|
| 1 | +# CrowdStrike FDR |
| 2 | + |
| 3 | +## Overview |
| 4 | + |
| 5 | +[CrowdStrike Falcon Data Replicator (FDR)][1] is a high-fidelity data export solution that enables organizations to securely stream raw endpoint telemetry in near real time. FDR delivers detailed event data through a data feed in JSON format using Amazon Web Services Simple Storage Service (Amazon S3) and Amazon Simple Queue Service (Amazon SQS). |
| 6 | + |
| 7 | +Integrate CrowdStrike FDR with Datadog to gain insights into Authentication & Identity, Account & Privilege Changes, Execution Monitoring & Threat Detection, File & Malware Activity, and Network Behavior events using pre-built dashboard visualizations. Datadog leverages its built-in log pipelines to parse and enrich these logs, facilitating easy search, and detailed insights. Additionally, the integration includes ready-to-use Cloud SIEM detection rules for enhanced monitoring and security. |
| 8 | + |
| 9 | +## Setup |
| 10 | + |
| 11 | +### Set up data replication from CrowdStrike FDR to a customer-owned S3 bucket |
| 12 | + |
| 13 | +#### Setup a custom AWS S3 bucket |
| 14 | +1. Sign in to the AWS Management Console and navigate to Amazon S3. |
| 15 | +2. Provide the details as mentioned below: |
| 16 | + - **Bucket name**: Enter a Bucket name (must be globally unique and begins with the prefix `crowdstrike-fdr` to comply with integration naming requirements). |
| 17 | + - **AWS Region**: Choose a region. |
| 18 | + - You can only use your S3 bucket if you're using the US-1, US-2, or EU-1 CrowdStrike clouds. |
| 19 | + - Ensure that your bucket resides in the same AWS region as your Falcon CID. |
| 20 | + CrowdStrike terminology for cloud regions differs slightly from AWS, as shown in this table. |
| 21 | + | CrowdStrike region | AWS region | |
| 22 | + |--------------------|--------------| |
| 23 | + | US-1 | us-west-1 | |
| 24 | + | US-2 | us-west-2 | |
| 25 | + | EU-1 | eu-central-1 | |
| 26 | + |
| 27 | + For example, if your Falcon CID resides in US-1, the bucket must reside in AWS's us-west-1 region. |
| 28 | +3. Click **Create bucket**. |
| 29 | +4. Once the bucket is created, click on the newly created bucket. |
| 30 | +5. Go to the **Permissions** tab. |
| 31 | +6. Click **Bucket policy** > **Edit**. |
| 32 | +7. Replace the 2 occurrences of the **<bucket_name>** placeholder in the below policy statement with your own bucket's name and add it in the **Policy** section: |
| 33 | + ``` |
| 34 | + { |
| 35 | + "Version": "2012-10-17", |
| 36 | + "Statement": [ |
| 37 | + { |
| 38 | + "Sid": "Allow cs ls", |
| 39 | + "Effect": "Allow", |
| 40 | + "Principal": { |
| 41 | + "AWS": "arn:aws:iam::292230061137:root" |
| 42 | + }, |
| 43 | + "Action": [ |
| 44 | + "s3:ListBucket", |
| 45 | + "s3:GetBucketLocation" |
| 46 | + ], |
| 47 | + "Resource": "arn:aws:s3:::<bucket_name>" |
| 48 | + }, |
| 49 | + { |
| 50 | + "Sid": "allow cs all", |
| 51 | + "Effect": "Allow", |
| 52 | + "Principal": { |
| 53 | + "AWS": "arn:aws:iam::292230061137:root" |
| 54 | + }, |
| 55 | + "Action": "s3:*", |
| 56 | + "Resource": "arn:aws:s3:::<bucket_name>/*" |
| 57 | + } |
| 58 | + ] |
| 59 | + } |
| 60 | + ``` |
| 61 | +8. Copy the **Bucket ARN** of your S3 bucket. |
| 62 | +9. Click **Save changes**. |
| 63 | +
|
| 64 | +#### Raise a support ticket in CrowdStrike |
| 65 | +1. Log in to the **CrowdStrike Falcon** console with an account that has **Administrator** privileges. |
| 66 | +2. Navigate to **Support and resources** > **Support portal**. |
| 67 | +3. Select **Support** > **Cases**. |
| 68 | +4. Click **Create Case**. |
| 69 | +5. Provide `FDR to send data to a customer-owned S3 bucket` as a **Case Title**. |
| 70 | +6. In the **Description** section of the support case, be sure to include the following details: |
| 71 | + - The Falcon Customer ID (CID) |
| 72 | + - Indicate the below type of events you wish to have provided in this new FDR feed. |
| 73 | + - primary events (All events found within the Events Data Dictionary) |
| 74 | + - The ARN of the custom S3 bucket copied in **Step-8** from `Setup Custom AWS S3 Bucket` |
| 75 | + - Confirmation that the bucket has been set up according to the specifications outlined |
| 76 | +7. **Customer ID (CID)**: Provide Falcon Customer ID |
| 77 | +8. **Preferred Working Time Zone**: Select any preferred timezone |
| 78 | +9. **Product Area**: Select `API and Integrations` |
| 79 | +10. **Product Topic**: Select `Falcon Data Replicator` |
| 80 | +11. Click **Submit Case**. |
| 81 | +12. Wait until CrowdStrike Support confirms that provisioning is complete. |
| 82 | +
|
| 83 | +## Configure Datadog Forwarder |
| 84 | +
|
| 85 | +- See the [Datadog Forwarder][2] page for configuration steps. |
| 86 | +
|
| 87 | +## Data Collected |
| 88 | +
|
| 89 | +### Logs |
| 90 | +
|
| 91 | +| Format | Event Types | |
| 92 | +| ------ | ----------- | |
| 93 | +| JSON | Primary Events | |
| 94 | +
|
| 95 | +### Metrics |
| 96 | +
|
| 97 | +The CrowdStrike FDR integration does not include any metrics. |
| 98 | +
|
| 99 | +### Events |
| 100 | +
|
| 101 | +The CrowdStrike FDR integration does not include any events. |
| 102 | +
|
| 103 | +## Support |
| 104 | +
|
| 105 | +For any further assistance, contact [Datadog support][3]. |
| 106 | +
|
| 107 | +[1]: https://www.crowdstrike.com/en-us/resources/data-sheets/falcon-data-replicator/ |
| 108 | +[2]: https://docs.datadoghq.com/logs/guide/forwarder/?tab=cloudformation |
| 109 | +[3]: https://docs.datadoghq.com/help/ |
| 110 | +[4]: https://github.com/CrowdStrike/FDR |
0 commit comments