
Generating FDR Credentials on CrowdStrike Platform

This guide outlines the steps to enable Falcon Data Replicator (FDR) and generate the necessary AWS credentials to access network telemetry data from the CrowdStrike Falcon platform. These credentials are required for integration with the Xshield Security Platform.


Step 1: Enable Falcon Data Replicator (FDR)

  1. Open a CrowdStrike Support Case (if FDR is not already enabled): Log in to your CrowdStrike Falcon console and open a support case requesting that Falcon Data Replicator (FDR) be enabled for your tenant.

  2. Wait for Confirmation: CrowdStrike Support will notify you via email once FDR has been successfully enabled for your tenant.


Step 2: Generate FDR AWS Credentials

To create FDR credentials, follow the steps below:

  1. Log in to the Falcon Console. URL: https://falcon.crowdstrike.com

  2. Open the FDR Feed Page: Navigate to Support & Resources → Resources & Tools → Falcon Data Replicator

  3. Create or Edit a Feed: Choose to create a new feed or edit an existing one.

  4. Configure Feed Settings

    • Name: Enter a descriptive label for the feed.
    • Set the Feed Status to on.
  5. Apply Filters

By default, all events are included. The integration should not receive every event, so select all events and click the "Remove selected events" button to clear them, then select only the following:

  • Event Types: Include the following event types required for Xshield integration:

    • NetworkListenIP4
    • NetworkConnectIP4
    • NetworkReceiveAcceptIP4
  • Operating Systems: Include relevant OS families based on your monitored environment (e.g., Windows, Linux, macOS).

    📝 Tip: Applying these specific filters ensures that only relevant network telemetry events are exported to Xshield, helping to optimize bandwidth and storage consumption.

  6. Save the Feed: Click Save to apply the configuration.

  7. Record the Generated Information: After creation, the following will be displayed:

    • Client ID (AWS Access Key)
    • Secret (AWS Secret Key)
    • SQS Notification URL
    • AWS Region (e.g., us-west-2, eu-central-1)

    📝 Tip: Store these credentials securely. The secret is shown only once, during creation, and cannot be retrieved again.
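
To confirm that the event-type filter from step 5 took effect, a downloaded FDR batch can be audited for event types outside the three listed above. This is an added example, not part of the original guide and not CrowdStrike or Xshield code; it assumes a batch is a gzip-compressed file with one JSON event per line and that each event carries its type in `event_simpleName`. The sample batch is constructed.

```python
import gzip
import io
import json
from collections import Counter

# Event types the guide keeps in the feed filter (step 5).
ALLOWED_EVENTS = frozenset({"NetworkListenIP4", "NetworkConnectIP4", "NetworkReceiveAcceptIP4"})

def audit_fdr_batch(gz_bytes, allowed=ALLOWED_EVENTS):
    """Audit one gzip-compressed, JSON-lines batch of FDR events.

    Returns (counts, unexpected, malformed): a Counter of event types seen,
    a sorted list of types outside the allowed set, and the number of lines
    that were not JSON objects carrying a string event_simpleName.
    """
    counts = Counter()
    malformed = 0
    raw = io.BytesIO(gz_bytes)
    with gzip.open(raw, mode="rt", encoding="utf-8", errors="replace") as fh:
        for line in fh:
            if not line.strip():
                continue
            try:
                record = json.loads(line)
            except json.JSONDecodeError:
                malformed += 1
                continue
            # Assumption: the event type is in the "event_simpleName" field.
            name = record.get("event_simpleName") if isinstance(record, dict) else None
            if not isinstance(name, str):
                malformed += 1
                continue
            counts[name] += 1
    return counts, sorted(set(counts) - set(allowed)), malformed

def build_sample_batch():
    """Constructed sample: three allowed events, one unfiltered type, one corrupt line."""
    lines = [
        '{"event_simpleName": "NetworkConnectIP4"}',
        '{"event_simpleName": "NetworkConnectIP4"}',
        '{"event_simpleName": "NetworkListenIP4"}',
        '{"event_simpleName": "ProcessRollup2"}',  # should have been filtered out
        "not-json{",
    ]
    return gzip.compress("\n".join(lines).encode("utf-8"))

if __name__ == "__main__":
    counts, unexpected, malformed = audit_fdr_batch(build_sample_batch())
    print(dict(counts), unexpected, malformed)
```

A non-empty `unexpected` list means the feed is exporting more than the integration needs and the filter should be rechecked.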

Summary

By following these steps, you will:

  • Enable Falcon Data Replicator (FDR) for your CrowdStrike Falcon tenant
  • Generate the AWS credentials needed to access FDR data
  • Apply precise filters to include only events required by the Xshield Security Platform
  • Provide the required credentials and feed configuration for seamless integration with Xshield

Appendix: Critical Parameters to Track

| Parameter | Description |
| --- | --- |
| Client ID | AWS Access Key for your FDR integration |
| Secret | AWS Secret Key for authentication |
| SQS URL | Queue to receive object metadata |
| AWS Region | Must be configured in clients to connect successfully |
| Event Type Filters | Include/Exclude specific network event types |
| Operating System Filters | Include/Exclude specific OS types |