CrowdStrike API resources collector

[ 1 Service description ] [ 2 Data source description ] [ 3 Vendor setup ] [ 4 Devo collector features ] [ 5 Run the collector ]

Service description

Falcon is the CrowdStrike platform purpose-built to stop breaches via a unified set of cloud-delivered technologies that prevent all types of attacks — including malware and much more.

Today’s sophisticated attackers are going “beyond malware” to breach organizations, increasingly relying on exploits, zero days, and hard-to-detect methods such as credential theft and tools that are already part of the victim’s environment or operating system, such as PowerShell. CrowdStrike Falcon responds to those challenges with a powerful yet lightweight solution that unifies next-generation antivirus (NGAV), endpoint detection and response (EDR), cyber threat intelligence,managed threat hunting capabilities, and security hygiene — all contained in a tiny, single, lightweight sensor that is cloud-managed and delivered.

Data source description

Data source	Hosts	Incidents	Vulnerabilities	Behaviors
Devo data table	`edr.crowdstrike.falconstreaming.agents`	`edr.crowdstrike.falconstreaming.incidents`	`edr.crowdstrike.falconstreaming.vulnerabilities`	`edr.crowdstrike.falconstreaming.behaviors`
Service	`hosts`	`incidents`	`vulnerabilities`	`behaviors`
Endpoint	https://developer.crowdstrike.com/crowdstrike/reference/querydevicesbyfilter-1 https://developer.crowdstrike.com/crowdstrike/reference/getdevicedetails-1	https://developer.crowdstrike.com/crowdstrike/reference/queryincidents-1 https://developer.crowdstrike.com/crowdstrike/reference/getincidents-1	https://developer.crowdstrike.com/crowdstrike/reference/queryvulnerabilities https://developer.crowdstrike.com/crowdstrike/reference/getvulnerabilities	https://developer.crowdstrike.com/crowdstrike/reference/querybehaviors-1 https://developer.crowdstrike.com/crowdstrike/reference/getbehaviors-1
Description	Hosts are endpoints that run the Falcon sensor. You can get information and details about these agents.	Incidents are events that occur in an organization that can represent a cybersecurity threat or an attack.	Vulnerabilities are known security risks in an operating system, application, hardware, firmware, or other parts of a computing stack.	Behaviors are patterns of data transmissions in a network that are out of the norm, used to detect anomalies before cyber attacks occur.

Vendor setup

In order to configure the Devo | CrowdStrike API Resources collector, you need to create an API client that will be used to authenticate API requests.

After getting your Crowdstrike Falcon Cloud credentials, log into the CrowdStrike Falcon Cloud dashboard.
Click the three dots in the left menu bar.
Click Api Clients and Keys. This will open a page to create an API client.
Click Add API Client at the top right corner. Enter a CLIENT NAME and DESCRIPTION.
Then, enable the API scopes for your new API client. Click the required Read permissions for each scope and click ADD to create the client.
Finally, copy the Client ID and Client Secret shown on the next screen. You will need these values to configure the collector.

Devo collector features

Feature	Details

Feature

Details

Allow parallel downloading (multipod)

Not allowed

Running environments

Cloud collector, on-premise

Run the collector

Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).