Troubleshooting Guide
Overview
This document lists common issues that you may encounter with the CrowdStrike integration and how to resolve them.
Common Issues and Resolutions
❓ The CrowdStrike integration activation is failing
Activation may fail due to invalid credentials used to communicate with the CrowdStrike Falcon platform. Ensure both the Account Credentials (to make API calls) and FDR Credentials (for collecting Network Telemetry) are valid and have the appropriate permissions:
- Account Credentials: Validate ClientId, Secret, and Region in the CrowdStrike Console at:
  Support and resources > Resources and tools > API clients and keys
  Refer to the CrowdStrike OAuth2 Based APIs documentation for details about API credentials.
- FDR Credentials: Validate ClientId, Secret, Storage Region, and Notification URL at:
  Support and resources > Resources and tools > Falcon Data Replicator
  Refer to the Falcon Data Replicator documentation for details about FDR credentials.
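To check the Account Credentials independently of Xshield, the following added example (not part of the original guide or of either vendor's tooling) requests an OAuth2 token from the Falcon API for the chosen Region and reports whether the ClientId/Secret pair was accepted. The `FALCON_*` environment variable names are assumptions; the check confirms authentication only, not API scopes, and does not cover the FDR credentials.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request

# Falcon API base URL per cloud region (the Region value of the API client).
BASE_URLS = {
    "us-1": "https://api.crowdstrike.com",
    "us-2": "https://api.us-2.crowdstrike.com",
    "eu-1": "https://api.eu-1.crowdstrike.com",
    "us-gov-1": "https://api.laggar.gcw.crowdstrike.com",
}

def build_token_request(client_id, secret, region):
    """Build the OAuth2 client-credentials request for the given region."""
    base = BASE_URLS.get(region.strip().lower())
    if base is None:
        raise ValueError(f"unknown region {region!r}; expected one of {sorted(BASE_URLS)}")
    body = urllib.parse.urlencode({"client_id": client_id, "client_secret": secret})
    return urllib.request.Request(
        base + "/oauth2/token", data=body.encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"})

def classify(status, raw):
    """Turn the token endpoint's answer into a verdict without echoing the token."""
    try:
        doc = json.loads(raw or b"{}")
    except ValueError:
        doc = {}
    if status in (200, 201) and isinstance(doc, dict) and doc.get("access_token"):
        return "valid"
    if status in (400, 401, 403):
        return "rejected"    # the endpoint refused this ClientId/Secret
    return "unexpected"      # redirect, rate limit, 5xx, proxy page: check Region and egress

def check_credentials(client_id, secret, region, opener=urllib.request.urlopen):
    """Request a token; `opener` is injectable so the logic can be tested offline."""
    req = build_token_request(client_id, secret, region)
    try:
        with opener(req, timeout=15) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read())

if __name__ == "__main__":  # FALCON_* variable names are assumptions
    env = os.environ
    print(check_credentials(env["FALCON_CLIENT_ID"], env["FALCON_CLIENT_SECRET"], env["FALCON_REGION"]))
```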
❓ CrowdStrike Host Groups did not get imported
Host Groups should be imported within 5 minutes of activation. If not:
- Check the Host Group Sync Work Request in Xshield: Monitoring → System Tasks
  - If Status = In Progress: Wait (can take up to 10 minutes).
  - If Status = Cancelled: Review the task logs.
  - If Status = Completed and Host Groups are still missing: verify their existence in the CrowdStrike Console.
- Ensure Host Groups exist in CrowdStrike: Host Groups Management
❓ CrowdStrike Hosts are not imported into Xshield as Assets
Host import should complete within 5 minutes of the start of the sync operation. If Xshield Assets are not visible:
- Check the Hosts Sync Work Request in Xshield: Monitoring → System Tasks
  - If Status = In Progress: Wait (can take up to 10 minutes).
  - If Status = Cancelled: Review the task logs.
  - If Status = Completed but no assets show up: ensure Host Groups contain active hosts.
- Verify in the CrowdStrike Console that the activated Host Groups have active members: Host Management
❓ Firewall Host Groups (Segments) from Xshield are not getting created as Host Groups on the CrowdStrike platform
When a Segment is created in Xshield:
- A new Host Group (format: CT_{SEGMENT NAME}_{ID}) should be created in CrowdStrike.
- Hosts matching the segment criteria (on Xshield) should be added to this group (on CrowdStrike).

- Check Firewall Host Group Membership Sync Work Request in Xshield: Monitoring → System Tasks
  - If Status = In Progress: Wait (up to 10 minutes).
  - If Status = Cancelled: Review System Task logs.
  - If Status = Completed but hosts are not visible in CrowdStrike:
    - Raise a support ticket with us
- Confirm the host group is created and populated in CrowdStrike: Firewall Host Groups
❓ The Firewall Policy is not syncing from Xshield to CrowdStrike
When an Xshield Segment is assigned a set of Policy Templates, they are translated into a Firewall Policy and a set of Rule Groups on the CrowdStrike platform.
- A policy (CT_{SEGMENT NAME}_{ID}) is created in CrowdStrike with two Rule Groups (inbound and outbound).
- Rules are added based on the selected template.

- Check Firewall Policy Sync Work Request in Xshield: Monitoring → System Tasks
  - If Status = In Progress: Wait up to 2 minutes.
  - If Status = Cancelled: Review System Task logs.
  - If Status = Completed but policy is not visible:
    - Raise a support ticket with us
- Verify the policy in CrowdStrike: Firewall Policies
  Click the policy and navigate to the Rules Summary tab to see all configured rules.
  To verify if the policy is applied to agents, check the Last Updated and Applied Hosts columns in CrowdStrike.