Extend protection beyond your endpoints with CrowdStrike Falcon® XDR integrated with ExtraHop NDR. Falcon® XDR provides consolidated threat visibility, hassle-free detections and investigation, and end-to-end orchestration and response.
This integration sends the Detections and Records that ExtraHop generates from your wire data to Falcon XDR in real time.
Bundle file: Falcon XDR_ Connector.json (9.6 KB)
The following figure shows an example of ExtraHop Record data in XDR, which you can then use to build dashboards or run queries with the LogScale Query Language.
Figure 1. ExtraHop Record data in XDR
- Triggers (5):
- Falcon XDR: Detection Connector
- Falcon XDR: Record Connector - DNS_RESPONSE
- Falcon XDR: Record Connector - HTTP_RESPONSE
- Falcon XDR: Record Connector - RDP_OPEN
- Falcon XDR: Record Connector - SSL_OPEN
- You must have Reveal(x) Enterprise or 360, running firmware 8.8 or later
- An ExtraHop user account that has Unlimited privileges
- You must have Falcon XDR
- You must be able to set up an ExtraHop Reveal(x) Data Connector in Falcon
- Follow the CrowdStrike documentation (in the Falcon console) and return to these steps when you have your ingest endpoint and authentication token
When installing the bundle on a Command appliance or Cloud Control Plane, select the option to install the bundle on all of the connected sensors that should participate in this integration.
- Download the bundle on this page.
- Upload and apply the bundle.
When installing this bundle on a Command appliance or 360 console, configure the open data stream (ODS) targets on each connected Discover appliance that the bundle was installed on.
- Log into the Admin UI on the Discover appliance.
- Configure an HTTP target for an open data stream with the following parameters:
- In the Name field, type
- In the Host field, type in the hostname CrowdStrike provided when configuring the Reveal(x) data ingestion
- In the Port field, type in 443
- From the Type drop-down list, select HTTPS.
- Check “Multiple connections”
- Enter the Additional HTTP header using your XDR token
Authorization: Bearer <YOUR_INGEST_TOKEN>
Note: Replace <YOUR_INGEST_TOKEN> with the token CrowdStrike provided when configuring the Reveal(x) data ingestion
The completed ODS target page should look similar to the following figure:
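Before pointing the ODS target at CrowdStrike, it is worth confirming that the sensor actually sends the Bearer header and well-formed JSON. The lab stub below is an added example, not part of the bundle or of any CrowdStrike or ExtraHop code: it mimics an ingest endpoint, rejects posts whose Authorization header does not match the expected token, and tallies records by kind. The `record_type` field name and the token value are assumptions (constructed placeholders), since the page does not show the record schema.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed placeholder; use the same value you put in the ODS header for the lab run.
EXPECTED_TOKEN = "REPLACE_WITH_YOUR_INGEST_TOKEN"


def check_ingest(headers: dict, body: bytes, expected_token: str = EXPECTED_TOKEN):
    """Validate one POST as the ODS target would deliver it.

    Returns (http_status, summary). Header names are matched case-insensitively,
    as HTTP requires. 'record_type' is an assumed field name for the record kind.
    """
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
    if auth != f"Bearer {expected_token}":
        return 401, {"error": "missing or wrong Authorization: Bearer header"}
    try:
        data = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return 400, {"error": "body is not valid JSON"}
    records = data if isinstance(data, list) else [data]
    counts = {}
    for rec in records:
        kind = rec.get("record_type", "UNKNOWN") if isinstance(rec, dict) else "UNKNOWN"
        counts[kind] = counts.get(kind, 0) + 1
    return 200, {"received": len(records), "by_type": counts}


class IngestStub(BaseHTTPRequestHandler):
    """Minimal receiver: logs the verdict for each POST and answers with the status."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        status, summary = check_ingest(dict(self.headers), self.rfile.read(length))
        self.log_message("%s %s", status, json.dumps(summary))
        self.send_response(status)
        self.end_headers()


if __name__ == "__main__":
    # Plain HTTP on 8080 for a lab only; the real ODS target uses HTTPS on port 443.
    HTTPServer(("0.0.0.0", 8080), IngestStub).serve_forever()
```

Point a temporary ODS target at the stub host, trigger some DNS or SSL traffic on an assigned device, and watch the log for 200 responses with the expected record types before switching the target back to the CrowdStrike hostname.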
- In the Web UI on the Reveal(x) 360 Console or Command appliance where you installed the bundle, click the System Settings icon, and then click Triggers.
- In the list of triggers, filter on Falcon XDR
- Click the select all checkbox at the top left next to Name
- Click Enable in the right-hand pane
- (Optional) Click each Record Connector trigger to modify its assignments and pick the specific Devices or Groups whose Records will be sent. Note: the Detection Connector trigger has no assignments and all Detections are sent; only the Record Connector triggers need assignments
- Click Save, then click Done.
- Your configured data is now available in Falcon XDR in real time