DDS: CrowdStrike FDR Integration v1.0.0 #21242

tirthrajchaudhari-crest · 2025-09-03T13:44:18Z

What does this PR do?

This is a initial release PR of Crowdstrike FDR integration including all the required assets.

Integration Logo Source: https://static.datadoghq.com/static/images/logos/crowdstrike_large.svg

Additional Notes

OOTB detection rules JSON would be shared separately with the required teams as a part of separate repository.
Since during the standard attribute remapping we are not preserving the source attributes as per suggested best practices, it would result in filters using these standard attributes populating the values of other integrations as well as per current Datadog behaviour.

Review checklist (to be filled by reviewers)

Feature or bugfix MUST have appropriate tests (unit, integration, e2e)
Add the qa/skip-qa label if the PR doesn't need to be tested during QA.
If you need to backport this PR to another branch, you can add the backport/<branch-name> label to the PR and it will automatically open a backport PR once this one is merged

github-actions · 2025-09-03T13:44:39Z

⚠️ Recommendation: Add qa/skip-qa Label

This PR does not modify any files shipped with the agent.

To help streamline the release process, please consider adding the qa/skip-qa label if these changes do not require QA testing.

rtrieu

Left you some minor feedback for your review!

rtrieu · 2025-09-03T19:23:13Z

crowdstrike_fdr/README.md

+### Set up data replication from CrowdStrike FDR to a customer-owned S3 bucket
+
+#### Configure CrowdStrike FDR Feed
+1. Login to **CrowdStrike Falcon** platform.


Suggested change

1. Login to **CrowdStrike Falcon** platform.

1. Log in to the **CrowdStrike Falcon** platform.

rtrieu · 2025-09-03T19:24:44Z

crowdstrike_fdr/README.md

+
+## Overview
+
+[CrowdStrike Falcon Data Replicator (FDR)][1] is a high-fidelity data export solution that enables organizations to securely stream raw endpoint telemetry in near real time. FDR delivers detailed event data through a data feed in JSON format using S3 (Amazon Web Services Simple Storage Service) and SQS (Amazon Simple Queue Service).


Suggested change

[CrowdStrike Falcon Data Replicator (FDR)][1] is a high-fidelity data export solution that enables organizations to securely stream raw endpoint telemetry in near real time. FDR delivers detailed event data through a data feed in JSON format using S3 (Amazon Web Services Simple Storage Service) and SQS (Amazon Simple Queue Service).

[CrowdStrike Falcon Data Replicator (FDR)][1] is a high-fidelity data export solution that enables organizations to securely stream raw endpoint telemetry in near real time. FDR delivers detailed event data through a data feed in JSON format using Amazon Web Services Simple Storage Service (Amazon S3) and Amazon Simple Queue Service (Amazon SQS).

rtrieu · 2025-09-03T19:25:27Z

crowdstrike_fdr/README.md

+
+[CrowdStrike Falcon Data Replicator (FDR)][1] is a high-fidelity data export solution that enables organizations to securely stream raw endpoint telemetry in near real time. FDR delivers detailed event data through a data feed in JSON format using S3 (Amazon Web Services Simple Storage Service) and SQS (Amazon Simple Queue Service).
+
+Integrate CrowdStrike FDR with Datadog to gain insights into Authentication & Identity, Account & Privilege Changes, Execution Monitoring & Threat Detection, File & Malware Activity and Network Behavior events using pre-built dashboard visualizations. Datadog leverages its built-in log pipelines to parse and enrich these logs, facilitating easy search and detailed insights. Additionally, integration includes ready-to-use Cloud SIEM detection rules for enhanced monitoring and security.


Suggested change

Integrate CrowdStrike FDR with Datadog to gain insights into Authentication & Identity, Account & Privilege Changes, Execution Monitoring & Threat Detection, File & Malware Activity and Network Behavior events using pre-built dashboard visualizations. Datadog leverages its built-in log pipelines to parse and enrich these logs, facilitating easy search and detailed insights. Additionally, integration includes ready-to-use Cloud SIEM detection rules for enhanced monitoring and security.

Integrate CrowdStrike FDR with Datadog to gain insights into Authentication & Identity, Account & Privilege Changes, Execution Monitoring & Threat Detection, File & Malware Activity and Network Behavior events using pre-built dashboard visualizations. Datadog leverages its built-in log pipelines to parse and enrich these logs, facilitating easy search, and detailed insights. Additionally, integration includes ready-to-use Cloud SIEM detection rules for enhanced monitoring and security.

rtrieu · 2025-09-03T19:26:03Z

crowdstrike_fdr/README.md

+   - **Bucket name**: Enter a Bucket name (must be globally unique and begins with the prefix `crowdstrike-fdr` to comply with integration naming requirements).
+   - **AWS Region**: Choose a region.
+      - You can only use your S3 bucket if you're using the US-1, US-2, or EU-1 CrowdStrike clouds.
+      - Ensure that your bucket resides in the same AWS region as your Falcon CID where the FDR feed is  provisioned.


Suggested change

- Ensure that your bucket resides in the same AWS region as your Falcon CID where the FDR feed is provisioned.

- Ensure that your bucket resides in the same AWS region as your Falcon CID where the FDR feed is provisioned.

rtrieu · 2025-09-03T19:27:11Z

crowdstrike_fdr/README.md

+6. In the **Description** section of the support case, be sure to include the following details:
+    - The Falcon Customer ID (CID) where your FDR feed is provisioned
+    - FDR feed name created in `Configure CrowdStrike FDR Feed` section
+    - The ARN of the custom S3 bucket copied in **Step-8** from `Setup Custom AWS S3 Bucket`.


Suggested change

- The ARN of the custom S3 bucket copied in **Step-8** from `Setup Custom AWS S3 Bucket`.

- The ARN of the custom S3 bucket copied in **Step-8** from `Setup Custom AWS S3 Bucket`

rtrieu · 2025-09-03T19:28:42Z

crowdstrike_fdr/README.md

+
+## Configure Datadog Forwarder
+
+- Please refer to the [Datadog Forwarder][2].


Suggested change

- Please refer to the [Datadog Forwarder][2].

- See the [Datadog Forwarder][2] page for configuration steps.

rtrieu

sorry, noticed a few more minor things to comply with our style guide! should be good to go after they get updated.

rtrieu · 2025-09-04T17:54:41Z

crowdstrike_fdr/README.md

+
+[CrowdStrike Falcon Data Replicator (FDR)][1] is a high-fidelity data export solution that enables organizations to securely stream raw endpoint telemetry in near real time. FDR delivers detailed event data through a data feed in JSON format using Amazon Web Services Simple Storage Service (Amazon S3) and Amazon Simple Queue Service (Amazon SQS).
+
+Integrate CrowdStrike FDR with Datadog to gain insights into Authentication & Identity, Account & Privilege Changes, Execution Monitoring & Threat Detection, File & Malware Activity and Network Behavior events using pre-built dashboard visualizations. Datadog leverages its built-in log pipelines to parse and enrich these logs, facilitating easy search, and detailed insights. Additionally, integration includes ready-to-use Cloud SIEM detection rules for enhanced monitoring and security.


Suggested change

Integrate CrowdStrike FDR with Datadog to gain insights into Authentication & Identity, Account & Privilege Changes, Execution Monitoring & Threat Detection, File & Malware Activity and Network Behavior events using pre-built dashboard visualizations. Datadog leverages its built-in log pipelines to parse and enrich these logs, facilitating easy search, and detailed insights. Additionally, integration includes ready-to-use Cloud SIEM detection rules for enhanced monitoring and security.

Integrate CrowdStrike FDR with Datadog to gain insights into Authentication & Identity, Account & Privilege Changes, Execution Monitoring & Threat Detection, File & Malware Activity and Network Behavior events using pre-built dashboard visualizations. Datadog leverages its built-in log pipelines to parse and enrich these logs, facilitating easy search, and detailed insights. Additionally, the integration includes ready-to-use Cloud SIEM detection rules for enhanced monitoring and security.

rtrieu · 2025-09-04T17:54:57Z

crowdstrike_fdr/README.md

+3. In the **FDR feeds** tab, click **Create feed**.
+4. Provide a feed name.
+5. Set the feed **status** to on.
+6. Select **Customize your FDR feed** in **How do you want to create this feed?** option.


Suggested change

6. Select **Customize your FDR feed** in **How do you want to create this feed?** option.

6. Select **Customize your FDR feed** in the **How do you want to create this feed?** option.

rtrieu · 2025-09-04T17:55:13Z

crowdstrike_fdr/README.md

+5. Set the feed **status** to on.
+6. Select **Customize your FDR feed** in **How do you want to create this feed?** option.
+7. Click **Next**.
+8. Include only required **Event name** from the **Primary events** tab.


Suggested change

8. Include only required **Event name** from the **Primary events** tab.

8. Include only the required **Event name** from the **Primary events** tab.

rtrieu · 2025-09-04T17:55:43Z

crowdstrike_fdr/README.md

+
+### Set up data replication from CrowdStrike FDR to a customer-owned S3 bucket
+
+#### Configure CrowdStrike FDR Feed


Suggested change

#### Configure CrowdStrike FDR Feed

#### Configure the CrowdStrike FDR feed

rtrieu · 2025-09-04T17:56:10Z

crowdstrike_fdr/README.md

+9. Click **Next**.
+10. Click **Create feed**.
+
+#### Setup Custom AWS S3 Bucket


Suggested change

#### Setup Custom AWS S3 Bucket

#### Setup a custom AWS S3 bucket

rtrieu · 2025-09-04T17:56:22Z

crowdstrike_fdr/README.md

+8. Copy the **Bucket ARN** of your S3 bucket.
+9. Click **Save changes**.
+
+#### Raise Support Ticket in CrowdStrike


Suggested change

#### Raise Support Ticket in CrowdStrike

#### Raise a support ticket in CrowdStrike

rtrieu

looks good, thanks!

Add crowdstrike-fdr integration

fa8d4bd

temporal-github-worker-1 bot added docs/review-requested ecosystems/review-requested product/review-requested labels Sep 3, 2025

datadog-agent-integrations-bot bot added documentation dev/testing dev/tooling qa/skip-qa Automatically skip this PR for the next QA labels Sep 3, 2025

tirthrajchaudhari-crest changed the title ~~DDS: Crowdstrike FDR Integration v1.0.0~~ DDS: CrowdStrike FDR Integration v1.0.0 Sep 3, 2025

tirthrajchaudhari-crest added 3 commits September 3, 2025 20:30

Add images and test results

082f497

Add dashboard image and update manifest file

c4cca39

Resolve validate-assets stage

c7b6a27

tirthrajchaudhari-crest marked this pull request as ready for review September 3, 2025 15:17

tirthrajchaudhari-crest requested review from a team as code owners September 3, 2025 15:17

datadog-agent-integrations-bot bot added team/agent-integrations team/documentation team/logs-integrations-reviewers team/saas-integrations labels Sep 3, 2025

Empty commit to rerun validate assets

1f8d63f

rtrieu self-assigned this Sep 3, 2025

rtrieu requested changes Sep 3, 2025

View reviewed changes

temporal-github-worker-1 bot added docs/requested-changes and removed docs/review-requested labels Sep 3, 2025

tirthrajchaudhari-crest added 2 commits September 4, 2025 10:41

Address review comments

66020f3

Add facets in pipeline yaml file

c2c269b

tirthrajchaudhari-crest requested a review from rtrieu September 4, 2025 05:44

Minor description update

05a91cc

rtrieu requested changes Sep 4, 2025

View reviewed changes

Address review comments

cd19be2

tirthrajchaudhari-crest requested a review from rtrieu September 5, 2025 05:25

rtrieu approved these changes Sep 5, 2025

View reviewed changes

temporal-github-worker-1 bot added docs/approved and removed docs/requested-changes labels Sep 5, 2025

	1. Login to CrowdStrike Falcon platform.
	1. Log in to the CrowdStrike Falcon platform.


		## Overview

		[CrowdStrike Falcon Data Replicator (FDR)][1] is a high-fidelity data export solution that enables organizations to securely stream raw endpoint telemetry in near real time. FDR delivers detailed event data through a data feed in JSON format using S3 (Amazon Web Services Simple Storage Service) and SQS (Amazon Simple Queue Service).


		[CrowdStrike Falcon Data Replicator (FDR)][1] is a high-fidelity data export solution that enables organizations to securely stream raw endpoint telemetry in near real time. FDR delivers detailed event data through a data feed in JSON format using S3 (Amazon Web Services Simple Storage Service) and SQS (Amazon Simple Queue Service).

		Integrate CrowdStrike FDR with Datadog to gain insights into Authentication & Identity, Account & Privilege Changes, Execution Monitoring & Threat Detection, File & Malware Activity and Network Behavior events using pre-built dashboard visualizations. Datadog leverages its built-in log pipelines to parse and enrich these logs, facilitating easy search and detailed insights. Additionally, integration includes ready-to-use Cloud SIEM detection rules for enhanced monitoring and security.

	- Ensure that your bucket resides in the same AWS region as your Falcon CID where the FDR feed is provisioned.
	- Ensure that your bucket resides in the same AWS region as your Falcon CID where the FDR feed is provisioned.

	- The ARN of the custom S3 bucket copied in Step-8 from `Setup Custom AWS S3 Bucket`.
	- The ARN of the custom S3 bucket copied in Step-8 from `Setup Custom AWS S3 Bucket`


		## Configure Datadog Forwarder

		- Please refer to the [Datadog Forwarder][2].

	- Please refer to the [Datadog Forwarder][2].
	- See the [Datadog Forwarder][2] page for configuration steps.

	6. Select Customize your FDR feed in How do you want to create this feed? option.
	6. Select Customize your FDR feed in the How do you want to create this feed? option.

	8. Include only required Event name from the Primary events tab.
	8. Include only the required Event name from the Primary events tab.


		### Set up data replication from CrowdStrike FDR to a customer-owned S3 bucket

		#### Configure CrowdStrike FDR Feed

	#### Configure CrowdStrike FDR Feed
	#### Configure the CrowdStrike FDR feed

	#### Setup Custom AWS S3 Bucket
	#### Setup a custom AWS S3 bucket

	#### Raise Support Ticket in CrowdStrike
	#### Raise a support ticket in CrowdStrike

DDS: CrowdStrike FDR Integration v1.0.0 #21242

Are you sure you want to change the base?

DDS: CrowdStrike FDR Integration v1.0.0 #21242

Uh oh!

Conversation

tirthrajchaudhari-crest commented Sep 3, 2025

What does this PR do?

Additional Notes

Review checklist (to be filled by reviewers)

Uh oh!

github-actions bot commented Sep 3, 2025

Uh oh!

rtrieu left a comment

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

rtrieu left a comment

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

rtrieu left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!