Integration Guide

For SpyCloud Compass + Crowdstrike Falcon EDR.

🛡️ CrowdStrike Falcon (EDR) — Integration Guide

Use SpyCloud’s post-infection identity evidence to identify malware-infected devices and the credentials/cookies/tokens attackers can exploit. Pair with Crowdstrike Falcon to isolate endpoints, reset/revoke risky artifacts, and reduce MTTR.


✅ Requirements

Licensing & Keys

  • SpyCloud Enterprise Protection license + API key
    • Request via Support in your SpyCloud Portal, then retrieve at portal.spycloud.com/api.
  • CrowdStrike Falcon with Prevent (or higher).
    • Create an API Client in Falcon Console → Support → API Clients and Keys.
    • Store Client ID/Secret securely (the secret is shown once).

Minimum Crowdstrike Falcon Scopes

Permission | Why it’s needed
Read: Devices | Read device metadata for correlation
Read: Device Queries | Search/filter devices by attributes
Write: Devices (Host Isolation) | Contain/release endpoints during response
Device Control | Execute device actions as required
Real-Time Response | Optional: memory dump / forensic collection

🔒 Apply least privilege and review scopes on a regular cadence.


🔍 Matching Criteria (SpyCloud ↔ Crowdstrike Falcon)

SpyCloud correlates Crowdstrike Falcon device/user context to SpyCloud identity/device context using these pairs:

Falcon | SpyCloud
mac_address | mac_address
serial_number | serial_number
device_id | device_id, device_name
hostname | hostname, user_hostname
device_name | device_name, device_id

  • If last_login_user indicates an updated device_id, the new ID is checked. Confidence may be marked low until corroborated.
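The correlation the table describes, as an added illustration that is not SpyCloud’s or CrowdStrike’s code: each Falcon device is compared against each SpyCloud malware record on the listed field pairs, MAC addresses are normalised across separator styles, and a confidence tier is assigned. The tiering (hardware identifier = high, device_id alone = medium, name-only = low) and the sample records are assumptions for the example.

```python
"""Correlate Falcon device records with SpyCloud malware records using the
field pairs in the table above. Sample data below is constructed."""
from dataclasses import dataclass

# Falcon field -> SpyCloud field(s), as listed in the matching-criteria table.
FIELD_PAIRS = {
    "mac_address": ("mac_address",),
    "serial_number": ("serial_number",),
    "device_id": ("device_id", "device_name"),
    "hostname": ("hostname", "user_hostname"),
    "device_name": ("device_name", "device_id"),
}
# Assumed confidence policy (not from the guide): hardware identifiers
# corroborate a match; device_id alone is medium; name-only matches stay low.
HARDWARE_KEYS = {"mac_address", "serial_number"}

def norm(field, value):
    """Case-fold values; for MACs also strip separators so 00:11:22 == 00-11-22."""
    v = str(value or "").strip().lower()
    return v.replace(":", "").replace("-", "").replace(".", "") if field == "mac_address" else v

@dataclass
class Match:
    device_id: str
    log_id: str
    matched_on: list
    confidence: str

def correlate(falcon_devices, spycloud_records):
    matches = []
    for dev in falcon_devices:
        for rec in spycloud_records:
            hits = [f for f, sc_fields in FIELD_PAIRS.items()
                    if norm(f, dev.get(f))
                    and norm(f, dev.get(f)) in {norm(f, rec.get(s)) for s in sc_fields}]
            if not hits:
                continue
            if HARDWARE_KEYS & set(hits):
                conf = "high"
            elif "device_id" in hits:
                conf = "medium"
            else:
                conf = "low"  # hostname/device_name only: await corroboration
            matches.append(Match(dev["device_id"], rec["log_id"], hits, conf))
    return matches

# Constructed sample input: two Falcon hosts, three SpyCloud malware records.
FALCON = [
    {"device_id": "aid-0001", "hostname": "LAPTOP-ALICE", "device_name": "LAPTOP-ALICE",
     "mac_address": "00-11-22-33-44-55", "serial_number": "SN123"},
    {"device_id": "aid-0002", "hostname": "WKS-BOB", "device_name": "WKS-BOB",
     "mac_address": "66-77-88-99-AA-BB", "serial_number": "SN456"},
]
SPYCLOUD = [
    {"log_id": "log-a", "mac_address": "00:11:22:33:44:55", "user_hostname": "laptop-alice"},
    {"log_id": "log-b", "user_hostname": "WKS-BOB"},
    {"log_id": "log-c", "serial_number": "SN999", "user_hostname": "unknown"},
]
```

Running `correlate(FALCON, SPYCLOUD)` yields a high-confidence match for aid-0001 (MAC plus hostname) and a low-confidence, hostname-only match for aid-0002; log-c matches nothing.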

📣 Notifications

  • Email alerts fire when new matches are detected.
  • Sender: [email protected] (display name “SpyCloud Connect”).
  • Each alert includes a CSV attachment with match details.

⏱️ Search Date Range

  • Default search window: last 24 hours of malware/log data tied to managed devices.
  • You can expand the window in the integration settings as needed.

🧰 Optional: Real-Time Response (RTR)

  • Initiate a remote memory dump from Falcon by providing Device ID and a valid file path on the endpoint.
  • You’ll receive an email when the dump completes.
⚠️ Ensure RTR permissions/policies allow the operation and the target path.


🚀 Setup

  1. Accept the invitation
    • You’ll receive an email from SpyCloud with a unique code and registration link.
    • Complete account registration.
  2. Configure Crowdstrike Falcon access
    • Provide Client ID, Client Secret, and API URL in the SpyCloud configuration.
    • Set initial automation options (you can tune later).
  3. Verify & operate
    • Open the dashboard to review matches, configure actions, and manage users/alerts.

🧭 How It Works

Manual review (24-hour spotlight)

Use the integration view to review new malware-sourced records (last 24 hours) matched to your endpoints/users:

  • Download a combined report (SpyCloud + Crowdstrike Falcon fields)
  • Pull user/device details for investigation
  • Contain suspect endpoints (see Endpoint Containment below)
  • Optionally perform memory dump (RTR)

CSV export (what you’ll typically see)

Common fields (exact columns may vary):

  • From Falcon: hostname, os_version, external_ip, mac_address, last_seen, device_id, username
  • From SpyCloud/Compass: log_id, infected_machine_id, infected_path, infected_time, user_sys_domain, user_hostname, user_os
💡 Use these to tie identity artifacts (passwords, cookies, tokens) to a specific endpoint, user, and owner.


🧯 Endpoint Containment

What containment does (Crowdstrike Falcon):

  • The device is isolated from internal resources to stop lateral spread and data exfiltration.
  • It remains connected to CrowdStrike cloud for monitoring/remediation.
  • After remediation, release the device from containment (use the corresponding release action for the same API family).

Automation (recommended)

  • Enable policy-driven isolation when SpyCloud flags a Critical/High identity artifact (e.g., plaintext password, malware-sourced cookies/tokens).
  • Email or route a summary (e.g., to Slack/Jira) with the case link.

Manual path (alternative)

  • Analysts can manually isolate endpoints using the same API call, then track outcome/status in your case/ticket.

🔐 Security Details

  • API credentials are encrypted at rest (AES) and stored in hardened systems.
  • Configurable data visibility: restrict or mask specific fields in event payloads to align with policy.
  • Compliance posture: aligned to SOC 2 Type II and ISO/IEC 27001:2022 domains (security, availability, processing integrity, confidentiality).

Keep credentials rotated and scoped minimally; restrict payload fields to the minimum required for your IR workflow.


🙋 Support

  • Sign in to the SpyCloud Portal and use the Support widget for configuration help, scope adjustments, and best-practice guidance.
  • Include: environment (dev/prod), account ID, and a sample event/time window to speed triage.