Endpoint Logs
      Back to home
      1. Radiant Help Center
      2. Getting Started
      3. Endpoint Logs

      Crowdstrike FDR

      Pull Crowdstrike FDR endpoint data.

      Overview

      In this guide, you will create new credentials for Crowdstrike FDR in order to pull endpoint events, alerts, incidents, and host details. This endpoint data is used to identify impacted identities who have clicked on malicious links and impacted devices in which malicious files were downloaded, as well as collect rich details about the impacted devices. 

      In this guide you'll complete the following steps:

      At the end of this configuration, you will provide Radiant Security with the following values:

      • AWS Client ID
      • AWS Secret Key
      • SQS URL

      Prerequisites

      To complete the configuration, you will need the following:
      • Permissions: Falcon Administrator
      • License: Falcon Insight and Falcon Data Replicator
      • You must have an active subscription to Falcon Data Replicator and it must be enabled in Crowdstrike

      Important note: If you are a customer that's already using FDR, please note that Crowdstrike will create two AWS S3 buckets and up to two AWS SQS queues per bucket for a maximum of four feeds. One of the S3 buckets must be reserved for Radiant Security.

      Create credentials for Crowdstrike FDR

      1. Log in to your CrowdStrike Falcon console as an administrator.
      2. From the upper left corner, click the Menu icon.
      3. Click Support and resources, then click Falcon data replicator.
        image (15)
      4. In the top right, click on the Create feed button.
      5. On the Create feed page, enter a Feed name, set the feed status to On. Keep the default settings selected.
        image (16)
      6. Click Next to proceed.
      7. On the next page, keep the default settings unchanged and click Next.
        image (17)
      8. Click the Create feed button.
      9. Copy the Client ID, Secret, and Notifications URL for the next steps.
        image (18)

      Note: Be sure to document and store the Secret Key carefully as it cannot be retrieved later.

      Add the credentials in Radiant Security

      1. Log in to Radiant Security.
      2. From the navigation menu, select Settings > Credentials and click + Add Credential.
      3. Select the correct vendor from the list and click Configure Credential.
      4. Under Credential Name, give the credential an identifiable name like Crowdstrike_FDR_Credentials and fill in the Required Credentials fields with the values you copied from the previous step:
        • AWS Client ID
        • AWS Secret Key
        • The SQS URL should have a format like: https://sqs.us-east-2.amazonaws.com/

        Screenshot 2024-02-01 at 9.01.32 PM
      5. Click Add Credential to save the changes.

      Add a data connector

      1. From the navigation menu, select Settings > Data Connectors and click + Add Connector to create a new data connector.
      2. Select the correct vendor from the list and click Data Feeds.
      3. Select the applicable data feed and click Credentials.
      4. From the drop-down, select the credential, or click + Add New Credential to add a new credential if it doesn’t already exist.
      5. Click Add Connector to finish creating the new data connector.

      We value your opinion. Did you find this article helpful? Share your thoughts by clicking here or reach to our Product and Customer Success teams at support@radiantsecurity.ai 

       

      Last updated: 2024-11-19