CrowdStrike
The following instructions are for configuring a native ingest of telemetry and detections from CrowdStrike into Secureworks® Taegis™ XDR using Falcon Data Replicator (FDR).
Note
Customers who wish to integrate their CrowdStrike endpoints into XDR will need to purchase the standard Falcon Data Replicator (FDR) from CrowdStrike. Customers will need to contact their CrowdStrike account representative for the pricing details about FDR.
Data Provided from Integration
| | Alerts | Auth | DNS | File Collection | HTTP | NIDS | Netflow | Process | File Modification | API Call | Registry | Scriptblock | Management | Persistence | Thread Injection | Generic |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CrowdStrike | ✓ | ✓ | ✓ | | ✓ | | ✓ | ✓ | ✓ | | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
Supported CrowdStrike Events
Taegis Event Type | CrowdStrike Event Types |
---|---|
Asset | LocalIpAddressIP4 LocalIpAddressIP6 OsVersionInfo |
Auth | ActiveDirectoryAccountCreated ActiveDirectoryAccountDisabled ActiveDirectoryAccountEnabled ActiveDirectoryAccountLocked ActiveDirectoryAccountPasswordUpdate ActiveDirectoryAccountUnlocked ActiveDirectoryAuthentication ActiveDirectoryAuthenticationFailure ActiveDirectoryIncomingDceRpcEpmRequest ActiveDirectoryIncomingDceRpcRequest ActiveDirectoryIncomingLdapSearchRequest ActiveDirectoryIncomingPsExecExecution2 ActiveDirectoryInteractiveDomainLogon ActiveDirectoryServiceAccessRequest ActiveDirectoryServiceAccessRequestFailure EventLogCleared OpenDirectoryCreateUser OpenDirectoryDeleteUser OpenDirectoryGroupAdd OpenDirectoryGroupRemove OpenDirectoryGroupSet OpenDirectoryPasswordModification UserAccountAddedToGroup UserAccountCreated UserAccountDeleted UserIdentity UserLogoff UserLogon UserLogonFailed UserLogonFailed2 |
Antivirus | QuarantinedFile OdsMaliciousFileFound |
DNS | DnsRequest SuspiciousDnsRequest |
File Modification | ADExplorerFileWritten ArcFileWritten ArjFileWritten BlfFileWritten BmpFileWritten BZip2FileWritten CabFileWritten CriticalFileModified CrxFileWritten DebFileWritten DmgFileWritten DmpFileWritten DwgFileWritten ELFFileWritten EmailArchiveFileWritten EmailFileWritten EseFileWritten ExecutableDeleted FileCreateInfo FileDeleteInfo FileOpenInfo FileRenameInfo FileSetMode GenericFileWritten GifFileWritten GzipFileWritten IdwFileWritten ImgExtensionFileWritten IsoExtensionFileWritten JarFileWritten JavaClassFileWritten JpegFileWritten LnkFileWritten MachOFileWritten MSDocxFileWritten MsiFileWritten MSPptxFileWritten MSVsdxFileWritten MSXlsxFileWritten NewExecutableRenamed NewExecutableWritten OleFileWritten OoxmlFileWritten PdfFileWritten PeFileWritten PngFileWritten PythonFileWritten RarFileWritten RegistryHiveFileWritten RpmFileWritten RtfFileWritten SevenZipFileWritten SldFileWritten SourceCodeFileWritten SuspiciousEseFileWritten SuspiciousPeFileWritten TarFileWritten TiffFileWritten VdiFileWritten VmdkFileWritten WebScriptFileWritten XarFileWritten ZipFileWritten |
Generic | DcBluetoothDeviceBlocked DcBluetoothDeviceConnected DcBluetoothDeviceDisconnected DcUsbDeviceBlocked DcUsbDeviceConnected DcUsbDeviceDisconnected DcBluetoothDevicePolicyViolation DcUsbDevicePolicyViolation DcUsbDeviceWhitelisted FsVolumeMounted FsVolumeUnmounted HostedServiceStarted HostedServiceStopped NetShareAdd NetShareDelete RemovableDiskModuleLoadAttempt RemovableMediaVolumeMounted ServiceStarted ServiceStopped |
HTTP | HttpRequestDetect |
Thread Injection | BrowserInjectedThread DllInjection DocumentProgramInjectedThread InjectedThread InjectedThreadFromUnsignedModule JavaInjectedThread ProcessInjection |
Management | WmiCreateProcess WmiFilterConsumerBindingEtw WmiProviderRegistrationEtw WmiQueryDetectInfo SensitiveWmiQuery |
Netflow | NetworkCloseIP4 NetworkCloseIP6 NetworkConnectIP4 NetworkConnectIP6 NetworkListenIP4 NetworkListenIP6 NetworkReceiveAcceptIP4 NetworkReceiveAcceptIP6 |
Persistence | AsepFileChange AsepFileChangeDetectInfo AsepFileChangeScanInfo AsepKeyUpdate AsepValueUpdate CreateService ScheduledTaskDeleted ScheduledTaskModified ScheduledTaskRegistered |
Process | ProcessBlocked ProcessRollup2 SyntheticProcessRollup2 |
Registry | RegGenericKeyUpdate RegGenericValueUpdate RegSystemConfigValueUpdate RegistryOperationBlocked RegistryOperationDetectInfo RegSystemConfigKeyUpdate |
Scriptblock | CommandHistory ScriptControlBlocked ScriptControlDetectInfo ScriptControlScanTelemetry |
Third Party Alert | DetectionSummaryEvent EppDetectionSummaryEvent IDPDetectionSummaryEvent |
Supported CrowdStrike Secondary Events
Taegis Event Type | CrowdStrike Event Types |
---|---|
Asset | aidmaster |
Note
DNS, Netflow, and Process Taegis events are extracted from DetectionSummaryEvent events.
Set Up FDR and Gather Information
Please note that this guide was developed to assist with integrating XDR with CrowdStrike FDR based on our current understanding of the CrowdStrike software; we cannot guarantee it will remain accurate if CrowdStrike changes its product. We advise you to use the official CrowdStrike documentation to set up your FDR feed and to create the credentials the integration needs. Treat these instructions as a helping hand to be followed at your discretion; they are intended to ease the process for you.
- Open Falcon Data Replicator under Support and Resources, or use search within Falcon to locate the feature.
- From Create Feed, enter a feed name, select Customize your FDR feed, and then choose Next.
- On the Primary Events tab, select all the event types and then choose + Add selected events.
- On the Secondary Events tab, select all available options.
Important
Make sure both Primary and Secondary events are added to the Feed configuration.
- On the Partitions tab, select both partition types.
- Save the feed credentials presented for your records, as this screen is only shown once.
Important
Save the authentication information FDR provides, as it is never displayed again.
- You will need the following items to set up the CrowdStrike integration in XDR:
- CID — The ID for your CrowdStrike customer account (Client ID)
- AWS Region — The name of the AWS region where your FDR's SQS queue resides (Storage region)
- AWS Access Key ID (Client ID) — The AWS Access Key ID (Client ID) for your FDR resources
- AWS Secret Access Key (Secret) — The AWS Secret Access Key (Secret) for your FDR resources
- AWS SQS URL — The AWS SQS URL associated with your FDR
- AWS S3 Identifier — The AWS S3 identifier associated with your FDR
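A common reason the integration fails to validate is a mismatch between the values gathered above (for example, an AWS Region that does not match the region embedded in the SQS URL). The following pre-flight check is an added example, not part of the Secureworks or CrowdStrike documentation: it checks the six values for their well-known shapes (the CID is assumed to be 32 hex characters with an optional two-character checksum suffix; the AWS key, secret, bucket-name and SQS URL shapes follow AWS's published formats) before you paste them into XDR. All sample values are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Expected shapes of each value. The CID shape is an assumption about
# CrowdStrike customer IDs; the AWS shapes follow AWS's documented formats.
CID_RE = re.compile(r"^[0-9a-f]{32}(-[0-9a-f]{2})?$", re.IGNORECASE)
ACCESS_KEY_RE = re.compile(r"^[A-Z0-9]{20}$")
BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
SQS_HOST_RE = re.compile(r"^sqs\.([a-z0-9-]+)\.amazonaws\.com$")


def check_fdr_settings(cid, region, access_key_id, secret, sqs_url, s3_id):
    """Return a list of problems found; an empty list means the values are consistent."""
    problems = []
    if not CID_RE.match(cid):
        problems.append("CID should be 32 hex characters, optionally followed by a -XX checksum")
    if not ACCESS_KEY_RE.match(access_key_id):
        problems.append("AWS Access Key ID should be 20 upper-case alphanumeric characters")
    if len(secret) != 40:
        problems.append("AWS Secret Access Key should be 40 characters long")
    if not BUCKET_RE.match(s3_id):
        problems.append("AWS S3 Identifier does not look like a valid S3 bucket name")
    parsed = urlparse(sqs_url)
    host_match = SQS_HOST_RE.match(parsed.netloc)
    if parsed.scheme != "https" or not host_match:
        problems.append("AWS SQS URL should look like https://sqs.<region>.amazonaws.com/<account>/<queue>")
    else:
        # The region in the queue's hostname must agree with the region entered in XDR.
        queue_region = host_match.group(1)
        if queue_region != region:
            problems.append(f"AWS Region {region!r} does not match the region {queue_region!r} in the SQS URL")
        parts = [p for p in parsed.path.split("/") if p]
        if len(parts) != 2 or not re.fullmatch(r"\d{12}", parts[0]):
            problems.append("AWS SQS URL path should be /<12-digit account id>/<queue name>")
    return problems


# Constructed sample values; the AWS key pair is the example pair from AWS's own documentation.
SAMPLE = {
    "cid": "0123456789abcdef0123456789abcdef",
    "region": "us-west-1",
    "access_key_id": "AKIAIOSFODNN7EXAMPLE",
    "secret": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "sqs_url": "https://sqs.us-west-1.amazonaws.com/123456789012/example-fdr-queue",
    "s3_id": "example-fdr-bucket",
}

if __name__ == "__main__":
    for problem in check_fdr_settings(**SAMPLE) or ["All values look consistent"]:
        print(problem)
```

This only checks the shape and mutual consistency of the values; the live check that the credentials actually reach the queue and bucket is the validation XDR performs when you select Add.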
Set Up CrowdStrike Integration in XDR
- From the Taegis Menu, select Integrations → Cloud APIs → Add an Integration.
- From the Optimized tab, choose CrowdStrike.
- Provide a name for the integration, and then input the information gathered from the FDR console in the previous section.
- Select Add when complete to validate the integration. The Cloud API Integrations page then displays, listing the newly added CrowdStrike integration.
Verification
Use Advanced Search to find alerts relating to this integration with the following query:
FROM alert WHERE sensor_types='ENDPOINT_CROWD_STRIKE'