CrowdStrike is an industry-leading, threat intelligence engine that provides cloud workload/ endpoint security and cyber attack response services. Integrating CrowdStrike’s malware detection services with Prisma Cloud DSPM’s data security capabilities grants you an optimal understanding of any known malware types that might exist in your cloud storage, as well as the ability to pinpoint the exact location of each malware.

Integrating CrowdStrike with Prisma Cloud DSPM applies to two main use cases:

• User-Generated Content Protection - many organizations rely on user-generated content (UGC) for their business logic. When users upload content into an application, it is usually stored in a cloud storage behind the scenes. If malware is uploaded to this storage, the automated procedures handling the UGC may allow for lateral movement within the organization, thus infecting the organization further with the updated malware.
• Cloud Backup Posture - as part of the ongoing cloud migration, organizations these days regularly store data - that was previously hosted on-premises - in cloud storages. While this enables easy access and backup, malware that previously existed in the on-premises storage may travel to the cloud as part of the migration process, leading to new security risks.

Integration

Prerequisites

To successfully perform this integration, you need to:

• Ensure you have a Prisma Cloud DSPM account as well as a CrowdStrike account.
• Create an OAuth2-based API client in the CrowdStrike falcon management console. Verify that you have Indicators Read permissions.   See this guide for detailed instructions.
  Once you create a CrowdStrike API client, you will receive a client ID and a client secret (token) that will be used in the integration process.

Integrating via the Prisma Cloud DSPM Console

1. In Prisma Cloud DSPM, go to Preferences > Integrations.
2. Under Malware Detection, Select CrowdStrike and click Connect.
   
3. Enter your CrowdStrike Client ID and Client Secret.
4. Click Connect.
   

NOTE: Prisma Cloud DSPM allows for only one CrowdStrike integration at a time. If you already have an existing CrowdStrike integration, connecting a new one will delete the old integration.

You should start seeing Malware results from Prisma Cloud DSPM within 24 hours after creating this CrowdStrike integration. Prisma Cloud DSPM will use an API OAuth token to detect malware in your cloud storage, using the CrowdStrike threat intelligence platform.

Viewing Malware Results

You can find malware information received from CrowdStike in the following locations within Prisma Cloud DSPM:

• The Inventory page - assets with malware are marked with a red bug icon under the Risks column, next to a number indicating the number of malicious files found. You can quickly access these results by applying the Malicious Files filter, as demonstrated in the image below.
  
• If you go to the Asset Page of such an asset from the Inventory page, you will see Malware found in storage asset warning under Risks.
  
• The Risks page - you can find a dedicated malware risk within the general risk overview.