Create a capability profile for the CrowdStrike Falcon Insight integration

  • Release version: Xanadu
  • Updated August 1, 2024

Create a profile and select the CrowdStrike Falcon Insight capabilities that you want the profile to run.

    Before you begin

    Role required: sn_si.admin

    About this task

    Consider why you want to create a profile before you add CrowdStrike Falcon Insight capabilities to it. The following table lists the capabilities that you must add to a profile when you want the profile to perform certain queries or actions.

    You can create a single profile that runs queries for system details, lists logged-in users, fetches running services, fetches running processes, fetches network statistics, isolates the host, and removes the isolated host. Alternatively, you can create multiple profiles, each with its own single capability.
    Note:
    Isolate host, remove isolation, and get file capabilities can’t be merged with any other capabilities while creating a profile.
    Table 1. Profile types and required CrowdStrike Falcon Insight capabilities

    | Profile purpose | CrowdStrike capabilities |
    |---|---|
    | Gather host details and logged-in users | Get Host Details, Get Logged On Users |
    | Fetch the network statistics, processes, and services running for a host | Get Network Statistics, Get Running Processes, Get Running Services |
    | Isolate a host | Isolate Host |
    | Remove isolation for a host | Remove Isolation |
    | Obtain a file from a host endpoint | Get File |

    Procedure

    1. Navigate to All > CrowdStrike Falcon Insight Integration > CrowdStrike Capability Profiles.
    2. Click New.
    3. On the form, fill in the fields.
      | Field | Description |
      |---|---|
      | Name | Name for the new capability profile. This name helps you to identify the profile type and is also the default name for the security tag that is associated with this profile. |
      | Active | Indicates if the profile is active or not. When the profile is active, it automatically triggers when a security incident is created that matches the filtering conditions that you’ve specified in the configuration. |
      | Description | Unique description for the capability profile. |
      | Source | Name of the server. You can only view previously configured servers from the list. |
      | Order | Flow priority. The value for this field indicates the order that flows are executed when two or more profiles share triggering conditions. The flow with the lowest number has the highest priority. To set the order of operation, enter a value. For example, 100, 200, 300, 400. Default: 100 |
      | CrowdStrike Falcon Insight Capabilities | Capabilities of the CrowdStrike Falcon Insight profile. Move the capabilities that you want for this profile from the Available column to the Selected column. |

      The following example shows a complete form for a profile with the Get System Details capability.

      Falcon Insight Profile Details.
    4. Click Next.

    What to do next

    Now you can configure your profile. Ensure that you have reviewed the concepts for configuring profiles and trigger conditions before you configure the profile.