How Red Canary Works with Crowdstrike Falcon
    • 02 Aug 2024
    • 3 Minutes to read
    • PDF

    Article summary

    Red Canary’s longstanding partnership with CrowdStrike leverages the complete telemetry collected by the Falcon sensor. That telemetry is processed and analyzed first by the Red Canary platform and then by our Cyber Incident Response Team (CIRT) to confirm threats and eliminate false positives.

    While most companies’ CrowdStrike integrations are focused on the alerts generated by the CrowdStrike platform, Red Canary’s low-level integration leverages the raw telemetry via the Falcon Data Replicator, an integration developed jointly by CrowdStrike and Red Canary in 2016.

    This combination of CrowdStrike alerts, CrowdStrike telemetry, and Red Canary’s detection and response delivers the best security outcomes for CrowdStrike users.

    How it works

    Red Canary and CrowdStrike use several integration points to implement exceptional security operations.


    Getting started

    Work with your Red Canary contact to connect your CrowdStrike Falcon deployment with Red Canary by following these simple steps:

    1. Request an Authorization Form (the MSSP Authorization Form) from your Red Canary contact. This form instructs CrowdStrike to grant Red Canary access to your CrowdStrike console and to begin sending your telemetry to Red Canary for processing.

    2. Complete and submit the Authorization Form to support@crowdstrike.com and include your CrowdStrike account manager and your Red Canary contact.

    3. Share your CrowdStrike CID with Red Canary so we can configure our platform to accept your data.

    4. Red Canary will coordinate the telemetry connection with CrowdStrike and notify you when data is successfully flowing between the platforms.

    5. Red Canary will configure an alert source for CrowdStrike that sends each CrowdStrike alert to Red Canary for investigation.

    This process generally takes three to five days, depending on CrowdStrike’s responsiveness to the MSSP Authorization form you submit.

    CrowdStrike data Red Canary processes

    We receive all of the data collected by your CrowdStrike sensors, as well as a number of system events generated by the CrowdStrike platform. Endpoint telemetry is used for detection purposes, whereas several system events become audit logs in Red Canary.

    How CrowdStrike alerts change when you activate Red Canary

    Every alert generated by CrowdStrike’s detection rules is processed by Red Canary to determine if the alert was a true or false positive. Red Canary’s investigation of these alerts adds additional context to confirmed alerts to accelerate your response.

    You can enable “alert synchronization” to automatically update and close the alerts in the CrowdStrike platform once Red Canary has completed our review to keep your console tidy.

    Can I export data collected by CrowdStrike?

    Yes. You can use the Canary Exporter to export CrowdStrike telemetry from Red Canary into your SIEM, long-term storage, or other processing pipeline. For more information, see Get Data out of Red Canary in the Red Canary Help Center.

    FAQ

    Are there network requirements for the CrowdStrike sensor to work?

    Yes. Depending on your network environment, you may need to allow (whitelist) TLS (1.0 or later) traffic from your endpoints to the CrowdStrike cloud’s network addresses. You can find your CrowdStrike cloud’s IP addresses by clicking Support > Documentation > Cloud IP Addresses in your Falcon console.

    Make sure these addresses are authorized at every network egress point and that the traffic is not subject to manipulation or TLS interception.

    How is sensor-to-server communication protected?

    The Falcon sensor uses certificate pinning to defend against man-in-the-middle (MitM) attacks: it accepts only the certificate it expects from the CrowdStrike cloud. Network configurations that re-sign TLS sessions, such as deep packet inspection, present their own certificate instead and so break that validation, leaving the sensor unable to reach the cloud.

    To prevent interference with certificate validation, exempt the CrowdStrike cloud addresses from deep packet inspection (also called HTTPS interception, TLS interception, or SSL inspection) and similar controls. Other common sources of interference with certificate pinning are antivirus products, firewalls, and proxies that terminate TLS.
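    The two answers above amount to one check a practitioner should run from a representative endpoint before rollout: can the host open a TLS session to the Falcon cloud, and is the certificate it sees issued by a public CA or by an inspecting proxy? The script below is an added example written for this article; it is not Red Canary or CrowdStrike code. FALCON_HOST is a placeholder (take the real addresses from Support > Documentation > Cloud IP Addresses), PROXY_CA_MARKERS is an assumed list of issuer-name fragments that you tune to the CA your own proxies use, and the two sample issuers are constructed so the classification can be exercised offline.

```python
"""Probe TLS egress from an endpoint to the Falcon cloud and flag TLS interception.

Added example; not Red Canary or CrowdStrike code. FALCON_HOST is a placeholder:
take the real addresses from Support > Documentation > Cloud IP Addresses in the
Falcon console.
"""
import socket
import ssl
from typing import Iterable

# Assumption: placeholder hostname, replace with your Falcon cloud endpoint.
FALCON_HOST = "falcon-cloud.example"
FALCON_PORT = 443  # outbound TLS on 443

# Assumption: name fragments of the CA your inspecting proxies mint
# certificates with. Tune these to your own estate.
PROXY_CA_MARKERS = ("proxy", "ssl inspection", "tls inspection", "corp root")


def issuer_cn(peercert: dict) -> str:
    """Pull the issuer commonName out of ssl.SSLSocket.getpeercert() output."""
    for rdn in peercert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return ""


def classify_issuer(cn: str, markers: Iterable[str] = PROXY_CA_MARKERS) -> str:
    """Return 'intercepted' if the issuer looks like an inspection CA, else 'direct'."""
    lowered = cn.lower()
    return "intercepted" if any(m in lowered for m in markers) else "direct"


def probe(host: str = FALCON_HOST, port: int = FALCON_PORT, timeout: float = 5.0) -> dict:
    """Open a verified TLS session and report reachability, issuer and verdict.

    Three outcomes matter to the sensor:
      * direct: public CA issuer, the pinned sensor will be happy;
      * intercepted: the OS trusts your proxy CA so this handshake succeeds,
        but the pinned sensor will reject the substituted certificate;
      * cert-verify-failed: the leaf chained to nothing trusted, which on a
        managed endpoint also points at interception or a broken middlebox.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                version = tls.version()
    except ssl.SSLCertVerificationError as exc:
        return {"host": host, "reachable": True, "verdict": "cert-verify-failed",
                "error": str(exc)}
    except (OSError, ssl.SSLError) as exc:
        return {"host": host, "reachable": False, "verdict": "unreachable",
                "error": str(exc)}
    cn = issuer_cn(cert)
    return {"host": host, "reachable": True, "tls_version": version,
            "issuer_cn": cn, "verdict": classify_issuer(cn)}


# Constructed sample getpeercert() issuers for offline demonstration.
SAMPLE_PUBLIC = {"issuer": ((("countryName", "US"),),
                            (("organizationName", "Example Public CA"),),
                            (("commonName", "Example Public TLS CA G2"),))}
SAMPLE_PROXY = {"issuer": ((("organizationName", "Contoso IT"),),
                           (("commonName", "Contoso SSL Inspection CA"),))}


if __name__ == "__main__":
    for sample in (SAMPLE_PUBLIC, SAMPLE_PROXY):
        cn = issuer_cn(sample)
        print(f"{cn!r}: {classify_issuer(cn)}")
    print(probe())  # live check against FALCON_HOST
```

    Run it on a host that sits behind the same egress path as your fleet, not from an admin workstation with a proxy bypass. A "direct" verdict on the host and a pinning failure in the sensor usually means the exemption applies to some egress points but not all, which is why the article asks you to authorize the addresses at every egress point.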

    Can CrowdStrike be used with another third-party antivirus solution?

    No. Running Falcon alongside another third-party antivirus is not supported; Windows Defender is the only antivirus Falcon is designed to coexist with. If a different third-party antivirus is still installed when you deploy the sensor (for example, during a migration), disable the Quarantine & Security Center Registration setting in the prevention policy so that Falcon does not register with Windows Security Center as the active antivirus while the other product is present. To do so, go to Configuration > Prevention Policies, select the affected policy, and ensure Quarantine & Security Center Registration is disabled. Once you have removed the third-party antivirus, re-enable Quarantine & Security Center Registration.
