
Integrate Contrast Security ADR with CrowdStrike Falcon® Next-Gen SIEM (Northstar)

The Contrast Security ADR integration with CrowdStrike Falcon Next-Gen SIEM enables ADR to send incident details to your Security Information and Event Management (SIEM), Security Orchestration, Automation and Response (SOAR), and Extended Detection and Response (XDR) environments, contextualizing incidents with other threat detection and response solutions.

How it works

When configured, Contrast Security ADR sends detected attack events from the Contrast Security platform to your CrowdStrike instance over HTTPS.

The Contrast Security ADR for CrowdStrike application enables CrowdStrike to:

  • Parse and normalize the data received over HTTPS.

  • Display Contrast Security ADR attack events in CrowdStrike, for consumption in the provided Contrast Security ADR Dashboard in CrowdStrike, or search and correlation in CrowdStrike Cloud SIEM.

Before you begin

Before you start, you must have:

  • CrowdStrike

  • Applications instrumented with a Contrast agent

Set up CrowdStrike log ingestion

Follow the steps outlined in the CrowdStrike documentation.

  • Remember to select Contrast Security Application Detection and Response Data Connector and select Configure.

  • After selecting to generate an API key, copy and safely store the API key and API URL; these will be needed in the next step.

Configure Contrast Security ADR to send events to CrowdStrike

Configure the integration in Northstar to send attack events, observations, and incidents to the CrowdStrike application.

  1. For Northstar, in the left navigation, select Administration > Integrations.

  2. Select the CrowdStrike Falcon option under the Integrations section.

  3. Under the Manage Credentials tab:

    1. Enter the API URL for the destination as well as your authentication token, as configured under Set up CrowdStrike log ingestion.

    2. Select the Integration Enabled toggle to enable the integration. This setting allows you to temporarily disable the integration without losing your configuration.

  4. Under the Advanced tab, select from the modes of data to send to the app:

    1. Select All Observations and incidents to send all attack event observations detected by agents, as well as incidents and the issues associated with each incident. This is recommended for SOC practices that seek deep visibility into application runtime and are building their own custom use cases.

    2. Select Incidents and only incident-related observations to send incidents, associated observations, and issues to Microsoft Sentinel. This is recommended for SOC practices that want to minimize the volume of data sent to their SIEM and only receive alerts for security incidents and related observations.

  5. Select Save.

  6. Continue to Verify successful data ingestion.

Verify successful data ingestion

Important

Search results are not generated until an applicable event occurs. Before verifying successful data ingestion, wait until the data connector status is Active and an event has occurred. Note that if an event timestamp exceeds the retention period, the data is not visible in search.

Refer to the CrowdStrike documentation for more information.

  1. Verify that data is being ingested and appears in Next-Gen SIEM search results.

  2. Confirm that at least one match is generated.

  3. If you need to run a manual search, use this query in Advanced Event Search:

    #Vendor = "contrastsecurity" | #repo = "3pi_contrast_security_adr"

See also