
How to Use CrowdStrike with IBM’s QRadar

Introduction

The CrowdStrike platform includes an extensive set of APIs for use by both customers and partners. In this video and article, we will look at one example of how those APIs can be leveraged by a specific partner product – IBM’s QRadar.

Video

Getting Started

Before setting up and reviewing the integration options, there are just a few prerequisite steps.

  1. Download the CrowdStrike app from the IBM X-Force App Exchange. This extension enables QRadar to ingest the CrowdStrike event data.
  2. Upload that app to your QRadar instance via the web browser.
  3. Collect the CrowdStrike API keys required for the desired level of integration.
    • Endpoint – There are three API keys required to set up the data exchange and integration of your event data between CrowdStrike and QRadar. The Stream and Query API keys can be obtained from CrowdStrike support. An OAuth API key that allows read / write access to “Detections” and read / write access on “Hosts” can be configured in the Falcon UI.
    • Intel – For Intel customers, the Intel API key is required to see correlated threat intelligence for the detections in the QRadar instance. That key can be obtained from CrowdStrike support.

Once the app is installed, the API information will be entered in the screens shown below. The first is for the endpoint APIs.

qradar api config

There is a separate configuration screen for the Intel integration.

qradar intel api config

How can customers use CrowdStrike event data within the QRadar interface?

Once the QRadar integrations are enabled, you will receive a feed of your CrowdStrike detections in the QRadar interface. They will be shown as “Offences” with a description that identifies them as CrowdStrike, with additional details to reflect the event type.

qradar offenses

For each type, you will see an event count and have the option to drill down for additional details. Here, we will look closer at the eight sensor-based machine learning detections.

qradar ml

From that view, you can then drill down again to a specific detection.

qradar event list

On the event information screen, you get all of the details associated with that detection. It includes the computer name, start time, containment status, and filename as well as any related CrowdStrike Intelligence reports.

qradar intel

What actions can customers take from the QRadar interface?

Network Containment

Using the “CrowdStrike Sensor ID” field, you can manage the containment status of the system.

qradar contain

You can choose to “Contain” a system, or “Lift Containment” as needed.

qradar contain status

Detection Status

Using the “CrowdStrike Detect ID” field, you also have the ability to manage the detection status.

qradar detection

Options for detection status include “In Progress”, “True Positive”, “False Positive” and “Ignored”. This option gives you the ability to manage workflows while updating both the QRadar and CrowdStrike event status fields.

qradar detection status
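As an added illustration (not the QRadar app’s own code, nor CrowdStrike’s), here is a minimal Python client showing the OAuth2 token exchange and the two write operations that the OAuth key’s Detections and Hosts read/write permissions exist for: the detection status update and the Contain / Lift Containment actions described in this section. The endpoint paths and the US-1 base URL are assumptions to check against the current Falcon API documentation for your cloud; the transport is injectable so the client can be exercised offline against a fake.

```python
# Constructed illustration, not the QRadar app's code. Endpoint paths are assumptions
# to verify against the current Falcon API documentation for your cloud.
import json
import time
from urllib import parse, request

BASE_URL = "https://api.crowdstrike.com"  # assumption: US-1 cloud; other clouds differ
# QRadar detection status options mapped to the values the Falcon API expects.
STATUS_MAP = {"In Progress": "in_progress", "True Positive": "true_positive",
              "False Positive": "false_positive", "Ignored": "ignored"}

def http_transport(method, url, headers, body):
    # Real transport: send the request and return (HTTP status, parsed JSON body).
    req = request.Request(url, data=body, method=method, headers=headers)
    with request.urlopen(req, timeout=30) as resp:
        return resp.status, json.loads(resp.read() or b"{}")

class FalconClient:
    def __init__(self, client_id, client_secret, transport=http_transport):
        self.client_id, self.client_secret = client_id, client_secret
        self.transport = transport  # injectable, so the client can be exercised offline
        self._token, self._expires_at = None, 0.0

    def token(self):
        """OAuth2 client-credentials grant; cached and refreshed a minute before expiry."""
        if self._token and time.time() < self._expires_at - 60:
            return self._token
        form = parse.urlencode({"client_id": self.client_id, "client_secret": self.client_secret})
        status, data = self.transport("POST", BASE_URL + "/oauth2/token", {"Content-Type": "application/x-www-form-urlencoded"}, form.encode())
        if status not in (200, 201) or "access_token" not in data:
            raise RuntimeError(f"token request failed: HTTP {status}")
        self._token, self._expires_at = data["access_token"], time.time() + data.get("expires_in", 0)
        return self._token

    def _call(self, method, path, payload):
        headers = {"Authorization": "Bearer " + self.token(), "Content-Type": "application/json"}
        status, data = self.transport(method, BASE_URL + path, headers, json.dumps(payload).encode())
        if status >= 400:
            raise RuntimeError(f"{method} {path} failed: HTTP {status} {data}")
        return data

    def set_detection_status(self, detect_id, qradar_status):
        """Needs the OAuth client's Detections write permission."""
        return self._call("PATCH", "/detects/entities/detects/v2", {"ids": [detect_id], "status": STATUS_MAP[qradar_status]})

    def contain_host(self, sensor_id, lift=False):
        """Needs Hosts write permission; mirrors the Contain / Lift Containment menu actions."""
        action = "lift_containment" if lift else "contain"
        return self._call("POST", "/devices/entities/devices-actions/v2?action_name=" + action, {"ids": [sensor_id]})
```

Scope the OAuth client to exactly these two permissions, since that is all the status and containment actions require.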

Open Detection Event

Using the “CrowdStrike Falcon Host Link” you can also open the specific detection in the CrowdStrike UI to view the entire process tree.

qradar event URL

Conclusion

CrowdStrike understands that companies have existing security tools and SIEM products like IBM’s QRadar. Our API-first approach makes it possible for you to leverage the CrowdStrike event data as needed to optimize your workflows and maximize the efforts of your overworked security staff.
