Merge pull request #1376 from SEKOIA-IO/feature/crowdstrike
Update overview crowdstrike integration
rombernier authored Oct 18, 2023
2 parents 5c2e421 + 03b4cc6 commit 041f637
Showing 2 changed files with 16 additions and 1 deletion.
Expand Up @@ -7,6 +7,13 @@ type: intake
CrowdStrike Falcon is an Endpoint Detection and Response solution.
This setup guide explains how to forward and collect the detections and activity logs of your CrowdStrike EDR to Sekoia.io.

CrowdStrike Falcon integration gathers EDR logs. Below is a concise list of activities that can be monitored using CrowdStrike Falcon logs:

- Alerts raised by the EDR, with limited informations like hash, command line, IP.
- Crowdstrike Falcon Audit logs
- Crowdstrike Falcon Incident logs
- Identity protection events

{!_shared_content/operations_center/detection/generated/suggested_rules_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.md!}

{!_shared_content/operations_center/integrations/generated/22f2afd2-c858-443d-8e06-7b335e439c29.md!}
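Review bot: the added bullet "Alerts raised by the EDR, with limited informations like hash, command line, IP." has a grammar error ("informations" is uncountable; use "information") and the list mixes "Crowdstrike" with the "CrowdStrike" spelling used in the rest of the file. Suggest "- Alerts raised by the EDR, with limited information such as hash, command line and IP address." and "- CrowdStrike Falcon Audit logs" / "- CrowdStrike Falcon Incident logs" so the product name is consistent across the page.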
Expand All @@ -16,7 +23,7 @@ This setup guide explains how to forward and collect the detections and activity
This integration supports the following events from CrowdStrike Falcon:

- Detection Summaries (`DetectionSummaryEvent`)
- Incident Summaries ('IncidentSummaryEvent')
- Incident Summaries (`IncidentSummaryEvent`)
- Audit logs (`UserActivityAuditEvent` and `AuthActivityAuditEvent`)
- Identity protection events (`IdpDetectionSummaryEvent` and `IdentityProtectionEvent`)

Expand Up @@ -9,6 +9,14 @@ CrowdStrike provides cloud workload and endpoint security, threat intelligence,
!!! warning
Important note - This format is currently in beta. We highly value your feedback to improve its performance.

CrowdStrike Falcon Telemetry gathers raw system logs, legitimate and suspicious activities. Below is a non-exhaustive list of activities that can be monitored using CrowdStrike Telemetry logs:

-Process creation and termination
-File path creation and deletion
-Events related to processes
-DNS requests
-HTTP connections

{!_shared_content/operations_center/detection/generated/suggested_rules_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.md!}

{!_shared_content/operations_center/integrations/generated/10999b99-9a8d-4b92-9fbd-01e3fac01cd5.md!}
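Review bot: the five added list items are written as "-Process creation and termination" with no space after the hyphen, so Markdown will not render them as a bullet list; the first hunk in this PR uses "- " correctly, so the same form should be used here. "Events related to processes" also overlaps with "Process creation and termination" and should either be dropped or made specific, and the lead sentence reads more clearly as "gathers raw system logs covering both legitimate and suspicious activity".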