How to Use CrowdStrike with IBM’s QRadar

Introduction

The CrowdStrike platform includes an extensive set of API’s for use by both customers and partners. In this video and article, we will look at one example of how those API’s can be leveraged by a specific partner product – IBM’s QRadar.

Video

Getting Started

Before setting up and reviewing the integration options, there are a just a few prerequisite steps. Additional documentation can be found here.

  1. Download the CrowdStrike app from the IBM X-Force App Exchange. This extension enables QRadar to ingest the CrowdStrike event data.
  2. Upload that app to your QRadar instance via the web browser.
  3. To get started with the CrowdStrike API, you’ll want to first define the API client and set its scope. Refer to this guide to getting access to the CrowdStrike API for setting up a new API client key. For the new API client, make sure the scope includes the following.
    • Detection – Read, Write
    • Hosts – Read, Write
    • Event Streams – Read
    • IOCs – Write

Once the app is installed, the API information will be entered in the screen shown below.

qradar api configuration dialog box

How can customers use CrowdStrike event data within the QRadar interface?

Once the QRadar integrations are enabled, you will receive a feed of your CrowdStrike detections in the QRadar interface. They will be shown as “Offences” with a description that identifies then as CrowdStrike with additional details to reflect the event type.

qradar offenses

 

For each type, you will see an event count and have the option to drill down for additional details. Here, we will look closer at the eight sensor based machine learning detection

qradar ml

 

From that view, you can then drill down again to a specific detection.

qradar event list

 

On the event information screen, you get all of the details associated with that detection. It includes the computer name, start time, containment status, and filename as well as any related CrowdStrike Intelligence reports.

qradar intel

What actions can customers take from the QRadar interface?

Network Containment

Using the “CrowdStrike Sensor ID” field, you can manage the containment status of the system.

qradar contain

 

You can choose to “Contain” a system, or “Lift Containment” as needed.

qradar contain status

 

Detection Status

Looking to the “CrowdStrike Detect ID” you also have the ability to manage the detection status.

qradar detection

 

Options for detection status include “In Progress”, “True Positive”, “False Positive” and “Ignored”. This option gives you the ability to manage work flows while updating both the QRadar and CrowdStrike event status fields.

qradar detection status

Open Detection Event

Using the “CrowdStrike Falcon Host Link” you can also open the specific detection in the CrowdStrike UI to view the entire process tree.

qradar event URL

 

Conclusion

Crowdstrike understands that companies have existing security tools and SIEM products like IBM’s QRadar. Our API first approach makes it possible for you to leverage the CrowdStrike event data as needed to optimize your workflows and maximize the efforts of your overworked security staff.

More resources

CrowdStrike Falcon Free Trial
 

Try CrowdStrike Free for 15 Days Get Started with A Free Trial