Introduction to the CrowdStrike Falcon Automation Synchronization PowerPack


This section describes how you can configure and use the CrowdStrike Falcon Automation Synchronization PowerPack with the PowerFlow platform to integrate SL1 events and CrowdStrike detections.

After the 2.1.0 platform release, the Integration Service was rebranded as SL1 PowerFlow, and the Automation Builder was rebranded as SL1 PowerFlow builder.

The label "SyncPack" is used in place of "Synchronization PowerPack" in the PowerFlow user interface.

What is the CrowdStrike Falcon Automation Synchronization PowerPack?

The CrowdStrike Falcon Automation Synchronization PowerPack includes a configuration object, applications, and steps that bidirectionally sync jobs, pipeline jobs, and node status between CrowdStrike and SL1.

Prerequisites for this SyncPack

This SyncPack requires the following:

  • SL1 PowerFlow platform version: 2.3.0 or later
  • CrowdStrike SyncPack version 100 or later
  • SL1 version: 11.1.0 or later. For details on upgrading SL1, see the appropriate SL1 Release Notes.
  • The following dependencies are included in the SyncPack:
      • SL1_Notifications>=1.0.2
      • base_steps_syncpack>=1.3.2
  • Administrator access to both SL1 and CrowdStrike
  • CrowdStrike administrator access to the Administration Portal
  • CrowdStrike administrator access to the GUI Portal

The following table lists the port access required by PowerFlow and this SyncPack:

Source IP   Destination            Source Port   Destination Port   Requirement
PowerFlow   SL1 API                Any           TCP 443            SL1 API Access
PowerFlow   CrowdStrike REST API   Any           TCP 443            CrowdStrike REST API Access

ScienceLogic highly recommends that you disable all firewall session-limiting policies, as such firewalls will drop HTTPS requests, resulting in data loss.

Contents of the SyncPack

This section lists the contents of the CrowdStrike Falcon Automation Synchronization PowerPack.

PowerFlow Applications

  • Fetch Detections from CrowdStrike and Send Alert to SL1. This application acquires tokens and new detections from CrowdStrike and creates alerts for SL1.
  • Clear Detection from Cache. This application acquires and saves event details to send to SL1.

For more information about how to configure these applications, see Configuring Applications for the CrowdStrike Falcon Automation Synchronization PowerPack.

Configuration Object

  • CrowdStrike Sample Configuration. This configuration object can be used as a template after the SyncPack is installed on the PowerFlow system.

Steps

The following steps are included in this SyncPack:

  • Fetch Detections and Generate Payloads for SL1
  • Fetch New Detections from CrowdStrike
  • Get Alerted Detections from Cache
  • Get Each Detection and Create SL1 Alerts
  • Get Event Details and Clear Detections ID

Installing the SyncPack

A SyncPack file has the .whl file extension type. You can download the SyncPack file from the ScienceLogic Support site.

Downloading the SyncPack

To locate and download the SyncPack:

  1. Go to the ScienceLogic Support Site.
  2. Click the Product Downloads tab and select PowerPack.
  3. In the Search PowerPacks field, search for the SyncPack and select it from the search results. The Release Version page appears.
  4. On the PowerPack Versions tab, click the name of the SyncPack version that you want to install. The Release File Details page appears.
  5. Click the Download File button or click the name of the .zip file containing the .whl file for this SyncPack to start downloading the file.

After you download a SyncPack, you can import it to your PowerFlow system using the PowerFlow user interface.

Importing the SyncPack

To import a SyncPack in the PowerFlow user interface:

  1. On the SyncPacks page of the PowerFlow user interface, click Import SyncPack. The Import SyncPack page appears.
  2. Click Browse and select the .whl file for the SyncPack you want to install. You can also drag and drop a .whl file to the Import SyncPack page.
  3. Click Import. PowerFlow registers and uploads the SyncPack. The SyncPack is added to the SyncPacks page.
  4. You will need to activate and install the SyncPack in PowerFlow. For more information, see Activating and Installing a Synchronization PowerPack.

You cannot edit the content package in a SyncPack published by ScienceLogic. You must make a copy of a ScienceLogic SyncPack and save your changes to the new SyncPack to prevent overwriting any information in the original SyncPack when upgrading.

Activating and Installing the SyncPack

To activate and install a SyncPack in the PowerFlow user interface:

  1. On the SyncPacks page of the PowerFlow user interface, click the Actions button for the SyncPack you want to install and select Activate & Install. The Activate & Install SyncPack modal appears.

    If you try to activate and install a SyncPack that is already activated and installed, you can choose to "force" installation across all the nodes in the PowerFlow system.

    If you do not see the SyncPack that you want to install, click the Filter icon on the SyncPacks page and select Toggle Inactive SyncPacks to see a list of the imported SyncPacks.

  2. Click Yes to confirm the activation and installation. When the SyncPack is activated, the SyncPacks page displays a green check mark icon for that SyncPack. If the activation or installation failed, a red exclamation mark icon appears.
  3. For more information about the activation and installation process, click the check mark icon or the exclamation mark icon in the Activated column for that SyncPack. For a successful installation, the "Activate & Install SyncPack" application appears, and you can view the Step Log for the steps. For a failed installation, the Error Logs window appears.
  4. If you have other versions of the same SyncPack on your PowerFlow system, you can click the Actions button for that SyncPack and select Change active version to activate a version other than the one that is currently running.