How to Integrate with CrowdStrike
Integrating CrowdStrike Falcon with Cado allows you to initiate triage acquisition on hosts running the Falcon Sensor via CrowdStrike Real Time Response.
Once initiated, CrowdStrike Falcon Real Time Response will locate the endpoint with the Falcon Sensor, execute a Cado Host command to collect the triage package, and upload it to Cado for processing.
For more information, see the CrowdStrike and Cado Security Joint Solution Brief and the CrowdStrike Marketplace listing.
Prerequisites
- Create an API Client with the following permissions. Refer to this blog article for instructions:
  - Real Time Response Admin: Write
  - Hosts: Read
  - Real Time Response: Read
  - Real Time Response: Write
  - Alerts: Read
  - Detections: Read
- Note the Client ID, Client Secret, and Endpoint URL for entry into the Cado Platform.
- Enable Real Time Response in the Default policies for each OS or in custom policies attached to host groups.
- Create Detections and Preventions Machine Learning exclusions with the following patterns to enable Windows integration:
  - `Windows\Temp\_MEI*\**\CadoHostRawGrabber.exe`
  - `Windows\Temp\cado-host-*\cado-host.exe`
- (Optional) To prevent endpoint detection alerts for CadoHostRawGrabber.exe related to HiveCredTheft, RawReadOnSAMHive, and RawReadOnSecurityHive, create IOA exclusions with the following patterns:
  - Image Filename: `.*\\Windows\\Temp\\_MEI.*\\.*\\CadoHostRawGrabber\.exe`
  - Command Line: `.*\\Windows\\TEMP\\_MEI.*\\binaries\\CadoHostRawGrabber\.exe\s+--inputPath\s+.*\s+--outputPath\s+.*\\Windows\\TEMP\\.*`

Exclusions are not required for Linux and macOS.
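Because an over-broad exclusion would also hide genuinely malicious reads of the SAM or SECURITY hive, it is worth confirming that the patterns above match only the Cado Host tooling's real paths and command lines. The following is an added Python example, not Cado's or CrowdStrike's code, that evaluates the page's Machine Learning exclusion globs and IOA regexes against constructed sample values. It assumes that in Falcon's glob syntax `*` does not cross a path separator while `**` does, and that IOA regexes are matched case-insensitively against the whole string; the sample paths, the `_MEI123456` directory name and the `--inputPath`/`--outputPath` arguments are constructed for illustration.

```python
import re

# Machine Learning exclusion globs exactly as given on the page.
ML_EXCLUSIONS = [
    r"Windows\Temp\_MEI*\**\CadoHostRawGrabber.exe",
    r"Windows\Temp\cado-host-*\cado-host.exe",
]

# IOA exclusion regexes exactly as given on the page.
IOA_IMAGE_FILENAME = r".*\\Windows\\Temp\\_MEI.*\\.*\\CadoHostRawGrabber\.exe"
IOA_COMMAND_LINE = (
    r".*\\Windows\\TEMP\\_MEI.*\\binaries\\CadoHostRawGrabber\.exe\s+--inputPath\s+.*"
    r"\s+--outputPath\s+.*\\Windows\\TEMP\\.*"
)


def glob_to_regex(pattern: str) -> str:
    """Translate a Falcon-style exclusion glob into a Python regex.

    Assumption: '*' stays within one path component, '**' may span several,
    and the glob may be preceded by a drive letter or parent directories.
    """
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append(r"[^\\]*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return r"(?:^|\\)" + "".join(parts) + "$"


def ml_exclusion_matches(pattern: str, path: str) -> bool:
    return re.search(glob_to_regex(pattern), path, re.IGNORECASE) is not None


def ioa_matches(regex: str, value: str) -> bool:
    # Assumption: Falcon evaluates IOA regexes case-insensitively over the full string.
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def is_excluded(kind: str, value: str) -> bool:
    if kind == "ml":
        return any(ml_exclusion_matches(p, value) for p in ML_EXCLUSIONS)
    if kind == "image":
        return ioa_matches(IOA_IMAGE_FILENAME, value)
    if kind == "cmdline":
        return ioa_matches(IOA_COMMAND_LINE, value)
    raise ValueError(f"unknown kind: {kind}")


# Constructed samples: (kind, value, should the exclusion apply?).
SAMPLES = [
    ("ml", r"C:\Windows\Temp\_MEI123456\binaries\CadoHostRawGrabber.exe", True),
    ("ml", r"C:\Windows\Temp\cado-host-1a2b3c\cado-host.exe", True),
    # '*' must not cross into a sub-directory.
    ("ml", r"C:\Windows\Temp\cado-host-1a2b3c\sub\cado-host.exe", False),
    # Same binary name outside Windows\Temp must stay covered by ML detection.
    ("ml", r"C:\Users\Public\_MEI1\bin\CadoHostRawGrabber.exe", False),
    ("image", r"C:\Windows\Temp\_MEI123456\binaries\CadoHostRawGrabber.exe", True),
    ("image", r"C:\Users\Public\_MEI123456\binaries\CadoHostRawGrabber.exe", False),
    ("cmdline",
     r"C:\Windows\TEMP\_MEI123456\binaries\CadoHostRawGrabber.exe "
     r"--inputPath C:\Windows\System32\config\SAM "
     r"--outputPath C:\Windows\TEMP\cado-host-1a2b3c\SAM", True),
    # Output written anywhere other than Windows\TEMP is not excluded.
    ("cmdline",
     r"C:\Windows\TEMP\_MEI123456\binaries\CadoHostRawGrabber.exe "
     r"--inputPath C:\Windows\System32\config\SAM "
     r"--outputPath C:\Users\Public\SAM", False),
]


def evaluate(samples=SAMPLES):
    """Return (kind, value, expected, actual) for every sample."""
    return [(k, v, exp, is_excluded(k, v)) for k, v, exp in samples]


def mismatches(samples=SAMPLES):
    """Samples where the exclusion scope differs from what was intended."""
    return [row for row in evaluate(samples) if row[2] != row[3]]


if __name__ == "__main__":
    for kind, value, expected, actual in evaluate():
        status = "OK " if expected == actual else "BAD"
        print(f"{status} {kind:7} excluded={str(actual):5} {value}")
```

Extend `SAMPLES` with the actual image paths and command lines observed in your own Falcon telemetry before relying on the exclusions; any row reported as `BAD` means the pattern is either too narrow (alerts will still fire during triage) or too broad (unrelated activity would be suppressed).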
CrowdStrike Falcon defines policies by platform, so you will need separate Windows and Linux Response Policies that allow RTR Admin. macOS is not currently supported.
Enabling the Integration in Cado Platform
- Go to Settings > Integrations > XDR and click Add Connection.
- Select CrowdStrike from the dropdown menu. Enter the URL, Client ID, and Client Secret from the prerequisites section. The integration will then appear on the settings page.
- In any investigation, click Import > XDR > CrowdStrike.
- If configured correctly, a paginated list of hosts with the CrowdStrike Falcon Sensor installed will appear, showing those within the appropriate Host Group.