
CrowdStrike

Cyderes supports ingesting CrowdStrike logs in two separate ways to capture Endpoint data.

The CrowdStrike Falcon Data Replicator (FDR) delivers robust endpoint telemetry and alert data to an AWS S3 bucket provided by CrowdStrike. FDR may require a license and is necessary to provide appropriate security visibility, alerting, and triage for endpoint-related events. Please contact a Cyderes representative for additional information on FDR licensing.

CrowdStrike can also provide a data stream of detections and some administrative events utilizing the Falcon Connect Streaming API. This is not required.

Data Types

  • CS_EDR (CrowdStrike FDR)
  • CS_STREAM or CS_CEF_EDR (CrowdStrike Streaming API)

CrowdStrike Falcon Data Replicator - Configuration

Reference: https://www.crowdstrike.com/blog/tech-center/intro-to-falcon-data-replicator/

CrowdStrike FDR is a data replicator created by CrowdStrike to replicate log data to cloud storage.

Cyderes recommends the use of FDR unless ingestion of CrowdStrike Detections is required.

If FDR is in use, logging configuration can be initiated by opening a support ticket with support@crowdstrike.com to enable the 'CrowdStrike Data Replicator'. The CrowdStrike support representative will create an S3 bucket for the CrowdStrike account and provide the information listed below.

Gather Information

  • IAM Role ARN
  • External ID
  • S3 Bucket ARN
  • S3 Bucket Region
  • S3 Path Prefix to Data

Provide these pieces of information to Cyderes to complete the implementation.
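As an added example, not part of the Cyderes page or CrowdStrike's own tooling: a Python pre-flight check for the five FDR hand-off values listed above, plus the STS AssumeRole call (carrying the External ID) that the consuming side would use to confirm the prefix is readable. The ARN and region patterns, the class and field names, and the sample values are assumptions.

```python
import re
from dataclasses import dataclass

# Patterns are assumptions based on the published AWS ARN, region and ExternalId formats.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/([\w+=,.@/-]+)$")
S3_ARN_RE = re.compile(r"^arn:aws:s3:::([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])$")
REGION_RE = re.compile(r"^[a-z]{2}-[a-z]+-\d$")
EXTERNAL_ID_RE = re.compile(r"^[\w+=,.@:/-]{2,1224}$")


@dataclass
class FdrHandoff:
    """The five values CrowdStrike support returns after enabling FDR (field names assumed)."""
    role_arn: str
    external_id: str
    bucket_arn: str
    region: str
    prefix: str


def validate_handoff(h: FdrHandoff) -> list[str]:
    """Return a list of problems; an empty list means the hand-off looks complete."""
    problems = []
    if not ROLE_ARN_RE.match(h.role_arn):
        problems.append("IAM Role ARN is not of the form arn:aws:iam::<account>:role/<name>")
    if not EXTERNAL_ID_RE.match(h.external_id):
        problems.append("External ID is missing or contains unsupported characters")
    if not S3_ARN_RE.match(h.bucket_arn):
        problems.append("S3 Bucket ARN is not of the form arn:aws:s3:::<bucket>")
    if not REGION_RE.match(h.region):
        problems.append("S3 Bucket Region does not look like an AWS region code")
    if h.prefix.startswith("/"):
        problems.append("S3 Path Prefix should not start with '/'")
    return problems


def assume_role_kwargs(h: FdrHandoff, session_name: str = "fdr-preflight") -> dict:
    """Arguments for sts.assume_role(); ExternalId is what keeps the role from being a confused deputy."""
    return {"RoleArn": h.role_arn, "RoleSessionName": session_name, "ExternalId": h.external_id}


def list_fdr_objects(h: FdrHandoff, max_keys: int = 5) -> list[str]:
    """Assume the role with the External ID and list a few keys under the prefix (needs AWS access)."""
    import boto3  # imported here so the offline helpers above work without boto3 installed
    creds = boto3.client("sts").assume_role(**assume_role_kwargs(h))["Credentials"]
    s3 = boto3.client("s3", region_name=h.region,
                      aws_access_key_id=creds["AccessKeyId"],
                      aws_secret_access_key=creds["SecretAccessKey"],
                      aws_session_token=creds["SessionToken"])
    bucket = S3_ARN_RE.match(h.bucket_arn).group(1)
    resp = s3.list_objects_v2(Bucket=bucket, Prefix=h.prefix, MaxKeys=max_keys)
    return [obj["Key"] for obj in resp.get("Contents", [])]
```

Run validate_handoff() on the values before they are sent; list_fdr_objects() only succeeds for a principal the role's trust policy allows, which is itself a useful check that the External ID was applied.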

CrowdStrike Falcon Connect Streaming API - Configuration

Reference: https://www.crowdstrike.com/blog/tech-center/integrate-with-your-siem/

The Falcon Connect Streaming API is a generic API for use with services for which CrowdStrike has not built an integration. Cyderes has created a custom integration to collect data from this API.

Cyderes does not recommend using the Falcon Streaming API unless ingestion of CrowdStrike Detections is required.

Open a support ticket by sending an email to support@crowdstrike.com to enable the Falcon Streaming API. Once completed, continue with the following steps:

  1. In the CrowdStrike console, click the Support panel on the left, then click API Clients and Keys
  2. Click Add New API Client in the OAuth2 API Clients panel
  3. Fill in the Client Name and record it to send to Cyderes
  4. Under Scopes, select Read for Event Streams
  5. Click Add and record the client_id and secret to send to Cyderes
  6. Send the following to Cyderes. Cyderes will then configure a hosted SIEM Connector to receive the events from the streaming API:
    • API Client Name
    • Client ID
    • Secret

CrowdStrike Falcon SOAR Configuration

Reference: https://cloud.google.com/chronicle/docs/soar/marketplace-integrations/crowdstrike-falcon#configure_crowdstrike_falcon_to_work_with/

To define a CrowdStrike API client, a Falcon Administrator role is needed in order to view, create, or modify API clients or keys.

  1. In the Falcon UI, navigate to Support and resources > API clients and keys, which gives options to view existing clients, add new API clients, or view the audit log.
  2. Click Create API client, enter a descriptive Client name and Description such as Cyderes SOAR, and select the appropriate API Scopes.
  3. Permissions needed for the integration to work:
    • NOTE: Falcon Complete customers should set these values to ONLY Read with NO Write permissions.
    • Alerts: Read / Write
    • Detections: Read / Write
    • Hosts: Read / Write
    • Host Groups: Read
    • Incidents: Read / Write
    • IOC Management: Read / Write
    • IOCs (Indicators of Compromise): Read / Write
    • Event streams: Read
    • User management: Read
  4. After saving it, the Client ID and Client Secret will be presented. The secret is only shown once and should be stored in a secure place. Deliver these values to Cyderes in a secure manner.

CrowdStrike Health Check Report API Key Setup

For Managed EDR customers, Cyderes offers an automated Health Check dashboard in your customer portal. To perform this integration, a properly scoped API Client will need to be created.


  1. To define a CrowdStrike API client, a Falcon Administrator role is needed in order to view, create, or modify API clients or keys.
  2. In the Falcon UI, navigate to Support and resources > API clients and keys, which displays the OAuth2 API clients and API clients action log tabs.
  3. While in the OAuth2 API clients tab, click Create API Client, enter a descriptive Client name and Description such as Cyderes Health Report, and select the appropriate API Scopes.
  4. Scope Permissions needed for the integration to work (NOTE: All scopes listed should only have Read permissions, no Write permissions):
    • Alerts
    • Detections
    • Hosts
    • Host groups
    • Incidents
    • Machine Learning Exclusions
    • Prevention policies
    • Response policies
    • IOA Exclusions
    • Sensor Download
    • Sensor update policies
    • Sensor Visibility Exclusions
    • User management
  5. After saving it, the Client ID, Client Secret, and Base URL will be presented. The secret is only shown once and should be stored securely. Deliver these values to the Cyderes Managed Endpoint team using a secure method such as Secure Email.

MITRE ATT&CK Coverage

[Figure: CrowdStrike Coverage, viewable in the ATT&CK Navigator]