Eyeglass Solutions Publication

CrowdStrike Fusion SOAR Integration


Overview

CrowdStrike Fusion SOAR is the Security Orchestration, Automation, and Response (SOAR) platform integrated into the CrowdStrike ecosystem. It is designed to help security teams streamline and automate their workflows, manage incident response, and integrate various security tools to improve efficiency and reduce response times.

Customers using CrowdStrike Fusion SOAR can now leverage a native integration that delivers Cyberstorage Incident Response directly into Fusion SOAR. See the CrowdStrike integration landing page.

  1. NOTE: This documentation is provided "as is" without support for 3rd party software. The level of support for this integration guide is best effort without any SLA on response time. No 3rd party product support can be provided by Superna directly; 3rd party components require support contracts.

Limitations

  1. None

Solution Overview

The Superna Data Security Edition Zero Trust API is used to receive workflow and playbook requests through application integrations from the Fusion Foundry application builder interface within CrowdStrike. Once an application and integration are published and released, a workflow can be created and leveraged across all incidents with an on-demand Workflow action.


Video Demo


Typical Use Cases

  1. The Superna Cyberstorage Incident Response application provides industry-first capabilities for SOC managers and analysts to protect data directly during the incident response process without needing any direct access to, or knowledge of, storage systems.
  2. Incident examples
    1. User account is phished
      1. Run the snapshot and user lockout workflows
    2. Suspected host breach by an attacker
      1. Run the snapshot workflow to protect data and provide a rollback point from an immutable snapshot
    3. Large DDoS attack on external firewall
      1. Protect data with the snapshot workflow
    4. Employee termination
      1. Disabling an AD account is not enough; running the user block action guarantees that the user account cannot log in to modify, delete or take corporate data


Cyberstorage Incident Response - Capabilities

  1. Zero trust CrowdStrike application, integration and workflows to extend offensive data protection as an action to respond to any incident within CrowdStrike.
  2. Superna Data Security Edition integrations enable the following Cyberstorage Incident Response actions.
    1. Cyberstorage IR - Critical Data Snapshot API as a defensive response to any incident within Next-Gen SIEM. This creates immutable snapshots of critical data on all NAS devices protected by Superna.
    2. Cyberstorage IR - User Data Block - Allows SecOps to block a user and leverages an approval workflow to route the request for approval of a user lockout.
    3. Cyberstorage IR - User Data Restore - Allows SecOps to restore a user's data access and leverages an approval workflow to route the request to the SecOps manager to approve or deny the restore.

    What is CrowdStrike Fusion SOAR?

    • Reduce Response Times: Automates actions like isolating endpoints, notifying stakeholders, and updating tickets, reducing the time it takes to respond to threats.
    • Improve Consistency: Ensures responses follow predefined workflows, reducing the risk of human error.
    • Scale Operations: Enables small teams to handle a larger volume of alerts and incidents by automating repetitive tasks.
    • Integrate Disparate Tools: Connects your entire security stack, allowing seamless data sharing and action coordination.



    Integration Architecture


    Solution Configuration in CrowdStrike Fusion SOAR and Data Security Edition

    Prerequisites

    1. Data Security Edition installed
    2. Eyeglass OS appliance version 15.5
      1. cat /etc/os-release
    3. License key for the Zero Trust API
    4. CrowdStrike Fusion SOAR application entitlement
    5. NOTE: A Falcon Sensor host must be in a host group with remote execution permissions assigned. The hosts in that host group need to be able to reach the Eyeglass Zero Trust endpoint over TCP port 443.


    Configuration Steps on Eyeglass Virtual Machine

    1. Create an API token to use the Zero Trust API
    2. Log in as admin
    3. Open the Integrations icon
      1. Create a token from the API token tab
      2. Give the token a name, for example Fusion SOAR
      3. Copy and record the API token for the steps below
      4. Record the Eyeglass VM IP address for the steps below
      5. Done


    CrowdStrike Fusion SOAR on-premises API proxy configuration

    1. Issuing API calls that can reach on-premises infrastructure requires a Falcon sensor host within a host group.
      1. Follow the host group documentation here. Name the host group APIProxy so it is easily identified when assigning this host group to the application definition.
      2. Grant remote execution permissions to this host.

    Configuration in CrowdStrike Fusion SOAR - Superna Cyberstorage Incident Response Application

    1. Download the Superna app for CrowdStrike Fusion from here.
    2. Log in to the Foundry interface.
      1. Click Import app and browse to the file downloaded above.
      2. Make sure to deploy, release and install the application to make use of the built-in Workflows. During installation of the application, the configuration information below needs to be entered.
        1. Edit the application host field to enter the IP address of the Eyeglass VM where the Zero Trust endpoint is located.
        2. Enter the API key created in the steps above and add it to the configuration.
        3. Enter the email addresses for the approver and deny receipt lists.
        4. Click the checkbox for trust any Certificate and select the host group created for API proxies with on-premises devices. In the example, the host group was called APIproxy and included a Falcon sensor host that had IP reachability to the Eyeglass VM.
    3. Make sure the application is in deployed, released status; follow the application deployment steps in the CrowdStrike documentation.
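    As an added preflight example (not Superna's or CrowdStrike's code), the following script checks the prerequisites and the configuration above from a host in the APIProxy host group: it reads VERSION_ID from /etc/os-release, confirms TCP 443 reachability to the Eyeglass Zero Trust endpoint, and records the certificate fingerprint the VM presents, which is worth keeping on file because the app configuration enables "trust any Certificate". It assumes curl and openssl are installed and takes the Eyeglass VM address from an EYEGLASS_IP environment variable (an assumed name).

```shell
#!/usr/bin/env bash
# Added preflight example, not Superna's or CrowdStrike's code. Assumes it runs
# on a Falcon sensor host in the APIProxy host group with curl and openssl
# installed; EYEGLASS_IP (assumed variable name) holds the Eyeglass VM address.
set -u
# Extract VERSION_ID from an os-release style file. Takes the path as an
# argument so the prerequisite check ("cat /etc/os-release") can be tested
# against a constructed file.
os_release_version() {
  sed -n 's/^VERSION_ID="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "$1"
}

# The guide documents Eyeglass OS appliance version 15.5.
version_is_supported() {
  [ "$1" = "15.5" ]
}

# Confirm the Zero Trust endpoint answers on TCP 443 from this host. -k only
# keeps a self-signed certificate from masking the reachability result; the
# certificate itself is recorded separately below.
endpoint_reachable() {
  curl -sk --connect-timeout 5 -o /dev/null "https://$1:443/"
}

# Record the SHA-256 fingerprint of the certificate the Eyeglass VM presents.
# With "trust any Certificate" enabled in the app configuration, this stored
# value is the reference for noticing a changed certificate later.
endpoint_cert_fingerprint() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

preflight() {
  local ip="$1" ver
  ver="$(os_release_version /etc/os-release 2>/dev/null)"
  if version_is_supported "$ver"; then
    echo "os-release VERSION_ID=$ver matches the guide"
  else
    echo "WARN: VERSION_ID='$ver', guide expects 15.5"
  fi
  if endpoint_reachable "$ip"; then
    echo "TCP 443 to $ip reachable from $(hostname)"
    echo "server certificate sha256: $(endpoint_cert_fingerprint "$ip")"
  else
    echo "ERROR: cannot reach https://$ip:443"
    return 1
  fi
}
# The network checks run only when an address is supplied.
if [ -n "${EYEGLASS_IP:-}" ]; then preflight "$EYEGLASS_IP"; fi
```

Run it as `EYEGLASS_IP=<eyeglass vm ip> bash preflight.sh` on the proxy host and keep the printed fingerprint with the integration's change record.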



    How to use Cyberstorage Incident Response Application Workflows

    1. Execute the workflows from the Next-Gen SIEM SOAR Workflows menu; two of the workflows have email approval configured.







      © Superna Inc