How Red Canary Works with CrowdStrike Falcon


Red Canary's integration with CrowdStrike Falcon goes deeper than a standard alert-based integration. Rather than relying solely on alerts generated by the Falcon platform, Red Canary ingests raw telemetry via the Falcon Data Replicator (FDR), a data pipeline developed jointly by CrowdStrike and Red Canary. This telemetry feeds Red Canary's detection platform, which processes and analyzes it before our Cyber Incident Response Team (CIRT) reviews confirmed threats and eliminates false positives. The result is a layered security operation that combines:

  • CrowdStrike alerts: Every detection generated by Falcon's native rules

  • CrowdStrike raw telemetry: Low-level endpoint event data via FDR

  • Red Canary Managed Detection and Response: Automated analysis and expert triage

Note

Most CrowdStrike integrations only consume Falcon-generated alerts. Red Canary's integration operates at the telemetry layer, giving our platform and analysts richer context for detection and investigation.

How the Integration Works


Red Canary and CrowdStrike use several integration points to implement exceptional security operations. At a high level:

  1. CrowdStrike Falcon sensors collect endpoint telemetry and send it to the Falcon cloud.

  2. The Falcon Data Replicator streams raw telemetry to Red Canary in real time.

  3. Red Canary's detection platform analyzes the telemetry and processes all Falcon-generated alerts.

  4. Red Canary's CIRT reviews detections, confirms true positives, and enriches confirmed alerts with investigation context.

  5. (If enabled) Alert synchronization closes reviewed alerts back in the Falcon console automatically.

Getting Started

To get started, you'll need to work with your Red Canary contact to connect your CrowdStrike Falcon deployment. Setup typically takes 3–5 business days, depending on CrowdStrike's processing time for the MSSP Authorization form. The setup process looks like this:

  1. Request an Authorization Form from your Red Canary contact. This instructs CrowdStrike to grant Red Canary access to your Falcon console and begin sending telemetry to Red Canary for processing.

  2. Submit the Authorization Form to support@crowdstrike.com, making sure to CC your CrowdStrike account manager and your Red Canary contact on the email.

  3. Share your CrowdStrike CID with Red Canary so we can configure our platform to accept your data.

  4. Red Canary coordinates the connection with CrowdStrike and notifies you once telemetry is flowing successfully between platforms.

  5. Red Canary configures an alert source for CrowdStrike that routes each Falcon alert to Red Canary for investigation.

Ingest Details

Red Canary ingests the following data from CrowdStrike:

  • Endpoint Telemetry: Red Canary receives the full scope of data collected by your CrowdStrike Falcon sensors. This raw telemetry is used exclusively for detection purposes and is processed by Red Canary's detection platform before any analyst review.

  • System Events: Several system-level events generated by the CrowdStrike platform are ingested as audit logs in Red Canary, providing visibility into platform-level activity.

  • Alerts: Every alert generated by CrowdStrike's detection rules is forwarded to Red Canary for investigation. Red Canary's platform and CIRT determine whether each alert is a true or false positive and add investigation context to confirmed detections to accelerate your response workflow. You can enable alert synchronization to automatically update and close alerts in the CrowdStrike console once Red Canary completes its review. This keeps your Falcon console tidy without requiring manual reconciliation across platforms.

Exporting CrowdStrike Data

CrowdStrike telemetry ingested by Red Canary can be exported downstream using the Canary Exporter. Supported destinations include:

  • SIEM platforms

  • Long-term storage

  • Custom processing pipelines

For configuration details, see Get Data out of Red Canary.

Requirements

CrowdStrike Licensing

The following CrowdStrike license modules are required before beginning the integration:

License and purpose:

  • Falcon Prevent (NGAV): Next-generation antivirus and endpoint protection

  • Falcon Insight (EDR): Endpoint detection and response telemetry

  • Falcon Data Replicator: Raw telemetry export to Red Canary

  • Threat Graph Standard: Enriched sensor data storage

Contact your CrowdStrike account manager if you're unsure which modules are active on your account.

Network Requirements

The Falcon sensor requires TLS (1.0 or later) traffic between your network and CrowdStrike's cloud infrastructure. Depending on your environment, you may need to explicitly allow this traffic at your network egress points.

To find your cloud's IP addresses, go to Support > Documentation > Cloud IP Addresses in the Falcon console (login required to access US1 Cloud IP Addresses and US2 Cloud IP Addresses).

Ensure that traffic to all listed cloud IP addresses is:

  • Authorized at network egress points

  • Not subject to manipulation or TLS interception

The Falcon sensor uses certificate pinning to defend against man-in-the-middle (MitM) attacks. If your environment uses deep packet inspection (also called HTTPS, TLS, or SSL inspection), this can interfere with certificate validation and break sensor connectivity. To prevent this, either disable TLS inspection for CrowdStrike-bound traffic or add CrowdStrike cloud addresses to your inspection bypass list. Other common sources of interference include antivirus systems, firewalls, and proxies with TLS interception enabled.
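The following is an added example, not code from Red Canary's page or from CrowdStrike's tooling. It is a small check an administrator can run from a host behind the egress proxy to record which leaf certificate that path actually presents for a cloud endpoint and compare it with a baseline fingerprint captured from a path without TLS inspection. Because a pinning sensor rejects any leaf other than the one it expects, a mismatch here means the inspection bypass is not yet in effect for that traffic. The hostname and the pinned fingerprint are placeholders (the real endpoints come from the Cloud IP Addresses page in your console); the comparison logic is generic and applies to any pinned client, not only the Falcon sensor.

```python
"""Egress TLS sanity check for a certificate-pinning client.

Added example. Assumes you have already recorded the SHA-256 fingerprint of
the leaf certificate the cloud endpoint presents on an uninspected path and
want to confirm hosts behind the egress proxy see the same certificate.
"""
import hashlib
import socket
import ssl


def sha256_fingerprint(der_cert: bytes) -> str:
    """Colon-separated uppercase SHA-256 fingerprint, as most consoles display it."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def assess_pin(observed_der: bytes, pinned_fingerprints: set[str]) -> str:
    """Classify the observed leaf certificate against the known-good set.

    "match" means the egress path presents the expected certificate;
    "MISMATCH" means something in the path (an inspection proxy, a firewall
    doing SSL decryption) has substituted its own certificate, which a
    pinning sensor will refuse.
    """
    return "match" if sha256_fingerprint(observed_der) in pinned_fingerprints else "MISMATCH"


def observed_leaf_cert(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the DER-encoded leaf certificate actually presented on this path.

    Verification is disabled deliberately: a proxy-minted certificate may chain
    to a private CA this machine does not trust, and we still want to see it so
    the substitution is reported instead of hidden behind a handshake failure.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_host(host: str, pinned_fingerprints: set[str]) -> str:
    """One-line report for a live host: verdict plus the fingerprint seen."""
    der = observed_leaf_cert(host)
    return f"{host}: {assess_pin(der, pinned_fingerprints)} ({sha256_fingerprint(der)})"


def demo() -> tuple[str, str]:
    """Offline demonstration: constructed byte strings stand in for DER certs."""
    baseline = b"constructed: leaf cert seen from an uninspected path"
    proxied = b"constructed: leaf cert minted by an inspection proxy"
    pinned = {sha256_fingerprint(baseline)}
    return assess_pin(baseline, pinned), assess_pin(proxied, pinned)


if __name__ == "__main__":
    print(demo())  # ('match', 'MISMATCH')
    # Placeholders: substitute a cloud hostname from the Cloud IP Addresses page
    # in your Falcon console and the baseline fingerprint you recorded there.
    PINNED = {"AA:BB:CC:..."}  # placeholder, not a real fingerprint
    # print(check_host("cloud-endpoint.example.invalid", PINNED))
```

Run the script once from a vantage point outside the inspection path to capture the baseline, then from representative hosts on each egress segment; any segment that reports MISMATCH still has the cloud addresses subject to interception and needs the bypass applied before sensors there will connect.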

Permission Requirements

Red Canary requires several permissions within your CrowdStrike environment to ingest telemetry, investigate threats, and (if applicable) perform remediation.

Falcon Data Replicator (FDR)

Red Canary needs read access to the S3 bucket that stores your replicated CrowdStrike telemetry. FDR feed credentials and the associated IAM permissions are managed through CrowdStrike.


User Roles

Red Canary adheres to the principle of least privilege through default user roles. Red Canary analysts investigate and detect threats in your CrowdStrike environment using the Falcon Investigator default role. If you’ve subscribed to Active Remediation, our Threat Response Engineers will perform remediation actions using the Falcon Security Lead, Real Time Responder Admin, and Detections Exceptions Manager default roles. Your Technical Implementation Manager will help you create these users during onboarding.

Note: Refer to the CrowdStrike documentation (US-1, US-2, EU-1) for more information on default roles. To view these instructions you'll need to log in with your CrowdStrike account information for the appropriate region.

OAuth API

Red Canary requires OAuth API credentials within your CrowdStrike environment to investigate and respond to threats. For specific scopes, permissions, and justifications, see Create API Credentials to Integrate Your Existing CrowdStrike Falcon Environment with Red Canary.

Antivirus Compatibility

CrowdStrike Falcon is only compatible with Windows Defender as a co-resident antivirus. If your endpoints are running a different third-party antivirus solution, you must disable the Quarantine & Security Center Registration setting in the affected prevention policy before deploying the sensor:

  1. Go to Configuration > Prevention Policies in the Falcon console.

  2. Select the affected policy.

  3. Disable Quarantine & Security Center Registration.

Once you've fully removed the third-party antivirus, you can re-enable this setting.

FAQ

What happens to my CrowdStrike alerts when I activate Red Canary?

Every alert generated by CrowdStrike's detection rules is consumed by Red Canary and provided to you in the Alerts feature of the Red Canary platform. Alerts are reviewed by Red Canary's Cyber Incident Response Team (CIRT), who add additional context to confirmed alerts to accelerate your response. We support state and comment synchronization for CrowdStrike Falcon alerts.

Can I run CrowdStrike Falcon with another endpoint security or antivirus program installed?

Yes, but it requires specific configuration. If you are using a third-party antivirus solution other than Windows Defender, you must disable the Quarantine & Security Center Registration setting within your CrowdStrike prevention policy. This prevents conflicts between the two programs.

To adjust this:

  1. Go to Configuration > Prevention Policies.

  2. Select the relevant policy.

  3. Ensure Quarantine & Security Center Registration is disabled.

Once you are ready to decommission your third-party antivirus, you can re-enable this setting to allow Falcon to register as your primary security provider.

How do I install and uninstall Falcon Agents?

Can Red Canary assist with setting up Falcon Data Replicator to export its data to my own S3 bucket?

Setting up Falcon Data Replicator to export its data to a customer-owned S3 bucket is an advanced configuration that is dependent on your individual cloud environment. Red Canary does not provide assistance with this setup. If you have any questions or encounter issues, we recommend reaching out to CrowdStrike Support for guidance and to ensure your CrowdStrike account is properly configured before integrating it with Red Canary.

Note

Refer to the CrowdStrike documentation (US-1, US-2, EU-1) for configuring Falcon Data Replicator to export to your own S3 bucket. The Use your own cloud storage details are found in the Falcon Documentation > Tools and Reference > Falcon Data Replicator topic. To view these instructions you'll need to log in with your CrowdStrike account information for the appropriate region.

How do I create prevention policies, exclusions, or custom IOCs in CrowdStrike?

Assign prevention policies, create exclusions, and configure custom IOCs/IOAs to tune CrowdStrike to your unique threat landscape.

Note: Refer to the CrowdStrike documentation (US-1, US-2, EU-1) for configuring prevention policies, exclusions, and custom IOCs. To view these instructions you'll need to log in with your CrowdStrike account information for the appropriate region.

What are the recommended CrowdStrike prevention policy settings?

CrowdStrike recommends prevention policy settings by sensor operating system. For host groups that you want Red Canary to perform remediation actions on, see Getting Started with Active Remediation for more details.

Note: Refer to the CrowdStrike documentation (US-1, US-2, EU-1) for recommended prevention policy settings. To view these instructions you'll need to log in with your CrowdStrike account information for the appropriate region.

What Red Canary automation actions are available for CrowdStrike?

Currently, the following automation actions are available for CrowdStrike:

  • Isolate the Endpoint (Full)

  • Deisolate Endpoint

  • Kill Processes (IOC)

  • Delete Registry Entry (IOC)

  • Delete/Capture Files (IOC)

  • Collect Forensics — requires specific CrowdStrike response policy settings before use. See the FAQ "What response policy settings are required for Collect Forensics and Active Remediation?" below for details.

See Add Automation Actions for more information.

What response policy settings are required for Collect Forensics and Active Remediation?

Some Red Canary automation actions require specific CrowdStrike response policy settings to function. Requirements vary by action and by host group. Because Windows, Linux, and Mac each have their own dedicated response policy, apply the relevant settings to each platform policy.

Collect Forensics

For each platform policy on host groups where you want to run the Collect Forensics action, enable the following:

  • Real Time Response

  • Custom Scripts

  • get

  • put

  • High-risk Commands: run, put-and-run

Active Remediation

If your organization has purchased Active Remediation, your TIM will guide you through the required response policy settings for your remediation host groups. See Getting Started with Active Remediation for details.

Note

For more on response policy settings, refer to the CrowdStrike documentation for your region. You'll need to log in with your CrowdStrike account credentials for the appropriate region.

Does Red Canary support multi-CID accounts?

Yes. Red Canary supports integrating multiple CIDs individually; however, each CID requires its own FDR feed and S3 bucket. Because of the technical requirements of our CrowdStrike integration, we cannot ingest aggregated data from a parent CID at this time.

Note: Refer to the CrowdStrike documentation (US-1, US-2, EU-1) for more information on Falcon Flight Control and multi-CID support. To view these instructions you'll need to log in with your CrowdStrike account information for the appropriate region.

Does Red Canary support an aggregated Falcon Data Replicator feed for multi-CID accounts?

No. Because of the technical requirements of our CrowdStrike integration, we require each CID to have its own FDR feed and Amazon S3 bucket.

Note: Refer to the CrowdStrike documentation (US-1, US-2, EU-1) for more information on separate S3 buckets. The Falcon Flight Control and multi-CID environments details are found in the Falcon Documentation > Tools and Reference > Falcon Data Replicator topic. To view these instructions you'll need to log in with your CrowdStrike account information for the appropriate region.