
Integrate Contrast Security ADR with CrowdStrike Falcon® Next-Gen SIEM

The Contrast Security ADR integration with CrowdStrike Falcon® Next-Gen SIEM enables ADR to send incident details to your SIEM (Security Information and Event Management), SOAR (Security Orchestration, Automation and Response), and XDR (Extended Detection and Response) environments, contextualizing incidents with other threat detection and response solutions.

How it works

When configured, Contrast Security ADR sends the attack events it detects from the Contrast Security platform to your CrowdStrike instance over HTTPS.

The Contrast Security ADR for CrowdStrike application enables CrowdStrike to:

  • Parse and normalize the attack-event data received over HTTPS.

  • Display Contrast Security ADR attack events in CrowdStrike, either in the Contrast Security ADR Dashboard that ships with the application, or through search and correlation in Falcon Next-Gen SIEM.

Before you begin

Before you start, you must have:

  • A CrowdStrike Falcon Next-Gen SIEM instance in which you can configure data connectors

  • Applications instrumented with a Contrast agent

Step 1: Set up CrowdStrike log ingestion

Follow the steps for adding a data connector in the CrowdStrike documentation.

  • Select the Contrast Security Application Detection and Response data connector, then select Configure.

  • When you generate the API key, copy the API key and the API URL and store them securely (treat the key as a secret); you need both values in the next step.

Step 2: Configure Contrast Security ADR to send attack events to CrowdStrike

Configure the integration in Contrast to send attack events to the CrowdStrike application.

  1. In Contrast, go to the user menu and select Organization settings > Integrations.

  2. Select the CrowdStrike option under the ADR Integrations section.

  3. Under the CrowdStrike fields, enter the API URL from Step 1 as the destination and the API key from Step 1 as the authentication token.

  4. Select Save.

Step 3: Verify successful data ingestion

Important

Search results are not generated until an applicable event occurs. Before verifying data ingestion, wait until the data connector status is Active and at least one attack event has been detected by a Contrast agent. Events whose timestamp is older than the repository's retention period are no longer visible in search.

Refer to the CrowdStrike documentation for more information.

  1. Verify that data is being ingested and appears in Next-Gen SIEM search results.

  2. Confirm that the search returns at least one matching event.

  3. If you need to run a manual search, use this query in Advanced Event Search:

    #Vendor = "contrastsecurity" | #repo = "3pi_contrast_security_adr"
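To go one step beyond a plain match, the following query (an added example, not taken from the Contrast or CrowdStrike documentation) aggregates the events in the connector's repository and reports how many have arrived and the timestamp of the most recent one, which distinguishes a connector that is current from one that stopped receiving data. It assumes the same #Vendor and #repo values as the query above; groupBy, count, max and formatTime are standard CrowdStrike Query Language functions.

```cql
// Added example: confirm Contrast ADR events are arriving and how recent they are.
// Assumes the #Vendor and #repo tags shown on this page for the Contrast connector.
#Vendor = "contrastsecurity" | #repo = "3pi_contrast_security_adr"
| groupBy(#repo, function=[count(as=events), max(@timestamp, as=last_seen)])
| formatTime("%Y-%m-%d %H:%M:%S", field=last_seen, as=last_seen_utc, timezone="UTC")
```

If the connector is Active but events is zero, no attack event has reached CrowdStrike yet; if last_seen_utc is well in the past, Contrast has not sent anything recently. Events older than the retention period do not appear at all, so a zero count can also mean the only events have aged out.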

See also