Scribd
Upload
206 views38 pages

CrowdStrike Falcon CMDB User Guide - 3.0.0

The Service Graph Connector for CrowdStrike v3.0.0+ is a guide for deploying, configuring, and using the connector to retrieve Falcon device and asset data from CrowdStrike APIs and map it into ServiceNow CMDB. It outlines requirements, major modifications, API call flows, and application layout, including modules for data sources, transformation, scheduled imports, and support. The document also emphasizes the importance of proper API credentials and configurations for successful integration.

Uploaded by

Siva Teja
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
206 views38 pages

CrowdStrike Falcon CMDB User Guide - 3.0.0

The Service Graph Connector for CrowdStrike v3.0.0+ is a guide for deploying, configuring, and using the connector to retrieve Falcon device and asset data from CrowdStrike APIs and map it into ServiceNow CMDB. It outlines requirements, major modifications, API call flows, and application layout, including modules for data sources, transformation, scheduled imports, and support. The document also emphasizes the importance of proper API credentials and configurations for successful integration.

Uploaded by

Siva Teja
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 38

Service Graph Connector for

CrowdStrike
Installation and Configuration Guide v3.0.0+

Service Graph Connector for CrowdStrike v3.0.0+ © 2024 CrowdStrike, Inc. All rights reserved.
Table of Contents

Contents
Introduction .................................................................................................................................................... 4
Requirements ................................................................................................................................................. 5
Major Modifications ........................................................................................................................................ 5
Getting Started................................................................................................................................................ 6
API Endpoint(s), Filter(s) and Timestamp(s):...................................................................................................... 6
High Level API Call Flow ................................................................................................................................... 6
Application Layout .......................................................................................................................................... 7
Creating/Validating the API Credential Scope ................................................................................................... 8
Proxy Considerations ..................................................................................................................................... 10
ServiceNow Architecture................................................................................................................................ 10
Configuring the Application ............................................................................................................................ 11
Application Layout ........................................................................................................................................ 11
Data Sources .......................................................................................................................................................... 11
Robust Transformer ............................................................................................................................................... 13
Scheduled Import Section ...................................................................................................................................... 14
Setup ...................................................................................................................................................................... 14
Support................................................................................................................................................................... 14
Configuration ......................................................................................................................................................... 14
Integration Dashboard ........................................................................................................................................... 14
Configuring the Application to collect data ..................................................................................................... 15
Guided Setup.......................................................................................................................................................... 15
Add New Connection .............................................................................................................................................. 16
Configure the Scheduled Import ............................................................................................................................ 26
Usage ........................................................................................................................................................... 29
IntegrationHub ETL ....................................................................................................................................... 30
Recommendations ........................................................................................................................................ 32
Dedicated API Credential ............................................................................................................................... 32
Scheduled Job Interval .................................................................................................................................. 32
Troubleshooting ............................................................................................................................................ 33

Service Graph Connector for CrowdStrike v3.0.0+ © 2024 CrowdStrike, Inc. All rights reserved.
Configuring the Application to collect log data ............................................................................................... 33
Change Logging Level ............................................................................................................................................. 33
Review Log Data in ServiceNow ..................................................................................................................... 34
Examples of Troubleshooting Situations and Remediation Steps...................................................................... 34
Support......................................................................................................................................................... 35
Prior to Contacting CrowdStrike Support ........................................................................................................ 35
Contacting CrowdStrike Support .................................................................................................................... 36
Additional Resources ............................................................................................................................... 37

Service Graph Connector for CrowdStrike v3.0.0+ © 2024 CrowdStrike, Inc. All rights reserved.
Introduction
This guide covers the deployment, configuration and usage of the ServiceGraph Connector for
CrowdStrike for version 3.0.0 and up.

The Service Graph Connector for CrowdStrike allows CrowdStrike customers to retrieve Falcon
device data from the CrowdStrike Hosts API as well as asset data from CrowdStrike Exposure
Management APIs and map it into the ServiceNow CMDB.

To get more information about this API, please refer to the API documentation which can be found in
the CrowdStrike Falcon UI:
Hosts API: https://falcon.crowdstrike.com/support/documentation/84/host-and-host- group-
management-apis
Asset Management (Discover) API:
https://falcon.crowdstrike.com/documentation/page/a9df69ec/asset-management-apis
Falcon Discover IoT API: https://falcon.crowdstrike.com/documentation/page/cc599c1f/falcon-
discover-for-iot-apis
Application Security Posture Management API:
https://falcon.crowdstrike.com/documentation/category/a3f7512d/aspm

Multitenancy - This Application can have multiple independent inputs enabled at the same time, each
collecting data from different Falcon Instances. It also provides support for Falcon Flight Control
customers.

Important Notice
It’s important to keep in mind that a ‘device’ in CrowdStrike is identified by the sensor ID. This value is
referred to in different key values such as ‘Device ID’ and ‘AID’ (Agent ID). The purpose of the
Device/AID is to act as an unalterable unique identifier for the device within the CrowdStrike
environment and remains constant even when other identifiable characteristics such as IP address, MAC
Address and Hostnames are changed.

This application facilitates the ingestion records from the CrowdStrike API to Import Sets and includes a
sample mapping for a subset of fields and classes that are included as a default mapping for usage with
the Identity & Reconciliation Engine (IRE). Customizations to this mapping may be required based on
the current CMDB state and existing reconciliation rules present on your instance(s). Since these
attributes are variable based on your needs and specific deployment, CrowdStrike support is only
available to troubleshoot API connections to the CrowdStrike platform and encountered errors with
application scripting or logic. Mapping and reconciliation related questions are outside of the scope of
support. You are encouraged to open a support case following the included troubleshooting guide. As
needed CrowdStrike support may direct an additional case to be opened with ServiceNow based on the
encountered issues.

Service Graph Connector for CrowdStrike v3.0.0+ © 2024 CrowdStrike, Inc. All rights reserved.
Requirements
The following are the requirements to leverage this technical add-on:
1. An active subscription to at least one of the below modules.
• Falcon Prevent/Falcon Insight: Required to ingest Device Details
• Falcon Discover/Exposure Management/Falcon Discover IoT: Required to ingest asset details
respectively.
• Falcon Application Security Posture Management: Required to ingest ASPM Deployments &
Services

2. A ServiceNow instance with the following requirements


• Integration Commons for CMDB
• ITOM Licensing
• ITOM Discovery License
• System Import Sets

3. A ServiceNow account with proper access to deploy and configure applications.

4. A properly scoped API credential or proper access to the CrowdStrike Falcon instance to create
one.

5. The base URL for the CrowdStrike Cloud environment that the Falcon instance resides in.

Major Modifications
The following are some of the major modifications made to this version of the add-on that differ from
previous versions:
1. Based on customer feedback the application now supports multiple profiles. These profiles
allow for ingest filtering and support unique timestamps per input.

2. Ingested Records now can be mapped from 4 APIs:

• Device Data
• Falcon Cloud Security Application Security Posture Management data
• Falcon Discover Application Data
• Falcon Discover Asset Management
• Falcon Discover IoT

Service Graph Connector for CrowdStrike v3.0.0+ © 2024 CrowdStrike, Inc. All rights reserved.
Getting Started
API Endpoint(s), Filter(s) and Timestamp(s):
Based on configured options, the Application will make API calls to some or all of the following
endpoints. Some API calls may leverage different filter fields depending on the selected options.

API Endpoint Filter fields(s)


/oauth2/token
/devices/queries/devices-scroll/v1 modified_timestamp

/devices/entities/devices/v2
/discover/queries/applications/v1 last_updated_timestamp
/discover/entities/applications/v1
/discover/queries/hosts/v1 last_seen_timestamp
/discover/entities/hosts/v1
/discover/queries/iot-hosts/v1 last_seen_timestamp
/discover/entities/iot-hosts/v1
/aspm-api-
gateway/api/v1/servicenow/services
/aspm-api-
gateway/api/v1/servicenow/deployment
s

The default event timestamp used by the Application is the ‘modified_timestamp’ and the
‘last_seen_timestamp’ based on the API in use. The configuration exposes 3 distinct timetamps which
are automatically updated after a successful integration run. The field selection and the value can be
found in the application logging when set to debug mode. Note the Timestamp will be reported in UTC.

High Level API Call Flow


The Service Graph Connector for CrowdStrike performs the same API calls at each time interval
that’s configured within the Scheduled Data Imports:

1. The Application will call the CrowdStrike API gateway with the configured credentials and
request an OAuth2 authentication token that is valid for 30 minutes.
2. If the API credentials are valid the API gateway will respond to the Application with an Oauth2 token.
3. The Application will use the OAuth2 token to call the configured API with the configured parameters.
4. The API will respond with whatever appropriate data matches the configured parameters.
Service Graph Connector for CrowdStrike v3.0.0+ © 2024 CrowdStrike, Inc. All rights reserved.
Application Layout

The Service Graph Connector for CrowdStrike has 7 modules associated with it:
1. Data Sources – These Data Sources (one for each data type) are executed to collect
records from the CrowdStrike API into Import Sets
2. Robust Transformer – This module contains the definitions (one for each data type)
that are used to map incoming records from CrowdStrike to the defined CMDB
classes and fields.
3. Scheduled Import – This module contains the schedules (one for each data type) for which
records are imported and transformed. They are all inactive by default but can be configured to
run on a desired schedule.
4. Setup- Application guided Setup.
5. Support- Detail on getting in touch with CrowdStrike Support
6. Configurations- This module holds the configuration for ingestion. Including timestamps,
credential specification and filtering. It also controls what data points are ingested when
executing the data source or scheduled import.
7. Integration Dashboard- ServiceNow dashboards for monitoring ingest and ingestion related
errors.

Service Graph Connector for CrowdStrike v3.0.0+ © 2024 CrowdStrike, Inc. All rights reserved.
Creating/Validating the API Credential Scope
Based on your subscribed modules when configuring the application you may selectively import
your desired data types from the supported APIs. While the Application can leverage an existing OAuth2
based API credential, it is recommended that a dedicated credential be created and used. This can be
accomplished by the following:
1. Access the CrowdStrike Falcon user interface (UI) with an account that is able to create API
clients and keys
2. Navigate to ‘Support’>’API Client and Keys’ page
3. Create a new API client by selecting ‘Add new API client’ in the OAuth2 API client’s area

4. Give the new API client a name and description (recommended) and under ‘API Scopes’
select:
• the ‘Hosts’ scope and the ‘Read’ capability
• the ‘Assets’ scope and the ‘Read' capability (optional)
• the ‘Falcon Discover IoT’ scope and the ‘Read' capability (optional)
• the ‘ASPM Read-Only’ scope and the ‘Read’ capability (optional)

Service Graph Connector for CrowdStrike v3.0.0+ © 2024 CrowdStrike, Inc. All rights reserved.
5. Select ‘Add’ once completed and a window will appear with the Client ID, Secret and the Base
URL. NOTE: This is the only time the Secret will be visible – ensure it is recorded in a protected
location.

6. In addition, make note of the ‘BASE URL’ value in either the API client created window or the
‘OAuth2 API client’ area as this will be used to determine the CrowdStrike Cloud the instance is
in

7. Select ‘Done’ to close the window and finish creating the credential.

Service Graph Connector for CrowdStrike v3.0.0+ © 2024 CrowdStrike, Inc. All rights reserved.
Proxy Considerations
The Service Graph Connector for CrowdStrike establishes a secure connection with the Falcon
cloud platform. In some environments network devices may impact the ability to establish and maintain
a secure connection and as such these devices should be taken into account and configuration
modifications should be done when necessary.

Ensure that the API URLs/IPs for the CrowdStrike Cloud environment(s) are accessible by the
ServiceNow Instance. For a complete list of URLs and IP address please reference CrowdStrike’s API
documentation.

The current base URLs for OAuth2 Authentication per cloud are:
US Commercial Cloud : https://api.crowdstrike.com
US Commercial Cloud 2 : https://api.us-2.crowdstrike.com
US GovCloud : https://api.laggar.gcw.crowdstrike.com
EU Cloud : https://api.eu-1.crowdstrike.com

ServiceNow Architecture
Identity and Reconciliation Engine: IRE is an underlying key component in Identification and
Reconciliation, providing a centralized framework to perform identification and reconciliation processes
across different data sources. IRE uses identification rules, reconciliation rules, and IRE data source rules
when processing incoming data before inserting that data to the CMDB. It is responsible for processing
incoming records from CrowdStrike and reconciling them with existing CMDB records.
https://docs.servicenow.com/bundle/vancouver-servicenow-platform/page/product/configuration-
management/concept/ire.html

Flow Designer: The Application collects data through a series of script includes and Actions. Flow
Designer facilitates the communication with the CrowdStrike API including authentication and
credential storage. https://docs.servicenow.com/bundle/sandiego-application-
development/page/administer/flow-designer/concept/flow-designer.html

IntegrationHub ETL: This tool provides a graphical interface for visualizing incoming records from
CrowdStrike and is used to update ETL transform maps. Existing mappings can be visualized and
updated as per your specific needs. https://docs.servicenow.com/bundle/vancouver-servicenow-
platform/page/product/configuration-management/concept/integrationhub-etl.html

Service Graph Connector for CrowdStrike v3.0.0+ © 2024 CrowdStrike, Inc. All rights reserved.
Configuring the Application

Application Layout

The Service Graph Connector for CrowdStrike has 7 modules associated with it.

Data Sources
6 Data sources are configured for each connection. When run, these data sources
facilitate the collection of records from the CrowdStrike API and storage into Import Sets.
Each Data Source has it’s own Robust Transformer assigned to in used in the mapping with
the IRE and can be updated using the Integration Hub ETL. If desired you can use the Related
Links on the data source to test the connection by using ‘Test Load 20 Records’.
1) Applications – Collects Application Detail from Falcon Discover
2) Deployments – Collects deployment details from ASPM
3) Devices - Collects detail on managed hosts and assets from Falcon Discover
4) Services – Collects service details from ASPM
5) Services Extra – Collects Service details from ASPM with Extras
6) Unmanaged – Collects Unmanaged Asset & IoT detail from Falcon Discover

Service Graph Connector for CrowdStrike v3.0.0+ © 2024 CrowdStrike, Inc. All rights reserved.
Service Graph Connector for CrowdStrike v3.0.0+ © 2024 CrowdStrike, Inc. All rights reserved.
Robust Transformer
The Robust Transformer section contains 6 definitions:

• Application Details: Transformer for Application Data


• Deployments: Transformer for Deployments from ASPM
• Device Details: Transformer for Managed Hosts & Assets
• Services/Service Extra: Transformer Service detail from ASPM
• Unmanaged Assets:Transformer for Unmanaged Assets & IoT devices.
Definitions can be viewed and updated for each record. It is recommended a backup be created of
the original mapping to revert back as needed. More detail can be found at
https://docs.servicenow.com/bundle/tokyo-platform-administration/page/administer/import-
sets/concept/robust-import-set-transformers.html

Service Graph Connector for CrowdStrike v3.0.0+ © 2024 CrowdStrike, Inc. All rights reserved.
Scheduled Import Section
This module contains the schedules (one for each data type) for which records are imported and
transformed. They are all inactive by default but can be configured to run on a desired schedule. 6
records are created for each connection.

Opening the records you can choose to execute the import & transform by clicking ‘Execute Now’
in the Menu bar or by setting the record to Active and configuring a schedule.

Setup
This module contains the guided setup and is covered in the following section.
Support
This module contains detail on getting support from CrowdStrike.
Configuration
This module contains ingest configuration and is covered in the following section.
Integration Dashboard
This module shows Dashboards related to ingest status.

Service Graph Connector for CrowdStrike v3.0.0+ © 2024 CrowdStrike, Inc. All rights reserved.
Configuring the Application to collect data
*NOTE* Before proceeding through the guided setup you will need to run the included “CrowdStrike CMDB
Fix Script” to create the needed data sources.
Guided Setup
Application configuration is accomplished through the Guided Setup Module. Open the module and click ‘Get
Started’ to begin

Service Graph Connector for CrowdStrike v3.0.0+ © 2024 CrowdStrike, Inc. All rights reserved.
Add New Connection
1. Update Data Source Permissions: For the sys_data_source table, visit the Application Access
tab and add permissions for "Can Create" and "Can Update"

Service Graph Connector for CrowdStrike v3.0.0+ © 2024 CrowdStrike, Inc. All rights reserved.
Service Graph Connector for CrowdStrike v3.0.0+ © 2024 CrowdStrike, Inc. All rights reserved.
2. Create New Connection: Use Flow Designer UI to add a new CrowdStrike Connection. Adding
a new Connection creates a new Data Source, OAuth Credential, and Scheduled Script
Execution. A default connection is provided with the application and new connections can be
created through the same process.

Service Graph Connector for CrowdStrike v3.0.0+ © 2024 CrowdStrike, Inc. All rights reserved.
Fill in the following details:

Connection Name Descriptive Name for the Tenant


Connection URL The API Endpoint for the tenants cloud:
i. Us Commercial Endpoint: https://api.crowdstrike.com
ii. Us Commercial 2 Endpoint: https://api.us-
2.crowdstrike.com
iii. EU Cloud: https://api.eu-1.crowdstrike.com
iv. Falcon on GovCloud:
https://api.laggar.gcw.crowdstrike.com

Service Graph Connector for CrowdStrike v3.0.0+ © 2024 CrowdStrike, Inc. All rights reserved.
OAuth Client ID As Generated in Falcon UI
OAuth Client Secret As Generated in Falcon UI
OAuth Token URl The API Endpoint for the tenants cloud:
i. Us Commercial Endpoint:
https://api.crowdstrike.com/oauth2/token
ii. Us Commercial 2 Endpoint: https://api.us-
2.crowdstrike.com/oauth2/token
iii. EU Cloud: https://api.eu-
1.crowdstrike.com/oauth2/token
iv. Falcon on GovCloud:
https://api.laggar.gcw.crowdstrike.com/oauth2/token

OAuth Entity Name Descriptive name for the OAuth Entity

Service Graph Connector for CrowdStrike v3.0.0+ © 2024 CrowdStrike, Inc. All rights reserved.
3. Configure Import: You may now setup your filtering and desired data types. If a configuration
does not yet exist you may create one as needed. Seting the connetion profile to
x_crowd_cmdb.Service_Graph_Connector_for_CrowdStrike

Service Graph Connector for CrowdStrike v3.0.0+ © 2024 CrowdStrike, Inc. All rights reserved.
Active Marks this configuration for ingest
Description Uniquely Identifies this configuration
Connection Profile The Connection & Credential profile this configuration
uses
Logging Level Application Logging Level
Host Details Timestamp Timestamp used to ingest last updated records for
managed devices & assets
Host Details Filter FQL Filter Used to Filter Devices returned by the
CrowdStrike API. See the Additional Resources for links
containing reference to fields and query structure.
Get Application Details Marks Application Details for ingest
Application Timestamp Timestamp used to ingest last updated
Application Details Filter FQL Filter Used to filter applications returned by the
CrowdStrike API. See the Additional Resources for links
containing reference to fields and query structure.
Get Asset Details Marks Asset Details for ingest
Asset Details Filter FQL Filter used to filter managed assets returned by the
CrowdStrike API. See the Additional Resources for links
containing reference to fields and query structure.
Get IoT Hosts Marks IoT Details for ingest
IoT Data Filter FQL Filter used to filter managed IoT assets returned by
the CrowdStrike API. See the Additional Resources for
links containing reference to fields and query structure.
Get Unmanaged IoT Details Marks Unmanaged IoT Details for ingest
Unmanaged IoT Filter FQL Filter used to filter unmanaged IoT assets returned
by the CrowdStrike API. See the Additional Resources
for links containing reference to fields and query
structure.
Get Unmanaged Asset Details Marks Unmanaged Asset Details for ingest
Unmanaged Asset Filter FQL Filter used to filter unmanaged assets returned by
the CrowdStrike API. See the Additional Resources for
links containing reference to fields and query structure.
Unmanaged Timestamp Timestamp used to ingest last updated records for
unmanaged IoT devices & assets
Get Deployment Details Enable to ingest Deployments and Services for this
profile

Once setup as desired, you use the Update UI Action and return to the Guided setup.

Service Graph Connector for CrowdStrike v3.0.0+ © 2024 CrowdStrike, Inc. All rights reserved.
4. Load Test Data: You may now load test data to ensure that the configuration is able to
connect to the CrowdStrike API and load data to the import sets.

Service Graph Connector for CrowdStrike v3.0.0+ © 2024 CrowdStrike, Inc. All rights reserved.
Service Graph Connector for CrowdStrike v3.0.0+ © 2024 CrowdStrike, Inc. All rights reserved.
You have now verified the connection for the Device Details Data Source, perform the same operation for the
remaining data sources.

Service Graph Connector for CrowdStrike v3.0.0+ © 2024 CrowdStrike, Inc. All rights reserved.
Configure the Scheduled Import
Configuring the scheduled import allows you to specify the frequency at which the data source ingests records
from CrowdStrike and transforms them using the RTE. There are 3 scheduled imports created for each connection
corresponding to each supported data type (managed/unmanaged/application). From the Guided setup, choose
the “Configured the Scheduled Import” task after completing all tasks from the previous section.

Service Graph Connector for CrowdStrike v3.0.0+ © 2024 CrowdStrike, Inc. All rights reserved.
Setting these records to active and choosing a schedule will ingest records from CrowdStrike and transform them
based on your needs. At each run, the end time of the previous run is used to gather records that have been
updated (in the case of applications and managed devices) or last seen (in the case of unmanaged devices).
Configure the additional scheduled imports as desired.

Service Graph Connector for CrowdStrike v3.0.0+ © 2024 CrowdStrike, Inc. All rights reserved.
You have now completed the setup process.

Service Graph Connector for CrowdStrike v3.0.0+ © 2024 CrowdStrike, Inc. All rights reserved.
Usage
After your first Run you will see entries in the cmdb_ci table. You can view this by entering ‘cmdb_ci.list’ in the
Navigator.

Clicking one of these entries will show you the collected information. We will make one change to the Related List
of the Form. If you do not have this section as part of the ‘Server’ Class, edit the form to include ‘CI Relations’.

Next, Configure the Related Lists of the Form and add CrowdStrike Device Details by clicking the right arrow.

Service Graph Connector for CrowdStrike v3.0.0+ © 2024 CrowdStrike, Inc. All rights reserved.
You will now see Related CrowdStrike Device Details including Network Adapters and IPs

IntegrationHub ETL
IntegrationHub ETL uses RTE and IRE which work together to process and integrate data. Data is first imported
from a data source, and is then stored in temporary staging tables in Import Sets systems. Using the data in the
staging tables and the ETL transform map created by IntegrationHub ETL, RTE creates IRE payloads which are then
processed by IRE. IRE applies reconciliation processes to avoid potential problems such as duplicate CIs, ensuring
that the CMDB remains healthy, and then integrates the resulting data into the CMDB.

https://www.servicenow.com/community/cmdb-articles/integrationhub-etl-introduction/ta-p/2301028

This application facilitates the ingestion records from the CrowdStrike API to Import Sets and includes a sample
mapping for a subset of fields and classes that are included as a default mapping for usage with the Identity &
Reconciliation Engine (IRE). Customizations to this mapping may be required based on the current CMDB state and
existing reconciliation rules present on your instance(s). Since these attributes are variable based on your needs
and specific deployment, CrowdStrike support is only available to troubleshoot API connections to the CrowdStrike
platform and encountered errors with application scripting or logic. Mapping and reconciliation related questions
are outside of the scope of support. You are encouraged to open a support case following the included
troubleshooting guide. As needed CrowdStrike support may direct an additional case to be opened with
ServiceNow based on the encountered issues.

The IntegrationHub ETL allows you to visualize and update mappings as required for your environment. It provides
the facility to update fields from import sets, view currently mapped CMDB classes and fields. And create new
fields in the import sets as needed. The application is designed to import new fields from CrowdStrike as they are
made available from the APIs. Using the IHETL you can see new fields as they arrive and transform/map them as

Service Graph Connector for CrowdStrike v3.0.0+ © 2024 CrowdStrike, Inc. All rights reserved.
desired.

A transform map is included by default for each data source. The following guide walks through viewing these
transform maps and updating them

https://www.servicenow.com/community/cmdb-articles/how-to-set-up-an-ih-etl-transform-map/ta-p/2301067

Store Link:
https://store.servicenow.com/sn_appstore_store.do#!/store/application/d43fe173dba23300c121f3c61d961958

Service Graph Connector for CrowdStrike v3.0.0+ © 2024 CrowdStrike, Inc. All rights reserved.
Recommendations
The following are general recommendations. They may not be optimal in all situations and
should be evaluated on an environment-by-environment basis.
Dedicated API Credential
The use of a dedicated API credential for this integration is recommended to prevent issues
should the credentials secret need to be regenerated and/or to ensure that the client is only scoped for
the specific API endpoints used.

Scheduled Job Interval


The interval setting for Scheduled Jobs should take into account the amount of data that the
data source could potentially process. Setting an interval to low may result in a collection being
interrupted and/or the data being collected having minimal changes. In most environments collection
interval over 1 hour is recommended for standard data sources. Depending on the use case and the
number of potential hosts involved, on-line inputs maybe slightly shorter.
The interval setting should also take into account the Timestamp field selection. The ‘last_seen’
value is not updated as often as the ‘modified_timestamp’ value and as such inputs based on that field
value should have a larger interval.

Service Graph Connector for CrowdStrike v3.0.0+ © 2024 CrowdStrike, Inc. All rights reserved.
Troubleshooting
CrowdStrike only provides support for:
• Application code-based functionality errors
• API/Gateway based errors

Examples of issues that are outside the scope of CrowdStrike support:


• Proxy based issues
• Firewall based issues
• Network connectivity issues
• Authentication issues (based on misconfigured credentials)
• Class & Field Mapping
• ServiceNow environmental/configuration-based issues

Configuring the Application to collect log data


The Application logging level is set to ‘error by default and will only log a minimal amount of information.
To properly troubleshoot issues with the Application the logging level should be set to ‘debug’.

Change Logging Level


1. Navigate to the Configuration module and open a configuration record

2. Select the logging level from the drop-down menu:

3. Click ‘update’ to save the logging level.

Service Graph Connector for CrowdStrike v3.0.0+ © 2024 CrowdStrike, Inc. All rights reserved.
Review Log Data in ServiceNow
1. Visit this link to review logging detail:
https://<<INSTANCE_NAME>>.service-
now.com/now/nav/ui/classic/params/target/syslog_app_scope_list.do%3Fsysparm_query%3Dsys_s
cope%253D4cf6fe341b3bcc103ade8622dd4bcb36%26sysparm_first_row%3D1%26sysparm_view%3
D

2. Visit this link to view HTTP Request Logging:


https://<<INSTANCE_NAME>>.service-
now.com/now/nav/ui/classic/params/target/sys_outbound_http_log_list.do%3Fsysparm_query%3
Dhostname%253Dapi.crowdstrike.com%26sysparm_first_row%3D1%26sysparm_view%3D
3. Review System Logs to determine if there’s any internal issues within ServiceNow that could be
causing issues with the proper collection and processing of data. If events related to a possible
issue are found please include export them in csv format and include them in any support
requests.

Examples of Troubleshooting Situations and Remediation Steps


1. It doesn’t look like any data is being collected:

1.1. Ensure that the credentials have been properly scoped for the API and have been properly
entered
1.2. Ensure that the timestamp selection is set so that the time window is large enough to include
the event timestamp. If the Application may be collecting events that are timestamped
outside the currently selected time window. You can use the “Pull All Records” UI Action to
reset the timestamps so that they pull data from “All Time”
1.3. Examine log data to determine if any API calls are getting 401 or 403 responses indicating a
potential issue with authentication, credential input
2. The data being collected does not look ‘complete’:

2.1. Review the configuration settings to ensure that the settings reflect that data collection requirements
2.2. Review the interval setting to ensure that there is enough time to collect the required data and
that data collections are not being interrupted
2.3. Ensure that you have setup mapping as desired using the IntegrationHub ETL
2.4. Review the Application logs and the internal ServiceNow logs for any errors that may have
impacted data collection
2.5. Validate that there is not an internal ServiceNow issue that could be delaying the indexing of data

Service Graph Connector for CrowdStrike v3.0.0+ © 2024 CrowdStrike, Inc. All rights reserved.
Support
This Application Is designed to help facilitate the collection of device data provided by the CrowdStrike
API(s). CrowdStrike provides support for the Application code functionality as it was designed.
Examples of instances that would fall outside of CrowdStrike’s support:
• Environment caused network connectivity issues.
• Issues related to certain ServiceNow configurations or internal ServiceNow connectivity issues.
• Modifying the Application configuration outside of what’s outlined in this documentation.
• Support requests without the appropriate data outlined below.
• Field mapping or custom data modification requests

Prior to Contacting CrowdStrike Support


1. Ensure that the OAuth2 credential has been scoped and entered correctly.
2. Ensure that the issue is not a network connectivity issue, if the API calls being made by the
Application cannot properly communicate with the CrowdStrike API those issues should be
resolved before contacting CrowdStrike support.
3. Set the Application log level to ‘DEBUG’.
4. Repeat and record the action(s) that are associated with the issue you are reporting.
5. Collect all appropriate log information.
a. Export the Application Logs in CSV Format
b. Export “Outbound HTTP Requests” logs related to the application.
c. Collect any relevant logs from ServiceNow’s internal log related to the Application and
the issue you’re reporting.
6. Record the following information about the ServiceNow system:
• ServiceNow version
• Application version
• If this was a new deployment/upgrade or if there was no change to the Application
• The approximate date(s) and time(s) of examples of when the specific issue(s) occurred.

Service Graph Connector for CrowdStrike v3.0.0+ © 2024 CrowdStrike, Inc. All rights reserved.
Contacting CrowdStrike Support
1. Navigate to https://supportportal.crowdstrike.com/
2. Open a support ticket, provide the data collected in steps 6 above as well as any
modifications that have been made to the Application outside of the processed
outlined in this documentation

NOTE:
CrowdStrike technical support engineers (TSE) are required to evaluate ServiceNow integration
support requests. In addition, CrowdStrike TSE are required to perform troubleshooting workflows to
help identify potential issues and evaluate those issues for potential escalations to other teams. This
may include, but is not limited to, requesting additional information/data/logs and requesting results
from configuration modifications. The inability or unwillingness to supply the required/requested
information and/or make request modifications/actions may result in CrowdStrike not being able to
troubleshoot the reported issue and result in the inability to provide support for the reported issue.

Service Graph Connector for CrowdStrike v3.0.0+ © 2024 CrowdStrike, Inc. All rights reserved.
Additional Resources
Hosts API: https://falcon.crowdstrike.com/support/documentation/84/host-and-host- group-
management-apis
Asset Management (Discover) API: https://falcon.crowdstrike.com/documentation/page/a9df69ec/asset-
management-apis
Falcon Discover IoT API: https://falcon.crowdstrike.com/documentation/page/cc599c1f/falcon-discover-
for-iot-apis
Device FQL Filters: https://falcon.crowdstrike.com/documentation/page/c0b16f1b/host-and-host-group-
management-apis#qadd6f8f
Asset FQL Filters: https://falcon.crowdstrike.com/documentation/page/a9df69ec/asset-management-
apis#t0e123bd
Application FQL Filters: https://falcon.crowdstrike.com/documentation/page/a9df69ec/asset-
management-apis#l922514b
ASPM Documentation: https://falcon.crowdstrike.com/documentation/category/a3f7512d/aspm
FQL Reference: https://falcon.crowdstrike.com/documentation/page/d3c84a1b/falcon-query-language-fql

Service Graph Connector for CrowdStrike v3.0.0+ © 2024 CrowdStrike, Inc. All rights reserved.
About CrowdStrike

CrowdStrike® Inc. (Nasdaq: CRWD), a global cybersecurity leader, is redefining security for the
cloud era with an endpoint protection platform built from the ground up to stop breaches. The
CrowdStrike Falcon® platform’s single lightweight-agent architecture leverages cloud-scale
artificial intelligence (AI) and offers real-time protection and visibility across the enterprise,
preventing attacks on endpoints on or off the network. Powered by the proprietary CrowdStrike
Threat Graph®, CrowdStrike Falcon correlates over 3 trillion endpoint-related events per week in
real time from across the globe, fueling one of the world’s most advanced data platforms for
security.

There’s only one thing to remember about CrowdStrike: We stop breaches.

© 2024 CrowdStrike, Inc. All rights reserved.

Service Graph Connector for CrowdStrike v3.0.0+ © 2024 CrowdStrike, Inc. All rights reserved.

You might also like