CrowdStrike
The following instructions are for configuring a native ingest of telemetry and detections from CrowdStrike into Secureworks® Taegis™ XDR using Falcon Data Replicator (FDR).
Note
Customers who wish to integrate their CrowdStrike endpoints into XDR will need to purchase the standard Falcon Data Replicator (FDR) from CrowdStrike. Customers will need to contact their CrowdStrike account representative for the pricing details about FDR.
Data Provided from Integration
Source | Alerts | Auth | DNS | File Collection | HTTP | NIDS | Netflow | Process | File Modification | API Call | Registry | Scriptblock | Management | Persistence | Thread Injection | Generic |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
CrowdStrike | ✓ | ✓ | ✓ | | ✓ | | ✓ | ✓ | ✓ | | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
Supported CrowdStrike Events
Taegis Event Type | CrowdStrike Event Types |
---|---|
Auth | ActiveDirectoryAccountCreated, ActiveDirectoryAccountDisabled, ActiveDirectoryAccountEnabled, ActiveDirectoryAccountLocked, ActiveDirectoryAccountPasswordUpdate, ActiveDirectoryAuthentication, ActiveDirectoryAuthenticationFailure, ActiveDirectoryIncomingDceRpcEpmRequest, ActiveDirectoryIncomingDceRpcRequest, ActiveDirectoryIncomingLdapSearchRequest, ActiveDirectoryIncomingPsExecExecution2, ActiveDirectoryInteractiveDomainLogon, ActiveDirectoryServiceAccessRequest, ActiveDirectoryServiceAccessRequestFailure, EventLogCleared, UserAccountAddedToGroup, UserAccountCreated, UserAccountDeleted, UserIdentity, UserLogoff, UserLogon, UserLogonFailed, UserLogonFailed2 |
DNS | DnsRequest, SuspiciousDnsRequest |
File Modification | FileCreateInfo, FileDeleteInfo, FileOpenInfo, FileRenameInfo |
Generic | RemovableDiskModuleLoadAttempt, RemovableMediaVolumeMounted |
HTTP | HttpRequestDetect |
Thread Injection | BrowserInjectedThread, DocumentProgramInjectedThread, InjectedThread, InjectedThreadFromUnsignedModule, JavaInjectedThread |
Management | WmiCreateProcess, WmiFilterConsumerBindingEtw, WmiProviderRegistrationEtw |
Netflow | NetworkCloseIP4, NetworkCloseIP6, NetworkConnectIP4, NetworkConnectIP6, NetworkListenIP4, NetworkListenIP6, NetworkReceiveAcceptIP4, NetworkReceiveAcceptIP6 |
Persistence | AsepFileChange, AsepFileChangeDetectInfo, AsepFileChangeScanInfo, AsepKeyUpdate, AsepValueUpdate, CreateService, ScheduledTaskDeleted, ScheduledTaskModified, ScheduledTaskRegistered |
Process | ProcessBlocked, ProcessRollup2, SyntheticProcessRollup2 |
Registry | RegGenericValueUpdate, RegSystemConfigValueUpdate, RegistryOperationBlocked, RegistryOperationDetectInfo |
Scriptblock | CommandHistory, ScriptControlBlocked, ScriptControlDetectInfo, ScriptControlScanTelemetry |
Third Party Alert | DetectionSummaryEvent, IDPDetectionSummaryEvent |
Note
DNS, Netflow, and Process Taegis events are extracted from DetectionSummaryEvent events.
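As an added illustration of the mapping table above (example code written for this page, not part of the Taegis or CrowdStrike product): the script decompresses one FDR output file, which FDR delivers as gzipped newline-delimited JSON with an event_simpleName field per record, and counts how many records land in each Taegis event type, flagging names the table does not cover. The Auth list is a subset of the table to keep the block short, and the sample records are constructed.

```python
import gzip
import json
from collections import Counter

# Taegis event type -> CrowdStrike event_simpleName values, taken from the table
# on this page (the Auth list is shortened to a subset for brevity).
TAEGIS_TYPES = {
    "Auth": ["UserLogon", "UserLogonFailed", "UserLogonFailed2", "UserLogoff",
             "ActiveDirectoryAuthentication", "ActiveDirectoryAuthenticationFailure",
             "EventLogCleared", "UserAccountCreated"],
    "DNS": ["DnsRequest", "SuspiciousDnsRequest"],
    "File Modification": ["FileCreateInfo", "FileDeleteInfo", "FileOpenInfo", "FileRenameInfo"],
    "Generic": ["RemovableDiskModuleLoadAttempt", "RemovableMediaVolumeMounted"],
    "HTTP": ["HttpRequestDetect"],
    "Thread Injection": ["BrowserInjectedThread", "DocumentProgramInjectedThread", "InjectedThread",
                         "InjectedThreadFromUnsignedModule", "JavaInjectedThread"],
    "Management": ["WmiCreateProcess", "WmiFilterConsumerBindingEtw", "WmiProviderRegistrationEtw"],
    "Netflow": ["NetworkCloseIP4", "NetworkCloseIP6", "NetworkConnectIP4", "NetworkConnectIP6",
                "NetworkListenIP4", "NetworkListenIP6", "NetworkReceiveAcceptIP4", "NetworkReceiveAcceptIP6"],
    "Persistence": ["AsepFileChange", "AsepFileChangeDetectInfo", "AsepFileChangeScanInfo", "AsepKeyUpdate",
                    "AsepValueUpdate", "CreateService", "ScheduledTaskDeleted", "ScheduledTaskModified",
                    "ScheduledTaskRegistered"],
    "Process": ["ProcessBlocked", "ProcessRollup2", "SyntheticProcessRollup2"],
    "Registry": ["RegGenericValueUpdate", "RegSystemConfigValueUpdate", "RegistryOperationBlocked",
                 "RegistryOperationDetectInfo"],
    "Scriptblock": ["CommandHistory", "ScriptControlBlocked", "ScriptControlDetectInfo", "ScriptControlScanTelemetry"],
    "Third Party Alert": ["DetectionSummaryEvent", "IDPDetectionSummaryEvent"],
}
# Inverted lookup: event_simpleName -> Taegis event type.
SIMPLENAME_TO_TAEGIS = {name: t for t, names in TAEGIS_TYPES.items() for name in names}


def classify_fdr_file(gz_bytes):
    """Count records per Taegis event type in one gzipped NDJSON FDR file.
    Records whose event_simpleName is not in the table are counted as 'unmapped'."""
    counts = Counter()
    for line in gzip.decompress(gz_bytes).decode().splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        counts[SIMPLENAME_TO_TAEGIS.get(rec.get("event_simpleName"), "unmapped")] += 1
    return dict(counts)


# Constructed sample file: one JSON object per line, as FDR writes them (aid values are placeholders).
SAMPLE_FDR_FILE = gzip.compress("\n".join(json.dumps(r) for r in [
    {"event_simpleName": "ProcessRollup2", "aid": "aid-placeholder", "CommandLine": "cmd.exe /c whoami"},
    {"event_simpleName": "UserLogonFailed", "aid": "aid-placeholder", "UserName": "svc_backup"},
    {"event_simpleName": "NetworkConnectIP4", "aid": "aid-placeholder", "RemoteAddressIP4": "203.0.113.7"},
    {"event_simpleName": "AsepValueUpdate", "aid": "aid-placeholder"},
    {"event_simpleName": "DetectionSummaryEvent", "aid": "aid-placeholder"},
    {"event_simpleName": "SensorHeartbeat", "aid": "aid-placeholder"},  # not in the table: unmapped
]).encode())

if __name__ == "__main__":
    print(classify_fdr_file(SAMPLE_FDR_FILE))
```

Running it against a real file pulled from the FDR S3 bucket shows which share of the feed Taegis will categorise and which event names fall outside the table.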
Set Up FDR and Gather Information
This guide was developed to assist with integrating XDR with CrowdStrike FDR based on our current understanding of the CrowdStrike software; we cannot guarantee it stays accurate if CrowdStrike changes its product. Use the official CrowdStrike documentation to set up your FDR feed and create the credentials the integration needs, and treat these instructions as a supplementary aid to be followed at your discretion.
- Open Falcon Data Replicator under Support and Resources, or use search within Falcon to locate the feature.
[Screenshot: Open FDR from Navigation]
[Screenshot: Open FDR from Search]
- From Create Feed, enter a feed name, select Customize your FDR feed, and then choose Next.
[Screenshot: Create Feed]
- On the Primary Events tab, select all the event types and then choose + Add selected events.
[Screenshot: Select all Event Types]
- On the Secondary Events tab, select all available options.
[Screenshot: Select All Secondary Events Options]
Important
Make sure both Primary and Secondary events are added to the Feed configuration.
- On the Partitions tab, select both partition types.
[Screenshot: Select Both Partition Types]
- Save the feed credentials presented for your records as this screen is only shown once.
[Screenshot: Save Feed Credentials]
Important
Save the authentication information FDR provides as it is never displayed again.
- You will need the following items to set up the CrowdStrike integration in XDR:
- CID — The ID for your CrowdStrike customer account (Client ID)
- AWS Region — The name of the AWS region where your FDR's SQS queue resides (Storage region)
- AWS Access Key ID (Client ID) — The AWS Access Key ID (Client ID) for your FDR resources
- AWS Secret Access Key (Secret) — The AWS Secret Access Key (Secret) for your FDR resources
- AWS SQS URL — The AWS SQS URL associated with your FDR
- AWS S3 Identifier — The AWS S3 identifier associated with your FDR
Note
This information can be gathered from the Feed's Overview tab and from the Create feed: copy feed credentials confirmation screen.
[Screenshot: Feed Overview]
Set Up CrowdStrike Integration in XDR
- From the Taegis Menu, select Integrations → Cloud APIs → Add an Integration.
- From the Optimized tab, choose CrowdStrike.
[Screenshot: Set up CrowdStrike Integration]
- Provide a name for the integration, and then input the information gathered from the FDR console in the previous section.
- Select Add when complete to validate the integration. The Cloud API Integrations page displays with the successfully added CrowdStrike integration listed.
Verification
Use Advanced Search to find alerts relating to this integration with the following query:
FROM alert WHERE sensor_types='ENDPOINT_CROWD_STRIKE'