To obtain information from CrowdStrike, Banyan relies on service-to-service communication, with the Banyan App relaying the unique identifier of the device's Falcon host within the CrowdStrike tenant.
Because enabling the CrowdStrike Trust Integration involves many moving parts, this article breaks down the critical steps for determining where the issue lies.
Issue with API Credentials
During the initial setup of the CrowdStrike Trust Integration, Banyan requires a successful test connection before the integration can be added. If the test connection fails with the supplied API credentials, try the following:
Check your CrowdStrike API Cloud Environment
- Banyan only supports the US-1 Cloud Environment
- https://falcon.crowdstrike.com/documentation/46/crowdstrike-oauth2-based-apis
Attempt Swagger API Authorization
- Try to authorize the Swagger API documentation with the Client ID and Client Secret from CrowdStrike
- https://assets.falcon.crowdstrike.com/support/api/swagger.html
- Select Authorize
- Enter client_id and client_secret to obtain an OAuth token
Check API Scopes
- Banyan requires Read access for all API scopes
- To check CrowdStrike API Scopes, within the CrowdStrike Falcon Admin Center
- Select Support and Resources
- Under Resources and Tools, select API clients and keys
- Select the Client Name of the API key you are integrating and scroll to view the scopes
Issue with Obtaining a CrowdStrike Factor
There are two points within Banyan that could lead to a factor not being reported: a sync issue, or an identifier collection issue. Let's look at each independently.
Check Banyan App Unique ID Collection
Please check the Banyan documentation for the minimum Banyan App version required to support the CrowdStrike Integration.
CrowdStrike's unique identifier for hosts is known as the Agent ID (AID). To mirror what the Banyan App does when collecting the AID, the following commands can be run locally on the machine:
- For macOS
  - devices running sensor 6.x or higher:
    /Applications/Falcon.app/Contents/Resources/falconctl stats | grep agent
  - devices running a sensor between version 5.36 and 6.x:
    /Library/CS/falconctl stats | grep agent
  - devices running sensor < 5.36 (~3%):
    sysctl cs.sensorid
- For Linux
  sudo /opt/CrowdStrike/falconctl -g --aid
- For Windows
  - Run PowerShell with the following command:
    (((reg query 'HKEY_LOCAL_MACHINE\SYSTEM\CrowdStrike\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\{16e0423f-7058-48c9-a204-725362b67639}\Default') -match 'AG ') -split 'REG_BINARY')[-1].ToLower().Trim()
If the command returns null, then the machine does not have CrowdStrike running.
Check Unique ID Returns Data in the CrowdStrike API
To check that a device's AID is registered in the same CrowdStrike environment as the API key used to integrate with Banyan, do the following:
- Go to the Swagger page for the CrowdStrike US-1 API environment
- Authorize the Swagger page with the API client ID and client secret used within Banyan
  - Select Authorize
  - Enter client_id and client_secret to obtain an OAuth token
- Scroll to the endpoint /devices/entities/devices/v1
- Select 'Try it out' and enter the AID received from the device in the earlier step
If the API returns anything but 200 OK with device information, then the machine is not registered in the CrowdStrike environment linked to Banyan.
Check Unique ID Returns Data for Corresponding Factors
Each factor Banyan integrates with corresponds with an API used within CrowdStrike. All the API endpoints are documented in the CrowdStrike section of Banyan's documentation.
For each factor, do the following:
- Go to the Swagger page for the CrowdStrike US-1 API environment
- Authorize the Swagger page with the API client ID and client secret used within Banyan
  - Select Authorize
  - Enter client_id and client_secret to obtain an OAuth token
- Scroll to the endpoint noted in the Banyan documentation for the specific factor
- Select 'Try it out' and enter the AID received from the device in the earlier step
  - Note: the AID should be trimmed, with dashes removed and in lower case, due to inconsistencies in how CrowdStrike's API accepts identifiers
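The same lookup can be scripted so the AID normalization and the 200-OK check are repeatable. The following is an added example, not Banyan's or CrowdStrike's own code; it assumes the US-1 base URL https://api.crowdstrike.com, the OAuth2 client-credentials token endpoint POST /oauth2/token, the FALCON_CLIENT_ID / FALCON_CLIENT_SECRET environment variable names, and that an AID is 32 hex characters. It goes slightly beyond the single-device step above by accepting several AIDs in one call, which is how the batch sync queries the endpoint.

```python
"""Verify that Falcon Agent IDs resolve in the CrowdStrike tenant behind an API client."""
import json
import os
import re
import sys
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "https://api.crowdstrike.com"  # assumption: US-1 cloud, the only one Banyan supports


def normalize_aid(raw: str) -> str:
    """Apply the article's rule: trim, drop dashes, lower-case.
    Rejects anything that is not 32 hex characters afterwards (assumed AID shape)."""
    aid = raw.strip().replace("-", "").lower()
    if not re.fullmatch(r"[0-9a-f]{32}", aid):
        raise ValueError(f"not a valid AID after normalization: {raw!r}")
    return aid


def classify_lookup(status: int, body: dict, aids: list[str]) -> dict[str, str]:
    """Map one /devices/entities/devices/v1 response to a verdict per AID.
    Anything other than 200 is reported as-is (403 usually means a missing scope)."""
    if status != 200:
        return {a: f"http_{status}" for a in aids}
    found = {r.get("device_id") for r in body.get("resources", [])}
    return {a: "registered" if a in found else "not_in_tenant" for a in aids}


def _get_token(client_id: str, client_secret: str) -> str:
    data = urllib.parse.urlencode({"client_id": client_id, "client_secret": client_secret}).encode()
    req = urllib.request.Request(f"{BASE_URL}/oauth2/token", data=data, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def lookup_devices(client_id: str, client_secret: str, raw_aids: list[str]) -> dict[str, str]:
    """Query the endpoint the article points to with one or many normalized AIDs."""
    aids = [normalize_aid(a) for a in raw_aids]
    query = urllib.parse.urlencode([("ids", a) for a in aids])
    headers = {"Authorization": f"Bearer {_get_token(client_id, client_secret)}"}
    req = urllib.request.Request(f"{BASE_URL}/devices/entities/devices/v1?{query}", headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return classify_lookup(resp.status, json.load(resp), aids)
    except urllib.error.HTTPError as err:
        return classify_lookup(err.code, {}, aids)


if __name__ == "__main__":
    # usage: python check_aid.py <AID> [<AID> ...]   (credentials from env vars, assumed names)
    print(lookup_devices(os.environ["FALCON_CLIENT_ID"], os.environ["FALCON_CLIENT_SECRET"], sys.argv[1:]))
```

A verdict of not_in_tenant for an AID the device itself reported means the host is enrolled in a different CrowdStrike environment than the API client, which is the condition the manual Swagger check above detects.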
If the endpoint noted does not return the expected value detailed in the Banyan documentation, review with your CrowdStrike administrator to ensure the device is reporting correctly. If the result is the same after that validation, open a Banyan Support ticket.
Verify that the CrowdStrike API used for the integration has the proper scope defined
Even if the Banyan console reports that the test connection to CrowdStrike is successful, the API client used may still lack the appropriate permissions. Banyan recommends granting Read access to all available API scopes. This ensures the API client used for the integration supports current and future device factors supported by Banyan.
Issue with Batch Syncing
Banyan syncs device details with CrowdStrike every twenty minutes to stay current with CrowdStrike's data about the linked devices. Batch syncing follows exactly the workflow described above for individual devices; the only difference is that multiple AIDs are passed in the same API call. To obtain the full details of the sync, do the following in the Banyan Console:
- Select Settings > Trust Integrations
- Select the corresponding CrowdStrike implementation
- Select Sync Log
- Select the download icon in the top right corner to download the sync log
Review the information and follow the steps above to investigate any errors identified in the sync log.
If any issue cannot be solved by reviewing the steps above, open a Banyan Support ticket.