Red Canary’s longstanding partnership with CrowdStrike leverages the complete telemetry collected by the Falcon sensor that is processed and analyzed first by the Red Canary platform, then by our Cyber Incident Response Team (CIRT) to confirm threats and eliminate false positives.

While most companies’ CrowdStrike integrations are focused on the alerts generated by the CrowdStrike platform, Red Canary’s low-level integration leverages the raw telemetry via the Falcon Data Replicator, an integration developed jointly by CrowdStrike and Red Canary in 2016.

This combination of CrowdStrike alerts, CrowdStrike telemetry, and Red Canary’s detection and response delivers the best security outcomes for CrowdStrike users.

How it works

Red Canary and CrowdStrike use several integration points to implement exceptional security operations.

Getting started

Connect your CrowdStrike Falcon deployment to Red Canary by following these simple steps:

1. Request an Authorization Form from your Red Canary contact. This form instructs CrowdStrike to grant Red Canary access to your CrowdStrike console and begin sending your telemetry to Red Canary for processing.
2. Complete and submit the Authorization Form to support@crowdstrike.com and include your CrowdStrike account manager and your Red Canary contact.
3. Share your CrowdStrike CID with Red Canary so we can configure our platform to accept your data.
4. Red Canary will coordinate the telemetry connection with CrowdStrike and notify you when data is successfully flowing between the platforms.
5. Red Canary will configure an alert source for CrowdStrike that sends each CrowdStrike alert to Red Canary for investigation.

This process generally takes three to five days, depending on CrowdStrike’s responsiveness to the MSSP Authorization form you submit.

What kind of CrowdStrike data does Red Canary process?

We receive all of the data collected by your CrowdStrike sensors, as well as a number of system events generated by the CrowdStrike platform. Endpoint telemetry is used for detection purposes, whereas several system events become audit logs in Red Canary.

What happens to my CrowdStrike alerts when I activate Red Canary?

Every alert generated by CrowdStrike’s detection rules is processed by Red Canary to determine if the alert was a true or false positive. Red Canary’s investigation of these alerts adds additional context to confirmed alerts to accelerate your response.

You can enable “alert synchronization” to automatically update and close the alerts in the CrowdStrike platform once Red Canary has completed our review to keep your console tidy.

Can I export the data collected by CrowdStrike?

Yes. You can use the Canary Exporter to export CrowdStrike telemetry from Red Canary into your SIEM, long-term storage, or other processing pipeline. For more information, see Exporting telemetry from Red Canary in the Red Canary Help Center.