CrowdStrike Falcon

Rumble Enterprise integrates with CrowdStrike by importing data through the CrowdStrike Falcon API. This integration allows you to sync and enrich your asset inventory. Adding your CrowdStrike data to Rumble makes it easier to find things like endpoints that are missing an EDR agent.

This integration will import all hosts reported by Falcon into Rumble, setting the CrowdStrike-specific attributes, and updating asset-level attributes including the operating system, hardware platform, hostname, and MAC address. Please note that any IP address reported by Falcon will be treated as a secondary address, not a primary address, since these IPs can be stale and may not be associated with a specific network or site. Rumble is able to merge existing assets with Falcon data when the MAC address or hostname overlaps. Falcon devices can also be manually merged into Rumble assets using the Merge button on the Asset Inventory screen.
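The merge rules described above (match on MAC address or hostname, keep Falcon-reported IPs as secondary addresses, copy CrowdStrike-specific attributes onto the asset, and surface endpoints that have no Falcon record) can be illustrated with a small Python model. This is an added example, not Rumble's own code or the Falcon API client; the `crowdstrike.` attribute prefix, the `Asset` structure, the normalisation rules and all sample records are assumptions constructed for the illustration, and the Falcon field names used are taken from the attribute list on this page.

```python
import copy
from dataclasses import dataclass, field

# Falcon host fields (from the attribute list on this page) that this example
# copies onto the matched asset as CrowdStrike-specific attributes.
FALCON_ATTRIBUTE_KEYS = (
    "device_id", "cid", "platform_name", "os_version", "last_seen",
    "status", "groups", "serial_number", "system_manufacturer",
    "system_product_name",
)


@dataclass
class Asset:
    """Minimal inventory asset (assumed structure, not Rumble's schema)."""
    hostname: str
    macs: set = field(default_factory=set)          # normalised, lower-case
    primary_ips: set = field(default_factory=set)   # owned by the scan/site
    secondary_ips: set = field(default_factory=set) # possibly stale, no site
    attributes: dict = field(default_factory=dict)
    sources: set = field(default_factory=set)       # e.g. {"rumble", "crowdstrike"}
    os: str = ""


def normalize_mac(mac: str) -> str:
    """Lower-case colon-separated form so 'AA-BB-..' and 'aa:bb:..' compare equal."""
    return mac.strip().lower().replace("-", ":")


def normalize_hostname(name: str) -> str:
    """Compare the short host label case-insensitively (FQDN vs. bare name)."""
    return name.strip().split(".")[0].lower()


def find_matching_asset(inventory, record):
    """Return the existing asset whose MAC or hostname overlaps the Falcon record."""
    mac = normalize_mac(record.get("mac_address", ""))
    if mac:
        for asset in inventory:
            if mac in asset.macs:
                return asset
    name = normalize_hostname(record.get("hostname", ""))
    if name:
        for asset in inventory:
            if normalize_hostname(asset.hostname) == name:
                return asset
    return None


def merge_falcon_hosts(inventory, falcon_hosts, prefix="crowdstrike."):
    """Merge Falcon host records into the inventory following the page's rules."""
    for record in falcon_hosts:
        asset = find_matching_asset(inventory, record)
        if asset is None:
            # No overlap: the Falcon host becomes a new asset.
            asset = Asset(hostname=record.get("hostname", ""))
            inventory.append(asset)
        asset.sources.add("crowdstrike")
        mac = normalize_mac(record.get("mac_address", ""))
        if mac:
            asset.macs.add(mac)
        # Falcon IPs are always secondary: they may be stale and tied to no site.
        for key in ("local_ip", "external_ip"):
            if record.get(key):
                asset.secondary_ips.add(record[key])
        if record.get("os_version"):
            asset.os = record["os_version"]
        for key in FALCON_ATTRIBUTE_KEYS:
            if key in record:
                asset.attributes[prefix + key] = record[key]
    return inventory


def assets_missing_edr(inventory):
    """Hostnames of assets that no Falcon record matched (no EDR agent seen)."""
    return sorted(a.hostname for a in inventory if "crowdstrike" not in a.sources)


# Constructed sample data: three scanned assets and three Falcon host records.
SAMPLE_INVENTORY = [
    Asset("ws-01", macs={"aa:bb:cc:dd:ee:01"}, primary_ips={"10.1.1.10"}, sources={"rumble"}),
    Asset("srv-db", macs={"aa:bb:cc:dd:ee:02"}, primary_ips={"10.1.1.20"}, sources={"rumble"}),
    Asset("printer-3", macs={"aa:bb:cc:dd:ee:03"}, primary_ips={"10.1.1.30"}, sources={"rumble"}),
]
SAMPLE_FALCON_HOSTS = [
    # Matches ws-01 by MAC despite FQDN and dash-separated MAC formatting.
    {"device_id": "cs-dev-0001", "hostname": "WS-01.corp.example",
     "mac_address": "AA-BB-CC-DD-EE-01", "local_ip": "10.1.1.10",
     "external_ip": "203.0.113.7", "os_version": "Windows 10",
     "platform_name": "Windows", "status": "normal"},
    # No MAC reported; matches srv-db by hostname. Its IP is stale.
    {"device_id": "cs-dev-0002", "hostname": "srv-db", "mac_address": "",
     "local_ip": "10.1.1.99", "os_version": "RHEL 8.6", "platform_name": "Linux"},
    # Unknown to the scanner: becomes a new asset.
    {"device_id": "cs-dev-0003", "hostname": "laptop-7",
     "mac_address": "aa:bb:cc:dd:ee:07", "local_ip": "192.168.5.4",
     "os_version": "macOS 12", "platform_name": "Mac"},
]


def run_example():
    """Merge the sample records into a copy of the sample inventory."""
    return merge_falcon_hosts(copy.deepcopy(SAMPLE_INVENTORY), SAMPLE_FALCON_HOSTS)


if __name__ == "__main__":
    merged = run_example()
    for a in merged:
        print(a.hostname, sorted(a.sources), sorted(a.primary_ips), sorted(a.secondary_ips))
    print("missing EDR:", assets_missing_edr(merged))
```

Note that `srv-db` keeps `10.1.1.20` as its primary address even though Falcon reports `10.1.1.99`: the Falcon address is recorded only as a secondary one, which is exactly why a stale agent-reported IP cannot silently reassign an asset to another network. The `assets_missing_edr` result (`printer-3`) is the "missing EDR agent" finding the integration is meant to make easy.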

Getting Started

To set up the CrowdStrike integration, you’ll need to:

  1. Configure CrowdStrike to allow API access through Rumble.
  2. Add the CrowdStrike credentials (client ID, client secret, and CrowdStrike base API URL) to Rumble.
  3. Activate the CrowdStrike connection to sync your data with Rumble.

Requirements

Before you can set up the CrowdStrike integration:

  • Verify that you have Rumble Enterprise.
  • Make sure you have access to the CrowdStrike admin portal.

Step 1: Configure CrowdStrike to allow API access to Rumble

  1. Log in to CrowdStrike.
  2. Go to Support > API Clients and Keys. When the API Key page appears, choose to add a new API client.
  3. Provide the following details for the API client:
    • Client name - API client name, such as Rumble.
    • API scope - Read permissions for Hosts and Host Groups.
  4. When you are done, add the client. An API client created window appears and shows you the client ID and client secret. You’ll need them to configure the integration in Rumble.
  5. Copy the client ID and client secret now. You may not be able to get them later.

Step 2: Add the CrowdStrike credentials to Rumble

  1. Go to the Credentials page in Rumble. Provide a name for the credentials, like CrowdStrike Falcon.
  2. Choose CrowdStrike Falcon API key from the list of credential types.
  3. Provide the following information:
    • CrowdStrike client ID and CrowdStrike client secret - To generate your client ID and client secret, go to Support > API Clients and Keys > OAuth2 API clients > Add new API Client in your CrowdStrike portal.
    • CrowdStrike API URL - Your organization-specific base URL, which will depend on your account type. It will be something like api.crowdstrike.com.
  4. If you want other organizations to be able to use these credentials, select the Make this a global credential option. Otherwise, you can configure access on a per organization basis.
  5. Save the credentials. You’re now ready to set up and activate the connection to bring in data from CrowdStrike.

Step 3: Set up and activate the CrowdStrike connection to sync data

After you add your CrowdStrike credentials, you’ll need to set up a connection to sync your data from CrowdStrike. A connection requires you to set a schedule and choose a site. The schedule determines when the sync occurs, and the site determines where the data is organized.

  1. Activate a connection to CrowdStrike. You can access all available third-party connections from your inventory or tasks page.
  2. Choose the credentials you added earlier. If you don’t see the credentials listed, make sure the credentials have access to the organization you are currently in.
  3. Enter a name for the task, like CrowdStrike sync.
  4. Schedule the sync. A sync can be set to run on a recurring schedule or run once. The schedule will start on the date and time you have set.
  5. Under Task configuration, choose the site you want to add your assets to. All newly discovered assets will be stored in this site.
  6. Activate the connection when you are done. The sync will run on the defined schedule. You can always check the Scheduled tasks to see when the next sync will occur.

Step 4: View CrowdStrike assets

After a successful sync, you can go to your inventory to view your CrowdStrike assets. These assets will have a CrowdStrike icon listed in the Source column.

To filter by CrowdStrike assets, consider running the following queries:

Click into each asset to see its individual attributes. Rumble will show you the attributes returned by the CrowdStrike API, with the exception of policies.

CrowdStrike attributes

Rumble will enrich your assets with the following attributes, if the information is available:

  • bios_manufacturer
  • bios_version
  • build_number
  • cid
  • config_id_base
  • config_id_build
  • config_id_platform
  • detection_suppression_status
  • device_id
  • email
  • external_ip
  • first_login_timestamp
  • first_login_user
  • first_seen
  • group_hash
  • groups
  • host_hidden_status
  • hostname
  • instance_id
  • last_login_timestamp
  • last_login_user
  • last_seen
  • local_ip
  • mac_address
  • machine_domain
  • meta.version
  • modified_timestamp
  • notes
  • os_version
  • ou
  • platform_id
  • platform_name
  • pointer_size
  • product_type
  • product_type_desc
  • provision_status
  • reduced_functionality_mode
  • serial_number
  • service_pack_major
  • service_pack_minor
  • service_provider
  • service_provider_account_id
  • site_name
  • slow_changing_modified_timestamp
  • status
  • system_manufacturer
  • system_product_name
  • tags