Accenture MxDR Quick Start Guide for AER Access in Crowdstrike
The following guide will provide you with instructions to setup the Accenture Managed MxDR CrowdStrike service.
 The document includes the following topics:
Managed Extended Response Detection (MxDR) Introduction
Managed Extended Response Detection (MxDR) Overview
Pre-Installation Questionnaire (PIQ)
 Introduction
 The Accenture Managed Extended Detection Response (MxDR)service delivers visibility and response, where Accenture SOC analysts action suspicious threat activities and find emerging and unknown threats across on-premises and cloud endpoints using forensics data coupled with machine learning analytics and the Accenture Global Intelligence Network. MxDR allows for close collaboration and seamless handoff of incident intelligence and helps to prioritize efforts and relieve security teams of valuable time and effort that would have been spent investigating incident alerts and detecting and responding to advanced attacks.
 Overview
 The CrowdStrike MxDR service has three primary components:
Log Collection Platform (LCP)
CrowdStrike Falcon Management
Host Management
Â
Log Collection Platform (LCP)
 The Log Collection Platform (LCP) is designed to collect, compress, and send your log data securely to Accenture MxDR. The LCP is deployed in the Accenture Security Cloud and pulls the data directly from CrowdStrike’s cloud via API (application programming interfaces).
Note: No client hardware or network access is needed.
 CrowdStrike Falcon Management
 The CrowdStrike Falcon Console will be co-managed by Accenture MxDR for shared services with client. After signing-up for the service, client’s will be provided with an Authorization Form for Access to CrowdStrike Falcon Host by MSP (Managed Service Provided) Personnel which will need to be provided to CrowdStrike, this should be emailed to MSSP@crowdstrike.com, Service Delivery Leads should be copied. This will grant Accenture MxDR access to your CrowdStrike data.
 Topology
Existing Accenture clients who currently own CrowdStrike will be moved under the Accenture MxDR parent instance in coordinated manner
New CrowdStrike clients will be deployed with Accenture MxDR as Parent
Each CID (Customer ID) has a stand-alone Splunk backend for data isolation purposes
Access Control
Access to the client’s CID is granted after the client submits the MSSP Authorization Form to CrowdStrike on behalf of Accenture MxDR (form can be provided by CrowdStrike or Service Delivery Lead)
Accounts for Accenture will be housed at the parent Accenture MxDR instance
Accenture MxDR requires the following roles in the client’s environment (changes to these permissions may impact the capabilities of the service):
Falcon Security Lead
Quarantine Manager
Custom IOAs Manager
Detection Exceptions Manager
Real Time Responders – Administrator
o  Accenture MxDR analyst accounts and access will be managed by Accenture MxDR
Access and entitlements for clients will be managed in their respective child CIDs and will allow choice of the existing CrowdStrike roles
 Event Data and Detections
 Detections
Detections will flow from the client CIDs into the Accenture MxDR instance
Detections can be managed at either the parent or child level, and by either Accenture or the client
Raw event data
Endpoint Activity Monitoring (EAM) data will be housed and stored in each client environment, and will only be searchable across the CIDs that house it
Accenture MxDR analysts will be able to search client Endpoint Activity Monitoring (EAM) data by pivoting into their respective consoles
 SIEM (Security Information Event Management) Connections for Detections
Accenture will consume detection data directly from each respective client CID
If required, clients will consume their detection data directly from their respective CID
Policy Management
 Accenture MxDR will have access to policy management, but clients will handle managing these policies. Unless pre-authorized to do so, Accenture MxDR will not update policies.
Host Management
Falcon agent installation and management are the responsibility of the client. If applicable, remediation is performed by MxDR analysts via the Falcon Console.
Pre-Installation Questionnaire (PIQ)
The pre-installation questionnaire (PIQ) is used to capture device and network details from your environment to begin the onboarding process. The PIQ requires information about the network ranges eligible for pre-authorized containment if applicable, how you will deploy the agent, and information about your current environment.
An Accenture MxDR Engineer will supply the PIQ for the client to complete via email or Service Request within the MxDR portal.
The client is expected to complete the PIQ and return it to the MxDR Engineer for processing.
Complete and return the PIQ – If remediation is authorized, the network range(s) of the hosts authorized for remediation must be defined in proper section of PIQ.
 FAQ (Frequently Asked Question)
 Will Accenture MxDR handle deployment of CrowdStrike falcon agents to new clients?
No. Accenture MxDR will have co-management access to CrowdStrike Falcon console to supply service, but this will not include deployment of agents.
 Will Accenture MxDR update the CrowdStrike (CS) agent configurations?
We will update the Endpoint Detection & Response (EDR) policy (blacklist, whitelist, etc.) if authorized. We will not update the endpoint policies (AV signatures, firewall rules, etc.).
Â
Legal Notice
Copyright © 2021 Accenture. All rights reserved.
Accenture, the Accenture Logo, and DeepSight Intelligence are trademarks or registered trademarks of Accenture in the U.S. and other countries. Other names may be trademarks of their respective owners.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Accenture and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. ACCENTURE SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Accenture as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.