
How to Integrate with CrowdStrike

Integrating CrowdStrike Falcon with Cado allows you to initiate triage acquisition on hosts running the Falcon Sensor via CrowdStrike Real Time Response.

Once initiated, CrowdStrike Falcon Real Time Response will locate the endpoint with the Falcon Sensor, execute a Cado Host command to collect the triage package, and upload it to Cado for processing.

For more information, see the CrowdStrike and Cado Security Joint Solution Brief and the CrowdStrike Marketplace listing.

Prerequisites

  1. Create an API Client with the following permissions. Refer to this blog article for instructions:
    • Real Time Response Admin: Write
    • Hosts: Read
    • Real Time Response: Read
    • Real Time Response: Write
    • Alerts: Read
    • Detections: Read
  2. Note the Client ID, Client Secret, and Endpoint URL for entry into the Cado Platform.
  3. Enable Real Time Response in the Default policies for each OS or in custom policies attached to host groups.
  4. Create Detections and Preventions Machine Learning exclusions with the following patterns to enable Windows integration:
    • Windows\Temp\_MEI*\**\CadoHostRawGrabber.exe
    • Windows\Temp\cado-host-*\cado-host.exe
  5. (Optional) To prevent endpoint detection alerts for CadoHostRawGrabber.exe related to HiveCredTheft, RawReadOnSAMHive, and RawReadOnSecurityHive, create IOA exclusions with the following patterns:
    • Image Filename: .*\\Windows\\Temp\\_MEI.*\\.*\\CadoHostRawGrabber\.exe
    • Command Line: .*\\Windows\\TEMP\\_MEI.*\\binaries\\CadoHostRawGrabber\.exe\s+--inputPath\s+.*\s+--outputPath\s+.*\\Windows\\TEMP\\.*

Exclusions are not required for Linux and macOS.
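Because an IOA exclusion suppresses alerts, it is worth confirming before deploying it that the two patterns in step 5 only cover the Cado Host binary in its expected temp location and not an arbitrary executable elsewhere. The following is an added example, not code from Cado or CrowdStrike: it applies the two regular expressions above to a few constructed sample events. It assumes, as an approximation of Falcon's matching, that both patterns are evaluated case-insensitively against the full string; the `_MEI123456` directory name and all event values are constructed for the test.

```python
import re

# IOA exclusion patterns exactly as listed in the prerequisites above.
IMAGE_FILENAME_PATTERN = r".*\\Windows\\Temp\\_MEI.*\\.*\\CadoHostRawGrabber\.exe"
COMMAND_LINE_PATTERN = (
    r".*\\Windows\\TEMP\\_MEI.*\\binaries\\CadoHostRawGrabber\.exe"
    r"\s+--inputPath\s+.*\s+--outputPath\s+.*\\Windows\\TEMP\\.*"
)

# Assumption: Falcon matches each pattern against the whole value, ignoring case.
# re.fullmatch and re.IGNORECASE approximate that behaviour here.
_IMAGE_RE = re.compile(IMAGE_FILENAME_PATTERN, re.IGNORECASE)
_CMD_RE = re.compile(COMMAND_LINE_PATTERN, re.IGNORECASE)


def exclusion_applies(image_filename: str, command_line: str) -> bool:
    """Return True only when BOTH the image path and the command line match,
    i.e. when the exclusion would suppress an alert for this process event."""
    image_ok = _IMAGE_RE.fullmatch(image_filename) is not None
    cmd_ok = _CMD_RE.fullmatch(command_line) is not None
    return image_ok and cmd_ok


def evaluate_samples() -> dict:
    """Run constructed sample events (not real telemetry) through the check and
    return {sample_name: excluded?} so the scope of the exclusion is visible."""
    legit_image = r"C:\Windows\Temp\_MEI123456\binaries\CadoHostRawGrabber.exe"
    legit_cmd = (
        r"C:\Windows\TEMP\_MEI123456\binaries\CadoHostRawGrabber.exe "
        r"--inputPath C:\Windows\System32\config\SAM "
        r"--outputPath C:\Windows\TEMP\cado-host-out\SAM"
    )
    samples = {
        # The expected Cado Host triage run: should be excluded.
        "cado_host_triage": (legit_image, legit_cmd),
        # Same file name dropped outside the _MEI temp directory: must NOT be excluded.
        "same_name_outside_mei_dir": (r"C:\Users\Public\CadoHostRawGrabber.exe", legit_cmd),
        # A different binary inside the _MEI directory: must NOT be excluded.
        "other_binary_in_mei_dir": (r"C:\Windows\Temp\_MEI123456\binaries\other.exe", legit_cmd),
        # Correct binary, but output written outside Windows\TEMP: must NOT be excluded.
        "output_outside_windows_temp": (
            legit_image,
            r"C:\Windows\TEMP\_MEI123456\binaries\CadoHostRawGrabber.exe "
            r"--inputPath C:\Windows\System32\config\SAM --outputPath D:\share\out",
        ),
    }
    return {name: exclusion_applies(img, cmd) for name, (img, cmd) in samples.items()}


if __name__ == "__main__":
    for name, excluded in evaluate_samples().items():
        print(f"{name:32s} excluded={excluded}")
```

Only the first sample is suppressed; the other three still alert because the exclusion requires the specific binary name, the `_MEI*\...` temp path, and an output path under `Windows\TEMP` all at once. If you adapt the patterns for a different deployment path, rerun this kind of check so the exclusion does not widen beyond the Cado Host process.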

Note: CrowdStrike Falcon defines policies by platform, so you will need separate Windows and Linux Response Policies that allow RTR Admin. macOS is not currently supported.

Enabling the Integration in Cado Platform

  1. Go to Settings > Integrations > XDR and click Add Connection.

  2. Select CrowdStrike from the dropdown menu. Enter the URL, Client ID, and Client Secret from the prerequisites section. The integration will then appear on the settings page.

    [Screenshot: CrowdStrike dropdown]

  3. In any investigation, click Import > XDR > CrowdStrike.

  4. If configured correctly, a paginated list of hosts with the CrowdStrike Falcon Sensor installed will appear, showing those within the appropriate Host Group.