Configure Device Posture integrations

On the Device Posture Integrations page, you can configure the third-party integrations.

Integrate with CrowdStrike

With the CrowdStrike integration, you get access to additional signals that you can use to monitor corporate devices and allow or deny application access. CrowdStrike offers Falcon cybersecurity software for endpoint devices.
With the EAA-CrowdStrike integration, you can use Device Posture to calculate the status of the CrowdStrike Agent (CrowdStrike Falcon sensor) running on the user's device. The Agent's status is reported as healthy if the CrowdStrike Agent is running on the device and communicating regularly with the CrowdStrike server, or as unhealthy if the Agent is inactive. The CrowdStrike Agent status is included in the Device Posture security evaluation.

CrowdStrike data that you can monitor in the Integration tab of the Device Details report:

CrowdStrike Signal | Description
AID (Agent ID) | Identifies each installation of a Falcon sensor. If the sensor is updated or reinstalled, the host gets a new AID. For this reason, a single host can have multiple AID values over time. Agent ID is also called a Sensor ID.
CID (Customer ID) | Identifies your company's account with CrowdStrike.
AID/CID Status | Displays a status based on the validity of the AID and CID in the CrowdStrike cloud. If the AID and CID are valid, this signal returns a valid value; otherwise, its value is invalid.
Version | Reports the current version of the CrowdStrike Falcon sensor installed on a device.
Agent Status | Displays the health status of the CrowdStrike Falcon sensor. If the sensor communicates regularly with the CrowdStrike cloud, the status is set as healthy. Otherwise, the status is indicated as unhealthy.
Last Contact | Indicates the time that the CrowdStrike cloud last received contact from the Falcon sensor on a given device. The time indicated corresponds to the local time zone of the Akamai Control Center user. Device Posture uses the value of the Last Contact signal to calculate the CrowdStrike Agent Status.

Note: This integration requires that user devices are running the EAA Client and the CrowdStrike Falcon endpoint protection software. It also requires access credentials to the CrowdStrike administrator portal.

Additionally, for the anti-malware detection feature to detect CrowdStrike as an anti-malware product, the CrowdStrike Prevention Policy should have Quarantine & Security Center Registration enabled. To enable this setting, go to Prevention Policies > Your Policy Name > Next Gen Antivirus > Type: Quarantine in the CrowdStrike portal.

Prerequisites:

  • Access credentials to your CrowdStrike administrator portal.

  • Install EAA Client on users' macOS and Windows desktop devices.

  • Install and run the CrowdStrike Falcon Sensor on user devices. The Falcon sensor must be properly associated with the customer account used to access and configure the CrowdStrike portal mentioned above.

  • Authentication to the CrowdStrike API requires a Client ID and Client Secret. You can generate these credentials from the CrowdStrike portal.

  • CrowdStrike integration is only supported for desktop (Windows and macOS) devices.

  • In order for the integration to work correctly on macOS, the CrowdStrike Falcon utility and OS sysctl utility must be installed and accessible. See CrowdStrike documentation for further details.

To integrate with CrowdStrike:

  1. Configure CrowdStrike cloud to allow API access via Akamai Control Center.

  2. Configure Akamai Control Center for CrowdStrike integration.

Configure CrowdStrike cloud to allow API access via Akamai Control Center

Complete this procedure in the CrowdStrike portal to obtain your CrowdStrike Client ID and Client Secret.

  1. Log in to the CrowdStrike portal.

  2. Select Support > API Clients and Keys.
    The API Key page appears.

  3. In API Clients, click Add new API Client.
    The Add new API client dialog appears.

  4. In Add new API client:

    1. In Client Name enter a unique name for the API client.

    2. In Description enter a description for the API client (optional).

    3. In API Scopes select Hosts (Read and Write) permissions.

  5. Click Add.
    The API client create dialog appears.

  6. From the API client create dialog, copy the Client ID and Client Secret values.

    Note: Copy the Client Secret now, as you won't be able to retrieve its value later.

  7. Click Done.

Configure Akamai Control Center for CrowdStrike integration

Complete this procedure in Akamai Control Center to integrate with the CrowdStrike cloud and get access to signals reported by the Falcon client.

  1. In the EAA Management Portal navigation menu, select System > Device Posture.

  2. On the Device Posture page, click Integrations.

  3. Scroll down to CrowdStrike and fill in the following fields:

Field | Description
Enabled | Select Enabled to use CrowdStrike signals in tiers and tags.

If the CrowdStrike integration is not enabled, the CrowdStrike Status Healthy signal is displayed neither in tier nor in tag criteria. The agent status also does not appear in the inventory reports, including filter criteria and device details.

Base URL | Enter your organization-specific Base URL.

In most cases, you can use the URL of the US-1 cloud environment: http://api.crowdstrike.com

Other cloud environments and their corresponding base URLs are the following:

  • US-GOV: api.laggar.gcw.crowdstrike.com

  • EU-1: api.eu-1.crowdstrike.com

  • US-2: api.us-2.crowdstrike.com

If none of these work, consult CrowdStrike for your Base URL.

Client ID and Client Secret | Enter the Client ID and Client Secret.

To get your Client ID and Client Secret, go to Support > API Clients and Keys > OAuth2 API Clients > Add new API Client in the CrowdStrike portal.

  4. Click Test Credentials to ensure the values are correct. A confirmation message appears if the credentials are tested successfully.
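A pre-flight check an administrator could run before entering the Base URL and credentials, shown as an added example that is not Akamai's or CrowdStrike's code: it accepts only the API hosts listed on this page, always upgrades the scheme to https, and builds (without sending) a client-credentials request to CrowdStrike's `/oauth2/token` endpoint. The function names are assumptions; extend `KNOWN_HOSTS` if CrowdStrike gives you a different Base URL.

```python
from urllib.parse import urlencode, urlsplit
from urllib.request import Request

# Cloud environments and API hosts as listed on this page.
KNOWN_HOSTS = {
    "api.crowdstrike.com": "US-1",
    "api.us-2.crowdstrike.com": "US-2",
    "api.eu-1.crowdstrike.com": "EU-1",
    "api.laggar.gcw.crowdstrike.com": "US-GOV",
}


def normalize_base_url(value):
    """Return (https_base_url, environment) or raise ValueError."""
    value = value.strip()
    if "://" not in value:
        value = "https://" + value  # some hosts are listed without a scheme
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https"):
        raise ValueError("unsupported scheme: " + parts.scheme)
    if parts.username or parts.password:
        raise ValueError("Base URL must not embed credentials")
    if parts.port not in (None, 443):
        raise ValueError("unexpected port in Base URL")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("Base URL must be a bare host")
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in KNOWN_HOSTS:  # exact match, so look-alike suffixes fail
        raise ValueError("not a CrowdStrike API host listed here: " + host)
    # Always return https so the Client Secret never travels in clear text.
    return "https://" + host, KNOWN_HOSTS[host]


def build_token_request(base_url, client_id, client_secret):
    """Build, but do not send, the OAuth2 client-credentials request."""
    https_url, _env = normalize_base_url(base_url)
    # Credentials go in the form body, never in the URL or query string.
    body = urlencode({"client_id": client_id, "client_secret": client_secret})
    return Request(
        https_url + "/oauth2/token",
        data=body.encode("ascii"),
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"},
        method="POST",
    )
```
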

Next steps:
After you have configured the CrowdStrike integration, you can:

  • Use the CrowdStrike Status Healthy signal to configure risk tiers and tags. See Configure tiers and tags for more information.

  • Use the CrowdStrike Healthy criterion to filter inventory reports for healthy and unhealthy devices. See Create an inventory report for more information.

  • View the Integration section of the Device Details report to check the CrowdStrike information.

Integrate with VMware Carbon Black

With the VMware Carbon Black integration, you can monitor endpoint activity data and block potential threats.

With this integration, you can use Device Posture to calculate the status of the Carbon Black client running on the user's device. The Carbon Black client status is reported as healthy if the Carbon Black client running on the device is communicating regularly with the Carbon Black server, or as unhealthy if the client is inactive. Additionally, Device Posture can verify whether the user's device is assigned to a specific Carbon Black policy. Both of these signals are included in the Device Posture security posture evaluation.

The following is the list of Carbon Black data that you can monitor in the Integration tab of the Device Details report:

Carbon Black Signal | Description
Policy Name | The name of the policy assigned to the device.
Status | The status sent by the VMware Carbon Black server.
Version | The current version of the VMware Carbon Black software installed on the device.
Last Contact | The date and time of the last contact with the VMware Carbon Black server in your local time zone.

Note: Device Posture uses the value of the Last Contact signal to calculate the status of the Carbon Black client.
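The Last Contact signal drives the agent status for both CrowdStrike and Carbon Black. As an added example (not Akamai's implementation), the following Python code derives a healthy or unhealthy status from Last Contact values in a constructed inventory, comparing in UTC rather than in the displayed local time. The 24-hour threshold, the 5-minute skew allowance and all names are assumptions, since this page does not state the interval Device Posture uses.

```python
from datetime import datetime, timedelta, timezone

MAX_SILENCE = timedelta(hours=24)  # assumed threshold, not taken from the product
MAX_SKEW = timedelta(minutes=5)    # assumed tolerance for clock skew


def parse_last_contact(text):
    """Parse an ISO 8601 timestamp into an aware UTC datetime."""
    ts = datetime.fromisoformat(text.strip().replace("Z", "+00:00"))
    if ts.tzinfo is None:
        # A bare local time is ambiguous; refuse it instead of guessing.
        raise ValueError("timestamp has no UTC offset: " + text)
    return ts.astimezone(timezone.utc)


def agent_status(last_contact, now, max_silence=MAX_SILENCE):
    """Return 'healthy' or 'unhealthy' for one Last Contact value."""
    if not last_contact:
        return "unhealthy"  # the agent never reported in
    try:
        seen = parse_last_contact(last_contact)
    except ValueError:
        return "unhealthy"  # fail closed on unparseable or naive input
    if seen - now > MAX_SKEW:
        return "unhealthy"  # timestamp from the future: do not trust it
    return "healthy" if now - seen <= max_silence else "unhealthy"


def unhealthy_devices(inventory, now):
    """Return the sorted names of devices that would not count as healthy."""
    return sorted(d["name"] for d in inventory
                  if agent_status(d.get("last_contact"), now) != "healthy")


# Constructed sample data, not real device records.
NOW = datetime(2024, 5, 2, 12, 0, tzinfo=timezone.utc)
INVENTORY = [
    {"name": "laptop-a", "last_contact": "2024-05-02T11:45:00Z"},
    # 13:30 at +02:00 is 11:30 UTC, so this is 24.5 hours old, not 22.5.
    {"name": "laptop-b", "last_contact": "2024-05-01T13:30:00+02:00"},
    {"name": "laptop-c", "last_contact": None},
    {"name": "laptop-d", "last_contact": "2024-05-02 11:00:00"},
    {"name": "laptop-e", "last_contact": "2024-05-03T12:00:00Z"},
]

if __name__ == "__main__":
    print(unhealthy_devices(INVENTORY, NOW))
```
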

Prerequisites:

  • User devices must install and run the VMware Carbon Black agent. Only the Carbon Black Defense product is supported.

  • Authentication to the VMware Carbon Black API requires an API Secret Key and the API ID. You can generate the API Secret Key and API ID from the VMware Carbon Black Defense console.

  • VMware Carbon Black rules are only supported for desktop (Windows and macOS) devices.

To integrate with VMware Carbon Black:

  1. Configure VMware Carbon Black cloud with a Custom Access Level.

  2. Configure Akamai Control Center for VMware Carbon Black integration.

Configure VMware Carbon Black cloud with a Custom Access Level

Complete this procedure to obtain your Carbon Black API ID and API Secret Key.

  1. Log in to the Carbon Black Dashboard. You can find your Dashboard URL at the VMware Carbon Black community page.

  2. In Settings > API Access click Access Levels.

  3. Click Add Access Level.

  4. On the Add Access Level page:

    1. Enter the Access Level name and description.

    2. Scroll down the Access Level table and, for General information in the Device category, select the Read permission type.

  5. Click Save.

  6. In Settings > API Access click API Keys.

  7. Click Add API Key.

  8. In the Add API Key dialog:

    1. Enter a unique API Key name.

    2. In Access Level type select Custom.

    3. In Custom Access Level select the Access Level that you previously created.

  9. Click Save.

  10. The API Credentials dialog that appears contains your API ID and API Secret Key. Copy this data and use it in the following step. See Carbon Black documentation to learn more.

Configure Akamai Control Center for VMware Carbon Black Integration

Complete this procedure in Akamai Control Center to integrate with VMware Carbon Black using the API ID and API Secret Key that you obtained in the previous configuration step.

  1. In the EAA Management Portal navigation menu, select System > Device Posture.

  2. Go to VMware Carbon Black and fill in the following fields:

Field | Description
Enabled | Select Enabled to use VMware Carbon Black signals in tiers and tags.

Note: If this field is not selected, VMware Carbon Black criteria do not display on the UI pages where you define tiers and tags or generate reports.

API Hostname | Select the URL for the API Hostname.

Your Portal Hostname is based on your region when you configured your VMware Carbon Black account.

API Secret Key and API ID | Enter your API ID and API Secret Key used to access the API.

To get the values of these credentials, go to Settings > API Access > API Keys in the VMware Carbon Black Cloud console.

ORG Key | Enter the ORG Key, which can be found under Settings > API Access > API Keys in the VMware Carbon Black Cloud console.

  3. Click Test Credentials to ensure the values are correct.

  4. Click Save to save the information.

Next steps:
After completing these steps, use the following criteria when defining tiers/tags and when generating reports:

  • Use VMware Carbon Black Policy and VMware Carbon Black Status Healthy to define tiers and tags, and to generate inventory reports. See Configure tiers and tags and Create an inventory report for further details.

  • View the Integration section of the Device Details report to check the Carbon Black information.

