
Data Manager - Falcon Adapter

Assets Data Manager for Jira Service Management Cloud is currently rolling out in Open Beta and will be available to all Premium + Enterprise sites by end of October 2024.

Introduction

Falcon is CrowdStrike's Endpoint Detection and Response (EDR) platform. Its sensor monitors the devices it is installed on for signs of malicious activity and helps contain the threats it finds.

The Falcon Adapter uses an API connection to bring Falcon's host inventory into Assets Data Manager.

How do I connect this tool to Assets Data Manager?

This task requires Data Manager Adapters admin permissions to complete. See how permissions and roles work in Data Manager.


Follow this procedure to connect this tool to Assets Data Manager using the custom-built Adapter:

  1. Gather all of the information listed in the Data Manager Fields section, such as the Name, Object class, Data Source Name, and Data Source Type.

  2. Gather all of the information in the Falcon Fields section - this may require consultation with the subject matter expert (SME) for Falcon.

  3. Within Data Manager:

    1. Create a new job by selecting the Adapter that matches your tool.

    2. Configure all of the required fields with the appropriate information.

  4. Within Falcon:

    1. Follow the steps in the Authentication and Authorization section below to create the API client the adapter will use.

    2. Review the information in the API Call section below to understand the calls the adapter makes.

    3. Review the information in the Fields Retrieved section, below.

Each time this job runs, the data you have selected is brought into Data Manager through the configured Adapter and becomes raw data.

Data Manager Fields

You will need to specify the following information from Assets Data Manager:

  1. Name - the name of the connection, visible as the job name in Adapters.

  2. Object Class - the name of the Object Class you want the data to be loaded into.

  3. Data Source Name - the type of data being created, which is usually the tool name, e.g. AD, Qualys. Note: this can be the same as Name.

  4. Data Source Type - what type of data is the tool providing? For example, Assets, CMDB, user location and more.

Falcon Fields

You will need to specify the following information from Falcon:

  1. API URL: the base URL of the Falcon API for your CrowdStrike cloud region, for example https://api.crowdstrike.com (US-1) or https://api.eu-1.crowdstrike.com (EU-1). A client ID and secret are only valid against the cloud they were created in.

  2. Client ID: the Client ID generated when the API client is created in the CrowdStrike console.

  3. Client Secret: the secret string generated together with the Client ID. Treat it as a credential: keep it in a secrets store rather than in a ticket or wiki page, and rotate it from the console if it is ever exposed.

  4. API Limit: the page size of API results, i.e. how many records each request returns to Data Manager for transfer to the back-end staging database.

By default, the API limit is 5000, the maximum the devices-scroll endpoint accepts. If the source holds a large number of devices, the best practice is to start with a page size of 1000; it can be adjusted anywhere between 1 and 5000 until results return successfully. A smaller page means more requests for the same total, so lower it to cure timeouts or oversized responses, not to reduce API usage.

Authentication and Authorization

  1. In the Falcon console, create a dedicated API client for this integration. One client per integration keeps its access scoped to what that integration needs and lets you revoke it without affecting anything else.

  2. From the API Clients and Keys page, click Add new API client in the OAuth2 API Clients table.

  3. Provide details to define your API client: Client Name (required), Description (optional) and API scopes. The adapter only reads host data, so grant Hosts: Read and nothing else.

  4. Click Add to save the API client and generate the client ID and secret. Copy the secret at this point; the console displays it only at creation.

API Call

The Falcon API scope these calls require is Hosts: Read.

  1. The Adapters Client directly calls the API to retrieve a list of resources (Devices).

    1. API: {api-url}/devices/queries/devices-scroll/v1?limit={apiLimit}

    2. Method: GET

    3. Response: meta (query_time, pagination, powered_by, trace_id), resources (a list of device ID strings) and errors. The pagination object carries the offset token for the next page; the adapter repeats the call with offset={meta.pagination.offset} until no further token is returned.

  2. It then uses the resources (device IDs) to call the API and retrieve device information.

    1. API: {api-url}/devices/entities/devices/v2

    2. Method: POST, with a JSON body of the form {"ids": [...]} containing the device IDs from step 1.

    3. Response: resources is a list of device objects; see the Fields Retrieved section below.
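The two calls above, together with the OAuth2 token request that must precede them, as an added Python example. This is not Assets Data Manager's adapter code or CrowdStrike's SDK. Beyond what the page states, it assumes Falcon's standard client-credentials token endpoint (POST {api-url}/oauth2/token with the client ID and secret as form fields) and that each further devices-scroll page is fetched by passing meta.pagination.offset back as the offset query parameter. fake_falcon, SAMPLE_HOSTS and the host names are constructed stand-ins so the flow runs offline; the client accepts an injected http callable for that reason, and falls back to urllib over HTTPS when none is given.

```python
# Added example (not Assets Data Manager or CrowdStrike code). Assumed: the token endpoint
# POST {api-url}/oauth2/token; http(method, url, headers, body) is injected to run offline.
import json
import urllib.parse
import urllib.request


class FalconError(RuntimeError):
    """The API answered with a non-empty `errors` list."""


class FalconAdapter:
    def __init__(self, api_url, client_id, client_secret, api_limit=5000, http=None):
        if not 1 <= api_limit <= 5000:            # page size the adapter accepts
            raise ValueError("API Limit must be between 1 and 5000")
        self.api_url = api_url.rstrip("/")        # region base URL, e.g. https://api.crowdstrike.com
        self.client_id, self.client_secret = client_id, client_secret
        self.api_limit, self.http, self._token = api_limit, http or self._urllib_http, None

    @staticmethod
    def _urllib_http(method, url, headers, body):
        req = urllib.request.Request(url, data=body.encode() if body else None,
                                     method=method, headers=headers)
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.loads(resp.read().decode())

    @staticmethod
    def _check(doc):
        if doc.get("errors"):
            raise FalconError(doc["errors"])
        return doc

    def _headers(self, **extra):
        """Bearer token via the client-credentials grant; the secret is sent only here."""
        if self._token is None:                   # no expiry handling; tokens last about 30 min
            form = urllib.parse.urlencode({"client_id": self.client_id,
                                           "client_secret": self.client_secret})
            doc = self._check(self.http("POST", f"{self.api_url}/oauth2/token",
                {"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"}, form))
            self._token = doc["access_token"]
        return {"Authorization": f"Bearer {self._token}", "Accept": "application/json", **extra}

    def device_ids(self):
        """Step 1: GET devices-scroll, following meta.pagination.offset until it is empty."""
        ids, offset = [], None
        while True:
            query = {"limit": self.api_limit, **({"offset": offset} if offset else {})}
            url = f"{self.api_url}/devices/queries/devices-scroll/v1?{urllib.parse.urlencode(query)}"
            doc = self._check(self.http("GET", url, self._headers(), None))
            page = doc.get("resources", [])
            ids.extend(page)
            offset = doc.get("meta", {}).get("pagination", {}).get("offset")
            if not page or not offset:            # last page: no scroll token (or nothing returned)
                return ids

    def device_details(self, ids):
        """Step 2: POST the IDs, api_limit per request, to /devices/entities/devices/v2."""
        devices = []
        for i in range(0, len(ids), self.api_limit):
            body = json.dumps({"ids": ids[i:i + self.api_limit]})
            doc = self._check(self.http("POST", f"{self.api_url}/devices/entities/devices/v2",
                                        self._headers(**{"Content-Type": "application/json"}), body))
            devices.extend(doc.get("resources", []))
        return devices


# Constructed sample responses (not real hosts) standing in for the Falcon cloud.
SAMPLE_HOSTS = {
    "aaa111": {"device_id": "aaa111", "hostname": "web-01", "platform_name": "Linux"},
    "bbb222": {"device_id": "bbb222", "hostname": "laptop-07", "platform_name": "Windows"},
    "ccc333": {"device_id": "ccc333", "hostname": "mac-03", "platform_name": "Mac"},
}


def fake_falcon(method, url, headers, body):
    parts = urllib.parse.urlparse(url)
    query = urllib.parse.parse_qs(parts.query)
    if parts.path == "/oauth2/token":
        if urllib.parse.parse_qs(body).get("client_secret") != ["s3cret"]:
            return {"errors": [{"code": 403, "message": "access denied"}]}
        return {"access_token": "tok", "expires_in": 1799, "errors": []}
    if parts.path == "/devices/queries/devices-scroll/v1":
        all_ids = sorted(SAMPLE_HOSTS)            # real scroll tokens are opaque; an index stands in
        start, limit = int(query.get("offset", ["0"])[0]), int(query["limit"][0])
        nxt = str(start + limit) if start + limit < len(all_ids) else ""
        return {"meta": {"pagination": {"offset": nxt, "total": len(all_ids)}},
                "resources": all_ids[start:start + limit], "errors": []}
    if parts.path == "/devices/entities/devices/v2":
        ids = json.loads(body)["ids"]
        return {"resources": [SAMPLE_HOSTS[i] for i in ids if i in SAMPLE_HOSTS], "errors": []}
    return {"errors": [{"code": 404, "message": "not found"}]}


def run_sample(api_limit=2, secret="s3cret"):
    adapter = FalconAdapter("https://api.crowdstrike.com", "abc123", secret, api_limit, http=fake_falcon)
    return [host["hostname"] for host in adapter.device_details(adapter.device_ids())]


def bad_secret_rejected():
    try:
        run_sample(secret="wrong")
    except FalconError:
        return True
    return False
```

With api_limit=2 the sample walks two scroll pages and two detail batches and still yields every host once; with 5000 it needs one request each. A non-empty errors list raises instead of being treated as an empty page, which is what a wrong secret, a client from another cloud region, or a client missing the Hosts: Read scope looks like in practice, and what you want a scheduled job to surface rather than silently load zero devices.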

Fields Retrieved

The following fields are retrieved:

DeviceId, Cid, AgentLoadFlags, AgentLocalTime, AgentVersion, BiosManufacturer, BiosVersion, ConfigIdBase, ConfigIdBuild, ConfigIdPlatform, CpuSignature, ExternalIp, MacAddress, InstanceId, ServiceProvider, ServiceProviderAccountId, Hostname, FirstSeen, LastSeen, LocalIp, MajorVersion, MinorVersion, OsVersion, PlatformId, PlatformName, ReducedFunctionalityMode,
PreventionPolicyId, PreventionApplied, PreventionSettingsHash, PreventionAssignedDate, PreventionAppliedDate,
SensorUpdatePolicyId, SensorUpdateApplied, SensorUpdateSettingsHash, SensorUpdateAssignedDate, SensorUpdateAppliedDate, SensorUpdateUninstallProtection,
DeviceControlPolicyId, DeviceControlApplied, DeviceControlAssignedDate, DeviceControlAppliedDate,
GlobalConfigPolicyId, GlobalConfigApplied, GlobalConfigSettingsHash, GlobalConfigAssignedDate, GlobalConfigAppliedDate,
RemoteResponsePolicyId, RemoteResponseApplied, RemoteResponseSettingsHash, RemoteResponseAssignedDate, RemoteResponseAppliedDate,
AirlockPolicyId, AirlockApplied, AirlockSettingsHash, AirlockAssignedDate, AirlockAppliedDate, AirlockVersion,
FirewallPolicyId, FirewallApplied, FirewallAssignedDate, FirewallAppliedDate, FirewallRuleSetId,
Groups, GroupHash, ProductTypeDesc, SerialNumber, Status, SystemManufacturer, SystemProductName, Tags, ModifiedTimestamp, QueryTime, PoweredBy, TraceId, Version, VersionString, ZoneGroup, KernelVersion, ChassisType, ChassisTypeDesc, ConnectionIp, DefaultGatewayIp, ConnectionMacAddress, LinuxSensorMode, DeploymentType, ProvisionStatus, BuildNumber, OsBuild, Ous,
ManagedAppsAirlockPolicyId, ManagedAppsAirlockApplied, ManagedAppsAirlockSettingsHash, ManagedAppsAirlockAssignedDate, ManagedAppsAirlockAppliedDate, ManagedAppsAirlockVersion,
ProductType, ServicePackMinor, PointerSize, SiteName, OsProductName, LastReboot, MachineDomain, ServicePackMajor, DetectionSuppressionStatus
