The following instructions are for configuring a native ingest of telemetry and detections from CrowdStrike into Secureworks® Taegis™ XDR using Falcon Data Replicator (FDR).
Customers who wish to integrate their CrowdStrike endpoints into Taegis™ XDR will need to purchase the standard Falcon Data Replicator (FDR) from CrowdStrike. Customers will need to contact their CrowdStrike account representative for FDR pricing details.
Data Provided from Integration
Set Up FDR and Gather Information
- Use the CrowdStrike documentation to set up your FDR feed and create credentials for the feed.
  Make sure both Primary and Secondary events are added to the Standard FDR.
- Record the following items you'll need to set up the CrowdStrike integration in Taegis™ XDR:
  - CID — The ID for your CrowdStrike customer account
  - AWS Region — The name of the AWS region where your FDR's SQS queue resides
  - AWS Access Key ID (Client ID) — The AWS Access Key ID (Client ID) for your FDR resources
  - AWS Secret Access Key (Secret) — The AWS Secret Access Key (Secret) for your FDR resources
  - AWS SQS URL — The AWS SQS URL associated with your FDR
  - AWS S3 Identifier — The AWS S3 identifier associated with your FDR
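An optional pre-flight check for the six recorded values, catching copy/paste errors before they are entered in XDR. This is an added example, not part of the Secureworks or CrowdStrike documentation; the field labels, the `preflight` function, the sample values, and the assumed SQS URL form are this example's own.

```python
import re
from urllib.parse import urlparse

# Labels chosen for this example; they mirror the six items recorded above.
REQUIRED = ("cid", "aws_region", "access_key_id",
            "secret_access_key", "sqs_url", "s3_identifier")

# Assumption: the FDR queue uses the standard SQS endpoint form
# https://sqs.<region>.amazonaws.com/<account-id>/<queue-name>
SQS_HOST = re.compile(r"^sqs\.([a-z0-9-]+)\.amazonaws\.com$")


def preflight(values):
    """Return a list of problems; messages name fields but never echo secrets."""
    problems = []
    for name in REQUIRED:
        raw = values.get(name) or ""
        if not raw:
            problems.append(f"{name}: missing")
        elif any(ch.isspace() for ch in raw):
            problems.append(f"{name}: contains whitespace")

    sqs_url = (values.get("sqs_url") or "").strip()
    if sqs_url:
        parsed = urlparse(sqs_url)
        match = SQS_HOST.match(parsed.hostname or "")
        if parsed.scheme != "https" or not match:
            problems.append("sqs_url: not https://sqs.<region>.amazonaws.com/...")
        elif match.group(1) != (values.get("aws_region") or "").strip():
            problems.append(f"aws_region: sqs_url is in {match.group(1)!r}")

    key_id = (values.get("access_key_id") or "").strip()
    if key_id and key_id == (values.get("secret_access_key") or "").strip():
        problems.append("secret_access_key: same value as access_key_id")
    return problems


# Constructed placeholder values, not real credentials or identifiers.
SAMPLE = {
    "cid": "EXAMPLE-CID",
    "aws_region": "us-west-2",
    "access_key_id": "EXAMPLE-ACCESS-KEY-ID",
    "secret_access_key": "EXAMPLE-SECRET",
    "sqs_url": "https://sqs.us-west-2.amazonaws.com/123456789012/example-fdr-queue",
    "s3_identifier": "s3://example-fdr-bucket/data",
}

if __name__ == "__main__":
    print(preflight(SAMPLE) or "no problems found")
```

The check runs entirely offline and does not contact AWS, so the Add step in XDR remains the actual validation of the credentials.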
Set Up CrowdStrike
- From the Secureworks® Taegis™ XDR left-hand side navigation, select Integrations → Cloud APIs → Add API Integration.
- Choose Set Up CrowdStrike.
- Provide a name for the integration, and then input the information gathered from the FDR console in the previous section.
- Select Add when complete to validate the integration. The Cloud API Integrations page displays with the successfully added CrowdStrike integration listed.