Configure Device Posture integrations

On the Device Posture Integrations page, you can configure the third-party integrations.

You can configure up to 12 entities for CrowdStrike or VMWare Carbon Black signals. Each entity can be a newly acquired company or sub-organization of the parent organization. Configuring entities allows the parent organization to use the acquired company's credentials, and use the device posture signals for device posture reports for all users including the acquired company, till the acquired company is integrated into the parent organization.

ūüöß

Important Note

Device posture integration has been tested with VMware Carbon Black signals for a single entity. However, you may be able to use up to 12 entities. If you have any issues, contact Akamai Support for assistance. However, Device posture integration has fully tested to support up to 12 entities for CrowdStrike signals.

Integrate with CrowdStrike

With the CrowdStrike integration, you get access to additional signals that you can use to monitor corporate devices and allow or deny application access. CrowdStrike offers Falcon cybersecurity software for endpoint devices.
With the EAA-Crowdstrike integration, you can use Device Posture to calculate the status of the CrowdStrike Agent (CrowdStrike Falcon sensor) running on the user's device. The Agent's status can be reported as healthy if the CrowdStrike Agent is running on the device and communicating regularly with the CrowdStrike server, or unhealthy if the Agent is inactive. The CrowdStrike Agent status is included in the Device Posture security evaluation.

CrowdStrike data that you can monitor in the Integration tab of the Device Details report:

CrowdStrike SignalDescription
AID (Agent ID)Identifies each installation of a Falcon sensor. If the sensor is updated or reinstalled, the host gets a new AID. For this reason, a single host can have multiple AID values over time. Agent ID is also called a Sensor ID.
CID (Customer ID)Identifies your company's account with CrowdStrike.
AID/CID StatusDisplays a status based on the validity of the AID and CID in the CrowdStrike cloud. If AID and CID are valid this signal returns a valid value, otherwise, its value is invalid.
VersionReports the current version of the CrowdStrike Falcon sensor installed on a device.
Agent StatusDisplays the health status of the CrowdStrike Falcon sensor. If the sensor communicates regularly to the CrowdStrike cloud, the status is set as healthy. Otherwise, the status is indicated as unhealthy.
Last ContactIndicates the time that the CrowdStrike cloud last received contact from the Falcon sensor on a given device. The time indicated corresponds to the local time zone of ‚ÄčAkamai Control Center‚Äč user. Device Posture uses the value of the Last Contact signal to calculate the status of the CrowdStrike Agent Status.

ūüďė

This integration requires that user devices are running the EAA Client and the CrowdStrike Falcon endpoint protection software. It also requires access credentials to the CrowdStrike administrator portal.

Additionally, in order for the anti-malware detection feature to detect CrowdStrike as an anti-malware product, Crowdstrike Prevention Policy should have Quarantine & Security Center Registration enabled. To enable this setting go to, Prevention Policies > Your Policy Name > Next Gen Antivirus > Type: Quarantine in the CrowdStrike portal.

Prerequisites:

  • Access credentials to your CrowdStrike administrator portal.

  • Install EAA Client on the user desktop macOS and Windows devices.

  • Install and run the CrowdStrike Falcon Sensor on user devices. The Falcon sensor must be properly associated with the customer account used to access and configure the CrowdStrike portal mentioned above.

  • Authentication to the CrowdStrike API requires a Client ID and Client Secret. You can generate these credentials from the CrowdStrike portal.

  • CrowdStrike integration is only supported for desktop (Windows and macOS) devices.

  • In order for the integration to work correctly on macOS, the CrowdStrike Falcon utility and OS sysctl utility must be installed and accessible. See CrowdStrike documentation for further details.

To integrate with CrowdStrike:

  1. Configure CrowdStrike cloud to allow API access via ‚ÄčAkamai Control Center‚Äč.

  2. Configure ‚ÄčAkamai Control Center‚Äč for CrowdStrike integration.

Configure CrowdStrike cloud to allow API access via ‚ÄčAkamai Control Center‚Äč

Complete this procedure in the CrowdStrike portal to obtain your CrowdStrike Client ID and Client Secret for each sub-organization or entity.

  1. Log in to the CrowdStrike portal.

  2. Select Support and resources > Resources and tools > API Clients and Keys.
    The API Key page appears.

crowdstrike nav for API keyscrowdstrike nav for API keys

  1. In API Clients, click Add new API Client.
    The Add new API client dialog appears.

  2. In Add new API client:

    a. In Client Name enter a unique name for the API client.

    b. In Description enter a description for the API client (optional).

  3. Akamai needs to be able to check the host by batch, enable Hosts, and Sensor Download using the Crowdstrike API.

    a. In API Scopes set Hosts with Read and Write permissions.

    b. In API Scopes set Sensor Downloads with Read permissions.

API scopes hosts permissionsAPI scopes hosts permissions

API scopes sensor downloads permissionsAPI scopes sensor downloads permissions

  1. Click Add.
    The API client create dialog appears.

  2. From the API client created window copy CLIENT ID and SECRET values.

    ūüďė

    Copy the SECRET now as you won't be able to retrieve its value later.

  3. Click Done.

ūüďė

Note

Akamai recommends that the Read permission for Sensor Downloads for existing and new credentials be enabled on the CrowdStrike Portal. If the Read permission for Sensor Downloads for existing and new credentials on the CrowdStrike Portal is not enabled and if one or more credentials expire, the devices belonging to those specific CrowdStrike integrations will have stale data in the Integrations tab in inventory reports. If the device was successfully reporting status to Crowdstrike before the credentials expired, EAA will mark it as healthy for up to 50 minutes after the last time EAA saw that the device reported to Crowdstrike (40 minutes for Crowdstrike and 10 minutes for EAA).

Configure ‚ÄčAkamai Control Center‚Äč for CrowdStrike integration

Complete this procedure in ‚ÄčAkamai Control Center‚Äč to integrate with the CrowdStrike cloud and get access to signals reported by the Falcon client. You can add one or more entities, up to 12 entities

  1. In the Enterprise Center navigation menu, select Application Access > Device Posture > Integrations.

  2. Click the Add Entity to add a new tenant.

  3. Select CrowdStrike and fill in the following fields:

FieldDescription
EnabledSelect Enabled to use CrowdStrike signals in tiers and tags.

If the CrowdStrike integration is not enabled, the CrowdStrike Status Healthy signal is not displayed neither in tiers nor in tags criteria. The agent status also does not appear in the inventory reports including filter criteria and device details.

Base URLEnter your entity-specific Base URL
Client ID and Client SecretEnter the CLIENT ID and SECRET.

To get your values, go to Support and resources > Resources and tools > API Clients and Keys > OAuth2 API Clients > Add new API Client from the entity or sub-organization.

  1. Click Test Credentials to ensure the values are correct. A confirmation message appears if credentials' values are successfully tested.

  2. Click Save.

  3. To add more entities, repeat steps 2 to 4, till all of the sub-organizations are added to the parent organization.

Next steps:
After you configured the CrowdStrike integration, you can:

  • Use the CrowdStrike Status Healthy to configure risk tiers and tags. See Configure tiers and tags for more information.

  • Use the CrowdStrike Healthy criterion to filter inventory reports for healthy and unhealthy devices. See Create an inventory report for more information.

  • View the Integration section of the Device Details report to check the CrowdStrike information.

Integrate with VMware Carbon Black

With VMware Carbon Black integration you can monitor endpoint activity data and block potential threats.

With this integration, you can use Device Posture to calculate the Carbon Black client status running on the user's device. The Carbon Black client status can be reported as healthy if the Carbon Black client running on the device is communicating regularly with the Carbon Black server, or unhealthy if the client is inactive. Additionally, Device Posture can verify if the user's device is assigned to a specific Carbon Black policy. Both of those signals are included in the Device Posture security posture evaluation.

The following is the list of Carbon Black data that you can monitor in the Integration tab of the Device Details report:

Carbon Black SignalDescription
Policy NameThe name of the policy assigned to the device.
StatusThe status sent by the VMware Carbon Black server.
VersionThe current version of the VMware Carbon Black software installed on the device.
Last ContactThe date and time of the last contact with the VMware Carbon Black server in your local time zone.

Note: Device Posture uses the value of the Last Contact signal to calculate the status of the Carbon Black client.

Prerequisites:

  • User devices must install and run the VMware Carbon Black agent. Only the Carbon Black Defense product is supported.

  • Authentication to the VMware Carbon Black API requires an API Secret Key and the API ID. You can generate the API Secret Key and API ID from the VMware Carbon Black Defense console.

  • VMware Carbon Black rules are only supported for desktop (Windows and macOS) devices.

To integrate with VMware Carbon Black:

  1. Configure VMWare Carbon Black cloud with a Custom Access Level.

  2. Configure Akamai Control Center for VMware Carbon Black integration.

Configure VMware Carbon Black cloud with a Custom Access Level

Complete this procedure to obtain your Carbon Black API ID and API Secret Key for each entity or sub-organization.

  1. Log in to the Carbon Black Dashboard. You can find your Dashboard URL at the VMware Carbon Black community page.

  2. In Settings > API Access click Access Levels.

  3. Click Add Access Level.

  4. On the Add Access Level page:

    1. Enter Access Level name and description

    2. Scroll down the Access Level table and set Read permission type as General information for a Device category.

  5. Click Save.

  6. In Settings > API Access click API Keys.

  7. Click Add API Key.

  8. In the Add API Key dialog:

    1. Enter a unique API Key name.

    2. In Access Level type select Custom.

    3. In Custom Access Level select the Access Level that you previously created.

  9. Click Save.

  10. The API Credentials dialog that appears contains your API ID and API Secret Key. Copy this data and use it in the following step. See Carbon Black documentation to learn more.

ūüďė

Note

If one or more of the Carbon Black credentials expire, the devices belonging to those specific Carbon Black integrations will have stale data in the Integrations tab in inventory reports. If the device was successfully reporting status to Carbon Black before the credentials expired, EAA will mark it as healthy for up to 20 minutes after the last time EAA saw that the device reported to Carbon Black (up to 10 minutes each for Carbon Black and EAA).

Configure ‚ÄčAkamai Control Center‚Äč for VMware Carbon Black Integration

Complete this procedure in ‚ÄčAkamai Control Center‚Äč to integrate with VMware Carbon Black API ID and API Secret Key that you obtained in the previous step of configuration for each entity or sub-organization. You can add one or more entities up to 12 entities.

ūüďė

Note

Device posture integration has been tested with VMware Carbon Black signals for a single entity. However, you may be able to use up to 12 entities. If you have any issues, contact Akamai Support for assistance.

  1. In the Enterprise Center navigation menu, select Application Access > Device Posture > Integrations.

  2. Go to VMware Carbon Black and fill in the following fields:

FieldDescription
EnabledSelect Enabled to use VMware Carbon Black signals in tiers and tags.

Note: If this field is not selected, VMware Carbon Black criteria do not display on the UI pages where you define tiers and tags or generate reports.

API HostnameSelect the URL for the API Hostname.

Your Portal Hostname is based on your region, when you configured your VMware Carbon Black account.

API Secret Key and API IDEnter your API ID and API Secret Key used to access the API.

To get values of those credentials, go to Settings > API Access > API Keys in the VMware Carbon Black Cloud console.

ORG KeyEnter the ORG Key that can be found in the VMware Carbon Black console under Settings > API Access > API Keys in the VMware Carbon Black Cloud console.
  1. Click Test Credentials to ensure the values are correct.

  2. Click Save to save the information.

  3. To add more entities, repeat steps 2 to 4, till all of the sub-organizations are added to the parent organization.

Next steps:
After completing these steps, use the following criteria when defining tiers/tags and when generating reports:

  • Use VMware Carbon Black Policy and VMware Carbon Black Status Healthy to define tiers and tags, and to generate inventory reports. See Configure tiers and tags and Create an inventory report for further details.

  • View the Integration section of the Device Details report to check the Carbon Black information.