CrowdStrike Endpoint Security
Integration Points
| Protocol | Information Discovered | Used For |
|---|---|---|
| Falcon Streaming API | Detection Summary, Authentication Log, Detection Status Update, Indicators of Compromise, Containment Audit Events, IP White-listing Events, Sensor Grouping Events | Security and Compliance |
| Falcon Data Replicator | Detection Summary, User Activity, Authentication Activity | Security and Compliance |
Falcon Streaming API Integration
FortiSIEM can collect the following types of events from the CrowdStrike Cloud Service via the Falcon Streaming API:
- Detection Summary
- Authentication Log
- Detection Status Update
- Customer Indicators of Compromise
- Containment Audit Events
- IP White-listing Events
- Sensor Grouping Events
CrowdStrike provides details about Falcon Streaming API here.
To receive CrowdStrike security events via the Falcon Streaming API, follow these two steps:
- Configure Crowdstrike Service for Falcon Streaming API.
- Configure FortiSIEM for Falcon Streaming API Based Access.
Configure CrowdStrike Service for Falcon Streaming API
Create an account to be used for FortiSIEM communication:
- Login to CrowdStrike as Falcon Customer Admin.
- Go to Support App > Key page.
- Click Reset API Key. Copy the API key and UUID for safe keeping. Note that your API key and UUID are assigned one pair per customer account, not one pair per user. Thus, if you generate a new API key, you may be affecting existing applications in your environment.
Configure FortiSIEM for Falcon Streaming API Based Access
Use the account created in the previous step to enable FortiSIEM access.
- Login to FortiSIEM.
- Go to ADMIN > Setup > Credential.
- Click New to create CrowdStrike Falcon credential.
- Choose Device Type = CrowdStrike Falcon (Vendor = CrowdStrike, Model = Falcon).
- Choose Access Protocol = Falcon Streaming API.
- Enter the UUID and API Key Secret for the account created in Configure CrowdStrike Service for Falcon Streaming API.
- Choose the Organization if it is an MSP deployment and the same credential is to be used for multiple customers.
- Click Save.
- In IP Range to Credential Associations, click New to add an association.
- Set Hostname to firehose.crowdstrike.com.
- Select the Credential created in step 3.
- Click Save.
- Select the entry created in step 4 and click Test Connectivity. If the test succeeds, the credential is correct.
- An entry will be created in ADMIN > Setup > Pull Events corresponding to this event pulling job. FortiSIEM will start to pull events from CrowdStrike Cloud Service using the Falcon Streaming API.
To test for events received via CrowdStrike Streaming API:
- Go to ADMIN > Setup > Pull Events.
- Select the CrowdStrike Streaming API entry and click Report.
The system will take you to the Analytics tab and run a query to display the events received from CrowdStrike Cloud Service in the last 15 minutes. You can modify the time interval to get more events.
Falcon Data Replicator Integration
FortiSIEM can collect the following types of events from the CrowdStrike Cloud Service via the Falcon Data Replicator method:
- Detection Summary Events
- User Activity Audit Events
- Auth Activity Audit Events
CrowdStrike provides details about Data Replicator method here.
To receive CrowdStrike security events via the Falcon Data Replicator integration, follow these two steps:
- Obtain AWS Credentials from CrowdStrike.
- Configure FortiSIEM for Falcon Data Replicator.
Obtain AWS Credentials from CrowdStrike
Contact CrowdStrike to obtain AWS credentials for pulling CrowdStrike logs from AWS.
- Generate a GPG key pair in ASCII format.
- Send the public part of the GPG key to support@crowdstrike.com.
- CrowdStrike will encrypt the API key with your public key and send you the encrypted API key. You can decrypt using your private GPG key.
- CrowdStrike Support will also provide you an SQS Queue URL.
Credentials obtained in steps 3 and 4 above will be used in the next step.
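The GPG exchange above, as an added example that is not part of the FortiSIEM or CrowdStrike documentation: it generates an ASCII-armored key pair in a throwaway keyring, exports only the public half for the support mail, simulates CrowdStrike's side by encrypting a constructed placeholder credential to that key, and decrypts it with the private key. The key identity, file names and the placeholder credential are assumptions.

```shell
set -eu

# Throwaway keyring so the demo never touches a real ~/.gnupg.
export GNUPGHOME="$(mktemp -d)"
KEY_UID="fortisiem-fdr@example.com"           # assumed key identity
PUBKEY_FILE="$GNUPGHOME/fdr-public.asc"       # the part you send to CrowdStrike
CIPHERTEXT="$GNUPGHOME/encrypted-api-key.asc" # the part CrowdStrike sends back

# Step 1: generate the key pair. No passphrase here for the demo only; a
# production key should carry a passphrase and stay on a controlled host.
gen_key() {
    gpg --batch --quiet --passphrase '' --pinentry-mode loopback \
        --quick-generate-key "$KEY_UID" default default never
}

# Step 2: export the PUBLIC half, ASCII-armored (--armor). Only this block
# leaves the host; the secret key is never exported or mailed.
export_pubkey() {
    gpg --batch --quiet --armor --export "$KEY_UID" > "$PUBKEY_FILE"
}

# Step 3 as performed on CrowdStrike's side, simulated locally: encrypt the
# credential to your public key and armor the result for e-mail transport.
simulate_crowdstrike_encrypt() {
    printf '%s' "$1" | gpg --batch --quiet --armor --trust-model always \
        --recipient "$KEY_UID" --encrypt > "$CIPHERTEXT"
}

# Decrypt the returned message with your private key; stdout is the credential
# that goes into the FortiSIEM Password Config in the next step.
decrypt_api_key() {
    gpg --batch --quiet --passphrase '' --pinentry-mode loopback \
        --decrypt "$CIPHERTEXT"
}

gen_key
export_pubkey
simulate_crowdstrike_encrypt "EXAMPLE-AWS-SECRET-KEY-0123"   # constructed value
```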
Configure FortiSIEM for Falcon Data Replicator
Use the credentials obtained in the previous step to enable FortiSIEM access.
- Login to FortiSIEM.
- Go to ADMIN > Setup > Credentials.
- In Step 1: Enter Credentials, click New to create CrowdStrike Falcon Data Replicator credential.
- Choose Device Type = CrowdStrike Falcon (Vendor = CrowdStrike, Model = Falcon).
- Choose Access Protocol = CrowdStrike Falcon Data Replicator.
- Enter the Region where the instance is located.
- Enter the SQS Queue URL provided by CrowdStrike Support in Obtain AWS Credentials from CrowdStrike.
- Password Config: see Password Configuration.
- Choose the Organization if it is an MSP deployment and the same credential is to be used for multiple customers.
- Click Save.
- In Step 2: Enter IP Range to Credential Associations, click New.
- Get the Hostname from the SQS Queue URL. For example, for Queue URL https://us-west-1.queue.amazonaws.com/754656674199/cs-prod-cannon-queue-d5836cd3792ece8f, set the Hostname to us-west-1.queue.amazonaws.com.
- Select the Credential created in step 3 above.
- Click Save.
- Select the entry in step 4, click the Test drop-down list, and select Test Connectivity. If the test succeeds, then the credential is correct.
- An entry will be created in ADMIN > Setup > Pull Events corresponding to this event pulling job. FortiSIEM will start to pull events from CrowdStrike Cloud Service using the Falcon Data Replicator.
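Deriving the Region and Hostname fields of the procedure above from the SQS Queue URL, as an added example that is not part of the FortiSIEM documentation. It generalizes the page's legacy REGION.queue.amazonaws.com form to the current sqs.REGION.amazonaws.com form as well, and refuses any host that is not an amazonaws.com endpoint so a mistyped or look-alike URL is caught before it is saved as a pull target. The function names are assumptions.

```shell
set -eu

# Hostname field: the authority part of the URL, with scheme and path removed.
# Only amazonaws.com hosts are accepted; anything else is rejected loudly.
fdr_hostname() {
    host="${1#*://}"      # drop "https://"
    host="${host%%/*}"    # drop everything from the first slash onwards
    case "$host" in
        *.amazonaws.com) printf '%s\n' "$host" ;;
        *) echo "refusing non-AWS SQS host: $host" >&2; return 1 ;;
    esac
}

# Region field: legacy queue URLs put the region first (us-west-1.queue...),
# current ones put it after the service label (sqs.us-west-1...).
fdr_region() {
    host="$(fdr_hostname "$1")" || return 1
    case "$host" in
        sqs.*.amazonaws.com)   rest="${host#sqs.}"; printf '%s\n' "${rest%%.*}" ;;
        *.queue.amazonaws.com) printf '%s\n' "${host%%.*}" ;;
        *) echo "unrecognised SQS hostname layout: $host" >&2; return 1 ;;
    esac
}

# Queue URL from the page, used as sample input.
QUEUE_URL="https://us-west-1.queue.amazonaws.com/754656674199/cs-prod-cannon-queue-d5836cd3792ece8f"
echo "Hostname: $(fdr_hostname "$QUEUE_URL")"
echo "Region:   $(fdr_region "$QUEUE_URL")"
```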
To test for events received via CrowdStrike Falcon Data Replicator:
- Go to ADMIN > Setup > Pull Events.
- Select the CrowdStrike Falcon Data Replicator entry and click Report.
The system will take you to the Analytics tab and run a query to display the events received from CrowdStrike Cloud Service in the last 15 minutes. You can modify the time interval to get more events.