowdStrike by importing data through the CrowdStrike Falcon API. This integration allows you to sync and enrich your asset inventory. Adding your CrowdStrike data to Rumble makes it easier to find things like endpoints that are missing an EDR agent.
This integration will import all hosts reported by Falcon into Rumble, setting the CrowdStrike-specific attributes, and updating asset-level attributes including the operating system, hardware platform, hostname, and MAC address. Please note that any IP address reported by Falcon will be treated as a secondary address, not a primary address, since these IPs can be stale and may not be associated with a specific network or site. Rumble is able to merge existing assets with Falcon data when the MAC address or hostname overlaps. Falcon devices can also be manually merged into Rumble assets using the Merge button on the Asset Inventory screen.
To set up the CrowdStrike integration, you’ll need to:
- Configure CrowdStrike to allow API access through Rumble.
- Add the CrowdStrike credentials, which will include the client ID and client secret, and CrowdStrike base API URL in Rumble.
- Activate the CrowdStrike connection to sync your data with Rumble.
Before you can set up the CrowdStrike integration:
- Verify that you have Rumble Enterprise.
- Make sure you have access to the CrowdStrike admin portal.
Step 1: Configure CrowdStrike to allow API access to Rumble
- Log in to CrowdStrike.
- Go to Support > API Clients and Keys. When the API Key page appears, choose to add a new API client.
- Provide the following details for the API client:
- Client name - API client name, such as Rumble.
- API scope - Read permissions for Hosts and Host Groups.
- When you are done, add the client. An API client created window appears and shows you the client ID and client secret. You’ll need them to configure the integration in Rumble.
- Copy the client ID and client secret now. You may not be able to get them later.
Step 2: Add the CrowdStrike credentials to Rumble
- Go to the Credentials page in Rumble.
Provide a name for the credentials, like
- Choose CrowdStrike Falcon API key from the list of credential types.
- Provide the following information:
- CrowdStrike client ID and CrowdStrike client secret - To generate your client ID and client secret, go to Support > API Clients and Keys > OAuth2 API clients > Add new API Client in your CrowdStrike portal.
- CrowdStrike API URL - Your organization-specific base URL, which will depend on your account type. It will be something like
- If you want other organizations to be able to use these credentials, select the
Make this a global credentialoption. Otherwise, you can configure access on a per organization basis.
- Save the credentials. You’re now ready to set up and activate the connection to bring in data from CrowdStrike.
Step 3: Set up and activate the CrowdStrike connection to sync data
After you add your CrowdStrike credentials, you’ll need to set up a connection to sync your data from Crowdstrike. A connection requires you to set a schedule and choose a site. The schedule determines when the sync occurs, and the site determines where the data is organized.
- Activate a connection to CrowdStrike. You can access all available third-party connections from your inventory or tasks page.
- Choose the credentials you added earlier. If you don’t see the credentials listed, make sure the credentials have access to the organization you are currently in.
- Enter a name for the task, like
- Schedule the sync. A sync can be set to run on a recurring schedule or run once. The schedule will start on the date and time you have set.
- Under Task configuration, choose the site you want to add your assets to. All newly discovered assets will be stored in this site.
- Activate the connection when you are done. The sync will run on the defined schedule. You can always check the Scheduled tasks to see when the next sync will occur.
Step 4: View CrowdStrike assets
After a successful sync, you can go to your inventory to view your CrowdStrike assets. These assets will have a CrowdStrike icon listed in the Source column.
To filter by CrowdStrike assets, consider running the following queries:
- View all CrowdStrike assets:
- Find assets that have a CrowdStrike EDR agent installed:
- Find Windows assets, excluding servers, that are missing a CrowdStrike EDR agent:
os:windows and not type:server and not edr.name:CrowdStrike
Click into each asset to see its individual attributes. Rumble will show you the attributes returned by the CrowdStrike API, with the exception of policies.
Rumble will enrich your assets with the following attributes, if the information is available:
bios_manufacturer bios_version build_number cid config_id_base config_id_build config_id_platform detection_suppression_status device_id email external_ip first_login_timestamp first_login_user first_seen group_hash groups host_hidden_status hostname instance_id last_login_timestamp last_login_user last_seen local_ip mac_address machine_domain meta.version modified_timestamp notes os_version ou platform_id platform_name pointer_size product_type product_type_desc provision_status reduced_functionality_mode serial_number service_pack_major service_pack_minor service_provider service_provider_account_id site_name slow_changing_modified_timestamp status system_manufacturer system_product_name tags