Device Integration: CrowdStrike Falcon Data Replicator (FDR)

Modified on Tue, 14 Apr at 9:47 PM


Overview

This Knowledge Base Article (KBA) explains how to integrate CrowdStrike Falcon Data Replicator (FDR) with the ADR SIEM platform.
CrowdStrike FDR continuously exports Falcon telemetry and security logs to a CrowdStrike-managed Amazon S3 bucket. The exported logs are then delivered via Amazon SQS for consumption by SIEM tools.

To enable this integration, the customer must have an active FDR license and work with the CrowdStrike Support team to activate FDR export and generate the required AWS credentials.


Integration Steps

Prerequisites

Ensure the following prerequisites are met before configuration:

  • Active CrowdStrike Falcon FDR license

  • FDR export enabled by CrowdStrike Support

  • AWS credentials provided by CrowdStrike:

    • AWS Access Key ID

    • AWS Secret Access Key

    • SQS Queue URL

    • AWS Region

  • Required permissions on the credentials:

    • sqs:ReceiveMessage

    • sqs:DeleteMessage

    • sqs:GetQueueAttributes

    • s3:GetObject

Note:
If AWS API credentials are generated from the CrowdStrike Falcon Console, the above permissions are already pre-configured.

Step 1: Enable FDR Export (CrowdStrike Side)

  1. Confirm that your organization has the FDR license.

  2. Contact CrowdStrike Support to:

    • Enable FDR export in the Falcon Console

    • Generate AWS credentials and SQS details

  3. CrowdStrike will provide:

    • AWS Access Key ID

    • AWS Secret Access Key

    • SQS Queue URL

    • AWS Region

Important:

  • Logs are exported to a CrowdStrike-owned S3 bucket

  • Customers do not need to create or manage any S3 bucket

Step 2: Configure CrowdStrike FDR on ADR UI

  1. Log in to the ADR UI

  2. Navigate to:
    Provisioning → Addon Devices → Add

  3. Fill in the following fields:

Device

  • Select: CrowdStrike FDR

Name

  • Enter a meaningful device name

CCE Host

  • Enter the CCE IP address

Username / Access Key

  • Enter the AWS Access Key ID

Password / Secret Key

  • Enter the AWS Secret Access Key

Step 3: Add Configuration in JSON Format

In the Config field, enter the following JSON:

    {
      "region": "xx-xxxx-x",
      "url": "https://your.sqs.url"
    }

Example Configuration

    {
      "region": "us-west-2",
      "url": "https://sqs.us-west-2.amazonaws.com/272323453180/cs-mav-cannon-gyr-queue-2134234242538-592ee818"
    }

  1. Click Save to complete the configuration.


Verification (MSSP Only)

Verification from ADR UI

  1. Wait for 10–15 minutes

  2. Log in to ADR UI

  3. Navigate to:
    System → Logs / Flows Collection Status

  4. Verify that:

    • CrowdStrike FDR device status is Active

    • Logs are being received successfully

Additional Notes

  • Customers must coordinate with CrowdStrike Support to enable FDR export.

  • All credentials and SQS details are provided by CrowdStrike after FDR activation.

  • No customer-managed S3 bucket is required.

  • Incorrect region or SQS URL may result in no log ingestion.
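
The Config JSON from Step 3 can be checked before it is saved, since a wrong region or SQS URL results in no log ingestion. The following is an added example, not part of the ADR product or of CrowdStrike tooling: the function name check_fdr_config is hypothetical, and it assumes the standard commercial-partition endpoint form https://sqs.<region>.amazonaws.com/<account-id>/<queue-name>.

```python
import json
import re
from urllib.parse import urlparse

# Assumption: standard commercial-partition SQS endpoint,
# https://sqs.<region>.amazonaws.com/<12-digit account id>/<queue name>
_REGION_RE = re.compile(r"^[a-z]{2}(?:-[a-z]+)+-\d$")
_HOST_RE = re.compile(r"^sqs\.([a-z]{2}(?:-[a-z]+)+-\d)\.amazonaws\.com$")
_PATH_RE = re.compile(r"^/\d{12}/[A-Za-z0-9_-]{1,80}(?:\.fifo)?$")

def check_fdr_config(raw):
    """Return a list of problems in the Config JSON; an empty list means it is consistent."""
    try:
        cfg = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(cfg, dict):
        return ["top-level value must be a JSON object"]
    problems = [f"missing or empty '{k}'" for k in ("region", "url")
                if not isinstance(cfg.get(k), str) or not cfg[k].strip()]
    if problems:
        return problems
    if cfg["region"] != cfg["region"].strip() or cfg["url"] != cfg["url"].strip():
        problems.append("leading/trailing whitespace in a value")
    region, url = cfg["region"].strip(), cfg["url"].strip()
    if not _REGION_RE.match(region):
        problems.append(f"region '{region}' is not an AWS region code")
    parsed = urlparse(url)
    if parsed.scheme != "https":
        problems.append("url must use https")
    host = _HOST_RE.match(parsed.hostname or "")
    if not host:
        problems.append("url host is not sqs.<region>.amazonaws.com")
    elif host.group(1) != region:
        # The mismatch most likely to cause silent non-ingestion.
        problems.append(f"region '{region}' does not match url region '{host.group(1)}'")
    if not _PATH_RE.match(parsed.path):
        problems.append("url path is not /<12-digit account id>/<queue name>")
    return problems

# Constructed sample (not a real account or queue): region disagrees with the URL.
SAMPLE = ('{"region": "us-east-1", "url": '
          '"https://sqs.us-west-2.amazonaws.com/123456789012/example-fdr-queue"}')

if __name__ == "__main__":
    for line in check_fdr_config(SAMPLE) or ["config looks consistent"]:
        print(line)
```

The check is purely syntactic and makes no AWS calls; it does not confirm that the queue exists or that the credentials can read it.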
