sendnrw/netbird-docs
2
0
Fork 0
mirror of https://github.com/netbirdio/docs.git synced 2026-05-02 15:26:36 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add EDR and Offboarding docs (#217)

Browse Source
This commit is contained in:
Misha Bragin
2024-08-15 15:33:47 +02:00
committed by GitHub
parent ac8049ac22
commit 8ab2d6e79f
13 changed files with 161 additions and 75 deletions
Download Patch File Download Diff File Expand all files Collapse all files

77
src/pages/how-to/endpoint-detection-and-response.mdx
View File

@@ -1,4 +1,6 @@
# Endpoint detection and response (EDR)
# Endpoint Detection and Response (EDR)
![Endpoint Detection and Response](/docs-static/img/how-to-guides/endpoint-detection-and-response/edr-integrations.png)
Endpoint Detection and Response (EDR) is a cybersecurity technology designed to help organizations detect, investigate,
and respond to threats on endpoint devices. An endpoint is any device that is connected to a network, such as laptops,
@@ -12,82 +14,15 @@ NetBird integrates with major EDR platforms to restrict network access only to d
With the integration enabled, NetBird synchronizes the list of devices managed by the EDR platform via the API and
checks the presence of the EDR agent on the device, blocking access to the network if the agent is not installed.
In addition to the aforementioned features, the system also has the capability to check the Zero Trust Assessment (ZTA) score of the hosts.
The system can limit network access based on this ZTA score. For instance, if a device has a ZTA score below the set threshold, it may be deemed too risky and thus, denied access to the network.
NetBird doesn't apply the EDR checks to all devices in the network. Instead, you can select specific groups of devices for
the checks to apply.
This document offers instructions and best practices for setting up NetBird with different EDR platforms.
<Note>
This feature is only available in the cloud version of NetBird.
</Note>
## CrowdStrike
## Supported EDR Platforms
Before you start creating and configuring a CrowdStrike integration, ensure that you have the following:
- A CrowdStrike account with the permissions to create and manage API keys. If you don't have the required permissions, ask your CrowdStrike administrator to grant them to you.
NetBird integrates with the following EDR platforms:
### Step 1: Create a CrowdStrike API key
- Navigate to the [API clients and keys](https://falcon.eu-1.crowdstrike.com/api-clients-and-keys/) page
- Click `Create API client` at the top, right corner
- Set Hosts - Read permission
- Set Zero Trust Assessment - Read permission
- Click `Create`
- Copy the credentials. You will need these credentials when configuring an integration in NetBird.
### Step 2: Configure a CrowdStrike integration in NetBird
- Navigate to the [Integrations &raquo; EDR](https://app.netbird.io/integrations?tab=edr) tab in the NetBird dashboard
- Click `Connect CrowdStrike` to start the configuration wizard
<p>
<img src="/docs-static/img/how-to-guides/crowdstrike-integration.png" alt="event-streaming-integration" className="imagewrapper-big"/>
</p>
- First, select the region of your CrowdStrike account
<p>
<img src="/docs-static/img/how-to-guides/crowdstrike-region.png" alt="crowdstrike-region" className="imagewrapper"/>
</p>
- Then enter the client ID and secret key you created in [Step 1](#step-1-create-a-crowd-strike-api-key) and click `Continue`
<p>
<img src="/docs-static/img/how-to-guides/crowdstrike-credentials.png" alt="crowdstrike-credentials" className="imagewrapper"/>
</p>
- Select groups you want to apply the integration to
- If you would like to apply a ZTA threshold, then enable the [Zero Trust Assessment Score](https://www.crowdstrike.com/blog/tech-center/securing-private-applications-with-crowdstrike-zero-trust-assessment-and-aws-verified-access/) and set the desired limit, and click `Connect`.
<p>
<img src="/docs-static/img/how-to-guides/crowdstrike-groups-zta.png" alt="crowdstrike-groups-zta" className="imagewrapper"/>
</p>
<Note>
The EDR check will apply only to machines in the selected groups and will require a running CrowdStrike agent.
</Note>
<Note>
You can also use groups [synchronized from your Identity Provider (IdP)](/how-to/idp-sync).
</Note>
- Peers that have the CrowdStrike agent installed will be granted access to the network. Peers without the agent will appear
with a `Approval required` mark in the peers list and won't be able to access the network until the agent is installed.
<p>
<img src="/docs-static/img/how-to-guides/edr-approval-required.png" alt="edr-approval-required" className="imagewrapper-big"/>
</p>
- Optional. You can experiment and see how the integration works by hiding hosts in the CrowdStrike Host management console:
- Navigate to the [Host management](https://falcon.crowdstrike.com/host-management/hosts) page in the CrowdStrike console
- Select a host you want to hide
- Click `Actions` and then `Hide`
- The host will be moved to Trash (you can restore it later)
- After about a minute, the peer will be disconnected from the network and marked as `Approval required` in the NetBird dashboard.
- To restore the host in CrowdStrike, navigate to the Trash and click `Restore`
<Note>
NetBird synchronizes the list of devices managed by the EDR platform via the API about every minute.
The changes might not be visible immediately.
</Note>
<Note>
If you install the CrowdStrike agent on a peer after it joined the network, you will need to disconnect and reconnect
this peer for the `Approval required` mark to disappear.
</Note>
* [CrowdStrike Falcon](/how-to/crowdstrike-edr)