Centralise security alerts from Crowdstrike with Elastic SIEM
Elastic SIEM provides a centralised environmental activity for both internal and external context. With connectors available for most common security tools, new data can be ingested with one-click integrations, community-built plug-ins, and simple custom connectors.
Crowdstrike is one of the pioneers of global cyber security and an advanced cloud-native platform for protecting endpoints, cloud workloads, identities and data.
In this article, we will focus on how to integrate the Crowdstrike Falcon threat detections into Elastic SIEM to make use of Elasticsearch querying and visualisation capabilities. Elastic SIEM will be the central platform to provide a holistic view of the security posture of an organisation.
What is covered:
Setup a sandbox environment to generate threats
Use CrowdStrike EDR to detect these threats
Setup Falcon SIEM connector to share alerts
Use Elastic Agent to consume alerts and visualise in Elastic SIEM
The architecture consists of three main core components:
Falcon SIEM Connector
The endpoint machines are the machines on which the Crowdstrike Host sensor would be installed for continuous monitoring of suspicious activities. Crowdstrike Host sensor is a lightweight application that actively scans for threats on the machine without having to manually run virus scans.
Falcon Insight™ is the EDR (Endpoint Detection and Response) module of CrowdStrike Falcon® endpoint protection.
It ensures consumers have real-time visibility into everything that is happening on their endpoints from a security perspective, eliminating the risk of “silent failure,” which allows intruders to remain in your environment undetected
Falcon SIEM Connector
The SIEM Connector provides users a way to consume the SIEM consumable data streams.
Virtual/Endpoint Machines with Crowdstrike sensor installed or Crowdstrike Falcon Sandbox
Elastic Cloud with Kibana and Integration Server
Virtual Machine to run SIEM connector and Fleet Agent with Crowdstrike agent
Triggering Malicious Activities:
Once prerequisites are complete, start triggering the malwares in the endpoint machines which contain the Crowdstrike host sensor.
If a threat is detected the Crowdstrike EDR will show the threat and the related information in the Endpoint Security Dashboard.
Visualizing in Elasticsearch:
The SIEM Connector will keep polling the threats and write to the following output path: (var/log/crowdstrike/falconhoseclient/output) by default. The Elastic Agent will also keep reading from the Crowdstrike SIEM path and push into Elasticsearch. The Elastic Agent will ensure that the ECS format will be maintained.
One might be wondering what purpose does Elasticsearch solve? The important reason for exporting data to Elasticsearch stack is because of its strong querying and aggregation capabilities. Kibana on the other hand makes use of the aggregation for defining the different custom dimensions on display in visualizations which Crowdstrike fails to provide.