CrowdStrike Falcon Data Replicator

You can connect the CrowdStrike Falcon Data Replicator (FDR) to InsightIDR to analyze, alert, and investigate based on your process start data. Crowdstrike FDR data flows into Endpoint Activity > Process Start Events in Log Search.

Enhanced Endpoint Telemetry Add-On Module

Enhanced Endpoint Telemetry is available as an add-on to your InsightIDR license. When you purchase the EET add-on module, you receive full access to the archive of process start data that is captured by CrowdStrike FDR. While you do not need the Enhanced Endpoint Telemetry add-on module for InsightIDR to generate alerts on your data, it is required to view the process start data that triggered an alert in Log Search.

Check your eligibility

Review the following requirements to determine if you are eligible to use this integration:

  • Your organization is in a US region.
  • You are not a Rapid7 Managed Services Customer.
  • You do not have any Insight Agents deployed in your environment.

How to Configure the CrowdStrike FDR Integration

Integration between InsightIDR and CrowdStrike FDR requires a number of keys for the two products to communicate. Before attempting to configure this integration in InsightIDR, ensure you have enabled API access and obtained the necessary keys.

Step 1: Obtain Crowdstrike Credentials

Contact Crowdstrike Support to do the following:

  1. Enable API access on your account.
  2. Obtain the required keys. You will need to enter these keys into InsightIDR in a later step.
    • Unique Customer Identifier
    • Client ID
    • Client Secret
    • Cloud Endpoint API
    • Access-Key
    • Secret Key
    • SQS Region
    • SQS URL

Step 2: Set up the CrowdStrike Falcon Data Replicator in InsightIDR

  1. Log in to InsightIDR.
  2. From the left menu, select Settings > Third Party Agents.
  3. Switch the toggle ON. The Connect to CrowdStrike Falcon Data Replicator panel will appear.
  4. Under the CrowdStrike API credentials section enter the credentials you obtained from CrowdStrike support:
    1. Enter the Unique Customer Identifier. This allows InsightIDR to establish a connection to your Crowdstrike account.
    2. In the Client ID, enter your API Client ID.
    3. Enter the Client secret.
    4. In the Cloud Endpoint, enter your API Gateway URL.
  5. Under the Falcon Data Replicator credentials section enter the credentials you obtained from CrowdStrike support:
    1. Enter the access key into the Access Key field. This key grants InsightIDR access to the Falcon Data Replicator.
    2. Enter the Secret key.
    3. Enter the SQS Region. This denotes the region of the account.
    4. Enter the SQS URL.
  6. When ready, select the I've verified my credentials checkbox.
  7. Click Submit Credentials. InsightIDR will now attempt to establish a connection to the CrowdStrike Falcon Data Replicator. Establishing this connection can take up to 1 hour.

Submitted Credentials

Once submitted, you will not be able to view your credentials in InsightIDR. But don’t worry, the information is sent to be processed and a connection will be initiated.
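Because the panel hides the values once they are submitted, and a connection attempt can take up to an hour before you learn whether the keys were wrong, it is worth checking the eight values for shape and internal consistency before clicking Submit Credentials (and again before re-submitting under "Update incorrect credentials during setup"). The script below is an added example and is not part of the InsightIDR documentation or product. It is entirely offline: it checks for empty fields, stray whitespace from copy-and-paste, an https CrowdStrike API gateway URL, a plausible AWS region name, and that the region embedded in the SQS URL matches the SQS Region field. The field names are the ones listed on this page; the SQS URL layout (`https://sqs.<region>.amazonaws.com/<account-id>/<queue-name>`), the region-name pattern and the `crowdstrike.com` host check are assumptions about AWS and CrowdStrike conventions, and every sample value is a constructed placeholder.

```python
"""Offline pre-submission check for the CrowdStrike FDR credential set.

Added example, not InsightIDR or CrowdStrike code. It validates only the shape
and consistency of the values you are about to paste into the Connect to
CrowdStrike Falcon Data Replicator panel; it makes no network calls and cannot
prove that CrowdStrike or AWS will accept the keys.
"""
import re
from urllib.parse import urlparse

# Field names exactly as listed in the "Obtain Crowdstrike Credentials" step.
REQUIRED_FIELDS = (
    "Unique Customer Identifier", "Client ID", "Client Secret",
    "Cloud Endpoint API", "Access-Key", "Secret Key", "SQS Region", "SQS URL",
)

# Assumption: standard SQS queue URL layout
# https://sqs.<region>.amazonaws.com/<12-digit account id>/<queue name>
SQS_URL_RE = re.compile(
    r"^https://sqs\.(?P<region>[a-z]{2}(?:-[a-z]+)+-\d)\.amazonaws\.com/"
    r"(?P<account>\d{12})/(?P<queue>[\w-]+)$"
)
# Assumption: AWS region names look like us-west-2 or eu-central-1.
REGION_RE = re.compile(r"^[a-z]{2}(?:-[a-z]+)+-\d$")


def check_fdr_credentials(creds: dict) -> list:
    """Return a list of human-readable problems; an empty list means the set looks consistent."""
    problems = []
    for name in REQUIRED_FIELDS:
        value = creds.get(name)
        if not value:
            problems.append(f"{name}: missing or empty")
            continue
        if value != value.strip():
            # Leading/trailing whitespace is a common paste error and becomes
            # invisible once the panel hides the submitted values.
            problems.append(f"{name}: leading or trailing whitespace")

    endpoint = (creds.get("Cloud Endpoint API") or "").strip()
    if endpoint:
        parsed = urlparse(endpoint)
        if parsed.scheme != "https" or not parsed.netloc:
            problems.append("Cloud Endpoint API: must be an https:// URL")
        elif not parsed.netloc.endswith(".crowdstrike.com"):
            # Assumption: CrowdStrike API gateways are hosted under crowdstrike.com.
            problems.append("Cloud Endpoint API: host is not under crowdstrike.com")

    region = (creds.get("SQS Region") or "").strip()
    if region and not REGION_RE.match(region):
        problems.append("SQS Region: not a recognisable AWS region name")

    sqs_url = (creds.get("SQS URL") or "").strip()
    if sqs_url:
        match = SQS_URL_RE.match(sqs_url)
        if match is None:
            problems.append("SQS URL: does not look like an SQS queue URL")
        elif region and match.group("region") != region:
            # The queue lives in one region; the SQS Region field must name the same one.
            problems.append(
                f"SQS URL: queue is in {match.group('region')} but SQS Region says {region}"
            )
    return problems


# Constructed placeholder values; none of these are real credentials.
SAMPLE_GOOD = {
    "Unique Customer Identifier": "EXAMPLE-CUSTOMER-ID",
    "Client ID": "EXAMPLE-CLIENT-ID",
    "Client Secret": "EXAMPLE-CLIENT-SECRET",
    "Cloud Endpoint API": "https://api.crowdstrike.com",
    "Access-Key": "EXAMPLE-ACCESS-KEY",
    "Secret Key": "EXAMPLE-SECRET-KEY",
    "SQS Region": "us-west-2",
    "SQS URL": "https://sqs.us-west-2.amazonaws.com/123456789012/example-fdr-queue",
}

if __name__ == "__main__":
    # Region mismatch plus a pasted secret with trailing whitespace.
    sample_bad = dict(SAMPLE_GOOD, **{"SQS Region": "us-east-1", "Secret Key": "EXAMPLE-SECRET-KEY "})
    for label, creds in (("good", SAMPLE_GOOD), ("bad", sample_bad), ("empty", {})):
        print(label, "->", check_fdr_credentials(creds) or "looks consistent")
```

Run it with the values you intend to paste; anything it reports is cheaper to fix now than after a failed connection attempt, when correcting credentials requires a Rapid7 Support ticket.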

Stop processing CrowdStrike FDR data

Once setup has been completed and a connection between InsightIDR and CrowdStrike FDR has been established, you can stop the processing of data.

  1. From the InsightIDR left menu, select Settings > Third Party Agents.
  2. Switch the toggle OFF. The Disconnect Data Processing panel will appear.
  3. Click Disconnect.

Stop collecting CrowdStrike FDR data

If you no longer want to send CrowdStrike FDR data to Rapid7, contact Rapid7 Support to deactivate the integration and stop the collection of data.

How to Update your Credentials

It can take up to 1 hour for InsightIDR to establish a connection to the Crowdstrike Falcon Data Replicator. During this time, you can update your credentials using the Update Credentials button on the Third Party Agents page. Once a connection has been established, this button will no longer be available, and you will need to contact Rapid7 Support to update your credentials.

Update incorrect credentials during setup

You can only update your credentials while InsightIDR is establishing a connection. If a connection has already been established and you need to update your credentials, contact Rapid7 Support.

  1. On the Third Party Agents page, click Update Credentials.
  2. Update your credentials. For more information see [Obtain Crowdstrike Credentials].
  3. After verifying that you correctly entered the credentials, select "I've verified the credentials."
  4. Click Submit Credentials. InsightIDR will now attempt to establish a connection to the CrowdStrike Falcon Data Replicator.

Update outdated credentials

To update your credentials after the setup has completed, you must contact Rapid7 Support.

Validate Your Data Flow

Once InsightIDR establishes a connection, the toggle will be set to ON. At this point, if you have our Enhanced Endpoint Telemetry add-on module, you can view your CrowdStrike FDR process data in Log Search.

Log Search takes every log of raw, collected data and automatically sorts them into Log Sets for you. CrowdStrike FDR process start data appears under Endpoint Activity > Process Start Events. You may also navigate to the Log Search page from the Third Party Agents page and enter your own query.

Toggle states and their meanings

Toggle state: Description

  • ON: Data is flowing from CrowdStrike FDR into InsightIDR.
  • OFF (before first-time setup): There is no connection between CrowdStrike FDR and InsightIDR.
  • OFF (after setup): If the toggle is switched off after a connection has been established, InsightIDR is not processing CrowdStrike FDR data.
  • System Processing: Displays while InsightIDR attempts to establish a connection to CrowdStrike FDR.