Ingest raw EDR events from CrowdStrike Falcon Data Replicator

Cortex XSIAM Documentation

Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2024-11-07
Category: Administrator Guide

Abstract

Ingest raw EDR event data from CrowdStrike Falcon Data Replicator into Cortex XSIAM.

Cortex XSIAM enables ingestion of raw EDR event data from CrowdStrike Falcon Data Replicator (FDR), streamed to Amazon S3. In addition to all standard SIEM capabilities, this integration unlocks some advanced Cortex XSIAM features, enabling comprehensive analysis of data from all sources, enhanced detection and response, and deeper visibility into CrowdStrike FDR data.

Key benefits include:

  • Querying all raw event data received from CrowdStrike FDR using XQL.

  • Querying critical modeled and unified EDR data via the xdr_data dataset.

  • Enriching incident and alert investigations with relevant context.

  • Grouping alerts with alerts from other sources to accelerate the scoping process of incidents, and to cut investigation time.

  • Leveraging the data for analytics-based detection.

  • Utilizing the data for rule-based detection, including correlation rules, BIOC, and IOC.

  • Leveraging the data within playbooks for incident response.

When Cortex XSIAM begins receiving EDR events from CrowdStrike FDR, it automatically creates a new dataset labeled crowdstrike_fdr_raw, allowing you to query all CrowdStrike FDR events using XQL. For example XQL queries, refer to the in-app XQL Library.

In addition, Cortex XSIAM parses and maps critical data into the xdr_data dataset and XDM data model, enabling unified querying and investigation across all supported EDR vendors' data, and unlocking key benefits like stitching and advanced analytics. While mapped data from all supported EDR vendors, including CrowdStrike, will be available in the xdr_data dataset, it's important to note that third-party EDR data presents some limitations.

Third-party agents, including CrowdStrike, typically provide less data compared to our native agents, and do not include the same level of optimization for causality analysis and cloud-based analytics. Furthermore, external EDR rate limits and filters might restrict the availability of critical data required for comprehensive analytics. As a result, only a subset of our analytics-based detectors will function with third-party EDR data.

Raw event data from CrowdStrike FDR lacks key contextual information. To enhance its usability, we allocate additional resources to stitch it with other event data and data sources. Therefore, enabling the CrowdStrike FDR integration might temporarily make the tenant unavailable for a maintenance period of up to an hour.

We are continuously enhancing our support and using advanced techniques to enrich missing third-party data, while replicating, to some extent, some of the proprietary functionality available with our agents. This approach maximizes value for our customers using third-party EDRs within existing constraints. However, it’s important to recognize that the level of comprehensiveness achieved with our native agents cannot be matched, as much of the logic happens on the agent itself. These capabilities are unique, and are not found in typical SIEMs. Many of them, along with their underlying logic, are patented by Palo Alto Networks. Therefore, they should be regarded as added value beyond standard SIEM functionalities for customers who are not using our agents.

Danger

Ensure that your organization has a license for the CrowdStrike Falcon Data Replicator (FDR).

Ensure that CrowdStrike FDR is enabled. CrowdStrike FDR can only be enabled by CrowdStrike Support. If CrowdStrike FDR is not enabled, submit a support ticket through the CrowdStrike support portal.

Follow these steps to check if CrowdStrike FDR is enabled:

  1. Log in to the CrowdStrike Falcon user interface using an account that has view/create permission for the API clients and keys page.

  2. Navigate to Support > API Clients and Keys.

  3. Verify that FDR AWS S3 Credentials and SQS Queue is listed.

Note

Due to limitations with the S3 bucket used by CrowdStrike, data can only be collected once, by one system.

Note

For more information on configuring data collection from CrowdStrike via Falcon Data Replicator, see CrowdStrike documentation.

  1. In the CrowdStrike user interface, select Support and resources > Resources and Tools > Falcon data replicator.

  2. Click the FDR feeds tab.

  3. Click Create feed.

  4. Enter a feed name.

  5. In Falcon Flight Control deployments, there is an option called Select which CID will manage this feed. In typical environments, the parent CID manages the feed for all of its child CIDs. This creates an aggregated feed that has data from all of the child CIDs. For information about aggregated feeds, and how they compare to individual feeds, see CrowdStrike documentation.

    • To set up an aggregated feed, select the parent CID.

    • To set up an individual feed, select a child CID or select both a parent CID and the Exclude Child CIDs option.

    • To exclude only some of the child CIDs, don’t select the Exclude Child CIDs option. Instead, select Customize your FDR feed in the next step.

  6. Set the feed status.

  7. Select the method for creating your feed, from the following options:

    • Create your FDR feed with default settings, where you get the recommended settings, including all current and future events, all secondary events (if available), and no partitions.

    • Customize your FDR feed, where you start with the option to use a filter to get the specific events that you want in the feed. You can then customize secondary events and partitioning.

  8. Include secondary events. They are required for data stitching and enrichment.

  9. Optionally, in Flight Control deployments, edit the existing child CIDs included in the feed, and choose whether future CIDs are automatically included, by using the Include future CIDs option.

  10. Click Create feed.

  11. From the summary page that appears, copy and save all the information shown on the page somewhere safe, for later use. This page includes the credentials that are required for setting up an SQS consumer.

    Note

    Ensure that you copy the Secret, and store it in a safe place. You will not be able to retrieve it later. If you need a new secret, you must reset the feed credentials.

  1. Log in to CrowdStrike Falcon using an account that has view/create permission for the API clients and keys page.

  2. Navigate to Support > API Clients and Keys.

  3. On the same line as FDR AWS S3 Credentials and SQS Queue, click Create new credentials.

    Note

    CrowdStrike Falcon Data Replicator only supports one FDR credential configuration.

  4. Configure your new FDR credentials.

  5. Copy the values for the CLIENT ID, SECRET, S3 IDENTIFIER, and SQS URL, and save them somewhere safe, because you will need them when you configure data collection in Cortex XSIAM.

    Note

    Ensure that you save the SECRET value, because this is the only time that it is displayed. You can go back to this page later to copy the other credentials, but you will not have access to the secret again.

  6. Click DONE.

  1. In Cortex XSIAM, select Settings > Data Sources.

  2. On the Data Sources page, click Add Data Source, search for and select CrowdStrike Falcon Data Replicator, and click Connect.

  3. Set these parameters:

    • Name: Specify a descriptive name for your log collection configuration.

    • SQS URL: Specify the SQS URL you received when you created the FDR credential in CrowdStrike Falcon, as explained above.

    • AWS Client ID: Specify the CLIENT ID you received when you created the FDR credential in CrowdStrike Falcon, as explained above.

    • AWS Client Secret: Specify the SECRET you received when you created the FDR credential in CrowdStrike Falcon, as explained above.

  4. Click Test to validate access, and then click Enable.

When events start to come in, a green check mark appears below the CrowdStrike Falcon Data Replicator configuration, along with the amount of data received.
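
An added example, not part of the Cortex XSIAM or CrowdStrike documentation: an offline sanity check for the values saved from CrowdStrike, run before they are entered in the data source parameters above. It never contacts AWS or reads from the queue; the function names, dictionary keys, sample values, and the assumption that the S3 identifier is an s3:// URI are illustrative.

```python
import re
from urllib.parse import urlparse

# Current-style SQS queue URL: https://sqs.<region>.amazonaws.com/<12-digit account>/<queue>
_SQS_HOST = re.compile(r"^sqs\.([a-z0-9-]+)\.amazonaws\.com$")
_SQS_PATH = re.compile(r"^/\d{12}/[A-Za-z0-9_-]{1,80}(?:\.fifo)?$")

# The three values the XSIAM data source form asks for (key names are hypothetical).
REQUIRED = ("client_id", "secret", "sqs_url")

# Constructed sample values, not real credentials.
SAMPLE = {
    "client_id": "EXAMPLE-CLIENT-ID",
    "secret": "example-secret-value",
    "sqs_url": "https://sqs.us-west-1.amazonaws.com/123456789012/example-fdr-queue",
}


def check_fdr_values(values):
    """Return a list of problems (empty = ready to paste); the secret is never echoed."""
    problems = []
    for key in REQUIRED:
        raw = values.get(key, "")
        if not raw.strip():
            problems.append(f"{key}: missing")
        elif raw != raw.strip():
            problems.append(f"{key}: leading/trailing whitespace from copy-paste")

    sqs = values.get("sqs_url", "").strip()
    if sqs:
        url = urlparse(sqs)
        if url.scheme == "s3":  # assumption: the S3 identifier is an s3:// URI
            problems.append("sqs_url: looks like the S3 identifier, not the SQS URL")
        elif url.scheme != "https":
            problems.append("sqs_url: expected an https:// URL")
        else:
            if not _SQS_HOST.match(url.hostname or ""):
                problems.append("sqs_url: host is not sqs.<region>.amazonaws.com")
            if not _SQS_PATH.match(url.path):
                problems.append("sqs_url: path is not /<account-id>/<queue-name>")
    return problems


def sqs_region(sqs_url):
    """Return the AWS region encoded in the SQS URL, or None if malformed."""
    match = _SQS_HOST.match(urlparse(sqs_url.strip()).hostname or "")
    return match.group(1) if match else None
```

Because the check only inspects strings, it does not count as a second consumer of the FDR feed.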