CrowdStrike
The following instructions are for configuring a native ingest of telemetry and detections from CrowdStrike into Secureworks® Taegis™ XDR using Falcon Data Replicator (FDR).
Note
This integration requires CrowdStrike Falcon Data Replicator. Please reach out to your Sophos Account Team for support.
Data Provided from Integration
| | Detections | Auth | DNS | File Collection | HTTP | NIDS | Netflow | Process | File Modification | API Call | Registry | Scriptblock | Management | Persistence | Thread Injection | Detection Finding | Technique Finding | Generic |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CrowdStrike | ✓ | ✓ | ✓ | | ✓ | | ✓ | ✓ | ✓ | | ✓ | ✓ | ✓ | ✓ | ✓ | | | ✓ |
Supported CrowdStrike Events
| Taegis Event Type | CrowdStrike Event Types |
|---|---|
| Asset | AgentConnect LocalIpAddressIP4 LocalIpAddressIP6 NetworkContainmentCompleted NetworkUncontainmentCompleted OsVersionInfo |
| Auth | ActiveDirectoryAccountCreated ActiveDirectoryAccountDisabled ActiveDirectoryAccountEnabled ActiveDirectoryAccountLocked ActiveDirectoryAccountPasswordUpdate ActiveDirectoryAccountUnlocked ActiveDirectoryAuthentication ActiveDirectoryAuthenticationFailure ActiveDirectoryIncomingDceRpcEpmRequest ActiveDirectoryIncomingDceRpcRequest ActiveDirectoryIncomingLdapSearchRequest ActiveDirectoryIncomingPsExecExecution2 ActiveDirectoryInteractiveDomainLogon ActiveDirectoryServiceAccessRequest ActiveDirectoryServiceAccessRequestFailure EventLogCleared OpenDirectoryCreateUser OpenDirectoryDeleteUser OpenDirectoryGroupAdd OpenDirectoryGroupRemove OpenDirectoryGroupSet OpenDirectoryPasswordModification UserAccountAddedToGroup UserAccountCreated UserAccountDeleted UserIdentity UserLogoff UserLogon UserLogonFailed UserLogonFailed2 |
| Antivirus | QuarantinedFile OdsMaliciousFileFound |
| DNS | DnsRequest SuspiciousDnsRequest |
| File Modification | ADExplorerFileWritten ArcFileWritten ArjFileWritten BlfFileWritten BmpFileWritten BZip2FileWritten CabFileWritten CriticalFileModified CrxFileWritten DebFileWritten DirectoryCreate DmgFileWritten DmpFileWritten DwgFileWritten ELFFileWritten EmailArchiveFileWritten EmailFileWritten EseFileWritten ExecutableDeleted FileCreateInfo FileDeleteInfo FileOpenInfo FileRenameInfo FileSetMode GenericFileWritten GifFileWritten GzipFileWritten IdwFileWritten ImgExtensionFileWritten IsoExtensionFileWritten JarFileWritten JavaClassFileWritten JpegFileWritten LnkFileWritten MachOFileWritten MotwWritten MSDocxFileWritten MsiFileWritten MSPptxFileWritten MSVsdxFileWritten MSXlsxFileWritten NewExecutableRenamed NewExecutableWritten NewScriptWritten OleFileWritten OoxmlFileWritten PackedExecutableWritten PdfFileWritten PeFileWritten PngFileWritten PythonFileWritten RarFileWritten RegistryHiveFileWritten RpmFileWritten RtfFileWritten SevenZipFileWritten SldFileWritten SourceCodeFileWritten SuspiciousEseFileWritten SuspiciousPeFileWritten TarFileWritten TiffFileWritten VdiFileWritten VmdkFileWritten WebScriptFileWritten XarFileWritten ZipFileWritten |
| Generic | DcBluetoothDeviceBlocked DcBluetoothDeviceConnected DcBluetoothDeviceDisconnected DcUsbDeviceBlocked DcUsbDeviceConnected DcUsbDeviceDisconnected DcBluetoothDevicePolicyViolation DcUsbDevicePolicyViolation DcUsbDeviceWhitelisted EarlyExploitPivotDetect EndOfProcess FsVolumeMounted FsVolumeUnmounted HostedServiceStarted HostedServiceStopped KernelServiceStarted LogonBehaviorCompositionDetectInfo NetShareAdd NetShareDelete ProcessActivitySummary RegCredAccessDetectInfo RemovableDiskModuleLoadAttempt RemovableMediaVolumeMounted ServiceStarted ServiceStopped TerminateProcess |
| HTTP | HttpRequest HttpRequestDetect HttpRequestV2DetectInfo HttpResponse |
| Thread Injection | BrowserInjectedThread DllInjection DocumentProgramInjectedThread InjectedThread InjectedThreadFromUnsignedModule JavaInjectedThread ProcessInjection |
| Management | WmiCreateProcess WmiFilterConsumerBindingEtw WmiProviderRegistrationEtw WmiQueryDetectInfo SensitiveWmiQuery |
| Netflow | NetworkCloseIP4 NetworkCloseIP6 NetworkConnectIP4 NetworkConnectIP6 NetworkListenIP4 NetworkListenIP6 NetworkReceiveAcceptIP4 NetworkReceiveAcceptIP6 |
| Persistence | AsepFileChange AsepFileChangeDetectInfo AsepFileChangeScanInfo AsepKeyUpdate AsepValueUpdate CreateService ScheduledTaskDeleted ScheduledTaskModified ScheduledTaskRegistered |
| Process | ProcessBlocked ProcessRollup2 SyntheticProcessRollup2 |
| Process Module | ClassifiedModuleLoad DotnetModuleLoadDetectInfo KernelModeLoadImage ModuleDetectInfo ModuleLoadV3DetectInfo ReflectiveDotnetModuleLoad UnsignedModuleLoad |
| Registry | RegGenericKeyUpdate RegGenericValueUpdate RegKeySecurityDecreasedFromUnsignedModule RegSystemConfigValueUpdate RegistryOperationBlocked RegistryOperationDetectInfo RegSystemConfigKeyUpdate SuspiciousRegAsepUpdate |
| Scriptblock | CommandHistory ScriptControlBlocked ScriptControlDetectInfo ScriptControlScanTelemetry ScriptFileContentsDetectInfo |
| Third Party Alert | EppDetectionSummaryEvent IDPDetectionSummaryEvent |
Supported CrowdStrike Secondary Events (not enabled)
| Taegis Event Type | CrowdStrike Event Types |
|---|---|
| Asset | aidmaster InstalledApplication |
Note
DNS, Netflow, and Process Taegis events are extracted from DetectionSummaryEvent events.
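As an added example (not Secureworks or CrowdStrike code), the following Python decodes one gzipped FDR data file and tallies its records by the Taegis event type from the mapping table above, flagging event names the mapping does not cover; run over a few files pulled from the FDR bucket, it confirms the feed carries the event types XDR consumes before the integration is wired up. It assumes FDR data files are gzipped newline-delimited JSON records with an event_simpleName field, as in CrowdStrike's public FDR sample consumer, and the records it processes are constructed for the example.

```python
import gzip
import io
import json
from collections import Counter

# Subset of the event_simpleName -> Taegis event type mapping from the
# "Supported CrowdStrike Events" table on this page; extend it from that table.
SIMPLE_NAME_TO_TAEGIS = {
    "ProcessRollup2": "Process", "SyntheticProcessRollup2": "Process",
    "DnsRequest": "DNS", "UserLogon": "Auth", "UserLogonFailed": "Auth",
    "NetworkConnectIP4": "Netflow", "AsepValueUpdate": "Persistence",
    "RegGenericValueUpdate": "Registry", "InjectedThread": "Thread Injection",
    "CommandHistory": "Scriptblock", "AgentConnect": "Asset",
}
def classify_fdr_chunk(gz_bytes):
    """Decode one gzipped newline-delimited JSON FDR data file and tally records
    by Taegis event type. Returns (counts, unmapped_event_names, malformed_lines).
    The field name event_simpleName is assumed from CrowdStrike's public FDR format."""
    counts, unmapped, malformed = Counter(), set(), 0
    with gzip.open(io.BytesIO(gz_bytes), "rt", encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if not line:
                continue
            try:
                record = json.loads(line)
            except json.JSONDecodeError:
                malformed += 1  # count and keep going; one bad line must not abort the review
                continue
            name = record.get("event_simpleName", "<missing event_simpleName>")
            taegis_type = SIMPLE_NAME_TO_TAEGIS.get(name)
            if taegis_type is None:
                unmapped.add(name)  # surfaced so the feed or the mapping can be reviewed
            else:
                counts[taegis_type] += 1
    return counts, unmapped, malformed
# Constructed sample chunk (not real telemetry): mapped records, one event name
# outside the mapping subset, one record missing the field, one malformed line.
_SAMPLE_RECORDS = [
    {"event_simpleName": "ProcessRollup2", "aid": "constructed-aid-1"},
    {"event_simpleName": "SyntheticProcessRollup2", "aid": "constructed-aid-1"},
    {"event_simpleName": "DnsRequest", "DomainName": "example.invalid"},
    {"event_simpleName": "UserLogonFailed", "UserName": "constructed-user"},
    {"event_simpleName": "AsepValueUpdate", "aid": "constructed-aid-2"},
    {"event_simpleName": "ConstructedUnmappedEvent"},
    {"aid": "constructed-aid-3"},
]
SAMPLE_CHUNK = gzip.compress(
    ("\n".join(json.dumps(r) for r in _SAMPLE_RECORDS) + "\n{not json}\n").encode())
```

If the unmapped set is large or a whole Taegis type never appears, revisit the Primary and Secondary event selections in the FDR feed before adding the integration in XDR.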
Set Up FDR and Gather Information
Please note that we've developed this guide to assist with integrating XDR with CrowdStrike FDR based on our current understanding of the CrowdStrike software, but can't offer a guarantee due to potential changes made by CrowdStrike. We advise you to use the official CrowdStrike documentation to set up your FDR feed and create necessary credentials for the integration. Please consider our instructions as a helping hand to be followed at your discretion as we aim to ease this process for you.
1. Open Falcon Data Replicator under Support and Resources, or use search within Falcon to locate the feature.
   [Screenshot: Open FDR from Navigation]
   [Screenshot: Open FDR from Search]
2. From Create Feed, enter a feed name, select Customize your FDR feed, and then choose Next.
   [Screenshot: Create Feed]
3. On the Primary Events tab, select all the event types and then choose + Add selected events.
   [Screenshot: Select all Event Types]
4. On the Secondary Events tab, select all available options.
   [Screenshot: Select All Secondary Events Options]
   Important
   Make sure both Primary and Secondary events are added to the Feed configuration.
5. On the Partitions tab, select both partition types.
   [Screenshot: Select Both Partition Types]
6. Save the feed credentials presented for your records, as this screen is only shown once.
   [Screenshot: Save Feed Credentials]
   Important
   Save the authentication information FDR provides, as it is never displayed again.
7. You will need the following items to set up the CrowdStrike integration in XDR:
   - CID — The ID for your CrowdStrike customer account (Client ID)
   - AWS Region — The name of the AWS region where your FDR's SQS queue resides (Storage region)
   - AWS Access Key ID (Client ID) — The AWS Access Key ID (Client ID) for your FDR resources
   - AWS Secret Access Key (Secret) — The AWS Secret Access Key (Secret) for your FDR resources
   - AWS SQS URL — The AWS SQS URL associated with your FDR
   - AWS S3 Identifier — The AWS S3 identifier associated with your FDR
Set Up CrowdStrike Integration in XDR
1. From the Taegis Menu, select Integrations → Cloud APIs → Add an Integration.
2. From the Optimized tab, choose CrowdStrike.
   [Screenshot: CrowdStrike Integration Setup]
3. Provide a name for the integration, and then input the information gathered from the FDR console in the previous section.
4. Select Add when complete to validate the integration. The Cloud API Integrations page displays with the successfully added CrowdStrike integration listed.
Verification
Use Advanced Search to find detections relating to this integration with the following query:
```
FROM detection WHERE sensor_types='ENDPOINT_CROWD_STRIKE'
```
