
Configure CrowdStrike

Endpoint Detection and Response (EDR) integrations give our NDR solution a level of enrichment and intelligence about malicious activity at the endpoint that it would otherwise not see. Collecting EDR telemetry and feeding it into our threat detection makes our NDR Cases and Incidents richer and more holistic, because we now have the vantage point of both the endpoint and the network. Not only do our NDR detections become more substantial, the EDR integration can also influence the risk or severity score of what we see in NDR.

LogRhythm NDR leverages CrowdStrike's capabilities to provide more advanced threat detection to our customers.

  • Once CrowdStrike is configured, LogRhythm NDR ingests CrowdStrike events periodically, like a cron job, collecting the events that fall in each scheduled time range.
  • CrowdStrike events are ingested as ThirdPartyEvent records, and cases are created as those events pass through the detection pipeline.
  • A new MongoDB collection named "endpoint_ruleset" stores the endpoint integration rulesets of the different endpoint integration services.

Obtain a Client ID and Client Secret in CrowdStrike

To configure a CrowdStrike integration within LogRhythm NDR, you must first obtain a Client ID and Client Secret within the CrowdStrike Falcon Console.

For more information on obtaining required information from the CrowdStrike Falcon Console, see Getting Access to the CrowdStrike API.


The API key requires the following API scopes:

  API Route: /detects/queries/detects/v1
  Methods: GET
  Scope Needed: DETECTIONS
  Access: READ
  Notes: Allows access to detection information.
    • Read: View information about a detection, such as its behavior, severity, associated host, timestamps, etc.
    • Write: Modify metadata about a detection, such as its status, assignee, and description. This scope can't change core information about the detection (behavior, severity, associated host, timestamp, etc.).

  API Route: /detects/entities/summaries/GET/v1
  Methods: POST
  Scope Needed: DETECTIONS
  Access: READ
  Notes: Allows access to detection information.
    • Read: View information about a detection, such as its behavior, severity, associated host, timestamps, etc.
    • Write: Modify metadata about a detection, such as its status, assignee, and description. This scope can't change core information about the detection (behavior, severity, associated host, timestamp, etc.).

  API Route: /oauth2/token
  Methods: POST
  Scope Needed: N/A
  Access: N/A
  Notes: N/A
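As an added illustration (this is not LogRhythm's or CrowdStrike's own code), the Python below walks through one polling cycle over the three routes in the scope table: a client-credentials token from /oauth2/token, a DETECTIONS:READ query for detection IDs from /detects/queries/detects/v1, a summary fetch from /detects/entities/summaries/GET/v1, and a flattening of each summary into a ThirdPartyEvent-style record tagged with entry_origin "CrowdStrike". A test_connection() function does what the Test button in the integration form amounts to: it checks whether the Client ID and Client Secret yield a token. The FQL filter field used for the time range, the ThirdPartyEvent field names, the response shapes in the fake transport and the sample detections are all assumptions or constructed data, not taken from the page; only the routes, the scope and the API URL come from the page.

```python
"""Added example of one cron-style collection cycle for the CrowdStrike
integration. Not LogRhythm or CrowdStrike code; see the lead-in for assumptions."""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

API_URL = "https://api.crowdstrike.com"  # the API URL named on the page


def http_json(method, url, headers=None, body=None):
    """Real transport: send the request and decode the JSON reply."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers or {})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


class CrowdStrikeClient:
    def __init__(self, client_id, client_secret, api_url=API_URL, transport=http_json):
        self.client_id, self.client_secret = client_id, client_secret
        self.api_url, self.transport, self.token = api_url.rstrip("/"), transport, None

    def authenticate(self):
        """POST /oauth2/token with the client credentials; returns the bearer token."""
        form = urllib.parse.urlencode(
            {"client_id": self.client_id, "client_secret": self.client_secret}).encode()
        reply = self.transport("POST", f"{self.api_url}/oauth2/token",
                               {"Content-Type": "application/x-www-form-urlencoded"}, form)
        self.token = reply["access_token"]
        return self.token

    def test_connection(self):
        """Equivalent of the Test button: True only if a token can be obtained."""
        try:
            return bool(self.authenticate())
        except Exception:  # bad secret, network error, unexpected reply
            return False

    def _auth_headers(self):
        return {"Authorization": f"Bearer {self.token}", "Accept": "application/json"}

    def query_detection_ids(self, since):
        """GET /detects/queries/detects/v1 (DETECTIONS:READ). Filtering on the
        last_behavior timestamp is an assumption about how the range is expressed."""
        fql = f"last_behavior:>'{since.strftime('%Y-%m-%dT%H:%M:%SZ')}'"
        params = urllib.parse.urlencode({"filter": fql, "limit": 500})
        reply = self.transport("GET", f"{self.api_url}/detects/queries/detects/v1?{params}",
                               self._auth_headers())
        return reply.get("resources", [])

    def get_detection_summaries(self, ids):
        """POST /detects/entities/summaries/GET/v1 (DETECTIONS:READ) with the ID list."""
        if not ids:
            return []
        headers = dict(self._auth_headers(), **{"Content-Type": "application/json"})
        reply = self.transport("POST", f"{self.api_url}/detects/entities/summaries/GET/v1",
                               headers, json.dumps({"ids": ids}).encode())
        return reply.get("resources", [])


def to_third_party_event(detection):
    """Flatten one summary into a ThirdPartyEvent-style record (field names assumed)."""
    behaviors = detection.get("behaviors", [])
    return {
        "entry_origin": "CrowdStrike",
        "detection_id": detection["detection_id"],
        "severity": detection.get("max_severity"),
        "severity_name": detection.get("max_severity_displayname"),
        "status": detection.get("status"),
        "hostname": detection.get("device", {}).get("hostname"),
        "tactics": sorted({b["tactic"] for b in behaviors if b.get("tactic")}),
    }


def poll_once(client, polling_interval_minutes, now=None):
    """One collection run: everything in the last polling-interval window."""
    now = now or datetime.now(timezone.utc)
    since = now - timedelta(minutes=polling_interval_minutes)
    client.authenticate()
    ids = client.query_detection_ids(since)
    return [to_third_party_event(d) for d in client.get_detection_summaries(ids)]


def fake_transport(method, url, headers=None, body=None):
    """Constructed stand-in for the Falcon API so the example runs offline."""
    path = urllib.parse.urlsplit(url).path
    if path == "/oauth2/token":
        if urllib.parse.parse_qs(body.decode()).get("client_secret") != ["s3cret"]:
            raise PermissionError("401 invalid client credentials")
        return {"access_token": "tok", "expires_in": 1799}
    if headers.get("Authorization") != "Bearer tok":
        raise PermissionError("401 missing bearer token")
    if path == "/detects/queries/detects/v1":
        return {"resources": ["ldt:sample:1", "ldt:sample:2"]}  # constructed IDs
    if path == "/detects/entities/summaries/GET/v1":
        ids = json.loads(body)["ids"]
        return {"resources": [
            {"detection_id": ids[0], "max_severity": 70, "max_severity_displayname": "High",
             "status": "new", "device": {"hostname": "ws-01"},
             "behaviors": [{"tactic": "Persistence"}, {"tactic": "Execution"}]},
            {"detection_id": ids[1], "max_severity": 30, "max_severity_displayname": "Low",
             "status": "in_progress", "device": {"hostname": "ws-02"}, "behaviors": []}]}
    raise ValueError(f"unexpected route {path}")


if __name__ == "__main__":
    client = CrowdStrikeClient("client-id", "s3cret", transport=fake_transport)
    print("connection ok:", client.test_connection())
    for event in poll_once(client, polling_interval_minutes=15):
        print(event)
```

Pass the real http_json transport (the default) with a genuine Client ID and Client Secret to run it against the Falcon API; the fake transport only exists so that the flow, including the failed-credentials path that the Test button reports as Connection Failed, can be exercised without network access.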


To obtain the Client ID and Client Secret in the Falcon console:

  1. Click the Falcon tab.
  2. In the drop-down menu, click Support.
  3. Click API Clients and Keys.
  4. Click Add API Key.
    The Add new API client page appears.
  5. Enter a Client Name and Description for this API key.
  6. In the Detections row, click Read.
  7. Click Add.
    The Client ID and Client Secret appear.

Add a New CrowdStrike Integration in LogRhythm NDR

To create a new CrowdStrike integration:

  1. Log in to the LogRhythm NDR UI.
  2. Click the Settings tab, and then click Endpoint Integrations.
    The Endpoint page appears.
  3. To add a new endpoint integration, click Add Endpoint Integration.
  4. Click Active to make the integration active.
  5. Click Endpoint Type, and click CrowdStrike.
  6. Enter the integration credentials into the relevant fields.

    Integration Name: A unique name for this integration configuration.
    Polling Interval: The amount of time (in minutes) between each collection of new information from the integration.
    API URL: The API URL for CrowdStrike is https://api.crowdstrike.com
    Client ID: The Client ID generated in the CrowdStrike Falcon console.
    Client Secret: The Client Secret generated in the CrowdStrike Falcon console.
  7. To verify the credentials have been entered correctly, click Test.
    If the information is correct, Connection Success appears. Otherwise, Connection Failed appears, meaning the credentials need to be verified and re-entered.
  8. Click Save.
    The CrowdStrike integration is now complete within LogRhythm NDR.

Verify a CrowdStrike Integration is Working

To verify that information is being collected for the CrowdStrike integration:

  1. Log in to the LogRhythm NDR UI.
  2. Click the Hunt tab, and then click Activity.
    The Activity page appears. By default, the legend graph is displayed, showing the logs and events for the past hour.
  3. To view the integration events alone, click ThirdPartyEvent on the graph.
    All integration-related events appear.
  4. To view the integration, click the Discover icon located to the left of the search field, and then click General.
  5. Select the Origin option, and then click the Visualize icon (which is the bar graph icon) for the item.

    If events do not display, you may have to change the time range.
  6. To single out data for a selected filter, click the Add Filter option in the Discover drop-down menu.
    The Value based Filters & Aggregations dialog box appears.
    For example, use the "entry_origin" filter (entry_origin: "CrowdStrike") to filter on the engine that detected the traffic, which gives you the following options:

    1 - Distributed Analytics Engine
    2 - Host Compliance Engine
    3 - Network Analysis Engine
    4 - Rules Engine

  7. To add the filter to the item displayed in the Value based Filters & Aggregations dialog box, click the icon next to the item.

  8. To remove the filter, click the - icon next to the item.

  9. To view the integration events, click the + icon.

Edit a CrowdStrike Integration

To make changes to an existing CrowdStrike integration:

  1. Click the Settings tab, and then click Endpoint Integrations.
    The Endpoint page appears.
  2. Click the green Edit icon in the Actions column for the CrowdStrike integration you wish to edit.
    The Edit Operator page opens.
  3. After making changes, click Update.
    The endpoint integration is updated within LogRhythm NDR.

Delete a CrowdStrike Integration

To delete an existing CrowdStrike integration:

  1. Click the Settings tab, and then click Endpoint Integrations.
    The Endpoint page appears.
  2. Click the red Delete icon in the Actions column for the CrowdStrike integration you wish to remove.
  3. Click Yes.
    The CrowdStrike integration is deleted in LogRhythm NDR.