General Setup Details
CrowdStrike Falcon sensor installation is conducted via the standard Glean deploy process. The customer does not need to perform the installation or make any changes to the Glean deployment. The customer will need to provide Glean with some details to have CrowdStrike Falcon deployed properly. Please see the requirements section.
Some Glean workloads utilize the Google Container Optimized OS (COOS) outside of Kubernetes. At this time, CrowdStrike does not support standalone (i.e. non-Kubernetes) COOS instances. As such, we are unable to support CrowdStrike on those instances.
Setup Details
For stand-alone Compute Engine instances, Glean simply installs the Falcon agent. For K8s, Glean leverages the Falcon Operator to install the Node Sensor and the Kubernetes Admission Controller.
Requirements
Licensing
CrowdStrike is not hosted by Glean; CrowdStrike is hosted by the customer, and Glean hooks into the customer’s CrowdStrike licenses. For customers to leverage CrowdStrike Falcon sensors to monitor their Glean deployment, they must possess one of two licensing options:
- Option 1: For CrowdStrike’s most comprehensive security capabilities, customers will need both CNAPP and CNAPP with Containers
- Option 2: For just runtime protection, customers will need both Cloud Runtime Security and Cloud Runtime Security with Containers
Pricing
Because this is reporting back to the customer’s CrowdStrike tenant, the customer is responsible for all billing related matters.
Customer Instructions
Glean requires that the customer perform the following steps:
- Perform the steps required to add the Glean GCP project to your Falcon console for monitoring. Follow the CrowdStrike documentation for how to do this.
- You will need CrowdStrike credentials that will be used by the Falcon sensors to communicate back to CrowdStrike. These credentials are composed of the following elements:
  - Client ID
  - Client Secret
- After you obtain the credentials, grant the following permissions:
  - Falcon Images Download
  - Installation Tokens - Read and Write
  - Sensor Download
- You will also need the Customer ID (CID Checksum). To obtain the Customer ID (CID Checksum), in the Falcon console, go to the CrowdStrike Sensor download page. The CID checksum should be at the top of the page. Click “Copy your Customer ID checksum to the clipboard.” This will be needed when constructing the secret.
- Create the Secrets Manager entry (more on this below)
- Provide details to Glean (more on this below)
Google Secret Manager Requirements
You will need to create a secret in the same project as the Glean deployment. We recommend that you create a secret that is encrypted with the Google-managed encryption keys (default).
The Secret Contents
The secret that is created needs to be a JSON string that looks like this:
- The CrowdStrike Falcon Client Secret for FALCON_CLIENT_SECRET
- The Customer ID for CUSTOMER_ID
Provide Glean with Details
After you have completed all the customer steps above, the last step is to provide the desired CrowdStrike deployment details to Glean. The following details need to be sent over:
- The Client ID for the credentials.
- Name of the secret you just created
- An optional comma-separated list of Tags that you would like to have applied to CrowdStrike deployments.
- An optional “version decrement” for EC2 instances. By default, this value is set to 0. This sets the Falcon version to deploy minus the decrement (i.e. you can have the Falcon release that is 2 versions old to be deployed). See the CrowdStrike documentation for details.
- An optional Kubernetes Falcon auto update strategy. By default, this is set to normal, but this can also be set to off or force. See the CrowdStrike documentation for details.
- An optional Kubernetes Falcon update policy string. This is the name of the Falcon Linux sensor update policy (configured in the Falcon UI). When set, this policy determines which Falcon sensor version to install. This is unset by default. See the CrowdStrike documentation for details.
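A pre-flight check for the two hand-off artifacts described above (the Secret Manager JSON string and the details sent to Glean), as an added example that is not Glean's or CrowdStrike's code. The field names in `check_handoff` and the CID-with-checksum pattern (32 hex characters, a hyphen, 2 checksum characters) are assumptions; the payload check inspects values only and assumes nothing about the JSON key names.

```python
import json
import re

# Assumption: CID with checksum = 32 hex characters, a hyphen, 2 checksum characters.
CID_CHECKSUM = re.compile(r"[0-9A-Fa-f]{32}-[0-9A-Fa-f]{2}")
# Secret Manager secret IDs: letters, digits, hyphens, underscores, at most 255 chars.
SECRET_ID = re.compile(r"[A-Za-z0-9_-]{1,255}")
PLACEHOLDERS = {"FALCON_CLIENT_SECRET", "CUSTOMER_ID"}  # names used on this page
UPDATE_STRATEGIES = {"normal", "off", "force"}          # values listed on this page


def check_secret_payload(raw):
    """Return problems in the JSON string bound for Secret Manager.
    Messages never echo a value, so the result is safe to log."""
    try:
        payload = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(payload, dict):
        return ["top level must be a JSON object"]
    problems = []
    values = [v for v in payload.values() if isinstance(v, str)]
    if len(values) != len(payload):
        problems.append("every value must be a string")
    for v in values:
        if not v.strip() or v.strip() in PLACEHOLDERS:
            problems.append("a value is empty or still a placeholder")
        elif v != v.strip():
            problems.append("a value has leading or trailing whitespace")
    if not any(CID_CHECKSUM.fullmatch(v) for v in values):
        problems.append("no value looks like a CID with checksum")
    return problems


def check_handoff(d):
    """Return problems in the details sent to Glean (hypothetical field names)."""
    problems = []
    if not d.get("client_id", "").strip():
        problems.append("client_id is required")
    if not SECRET_ID.fullmatch(d.get("secret_name", "")):
        problems.append("secret_name is not a valid Secret Manager secret ID")
    tags = d.get("tags", "")
    if tags and any(not t.strip() for t in tags.split(",")):
        problems.append("tags contains an empty entry")
    dec = d.get("version_decrement", 0)
    if isinstance(dec, bool) or not isinstance(dec, int) or dec < 0:
        problems.append("version_decrement must be a non-negative integer")
    if d.get("k8s_auto_update", "normal") not in UPDATE_STRATEGIES:
        problems.append("k8s_auto_update must be normal, off or force")
    return problems
```

Run `check_secret_payload` on the JSON string before storing it and `check_handoff` on the details before sending them; an empty list from each means no problem was found.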