Create Crowdstrike integration
Have you done these on your CrowdStrike Instance?
- Is Falcon Data Replicator Service enabled?
- Have you created a Falcon Data Replicator feed? Configuring Falcon Data Replicator
- Have you created a Real-Time-Response API Client? Configuring an RTR API Client
If the answer is all Yes on the bullets above, log in to your Stairwell instance and follow the steps below. We recommend reading the documentation in its entirety before getting started.
Some acronyms you need to be aware of
- Real-Time-Response (RTR):
- CrowdStrike RTR (Real Time Response) is a powerful incident response and forensic investigation feature in the CrowdStrike Falcon platform. It provides security teams with remote access to endpoints in real-time, allowing them to investigate and remediate security incidents without needing physical access to the machine
- Falcon Data Replicator (FDR):
- The CrowdStrike Falcon Data Replicator (FDR) allows organizations to export raw endpoint telemetry from the Falcon platform to a cloud storage bucket for further analysis and integration with SIEMs or data lakes.
Let us set up / configure the Stairwell + Crowdstrike Integration
- Login to your Stairwell instance. Once logged in and greeted by the dashboard, click on the gear icon.
Below is a high-level explanation of the fields required for the integration:
- Name
- Identifier for the integration. You can name your integration whatever you wish. However, making a more meaningful name is the best practice.
- Hostname
- From the Real-Time-Response (RTR) setup step, this is the base URL associated with the Crowdstrike client credentials created.
- Example: api.us-2.crowdstrike.com
- From the Real-Time-Response (RTR) setup step, this is the base URL associated with the Crowdstrike client credentials created.
- Client ID
- This is the Crowdstrike API client ID found during the RTR setup and configuration.
- Client Secret
- This is the Crowdstrike API client secret. This is generated during the RTR setup and configuration. WARNING This API client secret code can only be viewed ONCE.
- AWS Client ID
- This is the AWS Client ID. This is generated during the FDR setup and configuration. WARNING This API client secret code can only be viewed ONCE
- AWS Secret
- This is the AWS Secret ID. This is generated during the FDR setup and configuration. WARNING This API client secret code can only be viewed ONCE
- SQS URI
- This is the AWS SQS queue URI. This is generated during the FDR setup and configuration.
I got both sides (Crowdstrike and Stairwell) set up and configured, what now?
After you successfully set up / configure both sides (Crowdstrike and Stairwell), you should wait for objects and results to populate within the Stairwell platform. It may take a few minutes to a few hours for objects and results to populate. See snapshots below:
Now that we see objects, let us see what kind of details we can get on a single object:
File properties, sightings, Stairwell's Mal-eval Score, file names, file paths, assets affected, matching YARA rules, and more. We provide all of these in a single pane of glass. That translates to quicker investigations and enables Security Analysts to quickly make actionable decisions and figure out their next steps.
What if I need technical help and need more information?
You can always reach out to your Account Manager or Sales Engineer. Make sure you keep their direct contact information.
Updated 25 days ago