Summary
In order for the Check Point MDR team to monitor your logs from your CrowdStrike Falcon environment, we will require an API Client and Secret with the proper permissions defined.
If you need any assistance with this procedure, please open a ticket in the MDR Customer portal under "MDR Support" or, if you are currently onboarding, reply to your welcome email, and we will schedule a time to assist.
Note: The following three items must be filled in on the MDR customer portal profile page when adding the integration. Ensure the procedure outlined below is completed before adding it:
• Client URL - (it should be)
• Client ID
• Client Secret
Procedure
Creating the Client ID and Client Secret
1. Sign in to the CrowdStrike Portal with administrator permissions
2. Navigate to Support -> API Client and Keys
3. Select Add new API client
4. Enter the Client Name, e.g. Check Point MDR
5. Enable the following permissions:
• Alerts - Read/Write
• Detections - Read/Write
• Hosts - Read/Write
• Actors - Read
• Indicators - Read
• Reports - Read
• Sandbox - Read
• Incidents - Read/Write
• IOCs - Read/Write
• On-Demand Scans - Read/Write
• Quick Scan - Read/Write
6. Click Add. Take note of the Client ID and Client Secret (the secret is only shown once).
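A sanity check for the client created above, added here as an example and not part of the Check Point or CrowdStrike documentation: it compares the permissions enabled in step 5 against the required list (and flags anything granted beyond it), then requests an OAuth2 bearer token with the Client ID and Secret. The base URL and the /oauth2/token client-credentials endpoint are assumptions about the Falcon API, not values from this article; use the URL for your own Falcon cloud.

```python
import json
import urllib.parse
import urllib.request

# Assumed base URL (constructed placeholder); replace with your Falcon cloud's API host.
FALCON_BASE_URL = "https://api.crowdstrike.com"
TOKEN_PATH = "/oauth2/token"  # assumed OAuth2 client-credentials endpoint

# The permissions the procedure asks for: scope -> access levels.
REQUIRED_SCOPES = {
    "Alerts": {"read", "write"}, "Detections": {"read", "write"},
    "Hosts": {"read", "write"}, "Actors": {"read"}, "Indicators": {"read"},
    "Reports": {"read"}, "Sandbox": {"read"}, "Incidents": {"read", "write"},
    "IOCs": {"read", "write"}, "On-Demand Scans": {"read", "write"},
    "Quick Scan": {"read", "write"},
}

def scope_gaps(granted):
    """Required scopes/levels the client is missing, e.g. Hosts granted Read only."""
    gaps = {}
    for scope, levels in REQUIRED_SCOPES.items():
        missing = levels - granted.get(scope, set())
        if missing:
            gaps[scope] = missing
    return gaps

def excess_scopes(granted):
    """Scopes/levels granted beyond what MDR needs (least-privilege check)."""
    return {s: lv - REQUIRED_SCOPES.get(s, set())
            for s, lv in granted.items() if lv - REQUIRED_SCOPES.get(s, set())}

def build_token_request(client_id, client_secret, base_url=FALCON_BASE_URL):
    """Form-encoded POST for the token: the secret goes in the body, never the query string."""
    body = urllib.parse.urlencode(
        {"client_id": client_id, "client_secret": client_secret}).encode()
    return urllib.request.Request(
        base_url + TOKEN_PATH, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"})

def parse_token_response(raw):
    """Return (access_token, expires_in) from the JSON reply, or raise if malformed."""
    doc = json.loads(raw)
    if doc.get("token_type", "").lower() != "bearer" or not doc.get("access_token"):
        raise ValueError("unexpected token response keys: %s" % sorted(doc))
    return doc["access_token"], int(doc.get("expires_in", 0))

def verify_client(client_id, client_secret, base_url=FALCON_BASE_URL):
    """Live check: obtain a token and return its lifetime in seconds (raises on failure)."""
    req = build_token_request(client_id, client_secret, base_url)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return parse_token_response(resp.read())[1]
```

Run `scope_gaps` on the permission set you ticked in the console before clicking Add, and `verify_client` once, immediately after, so a mistyped secret is caught before it is pasted into the MDR profile.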
Remediation
Proceed to the Infinity Portal and head to the MDR Profile tab. Under Remediation Excluded Hosts, you will need to enter an IP Address. If you do not have a host to exclude, please use a default address, such as 1.1.1.1 (There will need to be at least one entry before the system allows you to configure Remediation.)
- In the integration you will see an option at the bottom called "Remediation". Click on the blue Configure button to begin the setup process.
- Next, select your desired Isolation/Remediation option: Do not perform remediations, Requires approval, or Always approve. Hit Save at the bottom to complete this process.
Note: Please contact MDR Support by creating a ticket in your MDR Portal if you would like to schedule a test to verify your Remediation (Host Isolation).