
Integrating Druva Events with CrowdStrike Next-Gen SIEM

This article provides steps to integrate CrowdStrike with Druva via webhooks.


Overview

This section outlines the process for integrating Druva event data directly into CrowdStrike's Next-Gen SIEM. This integration enables enhanced security monitoring and centralized visibility of your Druva environment within CrowdStrike.

The setup involves configurations in two key locations: the Cloud Platform console > Integration Center and the CrowdStrike console > Data Connector.

The process involves the following steps:

  1. Setting up a Data Connector within your CrowdStrike console.

  2. Retrieving the generated API URL and key from CrowdStrike.

  3. Configuring this API key within the Integration Center of your Cloud Platform console.

  4. Finally, testing the end-to-end flow to ensure Druva events are successfully being sent to CrowdStrike.

This integration provides a streamlined way to leverage Druva's rich event data within your broader CrowdStrike security ecosystem.

Step 1 Configuration in CrowdStrike console

This configuration is required to set up a Data Connector within your CrowdStrike console and to generate the API URL and API key that Druva uses to push events to CrowdStrike. The API URL and API key you retrieve here are entered later, when you configure the webhook in the Integration Center of your Cloud Platform console.

Procedure

  1. From the hamburger menu on the top left of CrowdStrike’s Next-Gen SIEM platform dashboard, navigate to Data Connector > Data Connectors page.

  2. The existing connectors list appears. Click Add connection on the Connections page.

  3. On the Add connection page, select Push as the Connector Type and then click Apply.

  4. On the Add connection page, enter Druva Security Cloud Data Connector in the Filter by connector name field, then click Druva Security Cloud Data Connector. Click Configure.

  5. On the Add new connector card, provide the details that this form asks for and then click Create Connection.

    Data Details: Specify the Data Source details.

    Connector Details: Specify the Connector name.

    Parser Details: The parser is pre-filled with Druva's custom parser, druva-securitycloud (Druva Security Cloud). The Druva parser processes the Druva events received by CrowdStrike, structuring them and populating the mandatory fields in the required format.

    Select the Terms and Conditions checkbox.

    Once you click Create Connection, an API URL and an API key are generated; Druva uses these to push events to CrowdStrike. Enter the API URL and API key when you configure the webhook in the Integration Center of your Cloud Platform console.

Step 2 Configuration in Cloud Platform console > Integration Center

Druva, in its Integration Center, lists services that you can integrate with the Druva platform.

CrowdStrike is one of the services that you can integrate with Druva. You can provide a webhook URL from CrowdStrike, and Druva will post events to that URL. Druva can send events such as alerts, unusual data activity, backup jobs, restore jobs, API access, and more.

To integrate CrowdStrike with Druva

  1. From the hamburger menu on the top left of the Druva Console, select Integration Center.

  2. On the Integration Center page, click Add Webhook on the CrowdStrike card.

    The Add Webhook form appears. Provide the details that this form asks for.

    📝 Note: CrowdStrike supports API Key-based authorization type only.

    • Select the events that our platform should send to the webhook that you specify here.

  3. Click Test and Save.

The integration can be verified from the hamburger menu on the top left of CrowdStrike’s Next-Gen SIEM platform dashboard.

Navigate to Advanced event search and select Third Party from the first dropdown. You should see a Webhook configured event. Now perform some actions in Druva, such as logging in or initiating a backup. Events from Druva start flowing into CrowdStrike.

Events supported for different Druva Workloads

Details processed by Parser

The druva-securitycloud parser normalizes the following details:

Event                              | Event Category          | Event Type
-----------------------------------|-------------------------|----------------
Admin Audit Trail                  | api                     | admin
Admin Login                        | authentication          | start
User Event                         | iam                     | user
User Audit Trail                   | api                     | user
API Login                          | api and authentication  | user and access
WebDAV Login                       | authentication          | start
Bulk Export WebDAV Login           | authentication          | start
PST Converter WebDAV Login         | authentication          | start
Backup                             | process                 | info
Restore                            | process                 | info
Download                           | process                 | info
AD Sync                            | process                 | info
Alert                              | process                 | info
Alert Resolution                   | process                 | info
Notification                       | process                 | info
Data Source                        | database                | info
Client Upgrade                     | process                 | change
Additional Data Collection         | process                 | access
Device Replace                     | process                 | change
System Event                       | process                 | info
User Restore                       | process                 | info
Admin Download                     | file                    | access
Admin Restore                      | process                 | info
User Download                      | file                    | access
API Restore                        | process                 | info
Malicious File Scan (Restore Scan) | file                    | info
Curated Snapshot                   | process                 | info
Scan Settings updated              | configuration           | change
Snapshot Deleted                   | process                 | change
Quarantine Ranges Created          | configuration           | creation
Quarantine Ranges Deleted          | configuration           | deletion
Quarantine Ranges Updated          | configuration           | change
Added to Quarantine Bay            | configuration           | creation
Removed from Quarantine Bay        | configuration           | deletion
Updated Quarantine Ranges          | configuration           | change
File Hash Added                    | file                    | creation
File Hash Deleted                  | file                    | deletion

  • Syslog Severity to Event match value mapping

    Syslog Severity levels are mapped to specific event match values, where a higher severity corresponds to a lower numerical value:

    • 90 corresponds to value 0 (Highest Severity)

    • 80 corresponds to value 1

    • 70 corresponds to value 2

    • 60 corresponds to value 3

    • 50 corresponds to value 4

    • 40 corresponds to value 5

    • 20 corresponds to value 6

    • 10 corresponds to value 7 (Lowest Severity)

  • Vendor Product ID to Event module mapping

    Every Druva product is mapped to a specific event module ID:

    • 4097 corresponds to Realize (Cyber Resiliency)

    • 8193 corresponds to inSync

    • 12289 corresponds to Phoenix (Enterprise Workloads)
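The three mappings above (event name to category/type, syslog severity to match value, and vendor product ID to module) can be checked locally with the following added example. It is not Druva's or CrowdStrike's parser code: the input keys (event, syslogSeverity, productID), the output keys, and the X-API-Key header name are assumptions made for this example, and the event table is a subset of the rows listed above.

```python
import hmac

# Event name -> (event category, event type); a subset of the parser table above.
EVENT_CLASS = {
    "Admin Audit Trail": ("api", "admin"),
    "Admin Login": ("authentication", "start"),
    "API Login": ("api and authentication", "user and access"),
    "Backup": ("process", "info"),
    "Restore": ("process", "info"),
    "Alert": ("process", "info"),
    "Snapshot Deleted": ("process", "change"),
    "Quarantine Ranges Created": ("configuration", "creation"),
    "File Hash Added": ("file", "creation"),
}
# Syslog severity -> event match value; higher severity = lower number, and 30 has no mapping.
SEVERITY_MATCH = {90: 0, 80: 1, 70: 2, 60: 3, 50: 4, 40: 5, 20: 6, 10: 7}
# Vendor product ID -> event module.
PRODUCT_MODULE = {
    4097: "Realize (Cyber Resiliency)",
    8193: "inSync",
    12289: "Phoenix (Enterprise Workloads)",
}


def authorized(headers: dict, expected_key: str) -> bool:
    """Accept a pushed event only if the presented API key matches, compared in
    constant time. The X-API-Key header name is an assumption for this example."""
    return hmac.compare_digest(headers.get("X-API-Key", ""), expected_key)


def normalize(raw: dict) -> dict:
    """Fill the category/type/match/module fields from a raw Druva event.
    Input and output key names are assumptions for this example, not the
    real Druva or CrowdStrike schema."""
    name = raw.get("event", "")
    category, etype = EVENT_CLASS.get(name, ("unknown", "unknown"))
    severity = raw.get("syslogSeverity")
    return {
        "event": name,
        "event.category": category,
        "event.type": etype,
        # Unmapped severities yield None instead of a guessed match value.
        "event.match": SEVERITY_MATCH.get(severity),
        "event.module": PRODUCT_MODULE.get(raw.get("productID"), "unknown"),
        # Flag anything the tables do not cover so it is triaged, not silently dropped.
        "needs_review": name not in EVENT_CLASS or severity not in SEVERITY_MATCH,
    }


# Constructed sample payload, not a captured Druva event.
SAMPLE = {"event": "Snapshot Deleted", "syslogSeverity": 80, "productID": 4097}
```

Running normalize(SAMPLE) yields category process, type change, match value 1 and module Realize (Cyber Resiliency); an event name or severity absent from the tables is marked needs_review rather than guessed.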
