
NinjaOne Integrations: Enable CrowdStrike

Topic

NinjaOne integrates with CrowdStrike Falcon (Falcon Insight XDR and Falcon Prevent), an integrated cloud-based endpoint detection and response (EDR) and endpoint protection platform (EPP) solution.

Environment

NinjaOne Integrations

Description

Disclaimer: CrowdStrike was designed as a complete antivirus replacement. NinjaOne does not recommend using it with other endpoint detection and response vendors.

NinjaOne does not uninstall the antivirus from devices if you turn off CrowdStrike in NinjaOne. 

NinjaOne utilizes the generally available version of the CrowdStrike Falcon Sensor cached installer, as it is known to be compatible with devices. The NinjaOne CrowdStrike integration follows CrowdStrike Falcon sensor policies so that the Falcon sensor will be upgraded or downgraded after installation, depending on your CrowdStrike settings.

The CrowdStrike integration is policy-driven from within NinjaOne when enabled. NinjaOne maps organizations automatically to CrowdStrike Dynamic Host Groups (groups of standard devices) based on Falcon Grouping tags. 

The policy triggers the NinjaOne remote monitoring and management (RMM) agent to detect the existing installation of the CrowdStrike Sensor on the endpoint and automatically perform the installation if the sensor is not present. If a device already has CrowdStrike installed before you enable the integration, the NinjaOne agent can read the existing agent ID.


Support

Falcon Sensor 7.19.18910 on Microsoft Windows and Apple macOS. 

Prerequisites

Consider the following notes before enabling the integration: 

  • Integration with NinjaOne requires an existing CrowdStrike Falcon license.
  • Ability to generate Application Programming Interface (API) tokens in the CrowdStrike Falcon console. 
  • Access to CrowdStrike applications: Falcon Prevent and Falcon Insight XDR (extended detection and response). 
  • CrowdStrike parent account (NinjaOne does not currently monitor inherited accounts in CrowdStrike Flight Control for organizations). 
  • If your CrowdStrike instance requires the allowlisting of Internet Protocol (IP) addresses, refer to NinjaOne Global Allowlist (Whitelist) Information.

Main Features

The CrowdStrike integration in NinjaOne provides the following benefits. 

  • CrowdStrike Sensor activity logs display on the Organization and Device Dashboards. When the API client scope is missing, an event log returns in Activities on the dashboard.
  • Manage CrowdStrike multi-tenant client authentication or host groups.

  • Review device details and the health section for threats, viruses, and installation issues. When CrowdStrike detects a device threat, NinjaOne displays an alert immediately. By clicking on the alert in NinjaOne, the technician can navigate to that device in the CrowdStrike console for investigation and remediation.

Enable the CrowdStrike Integration

To enable the CrowdStrike integration in the NinjaOne console, perform the following steps:

  1. Navigate to Administration > Apps and click Add Apps. Select CrowdStrike from the list of available third-party apps.

Figure 1: Add third-party apps in NinjaOne

The application settings page displays.

  2. Click Enable.
    The application setup modal displays.
  3. Thoroughly read the terms outlining the migration process in the CrowdStrike Setup modal, and then select the checkbox at the bottom of the page to enable the Accept button.
  4. Navigate to https://falcon.{domain}.crowdstrike.com/support/api-clients-and-keys (base URL will differ based on geo-location or cloud license) and select an API client or create a new one. You can reset your client secret from this page if you have forgotten it. Enter the required details to confirm your API client and then provision your API scopes:
  • Each API client is assigned one or more API scopes. Scopes are permissions that specify the endpoints and methods an API client can access. When creating an API client, choose from Read and Write actions that you can execute on different groups of API endpoints. The scopes you set are applied to access tokens generated by the API client credentials, and access is granted only to those endpoints authorized for use.
  • API clients have one or more API scopes. Scopes allow access to specific CrowdStrike APIs and describe the actions that an API client can perform. Use scopes to fine-tune the permissions of your API clients. OAuth 2.0 access tokens scope to the resources configured in the API client.

    If an API Client does not have the minimum permissions scoped to it, the integration may not be functional. At a minimum, ensure you provision the following scopes to the API Client. These scope permissions are necessary for the integration to be successful.

Scopes required on version 7.0:

| Scope | Requirement |
| --- | --- |
| Alerts | Read |
| Hosts | Read/Write |
| Host Groups | Read/Write |
| Sensor Download | Read |

  5. Click Enable.

Your CrowdStrike status should now show as enabled and connected, and you can check whether the authentication credentials used are valid by clicking the Edit button in the Settings widget.

Figure 2: CrowdStrike integration status in NinjaOne
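
Before clicking Enable, it can help to compare the scopes on the API client with the minimum set listed above. The following is an added example, not NinjaOne or CrowdStrike code: it takes a hand-transcribed map of scope names to permissions (the input format and the name "Example Extra Scope" are constructed for illustration) and reports both missing permissions and grants beyond the minimum. Grants beyond the minimum are flagged for review only, since other setups such as multi-tenancy require additional scopes.

```python
"""Audit an API client's scopes against the minimums listed on this page."""

# Minimum scopes from the table above (scope name -> required permissions).
REQUIRED = {
    "Alerts": {"read"},
    "Hosts": {"read", "write"},
    "Host Groups": {"read", "write"},
    "Sensor Download": {"read"},
}


def _normalize(grants):
    """Lower-case scope names and permissions so 'Read' and 'READ' compare equal."""
    return {
        name.strip().lower(): {p.strip().lower() for p in perms}
        for name, perms in grants.items()
    }


def audit_scopes(granted):
    """Return (missing, excess) as dicts of scope name -> sorted permission list.

    missing: required permissions the client lacks (integration may not work).
    excess:  permissions granted beyond the minimum (least-privilege review).
    """
    have = _normalize(granted)
    need = _normalize(REQUIRED)
    missing, excess = {}, {}
    for name, perms in need.items():
        gap = perms - have.get(name, set())
        if gap:
            missing[name] = sorted(gap)
    for name, perms in have.items():
        extra = perms - need.get(name, set())
        if extra:
            excess[name] = sorted(extra)
    return missing, excess


# Constructed sample: scopes copied by hand from an API client's detail view.
# "Example Extra Scope" is a made-up name standing in for any scope outside the minimum.
SAMPLE_CLIENT = {
    "Alerts": ["Read", "Write"],
    "Hosts": ["Read"],
    "Host Groups": ["Read", "Write"],
    "Example Extra Scope": ["Write"],
}

if __name__ == "__main__":
    missing, excess = audit_scopes(SAMPLE_CLIENT)
    print("missing:", missing)
    print("excess:", excess)
```
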

Map NinjaOne Organizations to CrowdStrike Host Groups

Removing an organization in NinjaOne also removes the CrowdStrike host group. Changing the organization name in NinjaOne updates the host group's name in CrowdStrike. 

The "mapping" process associates NinjaOne organizations with CrowdStrike Host Management Groups, ensuring the proper device group or policies are set and reporting in NinjaOne. This process is automated and performed without user or administrator interaction.

When you enable the CrowdStrike integration in NinjaOne, Host Management Groups are automatically created in CrowdStrike for every existing NinjaOne organization. Creating a Host Group in CrowdStrike does not require enabling it in the policy or deploying the CrowdStrike antivirus. These new Dynamic Host Groups reflect the organization name used in NinjaOne and are seamlessly updated when NinjaOne organizations are created or deleted.

Because NinjaOne maps each organization to a newly created CrowdStrike dynamic Host Group (which is managed by NinjaOne), the mapping eliminates potential issues with naming inconsistencies between the two products. 

NinjaOne tags any device with the NinjaOne agent and a CrowdStrike Sensor installed with a Falcon Grouping Tag (unique identifier) in the NinjaOne organization. Tagging allows activities and threats to be properly associated with the corresponding CrowdStrike Host Group. 

Configure API Scopes for Multi-tenancy

If you are using multi-tenancy in NinjaOne, you must set up new scopes for the API client. To learn more, refer to NinjaOne and CrowdStrike: Multi-tenancy Integration.
