DataDog · apiazza-dd · Sep 23, 2025 · Sep 3, 2025 · Sep 3, 2025 · Sep 3, 2025
@@ -619,6 +619,11 @@ plaid/assets/logs/                                                  @DataDog/saa
 /beyondtrust_password_safe/manifest.json                             @DataDog/saas-integrations @DataDog/agent-integrations @DataDog/documentation
 /beyondtrust_password_safe/assets/logs/                              @DataDog/saas-integrations @DataDog/documentation @DataDog/logs-integrations-reviewers
 
+/crowdstrike_fdr/                                                    @DataDog/saas-integrations
+/crowdstrike_fdr/*.md                                                @DataDog/saas-integrations @DataDog/documentation
+/crowdstrike_fdr/manifest.json                                       @DataDog/saas-integrations @DataDog/documentation
+/crowdstrike_fdr/assets/logs/                                        @DataDog/saas-integrations @DataDog/documentation @DataDog/logs-integrations-reviewers
+
 # To keep Security up-to-date with changes to the signing tool.
 /datadog_checks_dev/datadog_checks/dev/tooling/signing.py             @DataDog/agent-integrations
 # As well as the secure downloader.

@@ -177,6 +177,8 @@ integration/cri:
 - cri/**/*
 integration/crio:
 - crio/**/*
+integration/crowdstrike_fdr:
+- crowdstrike_fdr/**/*
 integration/databricks:
 - databricks/**/*
 integration/datadog_checks_tests_helper:

@@ -0,0 +1,7 @@
+# CHANGELOG - crowdstrike_fdr
+
+## 1.0.0 / 2025-09-03
+
+***Added***:
+
+* Initial Release
@@ -0,0 +1,121 @@
+# CrowdStrike FDR
+
+## Overview
+
+[CrowdStrike Falcon Data Replicator (FDR)][1] is a high-fidelity data export solution that enables organizations to securely stream raw endpoint telemetry in near real time. FDR delivers detailed event data through a data feed in JSON format using Amazon Web Services Simple Storage Service (Amazon S3) and Amazon Simple Queue Service (Amazon SQS).
+
+Integrate CrowdStrike FDR with Datadog to gain insights into Authentication & Identity, Account & Privilege Changes, Execution Monitoring & Threat Detection, File & Malware Activity and Network Behavior events using pre-built dashboard visualizations. Datadog leverages its built-in log pipelines to parse and enrich these logs, facilitating easy search, and detailed insights. Additionally, integration includes ready-to-use Cloud SIEM detection rules for enhanced monitoring and security.
+
+## Setup
+
+### Set up data replication from CrowdStrike FDR to a customer-owned S3 bucket
+
+#### Configure CrowdStrike FDR Feed
-#### Configure CrowdStrike FDR Feed
+#### Configure the CrowdStrike FDR feed
-#### Configure CrowdStrike FDR Feed
+#### Configure the CrowdStrike FDR feed
+1. Log in to the **CrowdStrike Falcon** platform.
+2. Go to **Support and resources** > **Resources and tools** > **Falcon data replicator**.
+3. In the **FDR feeds** tab, click **Create feed**.
+4. Provide a feed name.
+5. Set the feed **status** to on.
+6. Select **Customize your FDR feed** in **How do you want to create this feed?** option.
-6. Select **Customize your FDR feed** in **How do you want to create this feed?** option.
+6. Select **Customize your FDR feed** in the **How do you want to create this feed?** option.
-6. Select **Customize your FDR feed** in **How do you want to create this feed?** option.
+6. Select **Customize your FDR feed** in the **How do you want to create this feed?** option.
+7. Click **Next**.
+8. Include only required **Event name** from the **Primary events** tab.
+9. Click **Next**.
+10. Click **Create feed**.
+
+#### Setup Custom AWS S3 Bucket
+1. Sign in to the AWS Management Console and navigate to Amazon S3.
+2. Provide the details as mentioned below:
+   - **Bucket name**: Enter a Bucket name (must be globally unique and begins with the prefix `crowdstrike-fdr` to comply with integration naming requirements).
+   - **AWS Region**: Choose a region.
+      - You can only use your S3 bucket if you're using the US-1, US-2, or EU-1 CrowdStrike clouds.
+      - Ensure that your bucket resides in the same AWS region as your Falcon CID where the FDR feed is provisioned.
+        CrowdStrike terminology for cloud regions differs slightly from AWS, as shown in this table.
+        | CrowdStrike region | AWS region   |
+        |--------------------|--------------|
+        | US-1               | us-west-1    |
+        | US-2               | us-west-2    |
+        | EU-1               | eu-central-1 |
+
+        For example, if your Falcon CID resides in US-1, the bucket must reside in AWS's us-west-1 region.
+3. Click **Create bucket**.
+4. Once the bucket is created, click on the newly created bucket.
+5. Go to the **Permissions** tab.
+6. Click **Bucket policy** > **Edit**.
+7. Replace the 2 occurrences of the **<bucket_name>** placeholder in the below policy statement with your own bucket's name and add it in the **Policy** section: 
+    ```
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Sid": "Allow cs ls",
+          "Effect": "Allow",
+          "Principal": {
+            "AWS": "arn:aws:iam::292230061137:root"
+          },
+          "Action": [
+            "s3:ListBucket",
+            "s3:GetBucketLocation"
+          ],
+          "Resource": "arn:aws:s3:::<bucket_name>"
+        },
+        {
+          "Sid": "allow cs all",
+          "Effect": "Allow",
+          "Principal": {
+            "AWS": "arn:aws:iam::292230061137:root"
+          },
+          "Action": "s3:*",
+          "Resource": "arn:aws:s3:::<bucket_name>/*"
+        }
+      ]
+    }
+    ```
+8. Copy the **Bucket ARN** of your S3 bucket.
+9. Click **Save changes**.
+
+#### Raise Support Ticket in CrowdStrike
+1. Log in to the **CrowdStrike Falcon** console with an account that has **Administrator** privileges.
+2. Navigate to **Support and resources** > **Support portal**.
+3. Select **Support** > **Cases**.
+4. Click **Create Case**.
+5. Provide `FDR to send data to a customer-owned S3 bucket` as a **Case Title**.
+6. In the **Description** section of the support case, be sure to include the following details:
+    - The Falcon Customer ID (CID) where your FDR feed is provisioned
+    - FDR feed name created in `Configure CrowdStrike FDR Feed` section
+    - The ARN of the custom S3 bucket copied in **Step-8** from `Setup Custom AWS S3 Bucket`
+    - Confirmation that the bucket has been set up according to the specifications outlined
+7. **Customer ID (CID)**: Provide Falcon Customer ID
+8. **Preferred Working Time Zone**: Select any preferred timezone
+9. **Product Area**: Select `API and Integrations`
+10. **Product Topic**: Select `Falcon Data Replicator`
+11. Click **Submit Case**.
+12. Wait until CrowdStrike Support confirms that provisioning is complete.
+
+## Configure Datadog Forwarder
+
+- See the [Datadog Forwarder][2] page for configuration steps.
+
+## Data Collected
+
+### Logs
+
+| Format | Event Types |
+| ------ | ----------- |
+| JSON   | Primary Events |
+
+### Metrics
+
+The CrowdStrike FDR integration does not include any metrics.
+
+### Events
+
+The CrowdStrike FDR integration does not include any events.
+
+## Support
+
+For any further assistance, contact [Datadog support][3].
+
+[1]: https://www.crowdstrike.com/en-us/resources/data-sheets/falcon-data-replicator/
+[2]: https://docs.datadoghq.com/logs/guide/forwarder/?tab=cloudformation
+[3]: https://docs.datadoghq.com/help/
+[4]: https://github.com/CrowdStrike/FDR