CrowdStrike Falcon Integration
Overview
CrowdStrike Falcon is a cloud-native endpoint detection and response (EDR) platform. KYRA MDR ingests CrowdStrike detection and event data via the Falcon SIEM Connector or the Streaming API for centralized threat correlation. The integration supports the Falcon Prevent, Insight, and Discover modules.
Prerequisites
- A KYRA MDR Collector installed and running
- CrowdStrike Falcon tenant with administrative access
- API client credentials (Client ID and Secret) with Event Streams scope
- Falcon SIEM Connector or Streaming API access
Configuration
Configure CrowdStrike Falcon SIEM Connector:
- In the Falcon console, navigate to Support > API Clients and Keys
- Create a new API client with Event Streams: Read scope
- Note the Client ID and Client Secret
- Install the Falcon SIEM Connector on a Linux host:
```bash
sudo dpkg -i falcon-siem-connector.deb
sudo /opt/crowdstrike/etc/cs.falconhoseclient.cfg \
  --cid <client-id> \
  --csecret <client-secret> \
  --output syslog \
  --syslog-host <collector-ip> \
  --syslog-port 514
sudo systemctl start cs.falconhoseclient
```
- Verify events are flowing with:
```bash
sudo systemctl status cs.falconhoseclient
```
Collected Log Types
| Log Type | Description | Security Use |
|---|---|---|
| Detection | Malware and behavioral detections | Endpoint threat detection |
| Incident | Correlated detection groups | Incident investigation |
| Authentication | User logon/logoff events | Identity monitoring |
| Process | Process creation and termination | Threat hunting, lateral movement |
| Network | Endpoint network connections | C2 detection, data exfiltration |
| File | File creation, modification, deletion | Ransomware detection, forensics |
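To show what the collector receives once the connector above is pointed at it with `--output syslog`, here is an added Python example (not part of this page, nor CrowdStrike's or KYRA's code) that parses forwarded lines, maps the Event Streams `eventType` onto the Log Type column of the table, and drops the repeated events described under Troubleshooting. The syslog line layout, the event field names and the sample lines are assumptions constructed for the example.

```python
import json
import re

# Constructed syslog lines as the connector might forward them to the collector
# (assumption: the JSON event travels verbatim as the syslog message body). Line 2
# repeats line 1, as happens when two connectors share one set of API credentials;
# line 4 is a non-JSON message that must be skipped rather than abort ingestion.
SAMPLE_LINES = [
    '<14>Jan 10 12:00:01 falconhost cs.falconhoseclient: {"metadata": {"customerIDString": "0123456789abcdef", "offset": 42, "eventType": "DetectionSummaryEvent", "eventCreationTime": 1700000000000}, "event": {"Severity": 4, "SeverityName": "High", "DetectName": "Malicious Document", "ComputerName": "WS-0042", "UserName": "alice", "FileName": "invoice.docm", "Tactic": "Initial Access", "Technique": "Spearphishing Attachment", "DetectId": "ldt:0123456789abcdef:42"}}',
    '<14>Jan 10 12:00:01 falconhost cs.falconhoseclient: {"metadata": {"customerIDString": "0123456789abcdef", "offset": 42, "eventType": "DetectionSummaryEvent", "eventCreationTime": 1700000000000}, "event": {"Severity": 4, "SeverityName": "High", "DetectName": "Malicious Document", "ComputerName": "WS-0042", "UserName": "alice", "FileName": "invoice.docm", "Tactic": "Initial Access", "Technique": "Spearphishing Attachment", "DetectId": "ldt:0123456789abcdef:42"}}',
    '<14>Jan 10 12:00:02 falconhost cs.falconhoseclient: {"metadata": {"customerIDString": "0123456789abcdef", "offset": 43, "eventType": "AuthActivityAuditEvent", "eventCreationTime": 1700000001000}, "event": {"UserId": "bob@example.com", "OperationName": "userAuthenticate", "Success": true, "UserIp": "203.0.113.5"}}',
    '<14>Jan 10 12:00:03 falconhost cs.falconhoseclient: heartbeat',
]

# PRI, timestamp, host, tag, then the JSON body (assumed layout).
SYSLOG_RE = re.compile(r"^<\d+>\S+ +\d+ [\d:]+ \S+ \S+: (?P<body>\{.*\})$")

# Event Streams eventType values mapped onto the Log Type column above; types not
# listed here are kept but labelled "Unmapped" so nothing is silently dropped.
EVENT_TYPE_TO_LOG_TYPE = {
    "DetectionSummaryEvent": "Detection",
    "IncidentSummaryEvent": "Incident",
    "AuthActivityAuditEvent": "Authentication",
}

def parse_line(line):
    """Return (log_type, metadata, event) for one forwarded line, or None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    try:
        doc = json.loads(m.group("body"))
        meta, event = doc["metadata"], doc["event"]
    except (ValueError, KeyError, TypeError):
        return None
    if not isinstance(meta, dict) or not isinstance(event, dict):
        return None
    return EVENT_TYPE_TO_LOG_TYPE.get(meta.get("eventType"), "Unmapped"), meta, event

def ingest(lines):
    """Normalize events, dropping repeats of the same tenant/type/stream offset."""
    seen, out = set(), []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        log_type, meta, event = parsed
        key = (meta.get("customerIDString"), meta.get("eventType"), meta.get("offset"))
        if key in seen:
            continue  # same event delivered twice (e.g. two connectors, one credential)
        seen.add(key)
        out.append({"log_type": log_type, "host": event.get("ComputerName"),
                    "severity": event.get("SeverityName"), "detect_name": event.get("DetectName"),
                    "tactic": event.get("Tactic"), "user": event.get("UserName") or event.get("UserId")})
    return out
```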
Troubleshooting
SIEM Connector not streaming: Verify the API credentials have the correct scope (Event Streams: Read). Check the connector logs at /var/log/crowdstrike/falconhoseclient.log.
Missing detections: The SIEM Connector streams events in near real-time. Ensure the connector service is running and the API rate limits are not exceeded.
Duplicate events: If multiple SIEM Connectors share the same API credentials, events may be duplicated. Use unique client credentials per connector.
Contact kyra@seekerslab.com for support.