Lab Setup for CrowdStrike Integration

Basic Lab Setup

Please refer to the basic Xshield Lab setup guide for the base setup.

Basic Lab Environment Setup

Pre-requisites

  1. Azure tenant with subscription to create virtual machines, resource groups and security groups
  2. CrowdStrike API credentials and CrowdStrike FDR credentials to register the virtual machines in CrowdStrike

Deploying CrowdStrike Lab

In this lab setup, we will deploy a CrowdStrike environment to demonstrate the integration between Xshield and CrowdStrike. The setup creates two virtual machines (VMs) in your Azure tenant and installs the CrowdStrike agent on them. The VMs are configured to generate traffic on specific ports to simulate real-world scenarios. (The number of VMs is configured in crowdstrike_lab.yaml, and the traffic and ports in crowdstrike_lab_traffic.yaml; both files are in /etc/colortokens/config/lab_data on the lab VM.)

Follow the below steps to get started with the lab setup:

Steps to deploy CrowdStrike Lab Environment

  1. Generate API keys on CrowdStrike:

Generate API credentials from the CrowdStrike UI with the below permissions. Grant only these scopes: the client is used for sensor download, host registration and host group management, and a broader scope adds exposure without adding function.

  • Read: Installation Tokens, Sensor Download, Sensor Update Policies, Firewall Management, Host groups, Hosts
  • Write: Sensor Update Policies, Firewall Management, Host Groups, Hosts

Follow Generating API Credentials on CrowdStrike UI for instructions to generate API credentials.

  2. Generate FDR Credentials on CrowdStrike: Follow Generating FDR Credentials on CrowdStrike UI for instructions.
important

The CrowdStrike API and FDR credentials will be used in the next steps to deploy the lab environment; note them down and handle them as you would any production secret.

  3. Authenticate with your Azure tenant:
  • On the Lab machine, run az login and follow the prompts to authenticate with your Azure tenant
  • The CLI lists the tenants and subscriptions you have access to; select the subscription and tenant you want to use. If the wrong subscription is active, switch with az account set --subscription <subscription_id>; az account show prints the active subscription id and tenantId
important

Note down the subscription id and tenant id; they are used in the next step

  4. Edit the terraform file: Navigate to the /etc/colortokens/lab/crowdstrike/azurevms directory and update the terraform.tfvars.json file with your Azure values. You will have to perform this with sudo permissions. (A terraform script uses these values to create the virtual machines in your Azure tenant.) The file holds the VM admin password in clear text, so keep it readable by root only.
sudo vim terraform.tfvars.json
{
"subscription_id": "<Enter your subscription_id>",
"resource_group_name": "<New or existing resource_group_name>",
"location": "<location of the resource_group>",
"vnet_name": "<Enter vnet_name>",
"subnet_name": "<Enter subnet_name>",
"security_group_name": "<Enter security_group_name>",
"vm_size": "Standard_B2s",
"admin_username": "<Enter admin_username for the VMs>",
"admin_password": "<Enter admin_password for the VMs>",
"os_disk_size_gb": 128,
"owner_email": "<Enter owner_email>"
}
  5. Deploy the CrowdStrike lab environment using Xshield Lab
tip

Before deploying the lab environment, you may customize the lab by editing the crowdstrike_lab.yaml and crowdstrike_lab_traffic.yaml files in the /etc/colortokens/lab/crowdstrike directory.

  • Make sure you are in the directory with the xshield_lab.py script.
  • Run the following commands to activate the python virtual environment and launch the Xshield lab tool
  • If the python virtual environment was already activated during the installation steps, just launch the Xshield lab tool
cd lab/
source .venv/bin/activate
python3 xshield_lab.py

You'll see the below menu:

Welcome to the Xshield Lab Environment setup tool.


Please select an option:
1. Create Lab Environment for Server Segmentation
2. Create Lab Environment for Container Segmentation
3. Create Lab Environment for Gatekeeper
4. Create Lab Environment for User Segmentation
5. Create Lab Environment for CrowdStrike Integration
6. Create Lab Environment for Cloud Segmentation (Beta)
7. Customize Lab Environment
8. Remove Lab Environment
9. Remove Docker Images
10. Exit
  6. Select 5. Create Lab Environment for CrowdStrike Integration

You will be prompted for the CrowdStrike API and FDR credentials; enter the values you noted down earlier:

clientId: <Enter CrowdStrike API client ID>
clientSecret: <Enter CrowdStrike API client secret>
region: <Enter CrowdStrike API region>
accessKey: <Enter CrowdStrike FDR client ID>
secretKey: <Enter CrowdStrike FDR client secret>
sqsURI: <Enter CrowdStrike FDR SQS URI>
location: <Enter CrowdStrike FDR location>
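The terraform.tfvars.json edit is the step where a typo or a forgotten placeholder costs a failed terraform run, and the file stores the VM admin password in clear text. The following pre-flight checker is an added example for this page (it is not part of Xshield or the lab tool): it rejects leftover "<Enter ...>" placeholders, checks that subscription_id is a GUID, applies Azure's Windows VM admin username and password rules (the reserved-name list is a subset), and warns when the file is readable by group or other. The default path, the sample filled-in values and the e-mail check are assumptions.

```python
#!/usr/bin/env python3
"""Pre-flight check for terraform.tfvars.json before launching the Xshield lab tool.

Added example for this page; not part of Xshield or the lab tool. Required keys come
from the template in the steps above. Username/password rules are Azure's rules for
Windows VM admin credentials (reserved names are a subset). The permission check is
there because the file stores admin_password in clear text. DEFAULT_PATH and the
sample values are assumptions.
"""
import json
import os
import re
import sys

DEFAULT_PATH = "/etc/colortokens/lab/crowdstrike/azurevms/terraform.tfvars.json"
REQUIRED_KEYS = (
    "subscription_id", "resource_group_name", "location", "vnet_name",
    "subnet_name", "security_group_name", "vm_size", "admin_username",
    "admin_password", "os_disk_size_gb", "owner_email",
)
PLACEHOLDER = re.compile(r"^<.*>$")  # "<Enter ...>" text left over from the template
GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
RESERVED_USERNAMES = {"administrator", "admin", "user", "user1", "test",
                      "guest", "root", "support", "sys", "adm", "a"}


def password_problems(pw: str) -> list:
    """Azure Windows VM admin password: 12-123 chars, at least 3 of 4 character classes."""
    problems = []
    if not 12 <= len(pw) <= 123:
        problems.append("admin_password must be 12-123 characters")
    classes = sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])
    if classes < 3:
        problems.append("admin_password needs 3 of: lowercase, uppercase, digit, special")
    return problems


def check_tfvars(cfg: dict) -> list:
    """Return a list of problems; an empty list means the values are ready for terraform."""
    problems, bad = [], set()
    for key in REQUIRED_KEYS:
        if key not in cfg:
            problems.append(f"missing key: {key}")
            bad.add(key)
        elif isinstance(cfg[key], str) and (not cfg[key].strip() or PLACEHOLDER.match(cfg[key].strip())):
            problems.append(f"template placeholder or empty value: {key}")
            bad.add(key)
    # Field-level rules only apply to keys that are present and filled in.
    if "subscription_id" not in bad and not GUID.match(str(cfg["subscription_id"])):
        problems.append("subscription_id is not a GUID (take it from `az account show`)")
    if "admin_username" not in bad:
        user = str(cfg["admin_username"])
        if user.lower() in RESERVED_USERNAMES or len(user) > 20 or user.endswith("."):
            problems.append("admin_username is reserved by Azure, longer than 20 characters, or ends with '.'")
    if "admin_password" not in bad:
        problems.extend(password_problems(str(cfg["admin_password"])))
    if "os_disk_size_gb" not in bad:
        size = cfg["os_disk_size_gb"]
        if not (isinstance(size, int) and size > 0):
            problems.append("os_disk_size_gb must be a positive integer")
    if "owner_email" not in bad and "@" not in str(cfg["owner_email"]):
        problems.append("owner_email does not look like an e-mail address")
    return problems


def mode_is_private(mode: int) -> bool:
    """True when group and other have no permission bits (mode is st_mode from os.stat)."""
    return (mode & 0o077) == 0


def check_file(path: str) -> list:
    """Load the tfvars file and return every problem, including loose file permissions."""
    problems = []
    if not mode_is_private(os.stat(path).st_mode):
        problems.append(f"{path} is readable by group/other; fix with: sudo chmod 600 {path}")
    with open(path, encoding="utf-8") as fh:
        problems.extend(check_tfvars(json.load(fh)))
    return problems


# Constructed samples: the page's template as-is, and a filled-in copy with made-up values.
TEMPLATE = {
    "subscription_id": "<Enter your subscription_id>",
    "resource_group_name": "<New or existing resource_group_name>",
    "location": "<location of the resource_group>",
    "vnet_name": "<Enter vnet_name>",
    "subnet_name": "<Enter subnet_name>",
    "security_group_name": "<Enter security_group_name>",
    "vm_size": "Standard_B2s",
    "admin_username": "<Enter admin_username for the VMs>",
    "admin_password": "<Enter admin_password for the VMs>",
    "os_disk_size_gb": 128,
    "owner_email": "<Enter owner_email>",
}
FILLED = dict(
    TEMPLATE,
    subscription_id="12345678-1234-1234-1234-123456789abc",
    resource_group_name="xshield-cs-lab", location="eastus",
    vnet_name="cs-lab-vnet", subnet_name="cs-lab-subnet",
    security_group_name="cs-lab-nsg", admin_username="labadmin",
    admin_password="Xshield-Lab-2024!", owner_email="owner@example.com",
)

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_PATH
    found = check_file(target)
    for problem in found:
        print("PROBLEM:", problem)
    print("terraform.tfvars.json looks ready" if not found else f"{len(found)} problem(s) found")
    sys.exit(1 if found else 0)
```

Run it with sudo on the lab VM (sudo python3 check_tfvars.py), since the file lives under /etc and should be mode 600; a non-zero exit means fix the listed problems before selecting option 5 in the lab tool. The GUID message points at az account show, the Azure CLI command that prints the active subscription's id and tenantId.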

Final Outcome

Once the steps complete successfully, the Xshield lab tool performs the following actions:

  • Brings up Windows Server VMs in Azure with the ports listed in crowdstrike_lab_traffic.yaml opened
  • Installs the CrowdStrike agent on each VM using the credentials you provided
  • Opens the ports and starts traffic between the VMs as defined in crowdstrike_lab_traffic.yaml
  • Creates a host group in CrowdStrike called CrowdStrikeDemoLab
  • Adds the Windows VMs to the CrowdStrikeDemoLab host group

The VMs are deployed in your Azure tenant and the tool prints their IP addresses. The VMs are registered in CrowdStrike and appear in the CrowdStrikeDemoLab host group in the CrowdStrike platform.

Remove the lab environment

To remove the lab environment, follow the below steps:

  1. In the lab VM, run the Xshield lab tool
python3 xshield_lab.py
  2. Select 8. Remove Lab Environment to remove the following:
  • Virtual machines from your Azure tenant
  • The CrowdStrike hosts from the CrowdStrike host group (unregistered)
  • The host group from the CrowdStrike platform
  • The CrowdStrike Integration in the Xshield tenant (deactivated)

The resource group and network security group are not removed; delete them manually from the Azure portal. If the CrowdStrike API client and FDR credentials were created only for this lab, revoke them in the CrowdStrike UI as well.