How to Integrate CrowdStrike with Zscaler Internet Access


Users and applications are moving to the cloud and putting a strain on legacy “castle-and-moat” network security. Legacy security models weren’t designed for today’s environments and threats, and don’t provide adequate monitoring, protection, or scale in a cloud and mobile-first world: You can’t enforce perimeter-dependent security when cloud-based apps and data reside outside the “castle moat.”

The new cloud-first, remote-enabled, device-agnostic way of working, however, demands a new security model. CrowdStrike and Zscaler have partnered to enhance end-to-end visibility and automating detection and remediation using both platforms. CrowdStrike and Zscaler are cloud-native security services that provide uniform security enforcement for all users, applications, endpoints, no matter the location. Together they enable better user experience and security. Their integration reduces threat dwell time and enables security professionals to do more, faster.

This article demonstrates how to integrate ZIA with CrowdStrike to provide zero-day threat detection and endpoint data correlation for faster remediation.

To see how CrowdStrike integrates with Zscaler Private Access (ZPA), please refer to this blog.


Connecting ZIA and CrowdStrike APIs

ZIA delivers sandboxing services as part of a broader enterprise SASE architecture implementation.

Through API integration with CrowdStrike, a threat detected by the Zscaler sandbox is automatically correlated with CrowdStrike telemetry data. The Zscaler Sandbox report then shows any additional infected endpoints in your environment. Zscaler can also trigger a containment response from the CrowdStrike platform.

To begin integrating CrowdStrike with ZIA, make the API level connection between Zscaler and CrowdStrike:

1.  Login to the Zscaler portal.

zscaler login

2.  Select Administration, then Partner Integration.

zscaler ui

3.  On the Partner Integration page, select the CrowdStrike tab. You are required to enter CrowdStrike client information.

zscaler partner

4. Switch to the CrowdStrike portal. Login.

zscaler crowdstrike login

5.  Select API Clients and Keys.

zscaler cs api keys

6.  Create a new API client with specific API scopes by selecting Add New API Client.

zscaler cs add new api client

7.  Once the new client is created, copy the Client ID and Secret.

zscaler client ID

8.  To obtain the CrowdStrike Customer ID, select the User Details icon in the bottom left corner of the CrowdStrike portal.

zscaler customer id

9.  Copy the Customer ID.

zscaler copy cust id

10.  Return to the Zscaler portal and enter the Client ID, Secret, and Customer ID into the appropriate fields.

zscaler populate api

11.  Select Save. This verifies API connectivity between Zscaler and CrowdStrike.

zscaler verify

The Sandbox in Action

1.  From the client PC, download a file or executable from the Internet.

zscaler download

Since Zscaler sits inline and enforces all customer-configured security policies, Zscaler checks against its security engines to determine whether the file or executable is benign or malicious.

zscaler run

2.  If Zscaler’s security engines cannot obtain enough information to decide, then the file is detonated in the Zscaler cloud sandbox and the file verdict is derived from the actions it attempts in this isolated environment.

zscaler sandbox

While sandbox detonation is in progress, simultaneous download can be blocked or allowed as per customer policy. If the customer configured the latter, the file is allowed through and downloaded to the end host. Assuming the executable was a zero-day attack, since CrowdStrike hasn’t yet identified it as a malicious file, the file execution is allowed on the end host.

3.  To review the Zscaler Sandbox assessment, select the Analytics tab, and then choose Web Insights.

zscaler insights

4.  Apply Sandbox as a filter, then from the dropdown menu select Sent for Analysis.

5.  Switch to Logs at the top of the screen, then select Apply Filters.

zscaler filters

6.  In this example, the file was allowed per the applied policy, but it was sent to Zscaler’s Sandbox for further analysis and detonation.

zscaler allowed

7.  At the end of the event, select the View Sandbox Detail Report.

zscaler detail report

(Note, displayed columns can be adjusted in Web Insights. Make sure that MD5 is selected for display.)

8.  The Sandbox uses a scoring system to determine if files are malicious where anything above 60 is suspect. In this example, the file has a threat score of 86 and is malicious.

zscaler complete report

9.  To see which customer endpoints were affected, return to the Zscaler logs and choose View CrowdStrike Endpoint Hits.

zscaler endpoint hits

10.  CrowdStrike shows the malicious file was executed on three endpoints: one host downloaded the file via the Internet and the malware spread laterally to two other endpoints.

zscaler endpoint 3 hits

11.  To quarantine the endpoints, select Contain. This cuts off network access from that host. Once quarantined, the endpoint can only talk to CrowdStrike’s IP addresses or any other IPs specifically whitelisted by customer’s CrowdStrike policy settings.

zscaler contain endpoint

12.  The host’s status has changed to Contained.

zscaler host contained


Through just one UI screen, you can see which hosts are affected, view the timeline of the infections, and take containment action.

The integration of Zscaler and CrowdStrike enables the following benefits to improve security.

  • A fuller security picture using network visibility, threat detection, and advanced endpoint analytics.
  • Reduces advanced threat impact by combining inline SSL inspection, firewall, web proxy, cloud-sandboxing, CASB, and DLP protection with advanced endpoint protection and analytics.

More resources

Content provided by Jamie Chui and Rohan Upalekar of Zscaler

CrowdStrike Falcon Free Trial

Try CrowdStrike Free for 15 Days Get Started with A Free Trial