The CrowdStrike connector lets you use CrowdStrike to improve authentication security in your PingOne DaVinci flow.
CrowdStrike protects the people, processes and technologies that drive the modern enterprise. It is a single-agent solution to stop breaches, ransomware, and cyber attacks, powered by world-class security expertise and deep industry experience.
You can use the CrowdStrike connector to:
- Check whether an IP address is associated with a managed device in CrowdStrike
- Get a list of CrowdStrike devices associated with a username or IP address
- Get a list of CrowdStrike incidents associated with a username or IP address
- Get the maximum CrowdStrike incident score across multiple incidents
- Get the CrowdStrike Zero Trust Assessment scores for a managed device
- Get the CrowdScore from a single environment
- Quarantine a managed device
- Lift the quarantine on a managed device
Setup
Resources
For information and setup help, see the following documentation:
- CrowdStrike documentation
- DaVinci documentation
Requirements
To use the connector, you'll need:
- A CrowdStrike license
Setting up CrowdStrike
Follow the steps in Creating an API client.
- Select the following API scopes:
Scope: Permissions
- Hosts: Read, Write
- Falcon Discover: Read
- Incidents: Read
- Zero Trust Assessment: Read
The Write permission on Hosts is needed only for the Set Containment on Devices and Lift Containment on Devices capabilities. If your flow never quarantines devices, grant Hosts: Read only, so that a leaked connector credential cannot be used to isolate or release hosts.
- Record your client ID and secret. You'll use them in the connector configuration. The secret is shown only when the API client is created, so store it in a secrets manager at that point; if it is lost, create a new client secret.
Setting up the CrowdStrike connector configuration
In DaVinci, add a CrowdStrike connection. For help, see Adding a connection.
Connector configuration
CrowdStrike Base URL: the Falcon API base URL for your CrowdStrike cloud region (for example, https://api.crowdstrike.com for US-1). The base URL must match the region of the API client, or token requests will fail.
Client ID: the client ID of the API client you created.
Client Secret: the client secret of the API client you created. DaVinci stores this value as part of the connection; do not paste it into flow variables or logs.
Using the connector in a flow
Getting device details
The Get Device Details capability allows you to get detailed information about one or more devices.
In the Device IDs field, click {} and select the deviceIds variable from a Get Devices from Logins node.
Quarantining devices
You can quarantine a device by applying CrowdStrike Network Containment to the device ID with the Set Containment on Devices capability. Containment cuts the host off from the network except for communication with the Falcon cloud, so place this capability only on flow branches where the risk signals justify it.
When you determine a device is safe, you can remove the quarantine with the Lift Containment on Devices capability.
In the Device IDs field, click {} and select the deviceIds variable from a Get Devices from Logins node.
Getting incident scores
The Get Incident Scores capability returns the maximum score across one or more CrowdStrike incidents, so a single high-severity incident is enough to drive the flow's decision.
In the Incident IDs field, click {} and select the incidentIds variable from a Get Incidents from Logins node.
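The flow described above collects several CrowdStrike signals for a login (management status, device IDs, Zero Trust Assessment scores, maximum incident score) and then has to branch on them: allow, step up to MFA, or deny and contain the device. The following decision logic is an added example, not code from the PingOne or CrowdStrike documentation. Connector node outputs are modelled as plain Python values; the field names, the 0 to 100 score scales, the thresholds in Policy, and the already_contained field are assumptions for illustration and should be set from your own tenant's data.

```python
"""Decision logic for a DaVinci login flow that consumes CrowdStrike connector
outputs. Added example, not code from the PingOne or CrowdStrike documentation.
Node outputs are modelled as plain Python values; field names, score scales
(assumed 0-100 for both ZTA and incident scores) and thresholds are assumptions.
"""
from dataclasses import dataclass, field

ALLOW, STEP_UP, DENY = "allow", "step_up", "deny"


@dataclass
class Signals:
    """What the flow has collected before the decision node."""
    managed: bool                    # Check Device Management Status (by login IP)
    device_ids: list                 # Get Devices from Logins -> deviceIds
    zta_scores: dict                 # Get Zero Trust Assessment Scores, keyed by device ID
    max_incident_score: float        # Get Incident Scores (maximum over incidentIds)
    already_contained: set = field(default_factory=set)  # assumed field from Get Device Details


@dataclass
class Policy:
    min_zta: int = 60                # below this the device posture is not trusted
    contain_at: float = 80.0         # incident score that triggers containment
    step_up_at: float = 40.0         # incident score that triggers MFA


@dataclass
class Decision:
    action: str
    contain_ids: list = field(default_factory=list)  # feed to Set Containment on Devices


def decide(s: Signals, p: Policy = Policy()) -> Decision:
    # Unmanaged or unknown device: there is no sensor telemetry, so ZTA and
    # incident data cannot clear it. Fail closed to step-up rather than allow.
    if not s.managed or not s.device_ids:
        return Decision(STEP_UP)

    # A device already under network containment should not be logging in at all,
    # and re-issuing containment for it is pointless.
    if any(d in s.already_contained for d in s.device_ids):
        return Decision(DENY)

    # An active high-severity incident: deny and contain every device tied to
    # this login, not just one of them.
    if s.max_incident_score >= p.contain_at:
        return Decision(DENY, contain_ids=list(s.device_ids))

    # A missing ZTA score counts as 0 so an unassessed device cannot pass silently.
    worst_zta = min(s.zta_scores.get(d, 0) for d in s.device_ids)
    if worst_zta < p.min_zta or s.max_incident_score >= p.step_up_at:
        return Decision(STEP_UP)

    return Decision(ALLOW)


# Constructed sample signals (not real CrowdStrike data).
SAMPLES = {
    "healthy":   Signals(True, ["dev-a"], {"dev-a": 85}, 10.0),
    "unmanaged": Signals(False, [], {}, 0.0),
    "low_zta":   Signals(True, ["dev-a", "dev-b"], {"dev-a": 85, "dev-b": 40}, 10.0),
    "incident":  Signals(True, ["dev-a"], {"dev-a": 90}, 95.0),
    "contained": Signals(True, ["dev-a"], {"dev-a": 90}, 0.0, {"dev-a"}),
}


def evaluate_samples(policy: Policy = Policy()) -> dict:
    """Run every constructed sample through the policy; used by the demo and tests."""
    return {name: decide(sig, policy) for name, sig in SAMPLES.items()}


if __name__ == "__main__":
    for name, d in evaluate_samples().items():
        print(f"{name:10} -> {d.action:8} contain={d.contain_ids}")
```

In a DaVinci flow the same structure maps onto a branch node after the CrowdStrike capability nodes: the contain_ids list is what you would pass to the Device IDs field of Set Containment on Devices, and the fail-closed handling of unmanaged or unassessed devices is the part most often missed when the flow is built purely from the happy path.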
Capabilities
- Check Device Management Status: Use an IP address to check whether a device is managed by CrowdStrike.
- Get Devices from Logins: Get a list of device IDs from CrowdStrike Logins that match a username, email address, or IP address.
- Get Device Details: Get device details from a list of device IDs.
- Get Incidents by IP: Use an IP address to get a list of incidents associated with the device.
- Get Incidents from Logins: Get a list of incidents from CrowdStrike Logins that match a username, email address, or IP address.
- Get Incident Scores: Get the maximum incident score from a list of incident IDs.
- Get Zero Trust Assessment Scores from Devices: Use a list of device IDs to get the most recent Zero Trust Assessment scores.
- Get Environment CrowdScore: Get the most recent CrowdScore for the CrowdStrike environment.
- Set Containment on Devices: Apply CrowdStrike Network Containment to the given device IDs.
- Lift Containment on Devices: Remove CrowdStrike Network Containment from the given device IDs.