Integrate CrowdStrike Endpoint Security Solution with Identity Security Cloud

Use Case

In numerous modern work environments, there’s a prevalent trend of employees carrying out their tasks remotely, often from the comfort of their homes. In such setups, it’s not uncommon for situations to arise where an employee’s association with the organization ceases, whether due to termination, resignation, or other reasons, while they are still in possession of company-provided hardware, such as laptops or personal computers (PCs).

The need arises to ensure the security and integrity of the organization’s digital infrastructure, including safeguarding sensitive data and protecting against potential security breaches or unauthorized access. Therefore, upon an employee’s termination, it becomes imperative to take swift and decisive action to isolate and secure the endpoints, effectively quarantining them from the organization’s network and resources.

This process involves implementing protocols and procedures to remotely disable access to the company’s systems and networks from the terminated employee’s device. It may include revoking access credentials, remotely wiping sensitive data, installing security patches or updates, and physically retrieving the hardware if necessary.

By quarantining these endpoints, organizations mitigate the risk of unauthorized access, data theft, or malicious activities that could potentially harm the organization’s operations, reputation, and overall security posture. Additionally, it ensures compliance with regulatory requirements regarding data protection and privacy.

In summary, the scenario underscores the importance of having robust endpoint management and security protocols in place to effectively manage the transition of employees, particularly in remote work settings, and to safeguard the organization’s digital assets and sensitive information.

Endpoint Security Solution

What is an Endpoint?

An endpoint is any physical device that can be connected to a network, including computers, laptops, mobile phones, tablets and servers. The list of endpoints continues to grow to include many non-traditional items, such as printers, cameras, appliances, smart watches, health trackers, navigation systems and any other device that can be connected to the internet.

How Will it Work?

This solution utliizes CrowdStrike EDR (endpoint detection and response). Once the CrowdStrike source is configured in Identity Security Cloud, we can retrieve users’ hostnames, which are essentially their devices (endpoints). When ISC triggers a leaver event, it activates a workflow. This workflow uses the CrowdStrike API to quarantine the user’s laptop, PC, or workstation.

Implementation Steps

Onboard CrowdStrike source

  1. Log into ISC as admin
  2. Navigate to Connections > Sources
  3. Click Create New
  4. Select Web Services as the source type and click Configure

Base Configuration:

Connection Settings:

HTTP Operations:

  1. Click Test Connection to test the connectivity between ISC and CrowdStrike.
  2. Aggregate user account data including hostnames (laptop/PC endpoint).
  3. Create an Identity attribute to store the value of the hostname from the CrowdStrike source.

Create workflow

  1. Begin with Identity Attributes Changed trigger which will trigger when cloudLifecycleState changes to inactive.

  2. Add action Get Identity to get the user details.

  3. Add Wait action to wait an hour until the lifecycle leaver event completes.

  4. Add Form action referencing a previously created form called managerApproval with which the manager/security team can approve or deny the request to quarantine the user’s workstation. (Documentation on creating Forms can be found here).

  5. Once the form has been completed by the manager/security team, use the Compare String operator to determine the next step based on the form response.

  6. If the manager/security team approves the request
    a. Call HTTP Request action
    b. Pass the hostname to the CrowdStrike API request POST https://api.crowdstrike.com/devices/entities/devices-actions/v2?action_name=contain
    c. By calling this API with action_name=contain, the user’s endpoint will be quarantined.

Workflow

Here is the workflow JSON file. Upload it to your tenant, and after changing the form reference to the managerApproval form created in your tenant and adding your own CrowdStrike API credentials, you will be good to go for testing CrowdStrike EDR integration with ISC.

PrasadEDR20240821.json (3.2 KB)

{
	"name": "Prasad - EDR ",
	"description": "Some organizations may want to quarantine the organizational workstation (laptop/PC) after the Identity life cycle event such as user termination or immediate termination.\n\nIn that case, if the organization is using CrowdStrike for EDR then we can easily integrate it with SailPoint ISC.",
	"definition": {
		"start": "Get Identity",
		"steps": {
			"Compare Strings": {
				"choiceList": [
					{
						"comparator": "StringEquals",
						"nextStep": "HTTP Request",
						"variableA.$": "$.form.formData.managerApproval",
						"variableB": "Approved"
					}
				],
				"defaultStep": "End Step - Success",
				"description": "Manager Approval",
				"displayName": "",
				"type": "choice"
			},
			"End Step - Success": {
				"displayName": "",
				"type": "success"
			},
			"End Step - Success 1": {
				"description": "Endpoint has been quarantined.",
				"displayName": "",
				"type": "success"
			},
			"Form": {
				"actionId": "sp:forms",
				"attributes": {
					"deadline": "1h",
					"formDefinitionId": "5313592b-d118-41c2-8947-e474fa3ed3f6",
					"inputForForm_managerId.$": "$.getIdentity.managerRef.id",
					"notificationBody": "Do you want to quarantine the endpoint of {{$.getIdentity.attributes.displayName}} ?",
					"notificationSubject": "Approval Required for : Quarantining Endpoint ",
					"recipient.$": "$.getIdentity.managerRef.id",
					"reminder": "1h",
					"reminderBody": "Waiting for approval to quarantine the endpoint of {{$.getIdentity.attributes.hostids}} ."
				},
				"description": "Manager Approval",
				"displayName": "",
				"nextStep": "Compare Strings",
				"type": "action",
				"versionNumber": 1
			},
			"Get Identity": {
				"actionId": "sp:get-identity",
				"attributes": {
					"id.$": "$.trigger.identity.id"
				},
				"description": "Get users Identity",
				"displayName": "",
				"nextStep": "Wait",
				"type": "action",
				"versionNumber": 2
			},
			"HTTP Request": {
				"actionId": "sp:http",
				"attributes": {
					"authenticationType": "OAuth",
					"jsonRequestBody": {
						"ids": "{{$.getIdentity.attributes.hostids}}"
					},
					"method": "post",
					"oAuthClientId": "Test",
					"oAuthClientSecret": "$.secrets.4777363c-47b9-4310-9e09-9855c93bbcc8",
					"oAuthCredentialLocation": "oAuthInHeader",
					"oAuthTokenUrl": "https://api.crowdstrike.com/",
					"requestContentType": "json",
					"url": "https://api.crowdstrike.com/devices/entities/devices-actions/v2?action_name=contain"
				},
				"description": "Quarantine the users laptop or PC.",
				"displayName": "",
				"nextStep": "End Step - Success 1",
				"type": "action",
				"versionNumber": 2
			},
			"Wait": {
				"actionId": "sp:sleep",
				"attributes": {
					"duration": "1h",
					"type": "waitFor"
				},
				"description": "Wait for the 1 hour after the account has been deactivated.",
				"displayName": "",
				"nextStep": "Form",
				"type": "action",
				"versionNumber": 1
			}
		}
	},
	"trigger": {
		"type": "EVENT",
		"attributes": {
			"attributeToFilter": "cloudLifecycleState",
			"description": "CloudLifeCycle state change from Active to Inactive",
			"filter.$": "$.changes[?(@.attribute == \"cloudLifecycleState\" && @.newValue == \"inactive\")]",
			"id": "idn:identity-attributes-changed"
		}
	}
}

References

  1. What is EDR? Endpoint Detection & Response Defined

  2. CrowdStrike Tech Hub: In-Depth Demos, Videos, and Trainings

  3. CrowdStrike Hosts service collection

3 Likes

Great job, Prasad! Keep up the excellent work.

Thanks @sagar_kamalakar !!