☰

🌙☀

Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Taegis Docs Home
About XDR
Getting Started
Integrate with XDR
Manage Integrations
Alerts, Events, and Investigations
- Alerts
- Events
- Investigations
- CyberChef
Dashboards
Search and Reports
- Search
- Reports
Automation
- Automation Overview
- Supported Playbooks
- Supported Connectors
- Playbooks
- Connectors
- Automation Authoring
  - Building Connector Definitions
  - Building Playbook Templates
  - Common Expression Language (CEL)
Threat Intelligence, Hunting, and Detection
- Threat Intelligence
- Threat Hunting
  - Hunting with Jupyter Notebooks
- Detectors
- Adversary Software Coverage
  - Adversary Software Coverage
  - Frequently Asked Questions
Vulnerabilities
- Vulnerability Management
XDR Admin
- Your Account
- Tenant Settings
APIs, SDK, and Magic
- Using XDR GraphQL APIs
- API Authentication
- XDR Python SDK
- Taegis Magic Jupyter Integration
  - Overview
- Alerts API
  - Using the Alerts API
  - Alerts GraphQL API
- Assets API
- Audits API
  - Using the Audits API
  - Audits GraphQL API
- Automations APIs
- Bring Your Own Threat Intelligence API
  - Using the BYOTI API
  - BYOTI GraphQL API
- Collector APIs
- Investigations API
  - Using the Investigations API
  - Investigations GraphQL API
- Threat Intelligence API
  - Using the Threat Intelligence API
  - Threat Intelligence GraphQL API
- Using the Users GraphQL API
- Using the Tenants GraphQL API
- Using the Countermeasures API
- Using the File Upload API
- Power BI for XDR
Secureworks Products, Services, and Policies
- Taegis NDR
  - Overview
  - Service Description
  - Transitioning from CTP
  - Legacy iSensor Service Descriptions
    - Managed iSensor
    - Managed iSensor Add-on
- ManagedXDR
- ManagedXDR Plus
- ManagedXDR Elite
  - Service Description
  - Onboarding Guide
- ManagedXDR for OT
- ManagedXDR Enhanced
  - Service Description
  - Onboarding Guide
- Secureworks Professional Services
- Legal

CrowdStrike

integrations endpoints vmware crowdstrike edr

The following instructions are for configuring a native ingest of telemetry and detections from CrowdStrike into Secureworks® Taegis™ XDR using Falcon Data Replicator (FDR).

Note

Customers who wish to integrate their CrowdStrike endpoints into XDR will need to purchase the standard Falcon Data Replicator (FDR) from CrowdStrike. Customers will need to contact their CrowdStrike account representative for the pricing details about FDR.

Data Provided from Integration ⫘

	Alerts	Auth	DNS	File Collection	HTTP	NIDS	Netflow	Process	File Modification	API Call	Registry	Scriptblock	Management	Persistence	Thread Injection
CrowdStrike	✓	✓	✓		✓		✓	✓	✓		✓	✓	✓	✓	✓

Supported CrowdStrike Events

Taegis Event Type	CrowdStrike Event Types
Auth	ActiveDirectoryAccountCreated ActiveDirectoryAccountDisabled ActiveDirectoryAccountEnabled ActiveDirectoryAccountLocked ActiveDirectoryAccountPasswordUpdate ActiveDirectoryAuthentication ActiveDirectoryAuthenticationFailure ActiveDirectoryIncomingDceRpcEpmRequest ActiveDirectoryIncomingDceRpcRequest ActiveDirectoryIncomingLdapSearchRequest ActiveDirectoryIncomingPsExecExecution2 ActiveDirectoryInteractiveDomainLogon ActiveDirectoryServiceAccessRequest ActiveDirectoryServiceAccessRequestFailure EventLogCleared UserAccountAddedToGroup UserAccountCreated UserAccountDeleted UserIdentity UserLogoff UserLogon UserLogonFailed UserLogonFailed2
DNS	DnsRequest SuspiciousDnsRequest
File Modification	FileCreateInfo FileDeleteInfo FileOpenInfo FileRenameInfo
Generic	RemovableDiskModuleLoadAttempt RemovableMediaVolumeMounted
HTTP	HttpRequestDetect
Thread Injection	BrowserInjectedThread DocumentProgramInjectedThread InjectedThread InjectedThreadFromUnsignedModule JavaInjectedThread
Management	WmiCreateProcess WmiFilterConsumerBindingEtw WmiProviderRegistrationEtw
Netflow	NetworkCloseIP4 NetworkCloseIP6 NetworkConnectIP4 NetworkConnectIP6 NetworkListenIP4 NetworkListenIP6 NetworkReceiveAcceptIP4 NetworkReceiveAcceptIP6
Persistence	AsepFileChange AsepFileChangeDetectInfo AsepFileChangeScanInfo AsepKeyUpdate AsepValueUpdate CreateService ScheduledTaskDeleted ScheduledTaskModified ScheduledTaskRegistered
Process	ProcessBlocked ProcessRollup2 SyntheticProcessRollup2
Registry	RegGenericValueUpdate RegSystemConfigValueUpdate RegistryOperationBlocked RegistryOperationDetectInfo
Scriptblock	CommandHistory ScriptControlBlocked ScriptControlDetectInfo ScriptControlScanTelemetry
Third Party Alert	DetectionSummaryEvent IDPDetectionSummaryEvent

Note

DNS, Netflow, and Process Taegis events are extracted from DetectionSummaryEvent events.

Set Up FDR and Gather Information ⫘

Please note that we've developed this guide to assist with integrating XDR with CrowdStrike FDR based on our current understanding of the CrowdStrike software, but can't offer a guarantee due to potential changes made by CrowdStrike. We advise you to use the official CrowdStrike documentation to set up your FDR feed and create necessary credentials for the integration. Please consider our instructions as a helping hand to be followed at your discretion as we aim to ease this process for you.

Open Falcon Data Replicator under Support and Resources, or use search within Falcon to locate the feature.

Open FDR from Navigation

Open FDR from Search

From Create Feed, enter a feed name, select Customize your FDR feed, and then choose Next.

Create Feed

On the Primary Events tab, select all the event types and then choose + Add selected events.

Select all Event Types

On the Secondary Events tab, select all available options.

Select All Secondary Events Options

Important

Make sure both Primary and Secondary events are added to the Feed configuration.

On the Partitions tab, select both partition types.

Select Both Partition Types

Save the feed credentials presented for your records as this screen is only shown once.

Save Feed Credentials

Important

Save the authentication information FDR provides as it is never displayed again.

You will need following items to set up the CrowdStrike integration in XDR:

CID — The ID for your CrowdStrike customer account (Client ID)
AWS Region — The name of the AWS region where your FDR's SQS queue resides (Storage region)
AWS Access Key ID (Client ID) — The AWS Access Key ID (Client ID) for your FDR resources
AWS Secret Access Key (Secret) — The AWS Secret Access Key (Secret) for your FDR resources
AWS SQS URL — The AWS SQS URL associated with your FDR
AWS S3 Identifier — The AWS S3 identifier associated with your FDR

Note

This information can be gathered from the Feed's Overview tab and from the Create feed: copy feed credentials confirmation screen.

Feed Overview

Set Up CrowdStrike Integration in XDR ⫘

From the XDR left-hand side navigation, select Integrations → Cloud APIs → Add API Integration.
Choose Set Up CrowdStrike.

Set up CrowdStrike Integration

Provide a name for the integration, and then input the information gathered from the FDR console in the previous section.
Select Add when complete to validate the integration. The Cloud API Integrations page displays with the successfully added CrowdStrike integration listed.

Verification ⫘

Use Advanced Search to find alerts relating to this integration with the following query:

FROM alert WHERE sensor_types='ENDPOINT_CROWD_STRIKE'

CrowdStrike

Data Provided from Integration ⫘

Set Up FDR and Gather Information ⫘

Set Up CrowdStrike Integration in XDR ⫘

Verification ⫘

On this page: