CrowdStrike

CYDERES supports ingesting CrowdStrike logs in two separate ways in order to capture data related to what is happening with endpoints in your environment.

The CrowdStrike Falcon Data Replicator will present robust endpoint telemetry and alert data in an AWS S3 bucket provided by CrowdStrike. This feature must be requested through CrowdStrike support.

Although the CrowdStrike Data Replicator is an incredibly rich telemetry source, it is also extremely voluminous. As an alternative, CrowdStrike can provide a data stream of only alerts and some administrative events using the Falcon Connect Streaming API.

Data Types

  • EDR

CrowdStrike Falcon Data Replicator - Configuration

Reference: https://www.crowdstrike.com/blog/tech-center/intro-to-falcon-data-replicator/

Open a support ticket by sending an email to support@crowdstrike.com to enable the 'CrowdStrike Data Replicator'. The CrowdStrike support representative will create an S3 Bucket for the CrowdStrike account and provide the following:

Gather Information

  • AWS_KEY
  • AWS_SECRET
  • QUEUE_URL

Provide these pieces of information to CYDERES in order to complete setup.

CrowdStrike Falcon Connect Streaming API - Configuration

Reference: https://www.crowdstrike.com/blog/tech-center/integrate-with-your-siem/

Open a support ticket by sending an email to support@crowdstrike.com to enable the Falcon Streaming API. Once completed, continue the following steps:

  1. In the CrowdStrike console, click the Support panel on the left, then click API Clients and Keys.
  2. Click Add New API Client in the OAuth2 API Clients panel.
  3. Fill in the Client Name and record it for later; CYDERES will use this as the app ID.
  4. Under Scopes, select Read for Event Streams.
  5. Click Add and record the client_id and secret; these will be sent to CYDERES as well.
  6. Send the following to CYDERES and we will configure a hosted SIEM Connector to receive the events from the streaming API:

    • API Client Name
    • Client ID
    • Secret
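To show what the hosted SIEM Connector does with the three values above, and why the Read scope on Event Streams is all the API client needs, here is an added illustration (not CYDERES or CrowdStrike code). It assumes the public Falcon API endpoints for OAuth2 token exchange and event-stream discovery on the US-1 cloud, and the discovery-response shape used in the constructed sample.

```python
import json
import os
import urllib.parse
import urllib.request

API_BASE = "https://api.crowdstrike.com"  # assumed US-1 cloud; other Falcon clouds use other hosts

def build_token_request(client_id, secret):
    """OAuth2 client-credentials request from the Client ID and Secret of step 5.
    The secret travels in the POST body, never in a URL that lands in proxy logs."""
    body = urllib.parse.urlencode({"client_id": client_id, "client_secret": secret}).encode()
    return urllib.request.Request(f"{API_BASE}/oauth2/token", data=body, method="POST",
                                  headers={"Content-Type": "application/x-www-form-urlencoded"})

def build_discovery_request(bearer_token, app_id):
    """List the event streams assigned to this app ID (the API Client Name of step 3)."""
    url = f"{API_BASE}/sensors/entities/datafeed/v2?appId={urllib.parse.quote(app_id)}"
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {bearer_token}"})

def parse_discovery(body):
    """Return (dataFeedURL, session token) per stream. An empty list means nothing is
    assigned to this app ID, so a connector should stop rather than retry blindly."""
    doc = json.loads(body)
    feeds = [(r["dataFeedURL"], r["sessionToken"]["token"]) for r in doc.get("resources", [])]
    if not feeds:
        raise RuntimeError(f"no event streams for this appId: {doc.get('errors')}")
    return feeds

def parse_event_lines(lines):
    """The feed is newline-delimited JSON with blank keep-alive lines; yield only events."""
    for raw in lines:
        line = raw.strip()
        if line:
            yield json.loads(line)

# Constructed sample of a discovery response (assumed shape, values are placeholders).
SAMPLE_DISCOVERY = json.dumps({"resources": [{
    "dataFeedURL": "https://firehose.crowdstrike.com/sensors/entities/datafeed/v1/0?appId=cyderes",
    "sessionToken": {"token": "CONSTRUCTED-SESSION-TOKEN", "expiration": "2020-01-01T00:00:00Z"}}]})

if __name__ == "__main__":  # live run: needs network and the three recorded values in the environment
    cid, secret, app = (os.environ[k] for k in ("FALCON_CLIENT_ID", "FALCON_SECRET", "FALCON_APP_ID"))
    with urllib.request.urlopen(build_token_request(cid, secret)) as r:
        bearer = json.load(r)["access_token"]
    with urllib.request.urlopen(build_discovery_request(bearer, app)) as r:
        feed_url, session = parse_discovery(r.read())[0]
    stream_req = urllib.request.Request(feed_url, headers={"Authorization": f"Token {session}"})
    for event in parse_event_lines(urllib.request.urlopen(stream_req)):
        print(json.dumps(event)[:200])
```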

MITRE ATT&CK Coverage

View in the ATT&CK Navigator