HYPR and CrowdStrike IdP Policy Configuration
Policy Management Overview
Learn how to create a standard policy for CrowdStrike, specifically for the Identity Protection Risk Score. Multiple policies can be defined for different use cases or scenarios.
Adapt risk policies are managed through the standard administrative operations in the HYPR Control Center.
Overview
This guide covers integrating CrowdStrike Falcon's Identity Protection Risk Score into the HYPR Adapt access decision process. HYPR Adapt evaluates the score against your risk policy to determine whether a user is granted access, required to use phishing-resistant authentication, undergo identity verification, or denied access.
Integration workflow
- IdP authentication: The user initiates login with their Identity Provider (IdP).
- HYPR Adapt policy check: The IdP queries HYPR Adapt for authentication requirements.
- Risk score retrieval: HYPR Adapt retrieves the Identity Protection Risk Score from CrowdStrike Falcon.
- Policy enforcement: Based on the risk score, HYPR Adapt applies security measures such as:
- Seamless SSO
- MFA enforcement
- Identity re-verification
- Access denial
- Access decision: If policy conditions are met, the user gains access to enterprise applications.
These evaluations apply both when users authenticate via your IdP (for example, logging in to Okta) and when they sign in to web applications that rely on the same IdP policy. For web login scenarios, HYPR uses the user's email-based username to look up CrowdStrike Identity Protection events and scores. Ensure that, in Active Directory, each Windows username has an associated email address that matches the username used for web login. In your HYPR tenant, assign this IdP policy to the rpApp that is linked to Okta so that when the user logs in to Okta, HYPR Adapt evaluates the policy.
CrowdStrike webhook setup
Complete the CrowdStrike Falcon setup before configuring the policy in Control Center.
HYPR prerequisites
- Your HYPR deployment must expose the CrowdStrike inbound webhook endpoint used by Control Center.
- Confirm with your HYPR representative that the feature flag ENABLE_ADAPT_CROWDSTRIKE_INTEGRATION is enabled for your tenant.
- Confirm with your HYPR representative that Control Center is configured for CrowdStrike webhook signature verification and that you have the required webhook signing secret.
Create a CrowdStrike API client (for Identity Protection reads)
In CrowdStrike Falcon, create an OAuth2 API client and enable:
- Read scope for Identity Protection Assessment, Identity Protection Entities, and Zero Trust Assessment
- Write scope for Identity Protection GraphQL
You’ll use the client ID/secret and tenant information when configuring the HYPR Adapt policy.
Configure the CrowdStrike webhook client
In CrowdStrike Falcon, configure a webhook client that targets Control Center.
- Go to CrowdStrike Store → All Apps.
- Open the Webhook application.
- Select Configure → Add Configuration and set:
  - Webhook URL: {baseURLForCC}/rp/integrations/adapt/webhookclient/crowdstrike/eventshook
  - Signature header name: x-cs-primary-signature
  - Secret: set this to the webhook signing secret provided by HYPR for your tenant
- Save the configuration. Keep the Webhook name handy; you’ll select it in the workflow step.
Create the Identity Protection workflow (Fusion SOAR)
- Go to Fusion SOAR → Workflows.
- Select Create Workflow (top right), then select Create workflow from scratch.
- Select Event as the workflow trigger.
- Configure the event trigger for Identity Protection (for example: Alert → Identity Detection), then select Next.
- Add an Action step. Search for context, then choose Get user identity context.
- Add a Condition step and configure it so that the webhook is called only when the risk criteria you care about are met (for example, when the event indicates elevated risk).
- On the TRUE branch, add an Action step and choose Call webhook.
- Configure the webhook call:
  - Select the Webhook name you created earlier.
  - Leave the default format as JSON.
  - Include the Identity Protection attributes required for evaluation (risk score/severity plus the user/device identifiers needed to correlate the event).
- Select Next, then select Finish.
- In the final confirmation window, ensure Workflow status is set to ON so events are sent immediately.
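The webhook configuration above names a signature header (x-cs-primary-signature) and a per-tenant signing secret, and the workflow step sends a JSON payload carrying the risk score/severity and the user/device identifiers. The following is an added illustration of what the receiving side must do with those two things, and is not HYPR's or CrowdStrike's code: verify the signature over the raw body in constant time before parsing anything, then require the correlating attributes to be present. The signature scheme (HMAC-SHA256 over the raw body, hex-encoded), the JSON key names, and the secret value are assumptions for the example; the page does not state them.

```python
import hashlib
import hmac
import json

# Header name as given in the CrowdStrike webhook configuration on this page.
SIGNATURE_HEADER = "x-cs-primary-signature"

# Constructed placeholder; the real value is the signing secret HYPR issues
# for the tenant and must be loaded from a secret store, never hard-coded.
WEBHOOK_SIGNING_SECRET = b"EXAMPLE-SIGNING-SECRET-NOT-REAL"

# Attributes the Fusion SOAR workflow is told to include in the JSON payload.
# Key names are assumed; the page names the attributes but not their keys.
REQUIRED_FIELDS = ("risk_score", "severity", "user", "device")


def compute_signature(secret: bytes, raw_body: bytes) -> str:
    """HMAC-SHA256 over the raw request body, hex-encoded.

    Assumption: the page does not state the signature scheme; confirm the
    real algorithm and encoding with HYPR before relying on this."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_signature(headers: dict, raw_body: bytes, secret: bytes) -> bool:
    """True only if the signature header is present and matches.

    HTTP header names are case-insensitive, so keys are normalised, and the
    comparison is constant-time so timing does not leak the expected value."""
    normalised = {k.lower(): v for k, v in headers.items()}
    presented = normalised.get(SIGNATURE_HEADER)
    if not presented:
        return False
    expected = compute_signature(secret, raw_body)
    return hmac.compare_digest(expected.encode(), presented.encode())


def extract_event(raw_body: bytes) -> dict:
    """Parse the JSON payload and require the correlating attributes."""
    event = json.loads(raw_body)
    if not isinstance(event, dict):
        raise ValueError("webhook payload is not a JSON object")
    missing = [f for f in REQUIRED_FIELDS if f not in event]
    if missing:
        raise ValueError(f"webhook payload missing fields: {missing}")
    return event


def handle_webhook(headers: dict, raw_body: bytes,
                   secret: bytes = WEBHOOK_SIGNING_SECRET) -> dict:
    """Verify first, parse second: an unsigned or mis-signed body is never parsed."""
    if not verify_signature(headers, raw_body, secret):
        return {"accepted": False, "reason": "bad or missing signature"}
    try:
        event = extract_event(raw_body)
    except ValueError as exc:
        return {"accepted": False, "reason": str(exc)}
    return {"accepted": True, "event": event}


# Constructed sample delivery, signed with the placeholder secret.
SAMPLE_BODY = json.dumps({
    "risk_score": 85,
    "severity": "high",
    "user": "alice@example.com",
    "device": "WS-0042",
}).encode()
SAMPLE_HEADERS = {
    SIGNATURE_HEADER: compute_signature(WEBHOOK_SIGNING_SECRET, SAMPLE_BODY),
}

if __name__ == "__main__":
    print(handle_webhook(SAMPLE_HEADERS, SAMPLE_BODY))   # accepted
    print(handle_webhook({}, SAMPLE_BODY))               # rejected, no signature
```

The order matters: the body is signed as raw bytes, so it is verified before any JSON decoding, and a payload that is correctly signed but lacks the identifiers needed to correlate it with a user is rejected rather than evaluated against a half-empty event.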
Policy setup in HYPR Control Center
To get started, first you must create a policy.
- At the top right of the Risk Policies list, select Add New Policy.
- Complete the Add New Risk Policy dialog fields as follows:
  - Policy Type: Custom Policy
  - Policy Templates: Workstation Unlock
  - Policy Name: (Provide a name.)
  - Policy Description: (Provide a description.)
Your policy now appears in the Risk Policies list.
Form Configuration
As part of creating a policy, you must define the variables that will be used by the policy. For CrowdStrike, create an AgentID field, a URL field, a Client field, a Secret field, and a Customer ID field. Keep in mind that the form field names, such as crowdstrikeURL, are used as variable names in the policy code.
Once the form is populated, click Save.
Configuration
With the form configured, you can now define the values that will be used as part of the policy.
- Leave Event Search Window blank.
- For HYPR's User-Agent for CrowdStrike API calls, the only acceptable value is HYPR_Strike_1.0.
- Enter the CrowdStrike Tenant URL.
- Provide your OAuth2 CrowdStrike API Client and CrowdStrike API Secret.
- Add your CrowdStrike Customer ID.
- When you are satisfied with the values in these fields, click Save Configuration.
- Ensure your CrowdStrike API client has the required Identity Protection read/write permissions. For the CrowdStrike-side setup steps, see the CrowdStrike webhook setup section above (prerequisite).
Policy Code
Within the Policy Code tab, you will be able to modify and test the policy to your desired outcome.
To test a policy:
- Request the policy from HYPR to get started.
- Provide a user at the top right.
- Add a date range to receive data for the user to test. The data populates the area labeled Input.
- Click Evaluate. The results are displayed at the bottom right, labeled Evaluation Result.
- Once the policy meets your requirements, click Save.
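The overview describes the decision HYPR Adapt makes from the risk score (seamless SSO, phishing-resistant MFA, identity verification, or denial), and the Policy Code tab is where that decision is written and tested against a user's events for a date range. The following is an added, stand-alone model of that evaluation, not HYPR's policy language or a policy supplied by HYPR: it takes a user's Identity Protection events, keeps those inside the search window (a blank window, as configured above, means all events), takes the highest score, and maps it to one of the four outcomes. The thresholds, the event fields, the case-insensitive email matching, and the sample events are all assumptions for the example; the page defines none of them. The one deliberate design choice is that a user with no score at all is stepped up to identity verification rather than granted seamless SSO, because a failed lookup (for example, an Active Directory account without a matching email) is unknown risk, not low risk.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Iterable, Optional


class Decision(Enum):
    """The four outcomes the overview lists for HYPR Adapt."""
    SEAMLESS_SSO = "seamless_sso"
    REQUIRE_MFA = "require_phishing_resistant_mfa"
    REQUIRE_IDV = "require_identity_verification"
    DENY = "deny"


@dataclass(frozen=True)
class RiskThresholds:
    """Assumed score bands on a 0-100 scale; the page defines none. Tune per tenant."""
    mfa_at: int = 30
    idv_at: int = 60
    deny_at: int = 85


@dataclass(frozen=True)
class IdpEvent:
    """Constructed stand-in for a CrowdStrike Identity Protection event (fields assumed)."""
    user: str            # email-based username, which the page says web login uses
    risk_score: int
    observed_at: datetime


def score_to_decision(score: Optional[int],
                      thresholds: RiskThresholds = RiskThresholds()) -> Decision:
    """Map a risk score to a decision.

    Unknown or malformed risk is treated as elevated risk: the user is stepped
    up to identity verification, never waved through with seamless SSO."""
    if isinstance(score, bool) or not isinstance(score, int) or not 0 <= score <= 100:
        return Decision.REQUIRE_IDV
    if score >= thresholds.deny_at:
        return Decision.DENY
    if score >= thresholds.idv_at:
        return Decision.REQUIRE_IDV
    if score >= thresholds.mfa_at:
        return Decision.REQUIRE_MFA
    return Decision.SEAMLESS_SSO


def highest_score(events: Iterable[IdpEvent], user: str, now: datetime,
                  window: Optional[timedelta]) -> Optional[int]:
    """Highest score for `user` within the search window.

    A window of None considers every event, mirroring the blank Event Search
    Window default. Usernames are compared case-insensitively because the
    email from Active Directory and the one typed at login may differ in case
    (an assumption, not something the page states)."""
    scores = [
        e.risk_score for e in events
        if e.user.lower() == user.lower()
        and (window is None or now - e.observed_at <= window)
    ]
    return max(scores) if scores else None


def evaluate_user(events: Iterable[IdpEvent], user: str, now: datetime,
                  window: Optional[timedelta] = None,
                  thresholds: RiskThresholds = RiskThresholds()) -> Decision:
    """What the policy returns for one user: look the score up, then decide."""
    return score_to_decision(highest_score(events, user, now, window), thresholds)


# Constructed sample input, standing in for the Input pane of the Policy Code tab.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
WINDOW_24H = timedelta(hours=24)
SAMPLE_EVENTS = [
    IdpEvent("alice@example.com", 20, NOW - timedelta(hours=1)),
    IdpEvent("alice@example.com", 70, NOW - timedelta(days=3)),
    IdpEvent("carol@example.com", 90, NOW - timedelta(minutes=5)),
]

if __name__ == "__main__":
    # bob has no events at all, so his lookup returns no score.
    for user in ("alice@example.com", "bob@example.com", "carol@example.com"):
        print(user,
              "24h:", evaluate_user(SAMPLE_EVENTS, user, NOW, WINDOW_24H).value,
              "all:", evaluate_user(SAMPLE_EVENTS, user, NOW, None).value)
```

Running it shows why the search window is a security decision and not just a performance knob: with a 24-hour window alice's recent score of 20 yields seamless SSO, while with the window left blank her older score of 70 still forces identity verification. When testing a policy in the Policy Code tab, it is worth checking both the expected outcome for a known-risky user and the outcome for a user the lookup cannot find.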