- 01 Nov 2024
- 3 Minutes to read
- PDF
How Red Canary Works with CrowdStrike Falcon
- Updated on 01 Nov 2024
- 3 Minutes to read
- PDF
Red Canary’s longstanding partnership with CrowdStrike leverages the complete telemetry collected by the Falcon sensor that is processed and analyzed first by the Red Canary platform, then by our Cyber Incident Response Team (CIRT) to confirm threats and eliminate false positives.
While most companies’ CrowdStrike integrations are focused on the alerts generated by the CrowdStrike platform, Red Canary’s low-level integration leverages the raw telemetry via the Falcon Data Replicator, an integration developed jointly by CrowdStrike and Red Canary in 2016.
This combination of CrowdStrike alerts, CrowdStrike telemetry, and Red Canary’s detection and response delivers the best security outcomes for CrowdStrike users.
How it works
Red Canary and CrowdStrike use several integration points to implement exceptional security operations.
Getting started
Work with your Red Canary contact to connect your CrowdStrike Falcon deployment with Red Canary by following these simple steps:
Request an Authorization Form from your Red Canary contact. This form instructs CrowdStrike to grant Red Canary access to your CrowdStrike console and begin sending your telemetry to Red Canary for processing.
Complete and submit the Authorization Form to support@crowdstrike.com and include your CrowdStrike account manager and your Red Canary contact.
Share your CrowdStrike CID with Red Canary so we can configure our platform to accept your data.
Red Canary will coordinate the telemetry connection with CrowdStrike and notify you when data is successfully flowing between the platforms.
Red Canary will configure an alert source for CrowdStrike that sends each CrowdStrike alert to Red Canary for investigation.
This process generally takes three to five days, depending on CrowdStrike’s responsiveness to the MSSP Authorization form you submit.
CrowdStrike data Red Canary processes
We receive all of the data collected by your CrowdStrike sensors, as well as a number of system events generated by the CrowdStrike platform. Endpoint telemetry is used for detection purposes, whereas several system events become audit logs in Red Canary.
CrowdStrike alerts change when I activate Red Canary
Every alert generated by CrowdStrike’s detection rules is processed by Red Canary to determine if the alert was a true or false positive. Red Canary’s investigation of these alerts adds additional context to confirmed alerts to accelerate your response.
You can enable “alert synchronization” to automatically update and close the alerts in the CrowdStrike platform once Red Canary has completed our review to keep your console tidy.
Export data collected by CrowdStrike
Yes. You can use the Canary Exporter to export CrowdStrike telemetry from Red Canary into your SIEM, long-term storage, or other processing pipeline. For more information, see Get Data out of Red Canary.
FAQ
Are there network requirements for the CrowdStrike sensor to work?
Yes, depending on your network environment, you may need to allow (whitelist) TLS (1.0 or later) traffic between your network and CrowdStrike cloud's network addresses. You can find your CrowdStrike cloud’s IP addresses by clicking Support > Documentation > Cloud IP Addresses in your Falcon console.
Please be sure that these addresses are authorized at network egress points and that traffic is not subject to manipulation or TLS interception:
To access this information you must have Falcon portal login credentials:
How is sensor-to-server communication protected?
The Falcon sensor uses certificate pinning to defend against man-in-the-middle (MitM) attacks. Some network configurations, such as deep packet inspection, interfere with certificate validation.
To prevent interference with certificate validation, disable deep packet inspection (also called HTTPS interception, TLS interception, or SSL inspection) or similar network configurations. Other common sources of interference with certificate pinning include antivirus systems, firewalls, or proxies.
Can CrowdStrike be used with another third-party antivirus solution?
No, CrowdStrike Falcon only works with Windows Defender. If you’re using a different third-party antivirus solution, we recommend you disable the Quarantine & Security Center Registration setting within the prevention policy when installing a sensor. To do so, please go to Configuration > Prevention Policies, pick the affected policy and ensure Quarantine & Security Center Registration is disabled. When you’re ready to remove your third-party antivirus, you can enable Quarantine & Security Center Registration.
What Crowdstrike licenses are required for this integration?
The following Crowdstrike licenses are required to integrate Crowdstrike Falcon with Red Canary:
Falcon Prevent - NGAV
Falcon Insight - EDR
Falcon Data Replicator - Data Exporter
Threat Graph Standard - Enriched Sensor Data Storage