Ingest raw EDR event data from CrowdStrike Falcon Data Replicator into Cortex XSIAM.
Cortex XSIAM enables ingestion of raw EDR event data from CrowdStrike Falcon Data Replicator (FDR), streamed to Amazon S3. In addition to all standard SIEM capabilities, this integration unlocks some advanced Cortex XSIAM features, enabling comprehensive analysis of data from all sources, enhanced detection and response, and deeper visibility into CrowdStrike FDR data.
Key benefits include:
Querying all raw event data received from CrowdStrike FDR using XQL.
Querying critical modeled and unified EDR data via the xdr_data dataset.
Enriching incident and alert investigations with relevant context.
Grouping alerts with alerts from other sources to accelerate incident scoping and cut investigation time.
Leveraging the data for analytics-based detection.
Utilizing the data for rule-based detection, including correlation rules, BIOC, and IOC.
Leveraging the data within playbooks for incident response.
When Cortex XSIAM begins receiving EDR events from CrowdStrike FDR, it automatically creates a new dataset labeled crowdstrike_fdr_raw, allowing you to query all CrowdStrike FDR events using XQL. For example XQL queries, refer to the in-app XQL Library.
In addition, Cortex XSIAM parses and maps critical data into the xdr_data dataset and XDM data model, enabling unified querying and investigation across all supported EDR vendors' data, and unlocking key benefits like stitching and advanced analytics. While mapped data from all supported EDR vendors, including CrowdStrike, will be available in the xdr_data dataset, it's important to note that third-party EDR data present some limitations.
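Two XQL queries illustrating the two datasets described above. These are added examples and are not taken from the in-app XQL Library; the raw-dataset field name event_simpleName is assumed to be preserved from the FDR record as delivered, and the time window and limits are arbitrary.

```xql
// Added example: confirm FDR events are arriving and see which raw event
// types dominate (event_simpleName is the FDR field name, assumed preserved).
dataset = crowdstrike_fdr_raw
| filter _time > current_time() - 1h
| comp count() as event_count by event_simpleName
| sort desc event_count
| limit 20

// Added example: the same telemetry after mapping into the unified xdr_data
// dataset, queried with XDM fields that apply to every supported EDR vendor.
// Lists process-start events in the last hour, newest first.
dataset = xdr_data
| filter _time > current_time() - 1h
    and event_type = ENUM.PROCESS
    and event_sub_type = ENUM.PROCESS_START
| fields _time, agent_hostname, actor_process_image_name,
         action_process_image_name, action_process_image_command_line
| sort desc _time
| limit 50
```

Running the first query before the second is a quick way to verify that ingestion is active before relying on mapped xdr_data fields, since the mapping only covers the subset of raw events the integration models.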
Third-party agents, including CrowdStrike, typically provide less data compared to our native agents, and do not include the same level of optimization for causality analysis and cloud-based analytics. Furthermore, external EDR rate limits and filters might restrict the availability of critical data required for comprehensive analytics. As a result, only a subset of our analytics-based detectors will function with third-party EDR data.
Raw event data from CrowdStrike FDR lacks key contextual information. To enhance its usability, we allocate additional resources to stitch it with other event data and data sources. Therefore, enabling the CrowdStrike FDR integration might temporarily make the tenant unavailable for a maintenance period of up to an hour.
We are continuously enhancing our support and using advanced techniques to enrich missing third-party data and to partially replicate some proprietary functionalities available with our agents. This approach maximizes value for our customers using third-party EDRs within existing constraints. However, it's important to recognize that the level of comprehensiveness achieved with our native agents cannot be matched, as much of the logic happens on the agent itself. These capabilities are unique, and are not found in typical SIEMs. Many of them, along with their underlying logic, are patented by Palo Alto Networks. Therefore, they should be regarded as added value beyond standard SIEM functionalities for customers who are not using our agents.
Danger
Ensure that your organization has a license for the CrowdStrike Falcon Data Replicator (FDR).
Ensure that CrowdStrike FDR is enabled. CrowdStrike FDR can only be enabled by CrowdStrike Support. If CrowdStrike FDR is not enabled, submit a support ticket through the CrowdStrike support portal.
Follow these steps to check if CrowdStrike FDR is enabled:
Log in to the CrowdStrike Falcon user interface using an account that has view/create permission for the API clients and keys page.
Navigate to → .
Verify that FDR AWS S3 Credentials and SQS Queue is listed.
Note
Due to limitations with the S3 bucket used by CrowdStrike, data can only be collected once, by one system.
Note
For more information on configuring data collection from CrowdStrike via Falcon Data Replicator, see CrowdStrike documentation.