CrowdStrike agent management (2019 SU3)

Many companies use CrowdStrike for endpoint protection. CrowdStrike has its own management console that you can use to manage your CrowdStrike environment.

Endpoint Manager gives you additional CrowdStrike agent insights with its CrowdStrike security activity view. This view helps you make sure the CrowdStrike agent is deployed to all devices Endpoint Manager has discovered and that the CrowdStrike agent is working correctly.

The CrowdStrike security activity view doesn't require an Endpoint Security license.

To access the CrowdStrike security activity view
  • Click Tools > Security and Compliance > Security Activity, then click CrowdStrike > Managed Devices.

Entering CrowdStrike credentials

Before using the CrowdStrike security activity view, you need to add your CrowdStrike Action Center credentials. If you haven't provided credentials, a red banner displays in the CrowdStrike > Managed Devices view telling you to do this.

These credentials let the Endpoint Manager console get managed host information directly from CrowdStrike. This data from CrowdStrike is cross-referenced with data gathered by the Endpoint Manager inventory scanner to get a complete picture of CrowdStrike agent status in your environment.

The Action Center prompts you for your CrowdStrike Client ID and Secret, which you can get from your CrowdStrike console. Once you've entered them, click Test connection to make sure the Endpoint Manager console can connect to CrowdStrike.

Endpoint Manager 2021.1 adds a new Select the tenant you want to connect to option in case you need to connect to a specific CrowdStrike tenant.

To open the CrowdStrike Action Center
  1. Click Tools > Security and Compliance > Security Activity.
  2. In the Security Activity window's toolbar, click the settings button and click CrowdStrike Action Center.

Viewing CrowdStrike agent status and activity

Each time you open the CrowdStrike security activity view, Endpoint Manager uses the CrowdStrike cloud API to retrieve inventory and configuration information. The view includes devices that CrowdStrike reports it is managing and devices that Endpoint Manager has discovered.

Use the Show, Device status and Last seen toolbar filters to limit the view. The filters are combined with AND, so a device must match all three to appear. Make sure you don't create a filter combination that unintentionally excludes devices you want to see.

  • The Show filter can include All devices, Ivanti managed devices and Ivanti unmanaged devices.
  • The Device status filter can be All, OK, or Action needed.
  • The Last seen filter lets you select a date. The view displays any devices that haven't reported in to CrowdStrike after the date you select.

The view's columns indicate Device status and the Reason for that status. For example, the status might be "Action needed" and the reason "The device does not have a CrowdStrike agent installed."

A device is considered OK if both CrowdStrike and the inventory scanner report the CrowdStrike agent is present and the agent version reported by both sources matches.

The Version reported column shows the version CrowdStrike thinks is installed. The Version reported by Ivanti column shows the version the inventory scanner detected.

An Action needed status occurs when the inventory scanner doesn't detect the CrowdStrike agent or if another problem was detected.
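
The status rules and AND-combined filters described above can be reproduced outside the console when you want to audit agent coverage from exported data. The following is an added example, not Ivanti or CrowdStrike code; the device names, versions, field names, every reason string except the one quoted above, and the treatment of devices with no CrowdStrike record as "not seen" are assumptions.

```python
from datetime import date

# Constructed sample data; field names are assumptions, not a product schema.
CS_HOSTS = {  # hosts as reported by CrowdStrike
    "ws-001": {"version": "6.45.1", "last_seen": date(2024, 5, 20)},
    "ws-002": {"version": "6.45.1", "last_seen": date(2024, 3, 2)},
    "srv-010": {"version": "6.40.0", "last_seen": date(2024, 5, 19)},
}
INVENTORY = {  # devices Endpoint Manager discovered; cs_version None = agent not detected
    "ws-001": {"managed": True, "cs_version": "6.45.1"},
    "ws-002": {"managed": True, "cs_version": "6.44.0"},
    "ws-003": {"managed": True, "cs_version": None},
    "srv-010": {"managed": False, "cs_version": None},
}

def reconcile(cs_hosts, inventory):
    """Cross-reference both sources and assign a status and reason per device."""
    rows = []
    for name in sorted(set(cs_hosts) | set(inventory)):
        cs, inv = cs_hosts.get(name), inventory.get(name, {})
        scanned = inv.get("cs_version")
        if cs and scanned and cs["version"] == scanned:
            status, reason = "OK", ""  # both sources agree on presence and version
        elif cs is None and scanned is None:
            status, reason = "Action needed", "The device does not have a CrowdStrike agent installed."
        elif scanned is None:
            status, reason = "Action needed", "Inventory scanner did not detect the agent."
        elif cs is None:
            status, reason = "Action needed", "Agent detected locally but unknown to CrowdStrike."
        else:
            status, reason = "Action needed", f"Version mismatch: {cs['version']} vs {scanned}."
        rows.append({"name": name, "managed": inv.get("managed", False), "status": status,
                     "reason": reason, "last_seen": cs["last_seen"] if cs else None})
    return rows

def apply_filters(rows, show="all", status="All", not_seen_after=None):
    """Combine the Show, Device status and Last seen filters with AND."""
    def keep(r):
        return ((show == "all" or r["managed"] == (show == "managed"))
                and (status == "All" or r["status"] == status)
                and (not_seen_after is None or r["last_seen"] is None
                     or r["last_seen"] <= not_seen_after))
    return [r["name"] for r in rows if keep(r)]

if __name__ == "__main__":
    for row in reconcile(CS_HOSTS, INVENTORY):
        print(row["name"], row["status"], row["reason"])
```

Filtering the sample data for unmanaged devices with status OK returns nothing, which is the kind of unintended exclusion the AND behavior can produce.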

Here are some ways we suggest using the CrowdStrike security activity view:

  • Use the Ivanti unmanaged filter and column to identify devices that you may want to manage with Endpoint Manager.
  • Use the Action needed filter and column to identify devices without a CrowdStrike agent or with an agent that doesn't appear to be working correctly or is misconfigured.
  • Use the Last seen filter and the CrowdStrike agent last seen column to identify devices that have a CrowdStrike agent installed but haven't reported in to CrowdStrike. This can help you find CrowdStrike agent installations that aren't working correctly, perhaps because of a firewall issue or an agent installation issue.

Fixing devices with an "Action needed" status

If a device needs fixing, you can right-click it and see the same context menu you see when right-clicking a device in the main Network view. From this menu you can complete many management tasks, such as starting a remote control session or deploying software. Be aware that the context menu for devices without an Endpoint Manager agent is limited, since there's no agent to communicate with.

Redeploying the CrowdStrike agent software can fix many problems. If you want to do this, you'll first need to create a CrowdStrike agent installation package. Visit this Ivanti Community link for more information: https://forums.ivanti.com/s/article/How-to-deploy-CrowdStrike-with-Endpoint-Manager.

After you've created a CrowdStrike agent installation package, right-click the device you want and use the Create scheduled task option to deploy that distribution package.