Crowdstrike Integration with Right-Hand
Written by Karthek S
Updated over 2 months ago

You can now integrate the Right-Hand Human Risk Management (HRM) Platform with CrowdStrike. The integration sends nudges to your employees, via a communication channel of your choice, based on the security incidents they may have caused.

The key benefits of the integration are:

  • Provide micro-learnings, in the form of messages, to employees involved in security incidents caused by human behavior.

  • Identify your organization’s risk based on incidents caused by human behavior.

  • Identify the employees who are attacked most often and provide them with targeted training and simulations.

Preparing for integration: Crowdstrike+RH HRM

Before you can set up this integration in your Right-Hand app, you will need to create an OAuth API client in CrowdStrike and grant it the appropriate API scopes. Right-Hand’s Human Risk Platform uses that client’s credentials to read data from CrowdStrike. We use the Detects API provided by CrowdStrike to retrieve the detections that map to user behavior.

To create an OAuth client, follow the steps below:

  1. Log in to your CrowdStrike Falcon console and navigate to Support and resources > Resources and tools > API Clients and Keys.

  2. In the API clients and keys window, click Add new API client.

  3. Create a new client and select the check box next to each of the following API scopes:

    • Detections

    • Hosts

    • Incidents

  4. Locate the Client ID and Client Secret. Copy both and store them somewhere secure that you can access later; you will need both to set up the integration in your RH HRM app.

Integrating with the RH HRM Portal (guidance for the following steps will be provided during the onboarding session).

  1. Log in to your RH Cyberready portal and navigate to the HRM → Settings section as indicated below:

  2. Click on the Crowdstrike widget → Configure, and the following modal will appear.

  3. In the modal, select the API URL for your region from the dropdown. If your CrowdStrike instance is hosted in the USGOV1 region, please inform us beforehand. Then enter the Client ID and Client Secret that you copied in the earlier step into the designated fields.

  4. Click on Save and Authorize.

  5. Navigate to the second tab, Detection rules, as indicated below.

  6. Select the events for which you would like nudges to be sent to users.

Configuring the mapping attributes

The user's profile can be mapped to Right-Hand's HRM by using the following attributes:

  • Hostname

  • MAC address

  • Username

Example:

| Email | User attribute |
| --- | --- |
|  | 39.62.195.1 |
|  | JohnDX9-1706-AssetID |
|  | Jondo |

  1. Hostname refers to the user's server address.

  2. The MAC address is the unique hardware address of each machine.

  3. The username is the user's account name on the machine.

To map the user attributes, please follow the steps below:

  1. Navigate to Human Risk Management > Settings > User attribution.

  2. Click the link indicated in the screenshot below to download the sample CSV template.

  3. Enter each user's information (hostname, MAC address, or username, together with the email address) in the CSV template and upload it by clicking on the upload icon.

  4. After the CSV has been uploaded successfully, navigate to List of Mapping to view the users' mapped values.
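As an added illustration of what the attribute mapping does once the CSV is uploaded (this is example code written for this article, not Right-Hand's code and not the actual template), the following Python loads a mapping file and resolves a detection's device or user attributes to an employee email. The column names email, hostname, mac_address and username are an assumption, as are the sample rows; the lookup precedence (MAC address first, then hostname, then username) is a design choice of this example, not something the article specifies.

```python
import csv
import io
import re

# Constructed sample CSV. Column names are assumed; use those of the template
# downloaded from the Right-Hand portal.
SAMPLE_CSV = """email,hostname,mac_address,username
john.doe@example.com,WS-JOHN-01,00:1A:2B:3C:4D:5E,jdoe
jane.roe@example.com,WS-JANE-02,AA-BB-CC-DD-EE-FF,jroe
"""


def normalize_mac(mac):
    """Canonicalise a MAC so 'AA-BB-CC-DD-EE-FF', 'aa:bb:cc:dd:ee:ff' and
    'aabb.ccdd.eeff' all compare equal. Returns None for malformed input."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac or "")
    if len(hexdigits) != 12:
        return None
    return hexdigits.lower()


def load_mapping(csv_text):
    """Build one lookup table per attribute, each pointing at the user's email.
    Returns {attribute_name: {normalised_value: email}}."""
    tables = {"hostname": {}, "mac_address": {}, "username": {}}
    for row in csv.DictReader(io.StringIO(csv_text)):
        email = (row.get("email") or "").strip().lower()
        if not email:
            continue  # a row without an email can never receive a nudge
        host = (row.get("hostname") or "").strip().lower()
        if host:
            tables["hostname"][host] = email
        mac = normalize_mac(row.get("mac_address"))
        if mac:
            tables["mac_address"][mac] = email
        user = (row.get("username") or "").strip().lower()
        if user:
            tables["username"][user] = email
    return tables


def resolve_email(tables, hostname=None, mac_address=None, username=None):
    """Return the mapped email for a detection's attributes, or None.
    Precedence (an assumption of this example): MAC, then hostname, then username."""
    if mac_address:
        email = tables["mac_address"].get(normalize_mac(mac_address))
        if email:
            return email
    if hostname:
        email = tables["hostname"].get(hostname.strip().lower())
        if email:
            return email
    if username:
        # Usernames often arrive as DOMAIN\user; keep only the account part.
        account = username.rsplit("\\", 1)[-1].strip().lower()
        email = tables["username"].get(account)
        if email:
            return email
    return None


if __name__ == "__main__":
    mapping = load_mapping(SAMPLE_CSV)
    print(resolve_email(mapping, hostname="ws-john-01"))
    print(resolve_email(mapping, username="CORP\\jroe"))
    print(resolve_email(mapping, hostname="unknown-host"))
```

Rows with no email are skipped rather than raising, so one bad line in a large upload does not block the rest; the values are normalised before lookup because hostnames and MAC addresses arrive from Falcon in whatever case and separator style the endpoint reports.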

Events supported by Right-hand Cybersecurity

When you integrate your CrowdStrike instance with the Right-Hand HRM platform, we start to receive detections from your Falcon Detects API. Each detection carries several attributes, among them Scenario, Objective, Tactic and Technique. When all four attributes have the values listed in the detection rule section below, we classify the detection as the corresponding event.

Adware found in employee device

When we receive detections from CrowdStrike, we classify the event when the scenario, tactic, technique and objective match one of the following rows:

| Scenario | Tactic | Technique | Objective |
| --- | --- | --- | --- |
| Suspicious Activity | Malware | Adware | Falcon Detection Method |
| Blocked Hash | Machine Learning | Adware/PUP | Falcon Detection Method |
| Known Malware | Machine Learning | Adware/PUP | Falcon Detection Method |
| Known Malware | Malware | Adware | Falcon Detection Method |

Malicious Document detected in employee’s device

When we receive detections from CrowdStrike, we classify the event when the scenario, tactic, technique and objective match one of the following rows:

| Scenario | Tactic | Technique | Objective |
| --- | --- | --- | --- |
| Malicious Document | Post-Exploit | Command-Line Interface | Falcon Detection Method |
| Malicious Document | Post-Exploit | Malicious Tool Delivery | Falcon Detection Method |
| Malicious Document | Execution | Command-Line Interface | Follow through |
| Malicious Document | Execution | Exploitation for Client Execution | Follow through |
| Malicious Document | Execution | Scripting | Follow through |
| Malicious Document | Execution | Third-party Software | Follow through |
| Malicious Document | Defense Evasion | Exploitation for Defense Evasion | Keep access |
| Malicious Document | Persistence | Launch Daemon | Keep access |
| Malicious Document | Persistence | Registry Run Keys / Start Folder | Keep access |

Employee Compromised by a Command and Control server

When we receive detections from CrowdStrike, we classify the event when the scenario, tactic, technique and objective match the following row:

| Scenario | Tactic | Technique | Objective |
| --- | --- | --- | --- |
| User Compromise | Command and Control | Remote Access Tools | Contact controlled systems |

Ransomware detected in employee’s device

When we receive detections from CrowdStrike, we classify the event when the scenario, tactic, technique and objective match one of the following rows:

| Scenario | Tactic | Technique | Objective |
| --- | --- | --- | --- |
| Known Malware | Malware | Ransomware | Falcon Detection Method |
| Suspicious Activity | Malware | Ransomware | Falcon Detection Method |
| Activity Prevented | Malware | Ransomware | Falcon Detection Method |

Phishing attack on employee

When we receive detections from CrowdStrike, we classify the event when the scenario, tactic, technique and objective match the following row:

| Scenario | Tactic | Technique | Objective |
| --- | --- | --- | --- |
| Suspicious Activity | Initial Access | Spearphishing Attachment | Gain access |

Employee Credential Theft

When we receive detections from CrowdStrike, we classify the event when the scenario, tactic, technique and objective match one of the following rows:

| Scenario | Tactic | Technique | Objective |
| --- | --- | --- | --- |
| Known Malware | Credential Access | Exploitation for Credential Access | Gain access |
| Credential Theft | Post-Exploit | Malicious Tool Execution | Falcon Detection Method |
| Credential Theft | Credential Access | Credential Dumping | Gain access |
| Credential Theft | Credential Access | Credentials in Files | Gain access |
| Credential Theft | Credential Access | Credentials in Registry | Gain access |
| Credential Theft | Credential Access | Securityd Memory | Gain access |

Malware detected in employee’s device

When we receive detections from CrowdStrike, we classify the event when the scenario, tactic, technique and objective match the following row:

| Scenario | Tactic | Technique | Objective |
| --- | --- | --- | --- |
| Blocked Hash | Custom Intelligence | Indicator of Compromise | Falcon Detection Method |

Suspicious Remote access activity detected on user’s device

When we receive detections from CrowdStrike, we classify the event when the scenario, tactic, technique and objective match one of the following rows:

| Scenario | Tactic | Technique | Objective |
| --- | --- | --- | --- |
| Suspicious Activity | Command and Control | Remote Access Tools | Contact controlled systems |
| Suspicious Activity | Lateral Movement | Remote Desktop Protocol | Explore |
| Suspicious Activity | Lateral Movement | Remote File Copy | Explore |
| Suspicious Activity | Lateral Movement | Remote Services | Explore |

Employee unintentionally Downloaded a malicious Java Program

When we receive detections from CrowdStrike, we classify the event when the scenario, tactic, technique and objective match the following row:

| Scenario | Tactic | Technique | Objective |
| --- | --- | --- | --- |
| Drive by Download | Exploit | Java Exploit | Falcon Detection Method |

Employee unintentionally Downloaded a malicious program via browser

When we receive detections from CrowdStrike, we classify the event when the scenario, tactic, technique and objective match the following row:

| Scenario | Tactic | Technique | Objective |
| --- | --- | --- | --- |
| Drive by Download | Post-Exploit | Browser Exploit | Falcon Detection Method |

Employee unintentionally Downloaded a malicious program

When we receive detections from CrowdStrike, we classify the event when the scenario, tactic, technique and objective match the following row:

| Scenario | Tactic | Technique | Objective |
| --- | --- | --- | --- |
| Drive by Download | Post-Exploit | Command-Line Interface | Falcon Detection Method |

Malicious tool delivered

When we receive detections from CrowdStrike, we classify the event when the scenario, tactic, technique and objective match the following row:

| Scenario | Tactic | Technique | Objective |
| --- | --- | --- | --- |
| Drive by Download | Post-Exploit | Malicious Tool Delivery | Falcon Detection Method |

Data theft detected via bluetooth or cellular medium

When we receive detections from CrowdStrike, we classify the event when the scenario, tactic, technique and objective match the following row:

| Scenario | Tactic | Technique | Objective |
| --- | --- | --- | --- |
| Data Theft | Exfiltration | Exfiltration Over Other Network Medium | Follow through |
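To make the classification described throughout the "Events supported" section concrete, here is an added Python example (written for this article, not Right-Hand's code) that turns a subset of the rule rows above into a lookup keyed on (scenario, tactic, technique, objective) and runs constructed sample detections through it. Each detection is taken as a flat dict carrying the four attribute fields the article names; how those fields are nested in an actual Detects API response is not covered by the article and is not assumed here. The remaining rows from the tables above can be added to RULES in the same shape.

```python
# Added example, not Right-Hand's code. RULES holds a subset of the rows from the
# "Events supported" tables, each as (scenario, tactic, technique, objective).
RULES = {
    "Adware found in employee device": [
        ("Suspicious Activity", "Malware", "Adware", "Falcon Detection Method"),
        ("Blocked Hash", "Machine Learning", "Adware/PUP", "Falcon Detection Method"),
        ("Known Malware", "Machine Learning", "Adware/PUP", "Falcon Detection Method"),
        ("Known Malware", "Malware", "Adware", "Falcon Detection Method"),
    ],
    "Employee Compromised by a Command and Control server": [
        ("User Compromise", "Command and Control", "Remote Access Tools", "Contact controlled systems"),
    ],
    "Ransomware detected in employee's device": [
        ("Known Malware", "Malware", "Ransomware", "Falcon Detection Method"),
        ("Suspicious Activity", "Malware", "Ransomware", "Falcon Detection Method"),
        ("Activity Prevented", "Malware", "Ransomware", "Falcon Detection Method"),
    ],
    "Phishing attack on employee": [
        ("Suspicious Activity", "Initial Access", "Spearphishing Attachment", "Gain access"),
    ],
    "Employee Credential Theft": [
        ("Known Malware", "Credential Access", "Exploitation for Credential Access", "Gain access"),
        ("Credential Theft", "Post-Exploit", "Malicious Tool Execution", "Falcon Detection Method"),
        ("Credential Theft", "Credential Access", "Credential Dumping", "Gain access"),
    ],
    "Suspicious Remote access activity detected on user's device": [
        ("Suspicious Activity", "Command and Control", "Remote Access Tools", "Contact controlled systems"),
        ("Suspicious Activity", "Lateral Movement", "Remote Desktop Protocol", "Explore"),
        ("Suspicious Activity", "Lateral Movement", "Remote File Copy", "Explore"),
        ("Suspicious Activity", "Lateral Movement", "Remote Services", "Explore"),
    ],
    "Data theft detected via bluetooth or cellular medium": [
        ("Data Theft", "Exfiltration", "Exfiltration Over Other Network Medium", "Follow through"),
    ],
}

# Attribute field names as the article names them; order matches the rule tuples.
FIELDS = ("scenario", "tactic", "technique", "objective")


def _norm(value):
    """Case- and whitespace-insensitive comparison, so 'Follow Through' as Falcon
    renders it matches the 'Follow through' spelling used in the tables."""
    return (value or "").strip().lower()


def build_index(rules):
    """Invert the rule table into {(scenario, tactic, technique, objective): event}.
    Refuses overlapping rows, because one detection must map to exactly one nudge."""
    index = {}
    for event, rows in rules.items():
        for row in rows:
            key = tuple(_norm(v) for v in row)
            if key in index and index[key] != event:
                raise ValueError(f"rule {row} is claimed by both {index[key]!r} and {event!r}")
            index[key] = event
    return index


def classify_detection(index, detection):
    """Map one detection (a flat dict with the four attribute fields) to an event
    name, or None when no rule matches all four attributes."""
    key = tuple(_norm(detection.get(field)) for field in FIELDS)
    return index.get(key)


def classify_all(index, detections):
    """Return [(detection_id, event_or_None), ...] for a batch. Unmatched
    detections are kept in the output so rule coverage can be reviewed."""
    return [(d.get("detection_id"), classify_detection(index, d)) for d in detections]


# Constructed sample detections, shaped only as far as this example needs.
SAMPLE_DETECTIONS = [
    {"detection_id": "constructed-1", "scenario": "Known Malware", "tactic": "Malware",
     "technique": "Ransomware", "objective": "Falcon Detection Method"},
    {"detection_id": "constructed-2", "scenario": "Suspicious Activity", "tactic": "Command and Control",
     "technique": "Remote Access Tools", "objective": "Contact Controlled Systems"},
    # Same tactic/technique as an adware rule but a scenario no row lists: no match.
    {"detection_id": "constructed-3", "scenario": "Suspicious Activity", "tactic": "Machine Learning",
     "technique": "Adware/PUP", "objective": "Falcon Detection Method"},
]

if __name__ == "__main__":
    idx = build_index(RULES)
    for det_id, event in classify_all(idx, SAMPLE_DETECTIONS):
        print(det_id, "->", event or "no matching detection rule")
```

The exact-match on all four attributes is what the article describes: a detection that agrees on tactic and technique but not on scenario (the third sample) is deliberately left unclassified rather than nudged on a partial match, and the duplicate-row check in build_index catches the case where two event tables would otherwise claim the same detection.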
