IBM QRadar

We use Crowdstrike and we are interested in getting the EDR Data out of Crowdstrike into QRadar. The existing QRadar apps and DSM only pull out DETECTIONS and nothing else.

the Falcon Data Replicator is essentially all the data in JSON format put into an AWS S3 bucket with an SQS queue. We have QRoC and everyone seems to be gawking at performing this integration.

This seems to be yet another instance were there are clear and easy routes to integrate with Splunk but I'm struggling to get it to work with QRadar.

Anyone have any thoughts or insight?

I can suggest trying to using the DSM editor and creating a parser for your log source

DSM Editor overview - IBM Documentation

or create a uDSM and create a Log Souce extension

Log source extensions - IBM Documentation

The IBM Security® Expert Labs can help you create a udsm and log source extension if you need help

There is a feature request for this integration you can vote up here: https://ibmsecurity.ideas.ibm.com/ideas/QDSM-I-1674

I hope you are not the same person I was discussing this issue in a private chat in the QRadar Subreddit, but Crowdstrike Falcon FDR has some unique SQS formatting for the data it adds to the S3 bucket. There is no Crowdstrike FDR DSM (yet), but also a protocol issue as is not just a matter of creating a DSM for these events. The last user I chatted with on this CS FDR had attempted the integration, but was having issues due to this custom SQS format. After discussing these issues with dev, I believe a protocol needs to be created so the SQS events can be correctly received by QRadar.

I would vote up the existing idea so that we can get an investigation in to the SQS protocol issues in front of development teams.

Yep, that was me! It's got a few votes now so hopefully it will come under review soon.