IBM Security QRadar


QRadar x Crowdstrike "Detections" (Falcon Endpoint)

  • 1.  QRadar x Crowdstrike "Detections" (Falcon Endpoint)

    Posted Mon April 08, 2024 06:56 AM

    Hey,

    We've recently had issues with QRadar and Crowdstrike connections, but we settled on using Falcon Endpoint as an app and getting the logs through that. After doing so, we started to get some detections (finally!), but we then noticed that only a small number of detections were actually coming through. As an example, in Crowdstrike we had 12 alerts/detections, yet only two came through to QRadar. Is there a reason this might be?



    ------------------------------
    Charlie Kemp
    SOC Manager
    ------------------------------


  • 2.  RE: QRadar x Crowdstrike "Detections" (Falcon Endpoint)

    Posted Thu May 16, 2024 09:33 AM

    Hello,

    The Crowdstrike Falcon Endpoint app uses an application to pull down events to QRadar and send them to the log source.
    If the events are not getting to QRadar, then you would need to contact Crowdstrike to investigate the issue, since they developed and support the Crowdstrike application.
    https://supportportal.crowdstrike.com/
    If Crowdstrike can verify that the events are being sent to QRadar, then please raise a case with IBM QRadar Support with the information provided by Crowdstrike.

    Regards,



    ------------------------------
    Comghall Morgan
    QRadar Support Architect
    IBM
    ------------------------------