[SAASINT-4634] DDS: CrowdStrike FDR Integration v1.0.0 #21242
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
datadog-agent-integrations-bot
bot
added
documentation
dev/testing
dev/tooling
qa/skip-qa
|
This PR does not modify any files shipped with the agent. To help streamline the release process, please consider adding the |
tirthrajchaudhari-crest
changed the title
rtrieu
requested changes
Sep 3, 2025
crowdstrike_fdr/README.md
Outdated
| - **Bucket name**: Enter a Bucket name (must be globally unique and begins with the prefix `crowdstrike-fdr` to comply with integration naming requirements). | ||
| - **AWS Region**: Choose a region. | ||
| - You can only use your S3 bucket if you're using the US-1, US-2, or EU-1 CrowdStrike clouds. | ||
| - Ensure that your bucket resides in the same AWS region as your Falcon CID where the FDR feed is provisioned. |
There was a problem hiding this comment.
Suggested change
| - Ensure that your bucket resides in the same AWS region as your Falcon CID where the FDR feed is provisioned. | |
| - Ensure that your bucket resides in the same AWS region as your Falcon CID where the FDR feed is provisioned. |
There was a problem hiding this comment.
Done
temporal-github-worker-1
bot
added
docs/requested-changes
and removed
docs/review-requested
labels
rtrieu
requested changes
Sep 4, 2025
crowdstrike_fdr/README.md
Outdated
| 3. In the **FDR feeds** tab, click **Create feed**. | ||
| 4. Provide a feed name. | ||
| 5. Set the feed **status** to on. | ||
| 6. Select **Customize your FDR feed** in **How do you want to create this feed?** option. |
There was a problem hiding this comment.
Suggested change
| 6. Select **Customize your FDR feed** in **How do you want to create this feed?** option. | |
| 6. Select **Customize your FDR feed** in the **How do you want to create this feed?** option. |
There was a problem hiding this comment.
Done
crowdstrike_fdr/README.md
Outdated
|
|
||
| ### Set up data replication from CrowdStrike FDR to a customer-owned S3 bucket | ||
|
|
||
| #### Configure CrowdStrike FDR Feed |
There was a problem hiding this comment.
Suggested change
| #### Configure CrowdStrike FDR Feed | |
| #### Configure the CrowdStrike FDR feed |
There was a problem hiding this comment.
Done
temporal-github-worker-1
bot
added
docs/approved
and removed
docs/requested-changes
labels
temporal-github-worker-1
bot
dismissed
rtrieu’s stale review
Review from rtrieu is dismissed. Related teams and files:
- documentation
- crowdstrike_fdr/README.md
temporal-github-worker-1
bot
added
docs/review-requested
and removed
docs/approved
labels
Signed-off-by: tirthraj.chaudhari <[email protected]>
tirthrajchaudhari-crest
force-pushed
the
crowdstrike-fdr-v1.0.0
branch
from
3ea2752 to
e466dc1
Compare
torosmassa
changed the title
shrey4b
approved these changes
Sep 18, 2025
crowdstrike_fdr/README.md
Outdated
|
|
||
| [CrowdStrike Falcon Data Replicator (FDR)][1] is a high-fidelity data export solution that enables organizations to securely stream raw endpoint telemetry in near real time. FDR delivers detailed event data through a data feed in JSON format using Amazon Web Services Simple Storage Service (Amazon S3) and Amazon Simple Queue Service (Amazon SQS). | ||
|
|
||
| Integrate CrowdStrike FDR with Datadog to gain insights into Authentication & Identity, Account & Privilege Changes, Execution Monitoring & Threat Detection, File & Malware Activity and Network Behavior events using pre-built dashboard visualizations. Datadog leverages its built-in log pipelines to parse and enrich these logs, facilitating easy search, and detailed insights. Additionally, the integration includes ready-to-use Cloud SIEM detection rules for enhanced monitoring and security. |
There was a problem hiding this comment.
Done
abhi-modugula
added
the
assets/deploy-logs-staging
abhi-modugula
approved these changes
Sep 19, 2025
rtrieu
reviewed
Sep 23, 2025
| 6. In the **Description** section of the support case, be sure to include the following details: | ||
| - The Falcon Customer ID (CID) | ||
| - Indicate the below type of events you wish to have provided in this new FDR feed. | ||
| - primary events (All events found within the Events Data Dictionary) |
There was a problem hiding this comment.
Suggested change
| - primary events (All events found within the Events Data Dictionary) | |
| - Primary events (All events found within the Events Data Dictionary) |
rtrieu
approved these changes
Sep 23, 2025
temporal-github-worker-1
bot
added
docs/approved
and removed
docs/review-requested
labels
sarah-witt
approved these changes
Sep 23, 2025
github-actions bot
pushed a commit
that referenced
this pull request
Sep 23, 2025
* Add crowdstrike-fdr integration * Add images and test results * Add dashboard image and update manifest file * Resolve validate-assets stage * Empty commit to rerun validate assets * Address review comments * Add facets in pipeline yaml file * Minor description update * Address review comments * Update minor configurations steps Signed-off-by: tirthraj.chaudhari <[email protected]> * Add extra category value in manifest file --------- Signed-off-by: tirthraj.chaudhari <[email protected]> ba3d2ba
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What does this PR do?
This is a initial release PR of Crowdstrike FDR integration including all the required assets.
Integration Logo Source: https://static.datadoghq.com/static/images/logos/crowdstrike_large.svg
Additional Notes
Review checklist (to be filled by reviewers)
qa/skip-qalabel if the PR doesn't need to be tested during QA.backport/<branch-name>label to the PR and it will automatically open a backport PR once this one is merged