
Connect CrowdStrike to Anzenna

This guide walks you through integrating Anzenna with CrowdStrike Falcon to enable comprehensive endpoint security monitoring, device management, and optional remediation capabilities.

Prerequisites

  • CrowdStrike Falcon administrator access
  • Anzenna account with integration permissions
  • Ability to create API clients in CrowdStrike

Overview

The integration enables:

  • Real-time alerts and detections monitoring
  • Device inventory and status tracking
  • Host group and policy management
  • Optional: Remote remediation capabilities via Real Time Response
  • NGSIEM log forwarding

Step-by-Step Instructions

Part 1: Initiate Connection

  1. Log into Anzenna at app.anzenna.ai

  2. Navigate to Settings > Integrations

  3. Find the CrowdStrike integration card

  4. Click Connect to CrowdStrike. You'll be redirected to the CrowdStrike Falcon login

Part 2: Create API Client in CrowdStrike

  1. Log into your CrowdStrike Falcon console

  2. Click the Menu icon (☰)

  3. Navigate to Support and resources

  4. Select API clients and keys

  5. Click Create API client

  6. Enter the client name: Anzenna

Part 3: Configure API Permissions

Grant the API client the following scopes. NGSIEM Write is the only write permission in this baseline set; it is needed so Anzenna can forward logs into Next-Gen SIEM.

Scope | Permission | Purpose
--- | --- | ---
Alerts | Read | Monitor security alerts
Detections | Read | Access detection events
Hosts | Read | View device inventory
Device Control Policies | Read | Check policy configurations
Host Groups | Read | Monitor device groupings
User Management | Read | User attribution
NGSIEM | Read/Write | Log forwarding

  1. In the scopes list on the Create API client page, tick each scope and permission shown in the table

Part 4: Optional Remediation Permissions

If you want Anzenna to perform automated remediations, also grant:

  1. Hosts permission: Write (in addition to Read); network containment of a host requires this

  2. Host Groups permission: Write (in addition to Read); this lets Anzenna add hosts to and remove hosts from groups

Part 5: Enable Real Time Response

  1. Find Real Time Response in the scopes list

  2. Grant Read access

  3. Grant Write access

  4. Find Real Time Response (admin) in the scopes list

  5. Grant Write access for probe capabilities

Real Time Response

RTR capabilities allow Anzenna to execute remote commands and scripts on endpoints for investigation and remediation. Real Time Response (admin): Write is the permission behind put, run and custom scripts; combined with the response policy settings in Part 8, it gives the API client the ability to run arbitrary commands on every host those policies cover. Grant it only if you intend to use Anzenna for remediation, and protect the client secret as you would any credential with that reach.
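As an added example (not Anzenna's or CrowdStrike's code), the following script encodes the scope requirements from Parts 3 to 5 and audits the scopes actually ticked on an API client against the features you intend to use. It reports missing scopes and, separately, excess scopes that let the client change or execute code on endpoints, which are the ones to remove first. The feature labels `containment` and `rtr`, the function names and the constructed input in the `__main__` block are assumptions of this example, not names used by either product.

```python
"""Least-privilege scope audit for the Anzenna API client (added example).

Scope names and the feature-to-scope mapping come from this guide; the feature
labels "containment" and "rtr" are hypothetical names used only in this script.
"""

# Part 3: baseline scopes every connection needs.
BASELINE = {
    "Alerts": {"Read"},
    "Detections": {"Read"},
    "Hosts": {"Read"},
    "Device Control Policies": {"Read"},
    "Host Groups": {"Read"},
    "User Management": {"Read"},
    "NGSIEM": {"Read", "Write"},
}

# Parts 4 and 5: optional bundles, keyed by hypothetical feature labels.
OPTIONAL = {
    "containment": {"Hosts": {"Write"}, "Host Groups": {"Write"}},
    "rtr": {
        "Real Time Response": {"Read", "Write"},
        "Real Time Response (admin)": {"Write"},
    },
}

# Permissions that let the client change state on, or run code on, endpoints.
HIGH_RISK = {
    ("Hosts", "Write"),
    ("Host Groups", "Write"),
    ("Real Time Response", "Write"),
    ("Real Time Response (admin)", "Write"),
}


def _pairs(table):
    """Flatten {scope: {perm, ...}} into a set of (scope, perm) tuples."""
    return {(scope, perm) for scope, perms in table.items() for perm in perms}


def required_scopes(features=()):
    """Minimal (scope, permission) set for the baseline plus the chosen features."""
    needed = _pairs(BASELINE)
    for feature in features:
        needed |= _pairs(OPTIONAL[feature])  # KeyError on a typo is intentional
    return needed


def audit(granted, features=()):
    """Compare the scopes ticked on the API client with what the features need.

    granted: iterable of (scope, permission) tuples copied from the Falcon console.
    Returns the missing scopes, the excess scopes, and the subset of excess scopes
    that are high risk.
    """
    have = set(granted)
    need = required_scopes(features)
    excess = have - need
    return {
        "missing": need - have,
        "excess": excess,
        "excess_high_risk": excess & HIGH_RISK,
    }


def report(result):
    """Render an audit result as text, one finding per line."""
    lines = []
    for key, label in (("missing", "MISSING"), ("excess_high_risk", "REMOVE"), ("excess", "EXCESS")):
        for scope, perm in sorted(result[key]):
            if key == "excess" and (scope, perm) in result["excess_high_risk"]:
                continue  # already listed under REMOVE
            lines.append(f"{label}: {scope}: {perm}")
    return "\n".join(lines) or "OK: scopes match the selected features"


if __name__ == "__main__":
    # Constructed input: a read-only client on which RTR admin was also ticked.
    ticked = _pairs(BASELINE) | {("Real Time Response (admin)", "Write")}
    print(report(audit(ticked, features=())))
    print("---")
    print(report(audit(ticked, features=("rtr",))))
```

Run it with the scopes copied from the Edit API client page as `granted`; a client that is meant to be monitoring-only should produce an empty REMOVE list, and a client meant for remediation should produce an empty MISSING list before you paste its credentials into Anzenna.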

Part 6: Save and Copy Credentials

  1. Click Save to create the API client

  2. Copy the Client ID immediately

  3. Paste the Client ID into the Anzenna integration form

  4. Return to CrowdStrike

  5. Copy the Client Secret (it is shown only once; if you lose it, reset the secret on the API client and update Anzenna with the new value)

  6. Paste the Client Secret into Anzenna's secret field

  7. In Anzenna, click Save to establish the connection

Part 7: Configure Device Control Policies

  1. In CrowdStrike, navigate to Configuration > Device Control

  2. Select your Windows policy

  3. Enable Enhanced file metadata detection

    This provides visibility into potential exfiltration activities

  4. Select your Mac policy

  5. Enable Enhanced file metadata detection

  6. Click Save for both policies

Part 8: Configure Response Policies

Enable Real Time Response for all operating systems:

For Mac Policy

  1. Navigate to Host setup and management > Response policies

  2. Select your Mac policy

  3. Enable Real Time Response

  4. Enable Custom Scripts

  5. Enable Put, Run, Put-and-run commands

  6. Click Save

For Windows Policy

  1. Select your Windows policy

  2. Enable Real Time Response

  3. Enable Custom Scripts

  4. Enable Put, Run, Put-and-run commands

  5. Click Save

For Linux Policy

  1. Select your Linux policy

  2. Enable Real Time Response

  3. Enable Custom Scripts

  4. Enable Put, Run, Put-and-run commands

  5. Click Save

Verification

After completing setup, verify the integration:

  1. Return to Anzenna > Integrations

  2. Confirm CrowdStrike shows as Connected

  3. Navigate to Anzenna's Endpoints dashboard

  4. Verify devices from CrowdStrike are appearing

  5. Check that recent alerts and detections are visible

You're All Set!

The CrowdStrike integration is now active for every operating system whose device control and response policies you updated in Parts 7 and 8.

What Data is Collected

Security Events

  • Real-time detections
  • Security alerts
  • Threat intelligence indicators
  • Incident details

Device Information

  • Endpoint inventory
  • OS versions and patch levels
  • Installed software
  • Network information
  • Device health status

Policy Data

  • Device control policies
  • Prevention policies
  • Response policies
  • Host group assignments

User Data

  • User logins
  • Account information
  • Activity attribution

Remediation Capabilities

With write permissions enabled, Anzenna can:

  • Isolate endpoints - Network isolation for containment

  • Execute scripts - Run remediation scripts via RTR

  • Collect forensic data - Gather evidence from endpoints

  • Modify host groups - Dynamic device management

  • Kill processes - Terminate malicious processes

  • Delete files - Remove threats

Troubleshooting

Connection Fails

"Invalid credentials" error:

  • Verify Client ID was copied correctly
  • Ensure Client Secret is complete
  • Check API client is enabled in CrowdStrike
  • Confirm client wasn't deleted/revoked

Missing Data

No devices showing in Anzenna:

  • Wait 15-30 minutes for initial sync
  • Verify Hosts Read permission is granted
  • Check that devices are online in CrowdStrike
  • Ensure the API client belongs to the Falcon cloud that hosts your tenant (for example US-1, US-2, EU-1 or US-GOV-1); each cloud has its own API endpoint and rejects credentials issued by another

Remediation Not Working

Cannot execute remote actions:

  • Verify Real Time Response is enabled in the response policy for the host's operating system (Part 8)
  • Check that both Real Time Response Read and Write permissions are granted on the API client
  • Ensure Real Time Response (admin) Write is granted
  • Verify the Custom Scripts option is enabled in the response policy

Permission Errors

Anzenna reports 403 Forbidden from the Falcon API:

A 403 means the token was accepted but the API client lacks the scope the requested endpoint needs (a 401, by contrast, means the token itself was rejected).

  • Review all granted scopes match requirements
  • Regenerate API credentials if needed
  • Check that NGSIEM read/write is enabled
  • Verify user management read permission
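To turn the Verification and Troubleshooting steps above into a repeatable check, here is an added example (not Anzenna's or CrowdStrike's code) that exchanges the Client ID and Secret for a token at the Falcon OAuth2 endpoint and then issues one read-only query per scope from the Part 3 table, classifying each response as working, missing scope (403), rejected token (401) or rate limited. Assumptions of this example: the US-1 base URL (change it for US-2, EU-1 or US-GOV-1), the pairing of each probe path with the scope that protects it, and the `FALCON_CLIENT_ID` / `FALCON_CLIENT_SECRET` environment variable names. The `transport` parameter exists so the logic can be exercised offline with canned responses.

```python
"""Preflight check of an Anzenna API client against the Falcon API (added example).

Not Anzenna's or CrowdStrike's code. Assumes the US-1 base URL and that each
probe path is protected by the scope named beside it. The default transport
performs real HTTPS requests; pass a fake transport to run offline.
"""
import json
import os
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "https://api.crowdstrike.com"  # assumption: US-1 cloud

# One cheap read-only query per scope from Part 3; limit=1 keeps responses small.
PROBES = [
    ("Hosts: Read", "/devices/queries/devices/v1?limit=1"),
    ("Alerts: Read", "/alerts/queries/alerts/v2?limit=1"),
    ("Detections: Read", "/detects/queries/detects/v1?limit=1"),
    ("Host Groups: Read", "/devices/queries/host-groups/v1?limit=1"),
    ("Device Control Policies: Read", "/policy/queries/device-control/v1?limit=1"),
    ("User Management: Read", "/user-management/queries/users/v1?limit=1"),
]


def urllib_transport(method, url, headers, body=None):
    """Real HTTP transport. Returns (status, decoded JSON body or {})."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        try:
            return err.code, json.loads(err.read() or b"{}")
        except ValueError:
            return err.code, {}


def get_token(client_id, client_secret, transport, base_url=BASE_URL):
    """OAuth2 client-credentials exchange. Returns the bearer token or None."""
    body = urllib.parse.urlencode(
        {"client_id": client_id, "client_secret": client_secret}).encode()
    status, payload = transport(
        "POST", base_url + "/oauth2/token",
        {"Content-Type": "application/x-www-form-urlencoded",
         "Accept": "application/json"}, body)
    if status not in (200, 201):
        return None
    return payload.get("access_token")


def classify(status):
    """Map the HTTP status of a probe to the troubleshooting entry it matches."""
    if status == 200:
        return "ok"
    if status == 401:
        return "token rejected (revoked client, or wrong cloud base URL)"
    if status == 403:
        return "scope missing"
    if status == 429:
        return "rate limited, retry later"
    return f"unexpected HTTP {status}"


def preflight(client_id, client_secret, transport=urllib_transport, base_url=BASE_URL):
    """Run every probe. Returns {probe name: classification}."""
    token = get_token(client_id, client_secret, transport, base_url)
    if token is None:
        return {"auth": "credentials rejected: check Client ID, Client Secret and cloud base URL"}
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    results = {"auth": "ok"}
    for name, path in PROBES:
        status, _ = transport("GET", base_url + path, headers)
        results[name] = classify(status)
    return results


def missing_scopes(results):
    """Names of scopes whose probe came back 403, i.e. what to add in Part 3."""
    return sorted(name for name, verdict in results.items() if verdict == "scope missing")


if __name__ == "__main__":
    cid = os.environ.get("FALCON_CLIENT_ID")
    secret = os.environ.get("FALCON_CLIENT_SECRET")
    if not cid or not secret:
        raise SystemExit("set FALCON_CLIENT_ID and FALCON_CLIENT_SECRET")
    for name, verdict in preflight(cid, secret).items():
        print(f"{name:32} {verdict}")
```

Run it before saving the integration in Anzenna and again after any scope change: an `auth` line other than `ok` corresponds to the "Invalid credentials" entry above, and every `scope missing` line names the exact row of the Part 3 table to tick.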

Security Considerations

  • API credentials - Store the Client ID and Secret in a secrets manager; never share them or commit them to source control

  • Least privilege - Grant the write and Real Time Response scopes only if you will use Anzenna's remediation features

  • Audit logging - All actions logged in both systems

  • Credential rotation - Rotate API keys annually: reset the secret on the API client in Falcon, then paste the new secret into Anzenna's secret field

  • Scope review - Audit permissions quarterly

Best Practices

  1. Test remediation - Start with read-only, add write later

  2. Monitor initial sync - Watch for any errors during first sync

  3. Set up alerts - Configure Anzenna alerts for critical detections

  4. Document setup - Save API client details securely

  5. Regular reviews - Audit integration health monthly

  6. Update policies - Keep device control policies current

  7. Train team - Ensure SOC knows integration capabilities

Integration Maintenance

Monitoring Health

  • Anzenna integration status indicator
  • Last successful sync timestamp
  • Error logs if any issues occur

Credential Expiration

CrowdStrike API clients don't expire by default, but:

  • Implement annual credential rotation
  • Monitor for API client deletion
  • Set up alerts for connection failures

Updating Permissions

  1. Edit the API client in CrowdStrike
  2. Modify scope permissions
  3. No reconnection needed in Anzenna (the Client ID and Secret are unchanged)
  4. Changes apply to the next access token Anzenna obtains; a token already issued keeps its old scopes until it expires, which for Falcon OAuth2 tokens is within 30 minutes

Need help? Contact Anzenna Support for assistance.