...

CrowdStrike Falcon Endpoint Detection and Response (EDR) is the core platform that provides endpoint security capabilities, including threat detection, investigation, and response. It relies on lightweight sensor agents deployed on endpoints to monitor for and protect against malicious activity, and it surfaces the resulting detections through the Falcon console and API.

CrowdStrike Falcon Data Replicator, on the other hand, is a component within the Falcon platform that replicates the raw endpoint telemetry collected by the sensors to external storage (a CrowdStrike-managed Amazon S3 bucket, with an SQS queue announcing each new object), from where a SIEM can pull it. Holding a complete copy of the raw events outside the Falcon console is beneficial for forensic analysis, threat hunting and retention beyond the console's own window, and provides redundancy against data loss.

Device Information

Entity            Particulars
Vendor Name       CrowdStrike
Product Name      EDR
Type of Device    Cloud

Collection Method

Log Type                            Ingestion label                Preferred Logging Protocol - Format    Log Collection Method    Data Source
CrowdStrike Falcon                  CS_EDR (Data Replicator)       API Pull - JSON                        C2C - Storage            https://cloud.google.com/chronicle/docs/reference/feed-management-api#amazon_sqs
CrowdStrike Detection Monitoring    CS_DETECTS (EDR Detections)    API Pull - JSON                        C2C                      https://cloud.google.com/chronicle/docs/reference/feed-management-api#cs-detects

Device Configuration

The following are the configuration steps for Falcon EDR. They apply to the parser with the CS_DETECTS ingestion label, which pulls detections through the Falcon API:

  1. Within the CrowdStrike Falcon console, create an API client by navigating to Support and resources > API clients and keys.

...

  1. Create a new API client and, under the API SCOPES field, grant Read permission on Detections. Grant only that scope: the feed only reads detections, so Write permissions and scopes for other APIs are unnecessary and would widen the blast radius if the credentials leak.


  1. Record the values for Base URL, Client ID and Client Secret. The Client Secret is displayed only once, at creation time, so store it in a secrets manager (not in this page or a ticket); if it is lost, the client has to be reset to obtain a new one.
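A practical check once the three values have been recorded, added here as an example rather than code from the original page or from CrowdStrike or Google: exchange the Client ID and Client Secret for a token at the Base URL, then make the smallest possible Detections call, so that a wrong secret, a wrong regional Base URL or a missing Read scope is caught before the feed is configured. The endpoint paths (/oauth2/token, /detects/queries/detects/v1) and the regional base URLs are the real Falcon ones; the function names are my own, and ConstructedFalconTransport with its status codes, error bodies and detection ID is a constructed stand-in for urllib.request.urlopen so that the block runs offline.

```python
"""Smoke-test a freshly created Falcon API client before handing its credentials
to the CS_DETECTS feed. Added example for this page, not vendor code. The API routes
are the real Falcon endpoints; ConstructedFalconTransport is a constructed offline
stand-in for urllib.request.urlopen, so nothing here reaches the network."""
import io
import json
import urllib.error
import urllib.parse
import urllib.request

# Regional base URLs offered on the "API clients and keys" page.
KNOWN_BASE_URLS = {
    "https://api.crowdstrike.com",             # US-1
    "https://api.us-2.crowdstrike.com",        # US-2
    "https://api.eu-1.crowdstrike.com",        # EU-1
    "https://api.laggar.gcw.crowdstrike.com",  # US-GOV-1
}


def token_request(base_url, client_id, client_secret):
    """OAuth2 client-credentials exchange: POST <base>/oauth2/token with a form body."""
    form = urllib.parse.urlencode({"client_id": client_id, "client_secret": client_secret})
    return urllib.request.Request(
        base_url.rstrip("/") + "/oauth2/token", data=form.encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"},
    )


def detects_request(base_url, access_token, limit=1):
    """Cheapest call that exercises the Detections Read scope; a 403 here means the scope is missing."""
    query = urllib.parse.urlencode({"limit": limit, "sort": "last_behavior|desc"})
    return urllib.request.Request(
        f"{base_url.rstrip('/')}/detects/queries/detects/v1?{query}",
        headers={"Authorization": f"Bearer {access_token}", "Accept": "application/json"},
    )


def _call(transport, req):
    """Send one request and return (status, json_body); HTTP errors become a status instead of raising."""
    try:
        with transport(req) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        try:
            return err.code, json.loads(err.read() or b"{}")
        except ValueError:
            return err.code, {}


def verify_client(base_url, client_id, client_secret, transport=urllib.request.urlopen):
    """Check the recorded Base URL, Client ID and Client Secret end to end and report what works."""
    result = {"base_url_known": base_url.rstrip("/") in KNOWN_BASE_URLS,
              "authenticated": False, "detections_read": False, "detection_ids": [], "error": None}
    status, body = _call(transport, token_request(base_url, client_id, client_secret))
    if status not in (200, 201) or "access_token" not in body:
        result["error"] = f"token request failed with HTTP {status}: check Client ID / Client Secret / Base URL"
        return result
    result["authenticated"] = True
    status, body = _call(transport, detects_request(base_url, body["access_token"]))
    if status == 200:
        result["detections_read"] = True
        result["detection_ids"] = list(body.get("resources", []))
    elif status == 403:
        result["error"] = "token accepted but the client lacks the Detections Read scope"
    else:
        result["error"] = f"detects query failed with HTTP {status}"
    return result


class _Response:
    """Minimal stand-in for http.client.HTTPResponse (context manager with .status and .read())."""
    def __init__(self, status, payload):
        self.status, self._body = status, json.dumps(payload).encode()
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        return False
    def read(self):
        return self._body


class ConstructedFalconTransport:
    """Constructed offline replacement for urllib.request.urlopen. Status codes and error
    bodies are assumptions shaped like Falcon's: 201 plus a token for the right credentials,
    401 otherwise, and 403 on the detects query when the Detections Read scope is absent."""
    def __init__(self, client_id, client_secret, has_detections_scope):
        self.client_id, self.client_secret, self.scope = client_id, client_secret, has_detections_scope

    @staticmethod
    def _deny(url, code, message):
        body = json.dumps({"errors": [{"code": code, "message": message}]}).encode()
        return urllib.error.HTTPError(url, code, message, {}, io.BytesIO(body))

    def __call__(self, req):
        url = req.full_url
        if url.endswith("/oauth2/token"):
            form = urllib.parse.parse_qs(req.data.decode())
            if form.get("client_id") == [self.client_id] and form.get("client_secret") == [self.client_secret]:
                return _Response(201, {"access_token": "constructed-token", "expires_in": 1799, "token_type": "bearer"})
            raise self._deny(url, 401, "access denied, invalid bearer token")
        if "/detects/queries/detects/v1" in url:
            if req.get_header("Authorization") != "Bearer constructed-token":
                raise self._deny(url, 401, "access denied, invalid bearer token")
            if not self.scope:
                raise self._deny(url, 403, "access denied, authorization failed")
            return _Response(200, {"resources": ["ldt:0123456789abcdef0123456789abcdef:1"]})  # constructed ID
        raise self._deny(url, 404, "not found")


if __name__ == "__main__":
    # Offline demonstration: a client created without the Detections Read scope.
    transport = ConstructedFalconTransport("example-client-id", "example-secret", has_detections_scope=False)
    print(verify_client("https://api.crowdstrike.com", "example-client-id", "example-secret", transport))
```

Against a real tenant, omit the transport argument (it defaults to urllib.request.urlopen) and read the Client ID and Client Secret from the environment or a secrets manager rather than hard-coding them. A result of authenticated but not detections_read is the classic misconfiguration from step 2: the credentials are right but the scope was never granted, and the feed would fail with 403 after appearing to connect.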

...