
CrowdStrike Integration (Beta)

Integrating with CrowdStrike Falcon allows you to select and kick off triage acquisition on hosts with the Falcon Sensor installed using CrowdStrike Real Time Response.

Once you have kicked off the triage acquisition, CrowdStrike Falcon Real Time Response locates the endpoint running the CrowdStrike Falcon Sensor and runs a Cado Host command on it that collects the triage package and uploads it to Cado for processing.

For more information, see the CrowdStrike and Cado Security Joint Solution Brief and the CrowdStrike Marketplace listing.

Prerequisites

  1. Create an API Client with the permissions listed below. For more information on how to do this, see this helpful blog article. This API Client will need the following permissions:
  • Real Time Response Admin: Write
  • Hosts: Read
  • Real Time Response: Read
  • Real Time Response: Write
  2. Copy and note down the Client ID, Client Secret and Endpoint URL to enter into the Cado Platform.
  3. Enable Real Time Response either in the Default policies for each operating system, or in your own policies that you attach to a host group.
  4. Create Detections and Preventions Machine Learning exclusions with the following patterns to allow the Windows integration to function:
  • "C:\Windows\Temp\_MEI*\**\CadoHostRawGrabber.exe"
  • "C:\Windows\Temp\cado-host-*\cado-host.exe"
Note

CrowdStrike Falcon defines policies on a “per platform basis”, so you will need both a Windows Response Policy and a Linux Response Policy that allow RTR Admin.
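The two Machine Learning exclusion patterns above carve a hole in Falcon's detections, so it is worth confirming how narrowly they match before applying them. The following Python matcher is an added example, not Cado or CrowdStrike code; it assumes standard glob semantics (`*` stays within one path component, `**` spans components) and case-insensitive matching, which have not been verified against Falcon's own exclusion engine.

```python
import re

# Exclusion patterns from this page, copied here as a constructed test fixture.
CADO_EXCLUSIONS = [
    r"C:\Windows\Temp\_MEI*\**\CadoHostRawGrabber.exe",
    r"C:\Windows\Temp\cado-host-*\cado-host.exe",
]


def glob_to_regex(pattern: str) -> re.Pattern:
    """Translate an exclusion glob into an anchored, case-insensitive regex.

    Assumed semantics (standard glob, not verified against Falcon's engine):
      *   any run of characters within a single path component
      **  followed by a separator: zero or more whole path components
    """
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**\\", i):
            parts.append(r"(?:[^\\]+\\)*")  # zero or more directories
            i += 3
        elif pattern[i] == "*":
            parts.append(r"[^\\]*")         # stay inside one component
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def is_excluded(path: str, patterns=CADO_EXCLUSIONS) -> bool:
    """True if any exclusion pattern would cover this path."""
    return any(glob_to_regex(p).match(path) for p in patterns)


def review(paths, patterns=CADO_EXCLUSIONS) -> dict:
    """Map each candidate path to whether it falls inside the exclusions."""
    return {p: is_excluded(p, patterns) for p in paths}


if __name__ == "__main__":
    # Constructed sample paths: the two Cado binaries plus look-alikes that
    # should NOT be excluded, so the exclusion stays as narrow as intended.
    sample = [
        r"C:\Windows\Temp\_MEI12345\bin\CadoHostRawGrabber.exe",
        r"C:\Windows\Temp\cado-host-1\cado-host.exe",
        r"C:\Windows\Temp\cado-host-1\other.exe",
        r"C:\Users\bob\cado-host-1\cado-host.exe",
    ]
    for path, excluded in review(sample).items():
        print(f"{'EXCLUDED' if excluded else 'scanned '}  {path}")
```

Any path reported as EXCLUDED will bypass the ML detections you disabled for it, so the look-alike paths in the sample should all come back as scanned.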

Enabling integration in the Cado Platform

  1. Enable the beta CrowdStrike integration feature by navigating to Settings > Experiments and toggling the “Crowdstrike” feature.

  2. Navigate to Settings > Integrations > XDR and click “Add Connection”.
  3. Click “Add Connection” and select CrowdStrike from the dropdown menu. Enter the URL, Client ID and Client Secret from the previous section. The integration should then appear on the settings page.

  4. In any project, click “Import” -> XDR -> CrowdStrike.
  5. If you have configured it correctly, it should show a paginated list of all the hosts that have the CrowdStrike Falcon sensor installed and are part of the correct Host Group.