CrowdStrike Connector - PingOne DaVinci - PingOne Services - PingOne Cloud Platform

Page created: 9 Jun 2022 |

Page updated: 13 Dec 2022

| 6 min read

PingOne DaVinci Product PingOne Cloud Platform PingOne PingOne Services Home Page Doc Tools

The CrowdStrike connector lets you use CrowdStrike improve authentication security in your PingOne DaVinci flow.

CrowdStrike protects the people, processes and technologies that drive modern enterprise. A single agent solution to stop breaches, ransomware, and cyber attacks—powered by world-class security expertise and deep industry experience.

You can use the CrowdStrike connector to:

Check whether an IP address is associated with a managed device in CrowdStrike
Get a list of CrowdStrike devices associated a username or IP address
Get a list of CrowdStrike Incidents associated a username or IP address
Get the CrowdStrike scores from multiple incidents
Get the CrowdStrike Zero Trust Assessment scores for a managed device
Get the CrowdScore from a single environment
Quarantine a managed device
Lift the quarantine on a managed device

Setup

Resources

For information and setup help, see the following documentation:

CrowdStrike documentation
- CrowdStrike OAuth2-Based APIs
DaVinci documentation
- Adding a connection
- Importing a flow from the Flow Library

Requirements

To use the connector, you'll need:

A CrowdStrike license

Setting up CrowdStrike

Follow the steps in Creating an API client.

Select the following API scopes:

Scope	Permissions
Hosts	Read, Write
Falcon Discover	Read
Incidents	Read
Zero Trust Assessment	Read

Record your client ID and secret. You'll use them in the connector configuration.

Setting up the CrowdStrike connector configuration

In DaVinci, add a CrowdStrike connection. For help, see Adding a connection.

Connector configuration

CrowdStrike Base URL

The base URL for your CrowdStrike environment.

Client ID

The client ID you created in Setting up CrowdStrike.

Client Secret

The client secret you created in Setting up CrowdStrike.

Using the connector in a flow

Getting device details

The Get Device Details capability allows you to get detailed information about one or more devices.

In the Device IDs field, you can click {} and select the deviceIds variable from a Get Devices from Logins node.

Quarantining devices

You can quarantine a device by applying CrowdStrike Network Containment on the device ID with the Set Containment on Devices capability.

When you determine a device is safe, you can remove the quarantine with the Lift Containment on Devices capability.

In the Device IDs field, you can click {} and select the deviceIds variable from a Get Devices from Logins node.

Getting incident scores

The Get Incident Scores capability lets you get scores for one or more CrowdStrike incidents.

In the Incident IDs field, you can click {} and select the incidentIds variable from a Get Incidents from Logins node.

Capabilities

Check Device Management Status

Use an IP address to check whether a device is managed by CrowdStrike.

Properties

IP textField

The user's IP address

Username textField

The username associated with the device.

Last Seen Number of Days textField

The number of days to search back in time for a managed device.

Default:

Input Schema

default object

ip string required: The IP address of the device
username string: The username associated with the device
lastSeenDays number required: The number of days to search back in time for a managed device

Output Schema

output object

rawResponse object
statusCode number
deviceManaged boolean
foundLoginMatch boolean

Get Devices from Logins

Get a list of device IDs from CrowdStrike Logins that match a username, email address, or IP address.

Properties

Username textField

The username associated with the device.

Email textField

The email of the user associated with the device.

IP textField

The user's IP address

Search Back Number of Days textField

The number of days to search back in time for a login

Default:

Input Schema

default object

username string: The username associated with the device
email string: The email of the user associated with the device
ip string: The user's IP address
searchLoginDays number required: The number of days to search back in time for a login

Output Schema

output object

rawResponse object
statusCode number
deviceIds array

Get Device Details

Get device details from a list of devices.

Properties

Device IDs textField required: List of Device IDs (JSON Array formatted)

Input Schema

default object

deviceIds string required: List of Device IDs (JSON Array formatted)

Output Schema

output object

rawResponse object
statusCode number
devices array

Get Incidents by IP

Use an IP address to get a list of incidents associated with the device.

Properties

IP textField

The user's IP address

Last Seen Number of Days textField

The number of days to search back in time for a managed device.

Default:

Input Schema

default object

ip string required: The IP address of the device
lastSeenDays number required: The number of days to search back in time for a managed device

Output Schema

output object

rawResponse object
statusCode number
incidentsOnDevice boolean
incidentIds array

Get Incidents from Logins

Get a list of incidents from CrowdStrike Logins that match a username, email address, or IP address.

Properties

Username textField

The username associated with the device.

Email textField

The email of the user associated with the device.

IP textField

The user's IP address

Search Back Number of Days textField

The number of days to search back in time for a login

Default:

Input Schema

default object

username string: The username associated with the device
email string: The email of the user associated with the device
ip string: The user's IP address
searchLoginDays string required: The number of days to search back in time for a login

Output Schema

output object

rawResponse object
statusCode number
loginsWithIncidents boolean
incidentIds array

Get Incident Scores

Get the maximum incident score from a list of incident IDs.

Properties

Incident IDs textField: List of Incident IDs (JSON Array formatted)

Input Schema

default object

incidentIds string required: List of Incident IDs

Output Schema

output object

rawResponse object
statusCode number
maxIncidentScore number
incidents array

Get Zero Trust Assessment Scores from Devices

Use a list of device IDs to get the most recent Zero Trust Assessment scores.

Properties

Device IDs textField required: List of Device IDs (JSON Array formatted)

Input Schema

default object

deviceIds string required: List of Device IDs

Output Schema

output object

rawResponse object
statusCode number
maxOverallScore number: Maximum Overall Score from Devices
maxOSScore number: Maximum Operating System Score from Devices

Get Environment CrowdScore

Get the most recent CrowdScore for the CrowdStrike environment.

Output Schema

output object

rawResponse object
statusCode number
score number
adjustedScore number

Set Containment on Devices

Apply CrowdStrike Network Containment on the Device IDs.

Properties

Device IDs textField required: List of Device IDs (JSON Array formatted)

Input Schema

default object

deviceIds string required: List of Device IDs

Output Schema

output object

rawResponse object
statusCode number

Lift Containment on Devices

Remove CrowdStrike Network Containment on the Device IDs.

Properties

Device IDs textField required: List of Device IDs (JSON Array formatted)

Input Schema

default object

deviceIds string required: List of Device IDs

Output Schema

output object

rawResponse object
statusCode number