Illumio CrowdStrike Flow Ingestion Service (CFIS)
The Illumio CrowdStrike Flow Ingestion Service (CFIS) is a SaaS network security solution that combines CrowdStrike endpoint protection with the visualization tools available in the Illumio Platform, allowing organizations to visualize the events flowing between their CrowdStrike-protected endpoints. This real-time view of network interactions helps organizations make more informed security decisions and streamline policy management. It works by integrating the organization's CrowdStrike agents and Falcon Data Replicator (FDR) directly into their Illumio Platform to ingest CrowdStrike endpoint events.
Before you begin with CFIS
This solution only provides flow ingestion and visibility into your assets and flows. It doesn't support creating policy or applying policy to your firewall.
This solution doesn't support sending audit events and logs located in Azure block storage.
CFIS Procedure
Perform these steps to integrate your CrowdStrike setup with your Illumio Core PCE.
Step 1: Provide information to Illumio
Caution
Notify Illumio if you later change any of the CrowdStrike details you provide in this step so that they can update your implementation accordingly. Otherwise, the CFIS service may stop working. In that case, messages will appear in the appropriate logs.
Provide the following CrowdStrike and AWS information to Illumio customer support:
CrowdStrike information
Read-only API credential access to your CrowdStrike setup (host group and device information)
Instruction for how to get the above information and in what format....
CrowdStrike CID and URL
AWS information
URL of your AWS Simple Queue Service (SQS)
AWS region
AWS API ID and key
Step 2: Configure CrowdStrike for this solution
Perform the following steps to configure your CrowdStrike setup with the Illumio PCE.
In your CrowdStrike setup, create a new Host Group or specify an existing Host Group for use in a later step. There are two options:
Option 1 (Default): Create a new Host Group and give it the default name Illumio Managed Hosts.
Option 2: Use an existing Host Group or create a new Host Group with a name of your choosing. Important: Make sure to provide the name of this Host Group to Illumio with the other information listed in Step 1.
Add to the host group the hosts whose flow information you want generated for ingestion by the Illumio PCE.
Create a CrowdStrike Falcon Data Replicator (FDR) instance to forward the following types of events:
LocalIpAddressIP4
LocalIpAddressIP6
LocalIpAddressRemovedIP4
LocalIpAddressRemovedIP6
NetworkConnectIP4
NetworkConnectIP6
NetworkReceiveAcceptIP4
NetworkConnectAcceptIP6
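Before handing the feed to Illumio, it is worth confirming that the FDR output actually contains the event types listed above and that they carry the addresses a flow map needs. The script below is an added example, not Illumio's or CrowdStrike's code; it assumes FDR records are newline-delimited JSON with an event_simpleName field and LocalAddressIP4/IP6, RemoteAddressIP4/IP6, RemotePort and LocalPort fields, and the sample records are constructed, not a real capture.

```python
import json
from collections import Counter

# The FDR event types Step 2 says the FDR instance must forward (list copied from the page).
REQUIRED_EVENT_TYPES = frozenset({
    "LocalIpAddressIP4", "LocalIpAddressIP6",
    "LocalIpAddressRemovedIP4", "LocalIpAddressRemovedIP6",
    "NetworkConnectIP4", "NetworkConnectIP6",
    "NetworkReceiveAcceptIP4", "NetworkConnectAcceptIP6",
})
OUTBOUND = {"NetworkConnectIP4", "NetworkConnectIP6"}            # endpoint initiated the connection
INBOUND = {"NetworkReceiveAcceptIP4", "NetworkConnectAcceptIP6"}  # endpoint accepted the connection


def audit_fdr_events(lines):
    """Parse newline-delimited FDR JSON records (assumed format, see lead-in).
    Returns (counts per required type, required types never seen, unparsable
    line count, set of (src, dst, dst_port) flow tuples oriented by direction)."""
    counts, flows, malformed = Counter(), set(), 0
    for raw in lines:
        if not raw.strip():
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            malformed += 1
            continue
        name = event.get("event_simpleName")
        if name not in REQUIRED_EVENT_TYPES:
            continue  # other sensor telemetry is not used by CFIS
        counts[name] += 1
        v = name[-3:]  # "IP4" or "IP6" selects the address field suffix
        local, remote = event.get(f"LocalAddress{v}"), event.get(f"RemoteAddress{v}")
        if name in OUTBOUND:
            flows.add((local, remote, event.get("RemotePort")))
        elif name in INBOUND:
            flows.add((remote, local, event.get("LocalPort")))
    return counts, sorted(REQUIRED_EVENT_TYPES - set(counts)), malformed, flows


# Constructed sample records (not a real FDR capture); values are made up.
SAMPLE_FDR_LINES = [
    '{"event_simpleName": "NetworkConnectIP4", "aid": "0123abcd", "LocalAddressIP4": "10.0.1.5", "RemoteAddressIP4": "10.0.2.9", "RemotePort": "443"}',
    '{"event_simpleName": "NetworkReceiveAcceptIP4", "aid": "0123abcd", "LocalAddressIP4": "10.0.1.5", "RemoteAddressIP4": "10.0.3.4", "LocalPort": "22"}',
    '{"event_simpleName": "LocalIpAddressIP4", "aid": "0123abcd", "LocalAddressIP4": "10.0.1.5"}',
    '{"event_simpleName": "ProcessRollup2", "aid": "0123abcd"}',
    '{not valid json',
]

if __name__ == "__main__":
    counts, missing, malformed, flows = audit_fdr_events(SAMPLE_FDR_LINES)
    print("seen:", dict(counts), "\nmissing:", missing, "\nmalformed:", malformed)
    for src, dst, port in sorted(flows):
        print(f"{src} -> {dst}:{port}")
```

Running it over a few files pulled from the FDR bucket shows at a glance which of the eight required types never arrive, which is the usual cause of an empty Illumio map after setup.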
Step 3: Visualize Event Flows in the Illumio PCE
The visualization tools available through the PCE Web Console reveal the traffic flows in your network and help you gain insights about your corporate assets. The visualization tools available with this solution include the Map, Traffic table, and the Mesh. For more information, see About Visualization Tools.
Troubleshooting
If you don't see CrowdStrike flows in Illumio, verify that:
Your network allows access to the CrowdStrike API endpoints.
Your CrowdStrike API credentials are valid.
The host group exists on CrowdStrike.
The credentials for access to the AWS CrowdStrike Falcon instance are valid.
There are events in AWS.