How to Use CrowdStrike with IBM’s QRadar
Introduction
The CrowdStrike platform includes an extensive set of APIs for use by both customers and partners. In this video and article, we will look at one example of how those APIs can be leveraged by a specific partner product, IBM’s QRadar.
Video
Getting Started
Before setting up and reviewing the integration options, there are just a few prerequisite steps. Additional documentation can be found here.
- Download the CrowdStrike app from the IBM X-Force App Exchange. This extension enables QRadar to ingest the CrowdStrike event data.
- Upload that app to your QRadar instance via the web browser.
- To get started with the CrowdStrike API, you’ll want to first define the API client and set its scope. Refer to this guide to getting access to the CrowdStrike API for setting up a new API client key. Grant the new API client the following scopes, and no more than the integration needs.
- Detection – Read, Write
- Hosts – Read, Write
- Event Streams – Read
- IOCs – Write
Once the app is installed, the API information will be entered in the screen shown below.
How can customers use CrowdStrike event data within the QRadar interface?
Once the QRadar integrations are enabled, you will receive a feed of your CrowdStrike detections in the QRadar interface. They will be shown as “Offenses” with a description that identifies them as CrowdStrike, plus additional details to reflect the event type.
For each type, you will see an event count and have the option to drill down for additional details. Here, we will look closer at the eight sensor-based machine learning detections.
From that view, you can then drill down again to a specific detection.
On the event information screen, you get all of the details associated with that detection. It includes the computer name, start time, containment status, and filename as well as any related CrowdStrike Intelligence reports.
What actions can customers take from the QRadar interface?
Network Containment
Using the “CrowdStrike Sensor ID” field, you can manage the containment status of the system.
You can choose to “Contain” a system, or “Lift Containment” as needed.
Detection Status
Using the “CrowdStrike Detect ID” field, you also have the ability to manage the detection status.
Options for detection status include “In Progress”, “True Positive”, “False Positive” and “Ignored”. This option gives you the ability to manage workflows while updating both the QRadar and CrowdStrike event status fields.
Open Detection Event
Using the “CrowdStrike Falcon® Host Link” you can also open the specific detection in the CrowdStrike UI to view the entire process tree.
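As an added example, not code from the article or from the IBM/CrowdStrike app, the following Python shows how the two write actions above (containment keyed on the Sensor ID, and detection status keyed on the Detect ID) map onto the Falcon API when driven by an API client with the scopes listed under Getting Started. The endpoint paths, the status value names, the ID formats and the US-1 base URL are assumptions taken from the public Falcon API reference rather than from this article; check them against your tenant’s documentation before use. The dry-run transport records the exact requests that would be sent, so you can review the payloads (and confirm the client secret never ends up in a log) before pointing it at the real API.

```python
# Added example, not from the article or the QRadar app. Assumptions (verify
# against your Falcon API reference): endpoint paths and status strings follow
# the public Falcon API; a sensor ID (AID) is 32 lowercase hex chars; a
# detection ID looks like "ldt:<aid>:<number>"; BASE_URL is the US-1 cloud.
import json
import re
import urllib.parse
import urllib.request

BASE_URL = "https://api.crowdstrike.com"  # assumption: US-1 cloud

# QRadar action labels from the article -> Falcon detection status values
STATUS_MAP = {
    "In Progress": "in_progress",
    "True Positive": "true_positive",
    "False Positive": "false_positive",
    "Ignored": "ignored",
}

AID_RE = re.compile(r"^[0-9a-f]{32}$")
DETECT_ID_RE = re.compile(r"^ldt:[0-9a-f]{32}:\d+$")


def https_transport(method, url, headers, body):
    """Real transport: send the request, return (HTTP status, parsed JSON body)."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, json.loads(resp.read() or b"{}")


class RecordingTransport:
    """Dry-run transport: records each request (secret redacted) instead of sending it."""

    def __init__(self):
        self.requests = []

    def __call__(self, method, url, headers, body):
        if headers.get("Content-Type") == "application/json":
            decoded = json.loads(body)
        else:  # OAuth2 token request is form-encoded
            decoded = dict(urllib.parse.parse_qsl(body.decode()))
        if "client_secret" in decoded:
            decoded["client_secret"] = "<redacted>"  # never log the secret
        self.requests.append({"method": method, "url": url, "headers": headers, "body": decoded})
        if url.endswith("/oauth2/token"):
            return 201, {"access_token": "dry-run-token", "expires_in": 1799}
        return 200, {"resources": [], "errors": []}


class FalconClient:
    def __init__(self, client_id, client_secret, base_url=BASE_URL, transport=https_transport):
        self._client_id = client_id
        self._client_secret = client_secret
        self.base_url = base_url
        self.transport = transport  # injectable so the client can be exercised offline
        self._token = None

    def authenticate(self):
        """OAuth2 client-credentials grant using the API client from the prerequisites."""
        form = urllib.parse.urlencode(
            {"client_id": self._client_id, "client_secret": self._client_secret}).encode()
        headers = {"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"}
        status, data = self.transport("POST", self.base_url + "/oauth2/token", headers, form)
        if status not in (200, 201) or "access_token" not in data:
            raise RuntimeError(f"token request failed: HTTP {status}")
        self._token = data["access_token"]
        return self._token

    def _call(self, method, path, payload):
        if self._token is None:
            self.authenticate()
        headers = {"Authorization": "Bearer " + self._token,
                   "Content-Type": "application/json", "Accept": "application/json"}
        status, data = self.transport(method, self.base_url + path, headers, json.dumps(payload).encode())
        if status // 100 != 2:
            raise RuntimeError(f"{method} {path} failed: HTTP {status} {data.get('errors')}")
        return data

    def set_containment(self, aid, contain):
        """Contain or lift containment on one host. Needs the Hosts - Write scope."""
        if not AID_RE.match(aid):
            raise ValueError(f"not a Falcon sensor ID: {aid!r}")
        action = "contain" if contain else "lift_containment"
        return self._call("POST", f"/devices/entities/devices-actions/v2?action_name={action}", {"ids": [aid]})

    def set_detection_status(self, detect_id, qradar_label):
        """Set one detection's status from a QRadar label. Needs the Detection - Write scope."""
        if not DETECT_ID_RE.match(detect_id):
            raise ValueError(f"not a Falcon detection ID: {detect_id!r}")
        if qradar_label not in STATUS_MAP:
            raise ValueError(f"unknown status label: {qradar_label!r}")
        return self._call("PATCH", "/detects/entities/detects/v2",
                          {"ids": [detect_id], "status": STATUS_MAP[qradar_label]})


def dry_run(aid, detect_id):
    """Return the requests that 'Contain' plus 'False Positive' would send, without network access."""
    rec = RecordingTransport()
    client = FalconClient("client-id", "client-secret", transport=rec)
    client.set_containment(aid, contain=True)
    client.set_detection_status(detect_id, "False Positive")
    return rec.requests


if __name__ == "__main__":
    sample_aid = "0123456789abcdef0123456789abcdef"  # constructed sample value
    for r in dry_run(sample_aid, f"ldt:{sample_aid}:123456"):
        print(r["method"], r["url"], r["body"])
```

Running the module prints three requests: the token request (secret redacted), the containment POST and the status PATCH; the bearer token obtained once is reused for both write calls. Swap `transport=https_transport` (the default) in for `RecordingTransport` to send for real, and keep the client secret out of anything that logs request bodies.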
Conclusion
CrowdStrike understands that companies have existing security tools and SIEM products like IBM’s QRadar. Our API-first approach makes it possible for you to leverage CrowdStrike event data as needed to optimize your workflows and maximize the efforts of your overworked security staff.