SIEM and Endpoint Integration

Challenge and Technical Objectives

Our team recently developed a SIEM and SOAR Integration for Crowdstrike, connecting QRadar's SIEM capabilities to the FALCON Endpoint Protection Platform.

The application requirement was to combine Crowdstrike’s FALCON Endpoint Protection Platform (EPP) with QRadar's SIEM capabilities. Falcon EPP consists of Falcon Insight and Falcon Intel.

The application's purpose is to ingest Crowdstrike Platform’s events and display detection alerts from Crowdstrike’s instance and display it in custom role-based dashboards within QRadar.

Solution Designed

The solution was designed to ingest events using streaming APIs and automate detection alerts of Indicators of Compromise (IOCs). This includes leveraging QRadar’s search capabilities using Crowdstrike’s Threat Graph API. It also includes Advanced Enrichment via correlation of IBM data to get CS Intel. The solution can also connect to the multiple CS clouds, each cloud can be configured to receive data from multiple clients.

To achieve real-time detection alerts, data streams are processed in parallel threads. For each new client added to one of the CS clouds, a new thread will be initialized to poll detections from the CS cloud. As each client is polling in their own thread, detections from all the clients can be received simultaneously.

The solution architecture supports: Multiple and various events from Streaming API, Changing the Streaming API and Query API call to OAuth API call, and Modifying the QRadar config page.

Technologies Deployed and Version

The application was built with the following technologies: Python 3, Parallel processing with multiple threads, AQL Queries, Crowdstrike API, and AWS Platform for Hosting.

QRadar version: Original version: 7.3.x, Python 2 | Upgraded version: 7.4.x, Python 3

The Results

Published two (2) Applications with QRadar:

1. CrowdStrike Falcon Intel
2. CrowdStrike Falcon EndPoint

Upgraded to multi-tenancy architecture:

The apps receive the CS Intel and Endpoint Detection data from multiple clients, each residing in different clouds that are geographically distributed.

1. US Commercial Cloud
2. Falcon On GovCloud
3. EU Cloud
4. US Commercial Cloud 2

Data from each cloud is processed in parallel to achieve high performance and real-time detection alerts.

The application has been published in the IBM X-Force exchange with user guide documentation. The applications have been downloaded by 1000+ instances combined users of both QRadar and Crowdstrike.

Want to learn more about our applications? Contact us at connect@metronlabs.com.