Crowdstrike Falcon Data Replicator


This guide describes the steps required to configure Crowdstrike Falcon Data Replicator to send Falcon logs to S3 storage for ingestion into SamurAI MDR via a cloud collector.

Prerequisites

Ensure that you have the required subscriptions to use Crowdstrike Falcon Data Replicator and that an AWS cloud collector has been deployed via the Samurai MDR portal.

If you are planning to reuse an already deployed cloud collector, its details can be found as follows:

  1. Navigate to the Samurai MDR portal.
  2. Click Telemetry and select Collectors from the main menu.
  3. Click on the name of the desired collector.
  4. Note down the following information:
  • Account number
  • Bucket name
  • Region

Alternatively, you can use the integration setup wizard in the Samurai MDR portal for the desired telemetry source listed on the Product Integration Guide page; it provides the same information required to set up your telemetry source.

Enabling Crowdstrike Falcon Data Replicator Logs

Follow the Crowdstrike Falcon Data Replicator documentation:

  1. Log in to the Crowdstrike Falcon portal at https://falcon.crowdstrike.com/login/
  2. Click the menu at the top left and browse to Support and resources -> Documentation
  3. Proceed to Falcon Data Replicator under Tools and Reference
  4. Within that document, follow the steps outlined in Use your own S3 bucket, using the S3 bucket that has been set up as a collector within Samurai.

When following the vendor documentation, make the following adjustments:

  • S3 bucket policy: Extend the existing bucket policy instead of overwriting it, so that SamurAI access to the bucket keeps working.
  • Log file SSE-KMS encryption: If enabled, extend the KMS key policy with the following statement (again, add it to the existing statements rather than replacing them):
    {
        "Sid": "Allow NTTHS Samurai account to use this KMS key",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::600502389717:root"
        },
        "Action": [
            "kms:Decrypt",
            "kms:ReEncrypt*",
            "kms:GenerateDataKey*",
            "kms:DescribeKey"
        ],
        "Resource": "*"
    }
  • Data to forward: When opening the support case with Crowdstrike, specify the primary events to be forwarded to the S3 bucket.
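Both the S3 bucket policy and the KMS key policy adjustments above come down to the same rule: add a statement to the existing policy document without dropping the statements already in it. The following Python is an added example written for this guide, not code from Crowdstrike or Samurai MDR. It merges the KMS statement quoted above into a constructed sample key policy (the default "Enable IAM User Permissions" statement with a placeholder account id 111122223333), replacing an earlier copy with the same Sid so the operation can be re-run safely, and includes a check that every principal allowed before the change is still allowed afterwards. The same function works for an S3 bucket policy, since both policy types share the same document shape; the sample policy, the Sid of the existing statement and the placeholder account id are assumptions.

```python
import json
from typing import Any

# The KMS key-policy statement from the integration guide (account id as given in the guide).
SAMURAI_KMS_STATEMENT: dict[str, Any] = {
    "Sid": "Allow NTTHS Samurai account to use this KMS key",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::600502389717:root"},
    "Action": ["kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"],
    "Resource": "*",
}

# Constructed sample of an existing key policy before the change. The statement mirrors
# the default AWS key policy; 111122223333 is a placeholder for your own account id.
EXISTING_KMS_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": "kms:*",
            "Resource": "*",
        }
    ],
})

# The mistake the guide warns against: a policy that contains only the new statement.
OVERWRITTEN_KMS_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [SAMURAI_KMS_STATEMENT]})


def extend_policy(policy_json: str, new_statement: dict[str, Any]) -> str:
    """Return policy_json with new_statement merged in, keeping every existing statement.

    A statement carrying the same Sid is replaced, so calling this twice yields the
    same result. Applies equally to KMS key policies and S3 bucket policies.
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single-statement policy may use a bare object
        statements = [statements]
    sid = new_statement.get("Sid")
    kept = [s for s in statements if sid is None or s.get("Sid") != sid]
    kept.append(new_statement)
    policy["Statement"] = kept
    return json.dumps(policy, indent=2)


def principal_arns(policy_json: str) -> set[str]:
    """Collect the AWS principals named in Allow statements of a policy document."""
    arns: set[str] = set()
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, str):  # "Principal": "*"
            arns.add(principal)
            continue
        aws = principal.get("AWS", [])
        for arn in [aws] if isinstance(aws, str) else aws:
            arns.add(arn)
    return arns


def statement_count(policy_json: str) -> int:
    """Number of statements in the policy document."""
    statements = json.loads(policy_json).get("Statement", [])
    return 1 if isinstance(statements, dict) else len(statements)


def access_preserved(before: str, after: str) -> bool:
    """True when every principal allowed by `before` is still allowed by `after`,
    i.e. the policy was extended rather than overwritten."""
    return principal_arns(before) <= principal_arns(after)


if __name__ == "__main__":
    merged = extend_policy(EXISTING_KMS_POLICY, SAMURAI_KMS_STATEMENT)
    print(merged)
    print("extended policy keeps existing access:", access_preserved(EXISTING_KMS_POLICY, merged))
    print("overwritten policy keeps existing access:", access_preserved(EXISTING_KMS_POLICY, OVERWRITTEN_KMS_POLICY))
```

In practice you would fetch the current document (for example with `aws kms get-key-policy` or `aws s3api get-bucket-policy`), pass it through `extend_policy`, run `access_preserved` against the original, and only then write the result back; the check is what catches the accidental overwrite the guide cautions against.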

Our integration guide was accurate at the time of writing, but vendors change things frequently. If you find errors or anything outdated, let us know by raising a request in the Samurai MDR application and we will get it updated.