Use Crowdstrike ZTA scores to restrict device access

Device posture attributes and conditions are currently in beta.
Device posture integrations are available for the Personal and Enterprise plans.

Crowdstrike Falcon Zero Trust Assessment calculates a numeric trust score (from 0 to 100) for each device that runs a Falcon agent. Using that score as part of access rules in Tailscale can allow organizations to grant access to sensitive resources only to devices that have a high enough level of trust.

This can be achieved using Tailscale’s device posture features:

  • Crowdstrike Falcon posture integration, which synchronizes Zero Trust Assessment scores from Crowdstrike to device posture attributes in Tailscale.
  • Device Identity Collection, which collects identifiers (for example, serial numbers), used to match devices in Tailscale to devices in Crowdstrike.
  • Posture conditions in access rules, which allows configuring access restrictions based on device attributes.

This document provides instructions on how to:

  • Enable Device Identity collection for your tailnet.
  • Configure Crowdstrike Falcon posture integration.

What is Crowdstrike Falcon posture integration?

Crowdstrike Falcon posture integration lets you connect your Tailscale network to Crowdstrike Falcon. It runs regularly and copies Falcon Zero Trust Assessment scores to device posture attributes.

When configured, it will regularly:

  • Fetch a list of hosts recorded in your Falcon account, and their ZTA scores.
  • Match Falcon hosts with corresponding devices in your tailnet, based on the serial numbers associated with a device.
  • Write the ZTA score of each device into the falcon:ztaScore Tailscale device posture attribute.

Prerequisites

Create Crowdstrike Falcon API credentials

Generate a Crowdstrike Falcon API client that will be used to fetch a list of hosts from Falcon along with their ZTA scores.

  1. In Falcon, open Support and resources and then API clients and keys.

  2. Click Create API client.

  3. Add a name. For the Hosts scope add Read, and for the Zero Trust scope add Read.

    Create API client: Client name: Tailscale integration. Scope 'Zero Trust Assessment - Read' is enabled.
  4. Click Create, then make sure to copy the displayed Client ID and Client Secret. These will be only displayed once.

Also make a note of the Base URL (for example, https://api.us-2.crowdstrike.com).

Configure Crowdstrike Falcon posture integration

Configure Tailscale to fetch the ZTA scores from Crowdstrike Falcon.

  1. Open the Device management page of the Tailscale admin console.

  2. Under the Device Posture section, click Connect next to the Crowdstrike Falcon integration.

  3. Select your Crowdstrike Cloud Region (the Base URL from the API client).

  4. Enter your Client ID and Client Secret.

    1. Configure a Crowdstrike OAuth client: Crowdstrike Cloud Region: US-2. Client ID and Client Secret are entered. 3. Enable device identity collection: Tailscale uses device identifiers such as serial number to link Falcon Hosts to Tailscale Machines. You already have Device Identity Collection enabled. Button: Connect to Crowdstrike Falcon.
  5. Click the Connect to Crowdstrike Falcon button.

View the integration status

Check that the integration has run successfully.

In the Device Posture section of the Device management page, configured integrations and their status will show under Integrations. The time of the most recent sync will display here. If an error occurs while synchronizing, it will display here.

Integrations: Crowdstrike Falcon: Last sync 1 minute ago, 1 devices matched of 21 devices with identities

Check node attributes

After you configure Crowdstrike Falcon posture integration, you can confirm that the Zero Trust Assessment score attribute is being written for your Tailscale nodes via the Machines page of the admin console.

  1. Open the Machines page of the Tailscale admin console.
  2. Select a machine you want to inspect.
  3. The attributes for the machine are in the Machine Details section. This should include the falcon:ztaScore attribute.
Attributes. falcon:ztaScore: 64. node:os: linux. node:osVersion: 5.19.0-46-generic. node:tsReleaseTrack: stable. node:tsVersion: 1.53.20.

You can also check node attributes via the API.

Adjust Tailscale access rules

Once Crowdstrike Falcon posture integration is configured and your devices have a device posture attribute that reflects their Falcon trust score, you can use that device posture attribute as part of your posture rules.

For example, to only allow access to tag:production from devices that have a Crowdstrike ZTA score of 70 or higher, you can create a new posture and use it as part of a corresponding access rule:

"postures": {
  "posture:trusted": ["falcon:ztaScore >= 70"],
},
"acls": [
  {
    "action":     "accept",
    "src":        ["autogroup:member"],
    "srcPosture": ["posture:trusted"],
    "dst":        ["tag:production:*"],
  },
]