Are there any SRA associated billing requirements needed to use the plugin?

• There are no SRA associated billing requirements. Clients only pay Azure fees for the App Service it uses in the client tenant. It’s about $50 a month.

Is there a technical reason why a container was leveraged over a standard OpenAPI plugin?

• A container was leveraged because we are not just brokering API calls but combining collections of them in simplified ways that align with common SOC needs. We’ve also included features to provide custom health check scoring and recommendations analysis for configuration hardening. All of this required the full control of an application service.

Does SRA or any other 3rd parties have access to user prompts, responses, or other information sent through the container?

• No. It has no call-home capabilities. SRA encourages users to allow-list all inbound and outbound connections for security purposes, and the only outbound connection you’ll need to allow is to the Crowdstrike API servers.

If customers have a need for custom plugin development or new features for CrowPilot, is that a service that SRA can provide?

• Yes! We love to build cool stuff for our clients. Please reach out anytime to CrowPilot@sra.io or your regular contact at SRA to discuss.

Can I have a pin and stickers?

• Yes! Just send us your address and shipping info.

Do you have a quick security checklist I can refer to for deployment?

• Key Security Considerations
  • Consider allow-listing IP addresses for accessing Crowdstrike API, and include those being used by CrowPilot App Service.
  • Utilize the inbound and outbound network restriction features to ensure only Security Copilot can access CrowPilot, and that CrowPilot can only access the Crowdstrike API service.
  • Create a new Crowdstrike API key and set least privileges so it has only the access it needs for its functionality and nothing more.
  • The service is set to auto-update from the latest SRA CrowPilot build. You can disable this by clicking ‘Deployment Center’ and then changing continuous deployment to ‘off’. In this case, you’ll need to manually pull new updates when we release new features.

1. From your CrowdStrike console, open up the menu in the upper right corner and click Support and resources followed by API clients and keys.

2. In the  upper right, click Create API Client.

3. A new dialog box will appear. Give the API Client a name and description, the provide the following permissions for full usability of the CrowPilot plugin (refer to the CrowdStrike API Permissions table at the end of this guide, if you would like to limit some functionality of the CrowPilot plugin).

• Custom IOA Rules – Read
• Device Control Policies – Read
• Firewall Management – Read
• Hosts – Read and Write
• Host Groups – Read and Write
• Incidents – Read
• IOA Exclusions – Read
• IOC Management – Read and Write
• Machine Learning Exclusions – Read
• Prevention Policies – Read
• On Demand Scan – Read and Write
• Response Policies – Read
• Sensor Update Policies – Read
• Zero Trust Assessment – Read

4. Click Done when completed filling out all permissions.

5. A new window will appear with the Client ID, Secret and Base URL. Make sure to record each of those, as they will be needed when deploying the app from Azure Marketplace

Note: if you restrict access to your CrowdStrike instance by IP address, you will need to review the App Service that was deployed from the Azure Marketplace and add those IPs to your IP Allow List allowing them to access the API (see CrowdStrike’s instructions here.)

1. Follow the link here to SRA’s Azure Marketplace Catalog.

2. Click on Get it now as seen below

3. Click Continue in the new pane that appears

4. A new page will be displayed. Click Create to start the App Service creation process.

5. On this new page in the Basics tab, select the Subscription and Region, and either select an empty Resource Group, or create a new one. Click Next once the highlighted boxes are filled out.

6. In the CrowPilot Settings tab, as seen below, fill out each entry and click Next when done.

• Subscription – Select the subscription that will house the CrowPilot App Service
• Resource Group – Select or create a new resource group to house the CrowPilot App Service
• Site Name – use the default “crowpilot” or modify as desired to give a name to the App Service. Ensure if you change the name, note it for potential use later
• Asp Sku – We recommend using the B1 App Service Plan Sku. This will cost roughly $50/month (check rates based on your Region).
• Crowdstrike Base Url – Enter in the CrowdStrike Base Url recorded when the API key was created (the default ‘api.crowdstrike.com’ will be used if not modified to match your CrowdStrike instance, and thus the plugin may not work)
• Crowdstrike Client Id – Enter in the Crowdstrike Client Id that was recorded when creating the Crowdstrike API key.
• Crowdstrike Client Secret – Enter in the Crowdstrike Client Secret that was recorded when creating the Crowdstrike API key.
• Crowpilot Api Key – Enter in a unique and randomized set of characters. This will be used as the authentication key by the App Service. No calls to the App Service will be accepted without this Key, so ensure it is a long and random set of characters.

7. You will be brought to the Review + Create tab to review all of your settings before deployment. If all the information is accurate, click Create at the bottom of the screen.

8. A Deployment window will open and you will be able to watch the Deployment’s progress. Wait for deployment to complete, and click Go to resource group as seen below.

9. Click on the App Service you created (If you kept the default it will be called ‘CrowPilot’)

10. The App Service Window will open. You will need to copy the Default domain as highlighted below. Copy the entire URL. This will be used later when we configure the plugin within Microsoft’s Security Copilot.

11. Save that domain, and the CrowPilot API key you generated in step 6. Continue to the next section.

1. Navigate to securitycopilot.microsoft.com.

2. In the chat input box, click on the Sources icon as seen below

3. Scroll down to the bottom of this new window to the Custom section and click the Upload Plugin button.

4. The Add a plugin window appears. Here, choose whether to add the functionality to anyone in your organization or just yourself, then click on the Security Copilot plugin button as seen below.

5. New options will appear in the window. Click the slider labeled Upload as a link.

6. The Upload file section will be replaced with a text box and a drop down as seen below:

7. For the File type select .yaml.

8. For the link copy and paste: https://raw.githubusercontent.com/SecurityRiskAdvisors/azure-security-tools/refs/heads/main/CrowPilot/plugin.yaml

9. The plugin will now be added, but not yet configured:

10. You should not automatically be taken back to the Manage sources section. Scroll back down to Custom click the Setup button next to CrowPilot for CrowdStrike by SRA.

11. The window below will now appear. You will need the URL of the App Service, and the API key setup in the CrowPilot from Azure Marketplace section above. (Note: when entering the URL, make sure you include the ‘https://’ as copying directly out of Azure will not include that portion of the URL.)

12. Once the information is entered, click Save in the bottom right and CrowPilot is ready to go (Note, if you have IP restrictions on your CrowdStrike console you will need to continue to the Allowing CrowPilot to Connect to CrowdStrike section below)

Note: This step is only required if you limit access to your CrowdStrike console based on IP addresses.

1. In the Azure portal, navigate to the newly created App Service called “CrowPilot”, or the name you designated during the deployment phase if modified.

2. From the Overview section, scroll to the bottom of the page in the right pane to see Networking, as seen below.

3. Record the IP addresses in the Outbound IP addresses and the Additional Outbound IP addresses

4. With the IP addresses from step 3, follow CrowdStrike’s documentation provided here to add these IPs to a new IP Group. (Note: Ensure that the once created you turn the IP Group on, as it will be off by default).