
CrowdStrike Falcon Integration

Integrate Noxys with CrowdStrike Falcon to correlate AI interaction events with endpoint detection and response data.

Overview

This integration enables:

  • AI platform visibility within CrowdStrike Falcon
  • Event correlation between AI and endpoint activities
  • Custom detection rules for AI-related threats
  • Automated response playbooks for policy violations
  • Risk scoring combining AI and endpoint data

Data Flow:

AI Interaction → Noxys API → CrowdStrike API → Falcon Console → Incidents & Detection

Prerequisites

  • CrowdStrike Falcon with API access
  • CrowdStrike admin credentials
  • Noxys admin role
  • OAuth 2.0 API client credentials (client ID and client secret, created in Step 1)

Step 1: Create CrowdStrike API Credentials

Register Noxys in CrowdStrike to enable API access.

  1. CrowdStrike Falcon Console → Integrations → API Clients & Keys
  2. Click Create New API Client
  3. Configure:
    • Client name: Noxys AI Firewall
    • Description: "Integration for AI interaction data"
  4. Assign API Scopes (grant only these four; the client needs nothing broader):
    • incidents_write — Create and update incidents
    • ioc_write — Create IOCs (Indicators of Compromise)
    • detection_write — Create custom detections
    • host_read — Read host information
  5. Click Create
  6. Copy Client ID and Client Secret (the secret is shown once). Store the secret in a secrets manager or the Noxys admin panel only; do not paste it into tickets, chat, or configuration files under version control.

Step 2: Enable in Noxys

Configure CrowdStrike API integration in Noxys.

  1. Noxys Admin Panel → Integrations → CrowdStrike Falcon
  2. Click Enable Integration
  3. Configure:
| Field | Value |
|---|---|
| Client ID | From step 1 |
| Client Secret | From step 1 |
| Region | US1, US2, EU1, etc. (match your Falcon region; a mismatched region fails authentication even with valid credentials) |

  4. Click Test Connection
    • Should show: "✓ Successfully connected to CrowdStrike Falcon"
  5. Click Save

Step 3: Configure Event Forwarding

Select events to forward to CrowdStrike.

  1. Settings → Event Forwarding
  2. Enable:
    • interaction.policy_violated — Policy violations
    • interaction.high_risk — High-risk interactions
    • alert.severity_critical — Critical alerts
  3. Click Save

Step 4: Create IOC Indicators

Define Indicators of Compromise for AI threats.

  1. CrowdStrike Falcon → Intelligence → Indicators
  2. Create an indicator for each unapproved platform. A Domain-type indicator only matches if its value is the hostname the endpoint actually resolves, so use the platform's public domain (as with claude.ai below) rather than the short Noxys platform_id:
Value: perplexity
Type: Domain
Source: Noxys
Severity: High
Action: Block
Description: Unvetted AI platform with sensitive data exposure
  3. Repeat for risky platforms:
    • deepseek
    • grok
    • claude.ai (if unapproved)

Step 5: Create Custom Detection Rules

Build detection rules based on Noxys events. The conditions below are written as pseudo-rules over the fields of the forwarded Noxys event; translate them into the syntax of the Falcon rule editor you use, and validate each against a known-good sample event before enabling it.

Rule 1: Blocked PII on Unauthorized Platform

  1. CrowdStrike Falcon → Host Assurance → Custom Detections
  2. Click Create Detection Rule
  3. Configure:

Trigger:

event_type == "interaction.policy_violated"
AND platform_id IN ["perplexity", "deepseek", "grok"]
AND classification_count > 0
AND action == "block"

Severity: High

Name: "Blocked sensitive data on unauthorized AI platform"

Response:

  • Create incident
  • Send alert to SOC
  4. Enable the rule

Rule 2: High Volume of Violations from User

event_type == "interaction.policy_violated"
| stats count by user_id
| where count > 10 in last 1 hour
→ Severity: Medium
→ Create incident for user

Rule 3: Credit Card / Financial Data Exposure

event_type == "interaction.high_risk"
AND classification_type IN ["CREDIT_CARD", "IBAN", "SSN"]
AND risk_score > 0.8
→ Severity: Critical
→ Auto-isolate host via Falcon network containment (if configured; a false positive here takes a user offline, so gate it on high confidence)
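Before committing the three rules above to Falcon it pays to run the same logic over a handful of events and confirm exactly which ones fire. The following is an added example written for this page, not Noxys or CrowdStrike code: the rule predicates mirror the pseudo-rules above, but the event field names (event_type, platform_id, classification_types, action, risk_score, user_id, timestamp) and the sample event stream are constructed assumptions, not Noxys's real schema. It goes slightly beyond Rule 2 as written by using a sliding one-hour window per user instead of a fixed clock-hour bucket.

```python
"""Evaluate the page's three Noxys-derived detection rules over sample events.

Added example, not Noxys or CrowdStrike code. The predicates follow the
pseudo-rules above; event field names and the sample stream are constructed
assumptions rather than Noxys's actual event schema.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

UNAUTHORIZED_PLATFORMS = {"perplexity", "deepseek", "grok"}
FINANCIAL_CLASSIFICATIONS = {"CREDIT_CARD", "IBAN", "SSN"}
VIOLATION_WINDOW = timedelta(hours=1)
VIOLATION_THRESHOLD = 10


def rule_blocked_pii_unauthorized(event: dict) -> bool:
    """Rule 1: a blocked policy violation on an unauthorized platform that
    carried at least one classified data type (classification_count > 0)."""
    return (
        event["event_type"] == "interaction.policy_violated"
        and event["platform_id"] in UNAUTHORIZED_PLATFORMS
        and len(event.get("classification_types", [])) > 0
        and event.get("action") == "block"
    )


def rule_financial_exposure(event: dict) -> bool:
    """Rule 3: high-risk interaction containing financial identifiers with
    risk_score strictly above 0.8."""
    return (
        event["event_type"] == "interaction.high_risk"
        and bool(FINANCIAL_CLASSIFICATIONS & set(event.get("classification_types", [])))
        and event.get("risk_score", 0.0) > 0.8
    )


class ViolationRateRule:
    """Rule 2: more than `threshold` policy violations by one user inside a
    sliding window. Per-user timestamps are kept and anything older than the
    window is evicted, so a burst straddling a clock-hour boundary still fires."""

    def __init__(self, threshold: int = VIOLATION_THRESHOLD, window: timedelta = VIOLATION_WINDOW):
        self.threshold, self.window = threshold, window
        self._hits: Dict[str, deque] = defaultdict(deque)

    def observe(self, event: dict) -> bool:
        if event["event_type"] != "interaction.policy_violated":
            return False
        ts = datetime.fromisoformat(event["timestamp"])
        hits = self._hits[event["user_id"]]
        hits.append(ts)
        while hits and ts - hits[0] > self.window:
            hits.popleft()
        return len(hits) > self.threshold


def evaluate(events: List[dict]) -> List[Tuple[str, str, str]]:
    """Run all rules over the stream in timestamp order and return one
    (rule, severity, user_id) tuple per firing."""
    rate_rule = ViolationRateRule()
    findings = []
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        if rule_blocked_pii_unauthorized(ev):
            findings.append(("blocked_pii_unauthorized_platform", "High", ev["user_id"]))
        if rate_rule.observe(ev):
            findings.append(("high_violation_volume", "Medium", ev["user_id"]))
        if rule_financial_exposure(ev):
            findings.append(("financial_data_exposure", "Critical", ev["user_id"]))
    return findings


def sample_events() -> List[dict]:
    """Constructed sample stream (not real Noxys output)."""
    base = datetime(2024, 5, 1, 9, 0, 0)
    events = [
        {"event_type": "interaction.policy_violated", "platform_id": "perplexity",
         "classification_types": ["EMAIL"], "action": "block", "risk_score": 0.6,
         "user_id": "alice", "timestamp": base.isoformat()},
        # Same kind of platform but only warned, not blocked: Rule 1 must stay quiet.
        {"event_type": "interaction.policy_violated", "platform_id": "deepseek",
         "classification_types": ["EMAIL"], "action": "warn", "risk_score": 0.6,
         "user_id": "alice", "timestamp": (base + timedelta(minutes=1)).isoformat()},
        {"event_type": "interaction.high_risk", "platform_id": "chatgpt",
         "classification_types": ["CREDIT_CARD"], "action": "block", "risk_score": 0.93,
         "user_id": "bob", "timestamp": (base + timedelta(minutes=2)).isoformat()},
    ]
    # Eleven violations from carol within 50 minutes: Rule 2 fires on the eleventh.
    for i in range(11):
        events.append({"event_type": "interaction.policy_violated", "platform_id": "chatgpt",
                       "classification_types": [], "action": "warn", "risk_score": 0.3,
                       "user_id": "carol", "timestamp": (base + timedelta(minutes=5 * i)).isoformat()})
    return events


if __name__ == "__main__":
    for rule, severity, user in evaluate(sample_events()):
        print(f"{severity:8} {rule:34} user={user}")
```

The second alice event is the kind of negative case worth keeping in the test set: it matches every clause of Rule 1 except action == "block", and a rule that fires on it would flood the SOC with warnings the user already saw.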

Step 6: Create Incidents

Noxys automatically creates incidents in CrowdStrike.

  1. CrowdStrike Falcon → Incidents
  2. Filter by Source: Noxys
  3. See incidents like:
    • "Policy violation: Block PII on ChatGPT"
    • "High-risk interaction: Restricted data detected"

Each incident contains:

  • Detection time: When policy was triggered
  • Severity: Based on risk score and action
  • User: Who triggered the interaction
  • Platform: Which AI service
  • Classification: PII types detected
  • Host: Device running the interaction

Step 7: Create Response Actions

Set up automated response playbooks.

  1. CrowdStrike Falcon → Response actions
  2. Create playbook for high-risk violations:

Trigger: Incident severity = Critical

Actions:

  1. Isolate host (optional; a false positive takes the user offline, so reserve automatic isolation for high-confidence rules and leave the rest as an analyst decision)
  2. Create ticket in IT ticketing system
  3. Send alert to security team
  4. Block process on endpoint (if unsafe to continue)

  3. Enable the playbook

Step 8: Monitor Incidents

Track Noxys-related incidents in Falcon.

  1. Incidents dashboard
  2. Create saved search:
    • Source: Noxys
    • Severity: High, Critical
  3. Monitor daily for trends
  4. Review incidents for:
    • Repeated offenders
    • Vulnerable platforms
    • Data exposure patterns

Advanced: Behavioral Analytics

Enable CrowdStrike Falcon's behavioral analytics for AI threat detection.

  1. Falcon → Settings → Detection & prevention
  2. Enable:
    • ✓ Machine learning detection
    • ✓ Behavioral analytics
  3. Let Falcon correlate:
    • AI interaction patterns
    • Endpoint process execution
    • Network activity
  4. Falcon then raises alerts on the combined telemetry, with the forwarded Noxys context attached

Troubleshooting

Events Not Creating Incidents

  1. Verify integration is Enabled
    • Settings → Integrations → CrowdStrike
  2. Check event forwarding is configured
    • Settings → Event Forwarding
  3. Verify API credentials are correct
    • Test Connection button should work
  4. Check CrowdStrike scopes allow incident creation
    • Verify incidents_write scope is granted
  5. Review CrowdStrike API logs:
    • Falcon → Integrations → API activity

Incidents Not Detected

  1. Verify custom detection rules are Enabled
  2. Test rule with manual test incident
  3. Check rule logic:
    • Run query in Falcon to verify syntax
    • Test with sample event
  4. Verify rule severity threshold is appropriate

High Latency

  1. Check API rate limits:
    • CrowdStrike throttles clients that exceed the API rate limit and answers with HTTP 429
    • Confirm Noxys backs off exponentially on 429 responses instead of retrying immediately, which only prolongs the throttling
  2. Optimize event volume:
    • Only forward critical events
    • Filter out noisy events
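The retry behaviour the previous item asks for looks like this in practice. The following is an added example written for this page, not Noxys or CrowdStrike code: the 429 status and the X-RateLimit-RetryAfter header (a Unix timestamp telling the client when it may resume) are CrowdStrike API behaviour; the transport callable, the jitter, the attempt limit and the Response/RateLimited names are assumptions for illustration. The transport, clock, sleep and random source are injected so the logic can be exercised without network access.

```python
"""Retry a Falcon API call with exponential backoff, honouring 429 throttling.

Added example, not Noxys or CrowdStrike code. The 429 status and the
X-RateLimit-RetryAfter epoch header are CrowdStrike API behaviour; everything
else here (Response, RateLimited, the attempt limit, the jitter) is an
assumption for illustration.
"""
import random
import time
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Response:
    """Minimal stand-in for an HTTP response from whatever transport is used."""
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""


class RateLimited(Exception):
    """Raised when the call still fails after the last permitted attempt."""


def retry_after_seconds(resp: Response, now: float) -> Optional[float]:
    """Falcon sends X-RateLimit-RetryAfter as an epoch timestamp; turn it into a delay."""
    raw = resp.headers.get("X-RateLimit-RetryAfter")
    if raw is None:
        return None
    try:
        return max(0.0, float(raw) - now)
    except ValueError:
        return None


def call_with_backoff(
    send: Callable[[], Response],
    *,
    max_attempts: int = 5,
    base_delay: float = 1.0,
    max_delay: float = 60.0,
    sleep: Callable[[float], None] = time.sleep,
    now: Callable[[], float] = time.time,
    rng: Callable[[], float] = random.random,
) -> Response:
    """Invoke send() until it returns a non-retryable response.

    Only 429 (throttled) and 5xx (transient) are retried. A 401/403 is a
    configuration error: retrying it just spends the rate budget and hides the
    real problem, so it is returned to the caller immediately.
    """
    for attempt in range(max_attempts):
        resp = send()
        retryable = resp.status == 429 or 500 <= resp.status < 600
        if not retryable:
            return resp
        if attempt == max_attempts - 1:
            raise RateLimited(
                f"gave up after {max_attempts} attempts, last status {resp.status}"
            )
        # Prefer the server's own resume time; otherwise exponential backoff
        # with full jitter so many forwarders do not retry in lock-step.
        wait = retry_after_seconds(resp, now())
        if wait is None:
            wait = rng() * min(max_delay, base_delay * (2 ** attempt))
        sleep(wait)
    raise RateLimited("unreachable")  # loop always returns or raises


if __name__ == "__main__":
    # Constructed transport: throttled twice, then accepted.
    outcomes = iter([Response(429, {"X-RateLimit-RetryAfter": str(time.time() + 1)}),
                     Response(503), Response(201, body=b'{"resources":["inc-1"]}')])
    result = call_with_backoff(lambda: next(outcomes), sleep=lambda s: print(f"sleeping {s:.2f}s"))
    print("final status", result.status)
```

Two details matter operationally: the retry cap turns a persistent outage into a visible error instead of a silent queue of stuck events, and forwarding fewer event types (the next item) reduces how often this path is exercised at all.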

Integration with Response Playbooks

CrowdStrike Response playbooks can use Noxys data.

Example Playbook: Credential Exposure Response

Trigger: Noxys event with classification=EMAIL or SSN

Playbook Steps:

  1. Check if user has MFA enabled
  2. Force password reset
  3. Clear sessions
  4. Send notification to user
  5. Create ticket for security team
  6. Monitor user for 24 hours

To build it:

  1. CrowdStrike Falcon → Response → Playbooks
  2. Create playbook using Noxys event data
  3. Automate response workflow

Compliance & Audit

Monitor integration health:

  1. CrowdStrike Falcon → Integrations → Activity
  2. Review:
    • API call success rate
    • Errors encountered
    • Data volume
  3. Export logs for compliance audit

Cost Considerations

  • CrowdStrike Falcon: License required (typically $50-200/device/year)
  • Noxys CrowdStrike integration: Included, no additional cost
  • API calls: Included in Falcon subscription (fair use limits apply)

Best Practices

  1. Forward only critical events:

    • Focus on policy_violated and high_risk
    • Skip routine interaction.created events
  2. Create targeted detection rules:

    • One rule per threat type
    • Test with historical data first
    • Monitor for false positives
  3. Use incident categorization:

    • Tag incidents by platform (ChatGPT, Claude, etc.)
    • Tag by data type (PII, financial, etc.)
    • Simplifies filtering and reporting
  4. Set up alerting:

    • Alert on critical incidents immediately
    • Daily summary of high-severity incidents
    • Weekly trends report
  5. Monitor playbook effectiveness:

    • Track manual vs. automated responses
    • Measure MTTR (Mean Time To Respond)
    • Optimize playbooks based on metrics

Disabling Integration

If you need to disable CrowdStrike integration:

  1. Integrations → CrowdStrike Falcon → Disable
  2. No more incidents are created
  3. Existing incidents remain in CrowdStrike
  4. Data is not deleted

To re-enable:

  1. Follow configuration steps again
  2. Verify API credentials are still valid
  3. Events resume flowing to CrowdStrike

Support & Resources