Falcon Insight
The Falcon Insight adapter retrieves detection events that CrowdStrike has captured and assigned a severity: informational, low, medium, high, or critical. The risk mapping tells the Risk Engine how to convert these severities into one of AppGate’s three risk levels.
The following is an example mapping:
Low: No detection, informational, and low
Medium: Medium
High: High and critical


NOTE
This adapter requires valid CrowdStrike API client credentials, configured and managed from your CrowdStrike administration console. The API client must have read-only permission to the Alerts and Host API scopes.
CrowdStrike ZTA
The CrowdStrike ZTA service provides trust levels for end-user devices. Use the risk mapping to convert these trust levels into AppGate risk levels. For example, a CrowdStrike ZTA trust level of 80–100 represents high trust and maps to a low risk range.


NOTE
This adapter requires valid CrowdStrike API client credentials, configured and managed from your CrowdStrike administration console. The API client must have read-only permission to the Hosts and Zero Trust Assessment API scopes.
CrowdStrike Agent ID
ZTP includes a built-in algorithm to match data received from CrowdStrike to claims in AppGate ZTNA. To increase the probability of a match between these two datasets, use the unique CrowdStrike Agent ID value in a device claim. The Risk Engine can calculate a risk level for an end user only when a match exists between these datasets. For more information, see Retrieving the CrowdStrike Agent ID.
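
The following Python sketch is an added example, not AppGate or CrowdStrike code. It applies the example Falcon Insight mapping above and shows that a device receives a risk level only when its Agent ID claim matches a CrowdStrike host. The field names, the sample records, and the choice to score a host by its most severe detection are assumptions.

```python
# Added illustration; not AppGate's matching algorithm or data model.
# Field names ("agent_id", "severity") and all sample records are constructed.
SEVERITY_ORDER = ["none", "informational", "low", "medium", "high", "critical"]

# The example mapping from the Falcon Insight section ("none" = no detection).
RISK_MAPPING = {
    "Low": {"none", "informational", "low"},
    "Medium": {"medium"},
    "High": {"high", "critical"},
}

def validate_mapping(mapping):
    """Return severity -> risk; reject severities left unmapped or mapped twice."""
    assigned = [sev for sevs in mapping.values() for sev in sevs]
    missing = set(SEVERITY_ORDER) - set(assigned)
    duplicated = {sev for sev in assigned if assigned.count(sev) > 1}
    if missing or duplicated:
        raise ValueError(f"missing={sorted(missing)} duplicated={sorted(duplicated)}")
    return {sev: risk for risk, sevs in mapping.items() for sev in sevs}

def worst_severity_by_agent(detections):
    """Assumption: a host is scored by its most severe detection."""
    worst = {}
    for det in detections:
        aid, sev = det["agent_id"].lower(), det["severity"].lower()
        current = worst.get(aid, "none")
        if SEVERITY_ORDER.index(sev) > SEVERITY_ORDER.index(current):
            worst[aid] = sev
    return worst

def risk_for_device(claims, known_hosts, detections, mapping=RISK_MAPPING):
    """Return a risk level, or None when the claim matches no CrowdStrike host."""
    lookup = validate_mapping(mapping)
    aid = (claims.get("agent_id") or "").strip().lower()
    if aid not in known_hosts:
        return None  # no match between the two datasets, so no risk level
    return lookup[worst_severity_by_agent(detections).get(aid, "none")]

# Constructed sample data: hosts known to CrowdStrike and their detections.
HOSTS = {"aaaa1111", "bbbb2222", "cccc3333"}
DETECTIONS = [
    {"agent_id": "aaaa1111", "severity": "Low"},
    {"agent_id": "aaaa1111", "severity": "Critical"},
    {"agent_id": "bbbb2222", "severity": "Medium"},
]

if __name__ == "__main__":
    for claims in ({"agent_id": "AAAA1111"}, {"agent_id": "cccc3333"}, {}):
        print(claims, "->", risk_for_device(claims, HOSTS, DETECTIONS))
```

A matched host with no detections falls under "No detection" and is scored Low, while a device whose claim is missing or matches no host gets no risk level at all.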