Create CrowdStrike integration

Overview

This guide provides step-by-step instructions for setting up the integration between CrowdStrike Falcon and Stairwell. The Falcon side supplies two things: an RTR API client (for Stairwell to talk to the Falcon API) and an FDR feed (for Stairwell to receive endpoint telemetry).

Before proceeding, ensure the following are configured in your CrowdStrike Falcon instance:

  • Falcon Data Replicator (FDR) Service is enabled
  • A Falcon Data Replicator Feed is created
  • A Real-Time-Response (RTR) API Client is set up

If you have not configured the above, contact Stairwell Support for assistance.

Acronyms you need to be aware of

  • Real-Time-Response (RTR):
    • Real Time Response is the incident response and forensic investigation feature of the CrowdStrike Falcon platform. It gives security teams remote, real-time access to endpoints so they can investigate and remediate incidents without physical access to the machine.
  • Falcon Data Replicator (FDR):
    • Falcon Data Replicator exports raw endpoint telemetry from the Falcon platform to cloud storage (a CrowdStrike-managed S3 bucket, with new-file notifications delivered on an SQS queue) for further analysis and integration with SIEMs or data lakes.

Setting up & configuring the Stairwell + CrowdStrike integration

  1. Log in to your Stairwell instance, then click the gear icon in the toolbar to open the integration settings.

Below is a high-level explanation of the fields required for the integration:

  • Name
    • Identifier for the integration. Any name works, but a descriptive one (for example, one that names the Falcon tenant or cloud region it connects to) is best practice, since it is what you will see in alerts and logs later.
  • Hostname
    • The Falcon API base hostname for the cloud region in which the RTR API client was created (it is shown with the client's credentials during the RTR setup step). Enter the bare hostname, with no scheme or path.
      • Example: api.us-2.crowdstrike.com
  • Client ID
    • The CrowdStrike API client ID recorded during the RTR setup and configuration.
  • Client Secret
    • The CrowdStrike API client secret generated during the RTR setup and configuration.

      Warning: this API client secret can only be viewed ONCE, when the API client is created. If it was not saved, a new secret has to be issued for the client.

  • AWS Client ID
    • The AWS access key ID that CrowdStrike issues when the FDR feed is created. This is the key ID that pairs with the AWS Secret below.

      Warning: this key ID can only be viewed ONCE, when the feed is created.

  • AWS Secret
    • The AWS secret access key that pairs with the key ID above, generated during the FDR setup and configuration.

      Warning: this secret can only be viewed ONCE, when the feed is created.

  • SQS URI
    • The URL of the AWS SQS queue on which CrowdStrike posts a notification each time new FDR files land in the bucket. It is shown alongside the AWS credentials during FDR setup and has the form https://sqs.<region>.amazonaws.com/<account-id>/<queue-name>.
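Because three of the six values are shown only once, it is worth confirming they were captured correctly before saving the form. The script below is an added example (not Stairwell or CrowdStrike code) that sanity-checks each field offline and, when run with real values in environment variables, exchanges the RTR credentials for a Falcon bearer token and reads one FDR notification from the queue. The table of Falcon API hostnames, the format checks and the sample SQS message are assumptions of the example and are marked as such in the comments.

```python
"""Pre-flight checks for the six fields on the Stairwell integration form.

Added example (not Stairwell or CrowdStrike code). The hostname table, the
format checks and the sample SQS message are assumptions noted in comments.
"""
import json
import re
import urllib.parse
import urllib.request

# Falcon API base hostnames by cloud region (assumed table). The Hostname field
# wants the bare host, no scheme or path, as the page's example shows.
FALCON_API_HOSTS = {
    "api.crowdstrike.com": "US-1",
    "api.us-2.crowdstrike.com": "US-2",
    "api.eu-1.crowdstrike.com": "EU-1",
    "api.laggar.gcw.crowdstrike.com": "US-GOV-1",
}

def normalize_hostname(value: str) -> str:
    """Accept a bare host or a pasted URL; reject hosts that are not Falcon API endpoints."""
    host = value.strip()
    if "://" in host:
        host = urllib.parse.urlsplit(host).netloc
    host = host.split("/")[0].lower()
    if host not in FALCON_API_HOSTS:
        raise ValueError(f"not a known Falcon API hostname: {host!r}")
    return host

def parse_sqs_uri(uri: str) -> dict:
    """Split an SQS queue URL into region, account and queue; the region is what the SQS client needs."""
    m = re.fullmatch(
        r"https://sqs\.([a-z]{2}(?:-[a-z]+)+-\d)\.amazonaws\.com/(\d{12})/([\w-]{1,80})",
        uri.strip(),
    )
    if not m:
        raise ValueError("expected https://sqs.<region>.amazonaws.com/<account-id>/<queue-name>")
    return {"region": m.group(1), "account": m.group(2), "queue": m.group(3)}

def check_aws_access_key_id(key_id: str) -> str:
    """IAM access key IDs are 20 chars: AKIA prefix for long-term keys, ASIA for temporary ones."""
    key = key_id.strip()
    if not re.fullmatch(r"(?:AKIA|ASIA)[A-Z0-9]{16}", key):
        raise ValueError("malformed AWS access key ID (was the secret pasted into the ID field?)")
    return key

def falcon_oauth_token(hostname: str, client_id: str, client_secret: str, timeout: int = 15) -> str:
    """Exchange the RTR API client credentials for a bearer token (network call).
    A 401/403 means a wrong ID/secret, or a client created in a different cloud than Hostname."""
    host = normalize_hostname(hostname)
    form = urllib.parse.urlencode({"client_id": client_id, "client_secret": client_secret}).encode()
    req = urllib.request.Request(
        f"https://{host}/oauth2/token", data=form,
        headers={"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["access_token"]

def receive_fdr_notifications(sqs_uri: str, key_id: str, secret: str, wait_seconds: int = 20) -> list:
    """Read one batch from the FDR queue without deleting it (network call; needs boto3)."""
    import boto3  # assumption: boto3 installed; imported lazily so the offline checks work without it

    q = parse_sqs_uri(sqs_uri)
    sqs = boto3.client("sqs", region_name=q["region"],
                       aws_access_key_id=check_aws_access_key_id(key_id), aws_secret_access_key=secret)
    resp = sqs.receive_message(QueueUrl=sqs_uri, MaxNumberOfMessages=1, WaitTimeSeconds=wait_seconds)
    return [m["Body"] for m in resp.get("Messages", [])]

def parse_fdr_notification(body: str) -> list:
    """Return the S3 object URIs an FDR notification announces (bucket + files[].path)."""
    msg = json.loads(body)
    return [f"s3://{msg['bucket']}/{f['path']}" for f in msg["files"]]

# Constructed sample notification in the shape CrowdStrike's published FDR consumer
# sample reads (bucket, pathPrefix, files[].path). Not real telemetry.
SAMPLE_FDR_MESSAGE = json.dumps({
    "cid": "0123456789abcdef0123456789abcdef", "timestamp": 1700000000000,
    "fileCount": 2, "totalSize": 3072, "bucket": "example-fdr-bucket",
    "pathPrefix": "data/0123456789abcdef0123456789abcdef/",
    "files": [
        {"path": "data/0123456789abcdef0123456789abcdef/part-00000.gz", "size": 1024, "checksum": "d41d8cd9"},
        {"path": "data/0123456789abcdef0123456789abcdef/part-00001.gz", "size": 2048, "checksum": "e99a18c4"},
    ],
})

if __name__ == "__main__":
    import os
    env = os.environ  # FALCON_HOSTNAME, FALCON_CLIENT_ID, FALCON_CLIENT_SECRET, FDR_SQS_URI, FDR_AWS_KEY_ID, FDR_AWS_SECRET
    token = falcon_oauth_token(env["FALCON_HOSTNAME"], env["FALCON_CLIENT_ID"], env["FALCON_CLIENT_SECRET"])
    print("RTR client OK, token length:", len(token))
    for body in receive_fdr_notifications(env["FDR_SQS_URI"], env["FDR_AWS_KEY_ID"], env["FDR_AWS_SECRET"]):
        print("\n".join(parse_fdr_notification(body)))
```

Two caveats when running the network half. Receiving a message hides it from other consumers for the queue's visibility timeout, and deleting it would remove it for good, so this check deliberately never deletes and is best run before the Stairwell integration is saved rather than while it is live. An empty result is not a failure: FDR only posts a notification when a new batch of files is written, so wait a few minutes and retry before concluding the credentials are wrong.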

Both sides (CrowdStrike and Stairwell) are set up and configured. What now?

After both sides are configured, wait for objects and results to populate in the Stairwell platform. This can take from a few minutes to a few hours, because FDR delivers telemetry in batches and Stairwell has to ingest and analyze each batch before results appear.


Once objects appear, opening a single object shows its file properties, sightings, Stairwell's Mal-Eval score, file names, file paths, affected assets, matching YARA rules, and more in one view. Having all of this in one place shortens investigations and lets analysts decide on their next steps without pivoting between tools.

What if I need technical help or more information?

Contact Stairwell support at [email protected] for more information on the integration.