Configure profiles and security incidents for the CrowdStrike Falcon Insight integration

  • Release version: Xanadu
  • Updated August 1, 2024
  • 1 minute to read

    Configure your profile settings so that the profile triggers only under the conditions that you set.

    Before you begin

    Role required: sn_si.admin

    About this task

    Define the conditions that automatically trigger the CrowdStrike Falcon Insight capabilities that you selected for the profile. You can also select an alternate input field for the Configuration Item (CI) field. In this alternate field, you can set filtering conditions so that only those security incidents that are related to your triggering event automatically trigger the profile.
    Note:
    Navigate to the Profile Configuration page only after you enter the profile details. For more information, see Create a capability profile for the CrowdStrike Falcon Insight integration.

    Procedure

    1. In the Profile Configuration page, review and configure the following sections:

      Define Incident Criteria (Automation)

      Define the security incident conditions that automatically trigger the CrowdStrike Falcon Insight capabilities for the profile. If you don't select the Define Incident Criteria option, the capabilities are invoked manually from the security incident.

      1. Select the Define Incident Criteria option.
      2. To define the conditions, in the Filter Conditions section, select a field and its corresponding requirement.
      3. In the New Criteria field, enter the new criterion and then choose whether it is combined with the existing conditions by OR or by AND.

      Approvals

      To provide an extra level of control when you’re using the CrowdStrike Falcon Insight capabilities, select the Require Approval option. The approvals option in the profile configuration appears only for the Isolate Host and Remove Host Isolation capabilities.

      Note:
      The approval authority is assigned to the user with the sn_si.admin role. You can also reassign this approval authority to an approval group. For more information, see Set up an approval group.

      Additional Configuration

      Select an alternate field on the security incident to display any matching CI data that you find while scanning your assets. By default, the integration uses the Configuration Item (CI) field on the security incident.

      1. Select the Define Alternative Field option.
      2. In the Alternate CI Trigger Field, select an input field.

      Tags

      To tag security incidents with the CrowdStrike Falcon Insight Capabilities-Initiated, Capabilities-Completed, and Capabilities-Failed tags, select the Display Tags option. By default, this option is disabled for all profiles.
      Note:
      These tags are provided with the base system. You can create your own tags if required.

    2. Click Done.
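    As an added illustration (not ServiceNow or CrowdStrike code), the following Python models the decision that the profile settings above express: whether the selected capability runs automatically, waits for approval, or stays manual; which field supplies the Configuration Item; and whether the Capabilities-Initiated tag is applied. The field names, the `cmdb_ci` default and the sample incident are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Capabilities for which, per the page, the Require Approval option is offered.
APPROVAL_CAPABILITIES = {"Isolate Host", "Remove Host Isolation"}


@dataclass
class Profile:
    capability: str
    define_incident_criteria: bool = False
    # Each inner list is an AND group; the groups are ORed (the New Criteria choice).
    criteria: List[List[Tuple[str, str]]] = field(default_factory=list)
    require_approval: bool = False
    alternate_ci_field: str = ""  # empty means use the default CI field
    display_tags: bool = False


def criteria_match(criteria: List[List[Tuple[str, str]]], incident: Dict[str, str]) -> bool:
    """True when at least one OR group has every one of its AND conditions satisfied."""
    return any(all(incident.get(f) == v for f, v in group) for group in criteria)


def evaluate(profile: Profile, incident: Dict[str, str]) -> Dict[str, object]:
    """Decide how the profile's capability is invoked for one security incident."""
    ci_field = profile.alternate_ci_field or "cmdb_ci"  # default CI field name assumed
    if not profile.define_incident_criteria:
        mode = "manual"  # capability must be invoked from the incident by hand
    elif not criteria_match(profile.criteria, incident):
        mode = "not_triggered"
    elif profile.require_approval and profile.capability in APPROVAL_CAPABILITIES:
        mode = "pending_approval"  # sn_si.admin or the approval group must approve
    else:
        mode = "automatic"
    initiated = mode in ("automatic", "pending_approval")
    tags = ["Capabilities-Initiated"] if profile.display_tags and initiated else []
    return {"mode": mode, "ci": incident.get(ci_field), "tags": tags}


# Constructed sample profile and incident, not real data.
SAMPLE_PROFILE = Profile(
    capability="Isolate Host", define_incident_criteria=True, require_approval=True,
    criteria=[[("category", "Malware"), ("severity", "1")], [("source", "CrowdStrike")]],
    alternate_ci_field="affected_host", display_tags=True,
)
SAMPLE_INCIDENT = {"category": "Malware", "severity": "1", "affected_host": "ws-0042"}
```

Changing `require_approval` to False on the sample profile turns the pending-approval outcome into an automatic isolation, which is the difference the Approvals section asks you to weigh.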