Content Comparison

Table of Contents

minLevel	1
maxLevel	63
outline	false
style	disc
type	list
printable	true

...

CrowdStrike Falcon Endpoint Detection and Response (EDR) is the core platform that provides endpoint security capabilities, including threat detection, investigation, and response. It involves the deployment of lightweight agents on endpoints to monitor and protect against malicious activities.

CrowdStrike Data Replicator , on the other hand, is a specific feature or component within the Falcon platform focused on data replication. This replication is beneficial for purposes such as disaster recovery, forensic analysis, and threat hunting, providing redundancy and resilience against data loss.

Device Information

Entity	Particulars
Vendor Name

Crowdstrike

CrowdStrike
Product Name	EDR
Type of Device	Cloud

Collection Method

Log Type	Ingestion label	Preferred Logging Protocol - Format	Log Collection Method	Data Source
CrowdStrike Falcon	CS_EDR (Data Replicator)

API Pull

Raw log telemetry	Cloud Storage - JSON	C2C - Storage	https://cloud.google.com/chronicle/docs/reference/feed-management-api#amazon_sqs
CrowdStrike

Detection Monitoring

Falcon Stream

CS_

DETECTS

STREAM (EDR

Detections

Streaming API)

API

Pull

- JSON

C2C

https://cloud.google.com/chronicle/docs/reference/feed-management-api#cs-detects

CyberHub

Device Configuration

Following are the configuration steps for Falcon EDR, this . This applies to the parser with the CS_DETECTSSTREAM ingestion label:

Within the In CrowdStrike application, create an API client by navigating to Support and resources > API clients and keys.

...

2.Create a new API Client with API scopes granting

...

read permission for Event streams API scope.Image Removed

...

Image Removed

Record the values for: Base URL + , Client ID + Client Secret.

...

Share the base URL, client ID and secret with Adaptive MxDR onboarding engineer.

Ensure that the base URL is whitelisted to allow successful network connections.

To Configure Data Replicator Configuration Steps:

Please follow the steps below to enable raw log telemetry.

Following are the configuration steps for Data Replicator, this applies to the parser with the CS_EDR ingestion label:

Click the ADD button to create a new Falcon Data Replicator feed. This will generate S3 identifier, SQS URL and Client secret.
Use the generated Feed, S3 identifier, SQS URL, and Client secret values to set up feed in Chronicle.

Integration Parameters

Data Replicator:
To set up an a Data Replicator ingestion feed using Amazon S3, follow the steps:

Property	Default Value	Description
Region	N/A	The S3 region associated with URISelect the region of your S3 bucket.
S3 URI	N/A	The S3 URI to ingest. (It will be a combination of S3 bucket source URI.name and prefix. Eg- S3://<S3 bucket name>/<prefix>)
URI is a	N/A	The type of object of file indicated by the URI. Valid values are: `FILES`: The URI points to a single file which will be ingested with each execution of the feed. `FOLDERS`: The URI points to a directory. All files contained within the directory will be ingested with each execution of the feed. `FOLDERS_RECURSIVE`: The URI points to a directory. All files and directories contained within the indicated directory will be ingested, including all files and directories within those directories, and so on.
Source deletion option	N/A	Option to delete files and/or directories after transferring.
Access key id	N/A	An account access key that is 20-character alphanumeric string, for example AKIAOSFOODNN7EXAMPLE.
Secret access key	N/A	An account access key that is a 40-character alphanumeric string, for example wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY.
Oauth client ID	N/A	A public, client-specific OAuth identifier.
Oauth client secret	N/A	OAuth 2.0 client secret.
Oauth secret refresh URI	N/A	OAuth 2.0 client secret refresh URI.
Asset namespace	N/A	The namespace the feed will be associated with.

...

Whether to delete source files after they have been transferred to Chronicle. This reduces storage costs. Valid values are: `SOURCE_DELETION_NEVER`: Never delete files from the source. `SOURCE_DELETION_ON_SUCCESS`:Delete files and empty directories from the source after successful ingestion. `SOURCE_DELETION_ON_SUCCESS_FILES_ONLY`:Delete files from the source after successful ingestion.
ACCESS KEY ID	No	This is the 20 character ID associated with your Amazon IAM account.
SECRET ACCESS KEY	No	This is the 40 character access key associated with your Amazon IAM account.
ASSET NAMESPACE	No	To assign an asset namespace to all events that are ingested from a particular feed, set the `"namespace"` field within `details`. The `namespace` field is a string.

To set up a Data Replicator ingestion feed using Amazon SQS:

Property	Default Value	Description
Region	N/A	The S3 region associated with URISelect the region of your S3 bucket.
Queue name	N/A	The SQS queue name to read from.
Account number	N/A	The SQS account number for the SQS queue and S3 bucket.
Source deletion option	N/A	Option Whether to delete source files and/or directories after transferringafter they have been transferred to Chronicle. This reduces storage costs. Valid values are: `SOURCE_DELETION_NEVER`: Never delete files from the source. `SOURCE_DELETION_ON_SUCCESS`:Delete files and empty directories from the source after successful ingestion. `SOURCE_DELETION_ON_SUCCESS_FILES_ONLY`:Delete files from the source after successful ingestion.
Queue access key ID	N/A	An account access key that This is the 20 -character alphanumeric string, for example, AKIAOSFOODNN7EXAMPLEcharacter ID associated with your Amazon IAM account.
Queue secret access key	N/A	An account access key that is a 40-character alphanumeric string, for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY.
Asset namespace	N/A	The namespace that the feed will be associated with.

Detections:

...

	This is the 40 character access key associated with your Amazon IAM account.
SOURCE DELETION OPTION	Yes	Whether to delete source files after they have been transferred to Chronicle. This reduces storage costs. Valid values are: `SOURCE_DELETION_NEVER`: Never delete files from the source. `SOURCE_DELETION_ON_SUCCESS`:Delete files and empty directories from the source after successful ingestion. `SOURCE_DELETION_ON_SUCCESS_FILES_ONLY`:Delete files from the source after successful ingestion.
S3 BUCKET ACCESS KEY ID	No	This is the 20 character ID associated with your Amazon IAM account. Only specify if using a different access key for the S3 bucket.
S3 BUCKET SECRET ACCESS KEY	No	This is the 40 character access key associated with your Amazon IAM account. Only specify if using a different access key for the S3 bucket.
ASSET NAMESPACE	No	To assign an asset namespace to all events that are ingested from a particular feed, set the `"namespace"` field within `details`. The `namespace` field is a string.

Detections:

Property	Default Value	Description
OAUTH TOKEN ENDPOINT	N/A	Authentication URL (Base URL followed by `/oauth2/token`)
OAUTH CLIENT ID	N/A	OAuth Client ID
OAUTH CLIENT SECRET	N/A	OAuth Client Secret
BASE URL	api.crowdstrike.com	API Endpoint URL api.crowdstrike.com

CrowdStrike EDR Stream:

Property	Default Value	Description
Crowdstrikefalcon URL	https://api.crowdstrike.com	Base URL depending on customer region.
Client ID

N/A

	EMPTY	OAuth Client ID
Client Secret

N/A

EMPTY

OAuth Client Secret

Version	Old Version 1	New Version Current
Changes made by	Miguel Lauriano	Aparna Rr
Saved on	Apr 16, 2024	Feb 18, 2025

Versions Compared

Key

Device Information

Collection Method

Device Configuration

Integration Parameters

CrowdStrike EDR Stream: