Crowdstrike Falcon Data Replicator (FDR)

SamurAI [Local] Collector	SamurAI [Cloud] Collector

This guide explains how to configure CrowdStrike Falcon Data Replicator (FDR) so that security telemetry is ingested into the SamurAI platform via AWS SQS.

CrowdStrike FDR delivers data by:

• Writing event files to a CrowdStrike managed S3 bucket
• Publishing notifications to a CrowdStrike managed SQS queue
• Allowing authorized consumers (such as SamurAI) to read data using FDR credentials

Prerequisites

1. CrowdStrike Licensing

• Falcon Data Replicator (FDR) must be enabled on the Falcon tenant
• This requires an active FDR subscription
• If FDR is not enabled, CrowdStrike Support must enable it first

2. Permissions

The user performing setup must have access to:

• Support - API Clients and Keys in the Falcon console
• Permission to create API Clients with FDR read access

From the Crowdstrike Falcon Console

Verify FDR is Enabled

1. Log in to CrowdStrike Falcon Console
2. Navigate to:
   • Support - API Clients and Keys
   • Confirm that FDR AWS S3 Credentials and SQS Queue is visible.

If not present, open a ticket with CrowdStrike Support to enable FDR.

Create FDR API Credentials

1. In Support - API Clients and Keys
2. Locate FDR AWS S3 Credentials and SQS Queue
3. Click Create new credentials
4. CrowdStrike will generate:
   • Client ID (also referred to as AWS Access Key)
   • Client Secret (also referred to as AWS Secret Key)

Copy and securely store the Secret immediately. The secret is only shown once and cannot be retrieved later.

Collect the SQS Queue URL

1. In the same FDR AWS S3 Credentials and SQS Queue section
2. Locate the SQS Queue URL
3. Copy the full URL (for example:
   • https://sqs.eu-west-1.amazonaws.com/xxxxxxxx/fdr-queue-name

This URL is the Feed URL required for the SamurAI platform integration.

Identify the Storage Region

• The Storage Region is the AWS region where the SQS queue and S3 bucket reside

• This is visible:

  • In the SQS Queue URL (for example eu-west-1)
  • Or explicitly listed in the FDR credentials table

This region must be entered exactly as shown.

Complete the Crowdstrike FDR Integration

You will need:

• Client ID: from Step 4 under Create FDR API Credentials
• Secret: from Step 4 under Create FDR API Credentials
• Storage Region: from section Identify the Storage Region
• Feed URL: from step 3 under Collect the SQS Queue URL

1. Login to the SamurAI Portal

2. Click Telemetry and select Integrations from the main menu

3. Select Create

4. Locate and click Crowdstrike Falcon Data Replicator

5. Click Next (we leverage a Samurai Cloud Collector)

6. Enter a Name of Integration

7. Enter a Description (Optional)

8. Enter your Client ID

9. Enter your Secret

10. Enter the Storage Region

11. Enter the Feed URL

12. Click Finish

Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the SamurAI MDR Portal and we shall get it updated.