
CrowdStrike QRadar Integration App
Installation and User Guide
CrowdStrike Falcon EndPoint
Version: 1.0.0

Installation Document

Overview:
This document describes how to integrate the QRadar platform with CrowdStrike for escalating events. The integration installs on the QRadar platform a set of custom fields designed to support the following use cases:
1. Ingest and display detection alerts from the CrowdStrike (CS) instance
2. Contain systems and push IOCs
3. Investigate detection alerts from CrowdStrike (event/alert data) by right-clicking the alert and opening CS in a new window
4. Detection status management – ability to change the CrowdStrike status of detections (the detection statuses available in CrowdStrike)

Prerequisites:
Verify that your environment meets the following requirements:
- QRadar platform version is 7.2.8 Patch 14 or later.
- You have designated a Master Administrator account on the QRadar platform.
- You have downloaded the CrowdStrike integration file, CrowdStrike-Falcon-EndPoint.zip, from the IBM Security App Exchange.

Install the extension:
Perform the following to install the integration on QRadar:
1. Log in to the QRadar platform.
2. Open the Admin tab and click Extension Management under System Configuration.
3. Click the Add button.

4. Browse to the downloaded app package (the CrowdStrike-Falcon-EndPoint.zip file from the prerequisites).
5. Click Install Immediately, click Add, then click Install.
6. Verify that the extension contains 26 Custom Event Properties and one Log Source, then click the Install button.
7. Once the installation is done, click the Installed tab and check that the app was installed successfully.

Setup the Configuration:
Once the installation is done, navigate to the Admin tab, open the "Configure CrowdStrike Falcon EndPoint Integration" icon and provide the CrowdStrike API credentials (Stream API, Query API and OAuth2 API) using the steps below:
1. Under Plug-ins, click Configure CrowdStrike Falcon EndPoint Integration.

2. In the pop-up window, provide the following:
   a) Stream API tab
      i. Host URL: firehose.crowdstrike.com (a bare hostname, without scheme or path)
      ii. APP ID: as provided by a CS representative
      iii. API Key: as provided by a CS representative
      iv. API UUID: as provided by a CS representative
   b) Query API tab
      i. Host URL: https://falconapi.crowdstrike.com
      ii. Query API Username: as provided by a CS representative
      iii. Query API Password: as provided by a CS representative
   c) OAuth2 API tab
      i. Host URL: https://api.crowdstrike.com
      ii. Client ID: as provided by a CS representative
      iii. Client Secret: as provided by a CS representative
3. Click the Save button.
The API Key, Query API Password and Client Secret are credentials for your CrowdStrike tenant: do not paste them into tickets or chat, and rotate them with your CS representative if they are exposed.
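Before saving the configuration it is worth checking the values offline and confirming that the OAuth2 Client ID and Client Secret actually work, so that a mistyped host or a wrong secret is caught before the app starts polling. The following script is an added example and is not part of the app or of CrowdStrike's own tooling. It assumes the three tabs map to a dict with keys stream, query and oauth2, that the Stream API host is a bare hostname while the other two are https URLs (as on the page), and that the OAuth2 exchange is the Falcon client-credentials flow, a form-encoded POST of client_id and client_secret to /oauth2/token on the OAuth2 host. The placeholder values are constructed and must be replaced with those supplied by your CS representative.

```python
"""Pre-save check for the CrowdStrike Falcon EndPoint app configuration.

Added example, not part of the app. Validates the three credential tabs
offline and, when run as a script, performs the OAuth2 client-credentials
exchange against the Falcon API to prove the Client ID/Secret pair.
"""
import json
import urllib.parse
import urllib.request

# Hosts as given on the configuration tabs.
STREAM_HOST = "firehose.crowdstrike.com"
QUERY_HOST = "https://falconapi.crowdstrike.com"
OAUTH2_HOST = "https://api.crowdstrike.com"

# Fields each tab must have (assumed key names, mirroring the tab labels).
REQUIRED = {
    "stream": ("host", "app_id", "api_key", "api_uuid"),
    "query": ("host", "username", "password"),
    "oauth2": ("host", "client_id", "client_secret"),
}


def validate_config(cfg):
    """Return a list of problems with the configuration (empty list = OK)."""
    problems = []
    for tab, fields in REQUIRED.items():
        section = cfg.get(tab, {})
        for field in fields:
            if not str(section.get(field, "")).strip():
                problems.append(f"{tab}: '{field}' is empty")
    # The Stream API host is a bare hostname; the other two are https URLs.
    stream_host = cfg.get("stream", {}).get("host", "")
    if "://" in stream_host or "/" in stream_host:
        problems.append("stream: host must be a bare hostname (no scheme or path)")
    for tab in ("query", "oauth2"):
        parsed = urllib.parse.urlsplit(cfg.get(tab, {}).get("host", ""))
        if parsed.scheme != "https" or not parsed.netloc:
            problems.append(f"{tab}: host must be an https:// URL")
    return problems


def token_request(host, client_id, client_secret):
    """Build the OAuth2 client-credentials request: (url, body_bytes, headers)."""
    url = host.rstrip("/") + "/oauth2/token"
    body = urllib.parse.urlencode(
        {"client_id": client_id, "client_secret": client_secret}
    ).encode()
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    return url, body, headers


def parse_token_response(raw):
    """Return (access_token, expires_in_seconds) or raise on an error body."""
    data = json.loads(raw)
    if "access_token" not in data:
        raise ValueError(f"no access_token in response: {data}")
    return data["access_token"], int(data.get("expires_in", 0))


def fetch_token(cfg, opener=urllib.request.urlopen):
    """Perform the live exchange (network call); returns (token, ttl)."""
    oauth = cfg["oauth2"]
    url, body, headers = token_request(
        oauth["host"], oauth["client_id"], oauth["client_secret"]
    )
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with opener(req, timeout=15) as resp:
        return parse_token_response(resp.read())


if __name__ == "__main__":
    import sys
    # Constructed placeholders; replace with the values from your CS representative.
    cfg = {
        "stream": {"host": STREAM_HOST, "app_id": "REPLACE_ME",
                   "api_key": "REPLACE_ME", "api_uuid": "REPLACE_ME"},
        "query": {"host": QUERY_HOST, "username": "REPLACE_ME", "password": "REPLACE_ME"},
        "oauth2": {"host": OAUTH2_HOST, "client_id": "REPLACE_ME",
                   "client_secret": "REPLACE_ME"},
    }
    errors = validate_config(cfg)
    for err in errors:
        print("config error:", err)
    if errors:
        sys.exit(1)
    token, ttl = fetch_token(cfg)
    print(f"OAuth2 credentials OK; token valid for {ttl}s (not printed)")
```

Run it from a host that can reach api.crowdstrike.com; a 401 or a JSON body without access_token means the Client ID/Secret pair is wrong for that tenant, and nothing has been saved into QRadar yet. The token itself is deliberately not printed.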

User Document

Overview:
This document describes how to use the CrowdStrike Falcon EndPoint app functionality in the QRadar platform. The integration enables the following:
1. QRadar events (in the Log Activity tab) for CrowdStrike detections.
2. Open the CrowdStrike Falcon host link in a new window.
3. Detection status management – ability to change the CrowdStrike status of a detection.
4. Update containment status.
5. Upload IOCs into CrowdStrike.

Prerequisites:
Once the app is installed in the QRadar instance, set up the configuration: navigate to the Admin tab, open the "Configure CrowdStrike Falcon EndPoint Integration" icon and provide the credentials for the Stream API, Query API and OAuth2 API.

Functionalities:

QRadar Events for CrowdStrike Detections:
Once the configuration is saved, the app starts polling CrowdStrike detections and creating them as events in QRadar.
1. Navigate to the Log Activity tab and add a filter on the log source "CrowdStrike Detection".
2. The events will start populating in QRadar.

Open the Falcon host link in a new window:
Open the created event for the CrowdStrike detection and right-click the "FalconHost Link" custom field. The "Open CrowdStrike FalconHost URL" menu item opens the link in a new window.

Detection status management:
Open the created event for the CrowdStrike detection and right-click the "Detect ID" custom field. The "Update Detection Status" menu item opens a new window, which fetches the current detection status from CrowdStrike and shows it in a dropdown. To update the detection status, choose one of the options in the dropdown (New, In Progress, True Positive, False Positive, Ignored) and click the "Update CS Detection Status" button.

Update Containment Status:
Open the created event for the CrowdStrike detection and right-click the "Sensor ID" custom field. The "Update Device Contain Status" menu item opens a new window, which fetches the current device containment status and host name from CrowdStrike and shows them in the pop-up. To update the device containment status, choose one of the options (Contain, Lift Contain) and click the "Update CS device Contain Status" button. Once the change is applied in CrowdStrike, the current status is fetched again and shown in the same window. Network containment cuts the host off from everything except the Falcon cloud, so confirm that the host name shown in the pop-up is the device you intend to isolate before clicking Contain.

Upload IOC:
Open the event and click the "Upload IOC" button in the event details top bar. A new window opens for uploading IOCs into CrowdStrike. Choose one of the types (sha256/sha1/md5/domain/ipv4/ipv6), fill in the Value and Description, and click the "Upload IOC" button to upload the IOC into CrowdStrike. The value must match the chosen type (for example, a sha256 is 64 hex characters); a mismatched value is rejected by CrowdStrike.
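The Upload IOC form takes the type, value and description as free text, so the most common failure is a value that does not match its declared type (a SHA-1 pasted as sha256, an IPv4 address under ipv6, a hostname with an underscore). The following is an added example, not code from the app, that performs that check locally and builds the upload body. The payload shape assumes the legacy Falcon custom IOC API (a JSON list of objects with type, value, policy and description, where policy "detect" raises a detection on match); which API the app itself calls is not stated on the page. The sample indicators are constructed for illustration.

```python
"""Validate IOC values against their declared type before upload.

Added example, not part of the CrowdStrike Falcon EndPoint app.
"""
import ipaddress
import re

# Hash types and their hex length; matches the form's type options.
HEX = {"sha256": 64, "sha1": 40, "md5": 32}
# Hostname label: letters, digits, hyphen; no leading or trailing hyphen.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def validate_ioc(ioc_type, value):
    """Return the normalised value for ioc_type, or raise ValueError."""
    value = value.strip()
    if not value:
        raise ValueError("value is empty")
    if ioc_type in HEX:
        length = HEX[ioc_type]
        if not re.fullmatch(rf"[0-9a-fA-F]{{{length}}}", value):
            raise ValueError(f"{ioc_type} must be {length} hex characters")
        return value.lower()
    if ioc_type == "ipv4":
        try:
            return str(ipaddress.IPv4Address(value))
        except ipaddress.AddressValueError as exc:
            raise ValueError(f"not an IPv4 address: {exc}") from None
    if ioc_type == "ipv6":
        try:
            # str() returns the compressed form, so duplicates compare equal.
            return str(ipaddress.IPv6Address(value))
        except ipaddress.AddressValueError as exc:
            raise ValueError(f"not an IPv6 address: {exc}") from None
    if ioc_type == "domain":
        host = value.lower().rstrip(".")
        labels = host.split(".")
        if (len(host) > 253 or len(labels) < 2
                or not all(LABEL.match(label) for label in labels)):
            raise ValueError("not a valid domain name")
        return host
    raise ValueError(f"unsupported type: {ioc_type}")


def build_ioc_payload(entries, policy="detect"):
    """Validate (type, value, description) tuples and build the upload body.

    Assumes the legacy Falcon custom IOC API body shape; adjust if the app
    targets a different endpoint.
    """
    payload = []
    for ioc_type, value, description in entries:
        payload.append({
            "type": ioc_type,
            "value": validate_ioc(ioc_type, value),
            "policy": policy,
            "description": description,
        })
    return payload


if __name__ == "__main__":
    # Constructed sample entries; the MD5 is the well-known empty-file hash.
    sample = [
        ("md5", "D41D8CD98F00B204E9800998ECF8427E", "empty file hash"),
        ("ipv4", "198.51.100.7", "C2 address from incident ticket"),
        ("domain", "Malicious.Example.COM.", "C2 domain"),
    ]
    for item in build_ioc_payload(sample):
        print(item)
    try:
        validate_ioc("sha256", "d41d8cd98f00b204e9800998ecf8427e")
    except ValueError as exc:
        print("rejected:", exc)
```

Hashes are lower-cased and IPv6 addresses compressed before upload, so the same indicator entered in two spellings does not produce two IOC entries.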
