CrowdStrike Falcon Integration

Note: This integration requires Cisco XDR Advantage or Cisco XDR Premier licensing tier.

CrowdStrike Falcon is an Extended Detection and Response (XDR) and Endpoint Detection and Response (EDR) offering. CrowdStrike Falcon security events can generate and contribute to correlated incidents in Cisco XDR.

In Cisco XDR, we enable CrowdStrike Falcon users to leverage it for threat hunting and investigation features as well as rapid response actions to understand and defend against threats on the endpoint. It also provides important device inventory context to help triage detected threats.

Use the CrowdStrike Falcon integration to query for security detections of many different observables including file, network, email, host, and process identifiers, as well as to add MD5 and SHA-256 file hashes, IPv4 and IPv6 addresses, and domain names to blocklists, and isolate specific hosts from the network. This integration can also provide host and vulnerability information to Cisco XDR for triaging detections and incidents.

  1. In the Cisco XDR navigation menu, choose Administration > Integrations.

  2. On the Integrations page, click the Third-Party tab and navigate to the CrowdStrike Falcon integration.

  3. Click the plus sign (+) in the lower-right corner of the card. The CrowdStrike Falcon integration page is displayed.

  4. Expand the Integration Guide area and follow the instructions on how to add the CrowdStrike Falcon integration in Cisco XDR.

Incidents are groups of correlated events generated using data ingested from your integrated products. By correlating events which could be part of a larger threat into an incident, it reduces the time typically required to investigate individual security alerts or detections. For more information about Cisco XDR Incidents feature, see Incidents.

When you enable the Crowdstrike Falcon integration, Cisco XDR ingests the detections and security events that are sent by CrowdStrike Falcon and uses them for incident correlation.

To view incidents with Crowdstrike Falcon data:

  1. In the Cisco XDR navigation menu, choose Incidents.

  2. Look for Crowdstrike Falcon in the Source column to find incidents generated with Crowdsrike Falcon data.

  3. Select an incident and open the Incident Detail page.

  4. Click on the Detection page to see events from Crowdstrike Falcon and other sources.

If you do not have any incidents with Crowdstrike Falcon data, you can verify that Cisco XDR is receiving data from Crowdstrike Falcon using the Detection Ingest Status tile on the Dashboards page. For more information about Cisco XDR Dashboards, see Dashboards.

To create a new dashboard that includes the Detection Ingest Status card:

  1. In the Cisco XDR navigation menu, choose Control Center > Dashboards and click Customize in the upper right corner of the Dashboards page.

  2. In the My Dashboards area, click Create new dashboard and enter a unique dashboard name in the Dashboard Name field.

  3. In the list of integrations, find the Secure Cloud Analytics integration and click the (Expand) icon.

  4. Check the Detection Ingest Status check box to add the card to the dashboard.

  5. Click Save.

    The new customized dashboard is displayed on the Dashboards page. If no data is displayed in the Detection Ingest Status card for Crowdstrike Falcon, check your integration configuration.

You can perform the following tasks after you integrate CrowdStrike Falcon with Cisco XDR:

  • Investigations Start a new investigation into any combination of file, network, email, host, process identifiers, and file hashes and the results will include any records of them found in CrowdStrike Falcon. To verify that this integration is working, and to see what kind of data is returned, investigate one of more observables about which you know CrowdStrike Falcon has recent information. For details, see Investigate.

  • Pivot Menu - Use the Pivot menu to access actions in CrowdStrike Falcon. Available actions include the option to open observables in Crowdstrike Endpoint detections search, and perform actions on indicators, such as allow, block, or detect only. You can also install workflows from the Automation Exchange to add more actions to the Pivot menu.

  • Assets - View devices as reported by CrowdStrike Falcon. For more information, including on how to filter the view to only the reports from CrowdStrike Falcon, see Devices.

  • Automation:

    • Atomic Actions - The atomic actions for CrowdStrike Falcon can be used as building blocks in custom workflows. These can be found as available Actions in the left menu of the Workflow Editor. See Atomic Actions and Workflows.

    • Workflows - The workflows for CrowdStrike Falcon can be installed from the Automation Exchange. See Workflows and Exchange.

    • Target - The CrowdStrike Falcon target is automatically created for out-of-box and custom workflows. See Targets Created From Integrations.

    • Playbooks - An Automation system workflow that uses CrowdStrike Falcon and is included in the Cisco Managed Incident Playbook can be used to Contain Incident: Assets (Devices), Contain Incident: File Hashes, Identify Vulnerabilities, and Validate Eradicated Hosts and Unquarantine Assets. See Containment and Recovery on the Response page.