Srinivas Ramanu
ServiceNow Employee

CrowdStrike Falcon End Point Protection is a popular enterprise-grade security platform offered by CrowdStrike. It gives organizations a centralized management system through which security administrators can monitor, protect, and investigate vulnerabilities across all endpoints, including computers, mobile devices, servers and connected devices.

The solution unifies the technologies required to successfully stop breaches, including true next-gen antivirus and endpoint detection and response (EDR), managed threat hunting, and threat intelligence automation, delivered via a single lightweight agent.

CrowdStrike Falcon Architecture


ServiceNow already offers an integration with CrowdStrike Falcon for security-related use cases through the Sec Ops product. You can read about it here.

In addition, ServiceNow SAM offers an integration with CrowdStrike through the SaaS License Management Integration. More on this here.

The outcomes of this feature are as follows:

  1. Determine the license compliance for CrowdStrike Falcon End Point Protection products, viz. Falcon Pro, Falcon Enterprise, etc.
  2. Showcase the weekly and average number of active sensors deployed, which provides more context to SAM Managers.
  3. Provide Remediation Actions for customers to become compliant.

Licensing Model used by CrowdStrike

License usage is based on an average of peak usage of active sensors. Specifically, CrowdStrike takes the count of all unique Host IDs in a 7-day period, does that for the prior 4 weeks, and takes the average.

Active sensors are those that are registered with the CrowdStrike cloud: each device where the agent registers with the CrowdStrike cloud is marked active.

Example as below:
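A worked version of this calculation, added here as an illustration (it is not CrowdStrike's or ServiceNow's code). The check-in record layout, the sample data, the function names, the Host ID normalization and the rounding up of the average are all assumptions.

```python
import math
from datetime import date, timedelta

def weekly_unique_hosts(checkins, end_day, weeks=4):
    """Count unique Host IDs in each 7-day window of the range ending on end_day.

    checkins: iterable of (host_id, day) pairs, one per sensor check-in.
    Returns one count per window, oldest window first.
    """
    start = end_day - timedelta(days=7 * weeks - 1)
    buckets = [set() for _ in range(weeks)]
    for host_id, day in checkins:
        if start <= day <= end_day:            # ignore records outside the range
            window = (day - start).days // 7
            # Assumption: IDs are normalized so case/whitespace variants of the
            # same host are not counted twice.
            buckets[window].add(host_id.strip().lower())
    return [len(b) for b in buckets]

def license_position(checkins, end_day, purchased_rights, weeks=4):
    """Average the weekly unique-host counts and compare with purchased rights."""
    counts = weekly_unique_hosts(checkins, end_day, weeks)
    average = sum(counts) / len(counts)
    required = math.ceil(average)              # assumption: fractions round up
    return {
        "weekly": counts,
        "average": average,
        "required": required,
        "purchased": purchased_rights,
        "shortfall": max(0, required - purchased_rights),
    }

# Constructed sample: hosts seen in each of four weeks, starting 2024-01-01.
END = date(2024, 1, 28)
WEEK_HOSTS = ["abc", "abcd", "abcde", "abcde"]
SAMPLE = [("aid-" + h, date(2024, 1, 1) + timedelta(days=7 * w + d))
          for w, hosts in enumerate(WEEK_HOSTS)
          for d, h in enumerate(hosts)]
SAMPLE += [("AID-A ", date(2024, 1, 2)),       # repeat check-in, same host
           ("aid-z", date(2023, 12, 31))]      # before the 4-week range

if __name__ == "__main__":
    print(license_position(SAMPLE, END, purchased_rights=4))
```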


Solution Architecture of CrowdStrike and ServiceNow SAM Integration


On ServiceNow SAM

Using the SaaS License Integration, a SAM Manager can determine the license compliance of CrowdStrike Falcon End Point solutions. In addition, they can see the average sensor count and the list of active sensors to get more context on how licenses were calculated.

Lastly, based on purchased rights and licenses required, Remediation Actions are generated automatically for SAM Managers to act on.

SAM Workspace showcasing CrowdStrike License Compliance


List of Active Sensors shown on ServiceNow SAM
