TEAM: Huntress Managed Security Information and Event Management (SIEM)
PRODUCT: API Log Source
ENVIRONMENT: CrowdStrike Falcon
SUMMARY: Configuration Guide for CrowdStrike Falcon Alert Ingestion
Vendor Information
| Vendor | CrowdStrike |
|---|---|
| Collection Method | API |
| Query Syntax: | event.provider == "CrowdStrike" |
| Billable Sources Calculation | Multiple CrowdStrike Sites can be configured at the Huntress Account level, but not at the organization level. 1 Endpoint Source Per CrowdStrike Agent |
| Additional Information | Configuration is restricted to the Huntress Account level. |
Source Configuration
Configure CrowdStrike Falcon API Access
To successfully integrate the Huntress Managed SIEM with CrowdStrike Falcon, an API key with the following minimum permissions is required:
- Alerts (Read-Only)
To acquire the API client ID and secret, follow these steps:
- Login to your CrowdStrike Falcon console with an account with permission to create API keys.
- From the Navigation menu, select "Support and Resources", then "API clients and keys".
- Select "Add new API client".
- Enter a Client name and Description, then enable "Read" for Alerts scope.
- Select Save, then copy the client ID and secret into the Huntress integration, documented in the following step.
Create the Huntress SIEM Integration
- Navigate to Huntress SIEM -> Source Management -> CrowdStrike Falcon
- Select the green +Add button to create a new CrowdStrike Falcon configuration.
- Enter the details of the configuration as needed, including the API key obtained in the first two steps. Save the configuration. The Default Organization will be where logs that aren't endpoint or site-specific will be stored.
- Select Save.
Using Third Party EDR and AV Log Sources
Huntress has developed several third-party EDR and AV SIEM integrations in order to provide visibility in the Huntress platform into those third party activities and findings. We have developed several detections that surface third party detections to the Huntress SOC, and leverage that data for investigations. While this increases the visibility of the Huntress SOC into customers environments with alternative EDR/AV solutions, there are certain limitations that partners should be aware of.
Limitations
- These are one-way integrations that ingest high level alert and solution audit activity from the third party solutions. Raw telemetry is not included as that accounts for a significant amount of data that would rapidly overwhelm account data pools. Most EDR solutions store endpoint telemetry within the solution for a limited amount of time to meet compliance requirements, as generally storing raw endpoint telemetry is not suitable for SIEM ingestion.
- Huntress has no ability to leverage response actions of third party agents. If the Huntress agent is not installed in parallel, the Huntress SOC investigation capability will be limited to what other SIEM sources are available for that endpoint. For example firewall and cloud log sources.
- Huntress does not have the ability to manage third party agents or platforms, or update the state of third party detections within that solution console.
Benefits
- In scenarios where you have an organization or subset of endpoints with only the third party agent installed, the Huntress SOC will have very limited insight into that endpoint. However the detection alerts from that third party agent do provide a minimum amount of visibility into that particular endpoint.
- In scenarios where you have an organization or subset of endpoints with both the Huntress and the third party agent installed, for example with SIEM or EDR customers, the SOC can take remediation actions through the Huntress agent when the third party agent indicates an investigation is warranted.
Third party EDR integrations are provided to ensure Huntress can service and protect partners to the best possible ability given a diversity of contracted services and agents.