Crowdstrike FDR

The Crowdstrike Falcon Data Replicator integration connects to your FDR feed to ingest Endpoint Event data into the Nebulock platform.

  1. Navigate to Falcon Data Replicator in Support and Resources.

  2. Click “Create Feed” and give your feed a name, toggle Feed to “On” and then choose Customize Feed.

  3. Exclude unused events by searching for the terms in the boxes below, selecting the checkbox, and clicking Remove Selected Items.


  4. Remove each of the following event types from the feed:

     Oci
     SensorHeartbeat
     AgentOnline
     AgentConnect
     BillingInfo
     DcUsbDevice
     DcBluetooth
     Eks
     FirmwareAnalysis
     SensorSelf
     ResourceUtilization
     RecentlyModifiedFileExecutedInContainer
     CloudScanControl

     Example in the images below: Search for “Oci”, hit Apply, select the checkbox to mark all items, and then click “Remove Selected Events.” Continue for each item in the list above.

  5. Leave Secondary Events as is, and under Partition select “Partition by time” and then click “Next”.

  6. Now review the settings and click “Create Feed” and be sure to save the AWS SQS and S3 details for the Nebulock Integration Configuration.

  7. In the Nebulock platform, go to Integrations and click Add Integration.

  8. Choose Crowdstrike from the Provider list, and paste the S3 details you copied into the boxes that start with [FDR] in the configuration.
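Once the feed is live, it is worth confirming that the customized feed really drops the event types removed in step 4 before relying on the ingested data. The following is an added example and is not Nebulock or CrowdStrike code. It assumes that each FDR data file delivered to the S3 bucket is a gzipped newline-delimited JSON file whose records carry an `event_simpleName` field, and it applies the step 4 terms as substring matches, the same way the Falcon UI search does; the sample file is constructed inline so the script runs offline.

```python
import gzip
import json
from collections import Counter

# Search terms removed from the feed in step 4 of the setup.
# The Falcon UI matches these as substrings of event names, so the
# check below applies them the same way (assumption, labelled as such).
EXCLUDED_TERMS = (
    "Oci", "SensorHeartbeat", "AgentOnline", "AgentConnect", "BillingInfo",
    "DcUsbDevice", "DcBluetooth", "Eks", "FirmwareAnalysis", "SensorSelf",
    "ResourceUtilization", "RecentlyModifiedFileExecutedInContainer",
    "CloudScanControl",
)


def is_excluded(event_simple_name: str) -> bool:
    """True when the event name contains any of the excluded search terms."""
    return any(term in event_simple_name for term in EXCLUDED_TERMS)


def parse_fdr_file(data: bytes) -> list:
    """Decode one gzipped FDR data file (newline-delimited JSON) into records.

    Assumption: the file is gzip-compressed and each non-empty line is one
    JSON object with an 'event_simpleName' field.
    """
    text = gzip.decompress(data).decode("utf-8")
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def audit_feed(data: bytes) -> dict:
    """Count events per type and list any types that should have been excluded.

    A non-empty 'leaked' list means the feed customization did not take
    effect (or a term was missed) and the feed should be reviewed.
    """
    records = parse_fdr_file(data)
    counts = Counter(r.get("event_simpleName", "<missing>") for r in records)
    leaked = sorted(name for name in counts if is_excluded(name))
    return {"total": len(records), "counts": dict(counts), "leaked": leaked}


# Constructed sample file standing in for one object downloaded from the
# FDR S3 bucket; in a real pipeline the bytes come from the S3 object
# referenced in the SQS notification.
SAMPLE_RECORDS = [
    {"event_simpleName": "ProcessRollup2", "aid": "aid-0001", "name": "cmd.exe"},
    {"event_simpleName": "DnsRequest", "aid": "aid-0001", "DomainName": "example.com"},
    {"event_simpleName": "SensorHeartbeat", "aid": "aid-0002"},
    {"event_simpleName": "ProcessRollup2", "aid": "aid-0002", "name": "bash"},
]
SAMPLE_FILE = gzip.compress(
    "\n".join(json.dumps(r) for r in SAMPLE_RECORDS).encode("utf-8")
)


if __name__ == "__main__":
    result = audit_feed(SAMPLE_FILE)
    print(f"records: {result['total']}")
    for name, n in sorted(result["counts"].items()):
        print(f"  {name}: {n}")
    if result["leaked"]:
        print("excluded event types still present:", ", ".join(result["leaked"]))
    else:
        print("no excluded event types found")
```

Run it against a few real objects from the bucket after the first partition has been written; any name listed under "excluded event types still present" points at a term that was not removed in step 4.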
