If you're having trouble at any stage please contact us at firstname.lastname@example.org.
CrowdStrike Falcon is a suite of services for endpoint protection, threat intelligence and incident response. The Falcon management service is delivered as a cloud service.
The CrowdStrike Falcon connector will help you with:
- Collecting and retaining the granular activities from CrowdStrike Falcon in the organization's central log or event management system for compliance, investigation or forensic needs.
- Delivering the CrowdStrike Falcon alerts to your SIEM/SOC systems
What is it
SkyFormation Cloud Connector for CrowdStrike is part of the SkyFormation Cloud Connectors module. It continuously ingests audit events from multiple audit sources in the CrowdStrike Falcon account, unifies the events into a common application events format, enriches the events with the needed detection context and sends the events to any existing SIEM/SOC system.
How it works
SkyFormation Cloud Connector for CrowdStrike retrieves the events from the Falcon service through its APIs. Before sending the events to the existing SIEM/SOC system the connector will:
- Unify the events into the SkyFormation unified application events format
- Embed the origin event into the SkyFormation event
- Complement the event with missing information
- Enrich the event with detection context, such as AD identity information
- Encode the resulting event into a standard format (e.g. CEF)
- Send the event to the existing SIEM/SOC system over syslog
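The pipeline above, as an added Python illustration that is not the connector's own code: a constructed Falcon streaming-API style audit event is unified into a flat record, the origin event is embedded, AD identity context is added from a constructed lookup, and the result is encoded as a CEF line with the escaping the CEF header and extension require. The Falcon field names, the CEF vendor/product/severity values and the AD lookup are assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like a Falcon Streaming API audit event (field names are assumptions).
SAMPLE_EVENT = {
    "metadata": {"eventType": "UserActivityAuditEvent", "offset": 1234},
    "event": {
        "UserId": "alice@example.com",
        "UserIp": "203.0.113.10",
        "OperationName": "detection_update",
        "ServiceName": "detections",
        "UTCTimestamp": 1700000000,
    },
}

# Constructed AD identity table standing in for the connector's enrichment source.
AD_DIRECTORY = {"alice@example.com": {"sAMAccountName": "alice", "department": "SOC"}}

# Unified field -> standard CEF extension key (cs1 carries the embedded origin event).
KEY_MAP = {"actor": "suser", "actor_ip": "src", "service": "sourceServiceName",
           "time": "rt", "origin": "cs1", "ad_account": "ad_account", "ad_department": "ad_department"}

def unify(raw):
    """Map a Falcon event into a source-neutral dict and embed the original event as JSON."""
    ev = raw["event"]
    return {
        "event_type": raw["metadata"]["eventType"],
        "action": ev.get("OperationName", ""),
        "actor": ev.get("UserId", ""),
        "actor_ip": ev.get("UserIp", ""),
        "service": ev.get("ServiceName", ""),
        "time": datetime.fromtimestamp(ev["UTCTimestamp"], tz=timezone.utc).isoformat(),
        "origin": json.dumps(raw, separators=(",", ":")),
    }

def enrich(event):
    """Complement the unified event with AD identity context when the actor is known."""
    ident = AD_DIRECTORY.get(event["actor"], {})
    return {**event, "ad_account": ident.get("sAMAccountName", ""), "ad_department": ident.get("department", "")}

def cef_header(value):
    """CEF header fields: escape backslash and the pipe delimiter."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")

def cef_ext(value):
    """CEF extension values: escape backslash, '=' and newlines."""
    return str(value).replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")

def to_cef(event):
    """Encode the enriched event as one CEF:0 line ready to ship over syslog."""
    fields = ("CrowdStrike", "Falcon", "1", event["event_type"], event["action"], "3")
    header = "CEF:0|" + "|".join(cef_header(v) for v in fields)
    ext = " ".join(f"{KEY_MAP[k]}={cef_ext(event[k])}" for k in KEY_MAP if k in event)
    return header + "|" + ext

def process(raw):
    return to_cef(enrich(unify(raw)))
```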
CrowdStrike Falcon Audit Sources & Events Supported
|Audit Source (API)|Service/Module Covered|Event Types|Notes|
|---|---|---|---|
|Falcon Streaming API|Full audit events and alerts|Administrative actions, alerts||
|CrowdStrike Falcon Data Replicator (FDR)|CrowdStrike FDR|The raw Threat Graph events (aka Falcon platform)|Events are forwarded by CrowdStrike to an AWS S3 bucket and collected by the SkyFormation connector from there.|
How to on-board CrowdStrike Falcon Connector to SkyFormation