Overview
This section outlines the process for integrating Druva event data directly into CrowdStrike's Next-Gen SIEM. This integration enables enhanced security monitoring and centralized visibility of your Druva environment within CrowdStrike.
The setup involves configurations in two key locations: the Cloud Platform console > Integration Center and the CrowdStrike console > Data Connector.
The process involves the following steps:
Setting up a Data Connector within your CrowdStrike console.
Retrieving the generated API URL and key from CrowdStrike.
Configuring this API key within the Integration Center of your Cloud Platform console.
Finally, testing the end-to-end flow to ensure Druva events are successfully being sent to CrowdStrike.
This integration provides a streamlined way to leverage Druva's rich event data within your broader CrowdStrike security ecosystem.
Step 1 Configuration in CrowdStrike console
This configuration sets up a Data Connector within your CrowdStrike console and generates an API URL and an API key that Druva uses to push events to CrowdStrike. You then enter the retrieved API URL and API key while configuring the webhook within the Integration Center of your Cloud Platform console.
Procedure
From the hamburger menu on the top left of CrowdStrike’s Next-Gen SIEM platform dashboard, navigate to Data Connector > Data Connectors page.
The existing connectors list appears. Click Add connection on the Connections page.
On the Add connection page, select Push as the Connector Type and then click Apply.
On the Add connection page, enter Druva Security Cloud Data Connector in the Filter by connector name field, click Druva Security Cloud Data Connector, and then click Configure.
On the Add new connector card, provide the details that this form asks for and then click Create Connection.
Data Details: Specify the Data Source details.
Connector Details:
Specify Connector name
Parser Details: Parser is pre-filled to Druva’s custom parser, druva-securitycloud (Druva Security Cloud). The Druva parser processes the Druva events received by CrowdStrike, structures them, and populates the mandatory fields in the required format.
Select the checkbox for Terms and Conditions
Once you click Create Connection, an API URL and an API key are generated; Druva uses them to push events to CrowdStrike. Keep both values at hand, because you enter the retrieved API URL and API key while configuring the webhook within the Integration Center of your Cloud Platform console.
Step 2 Configuration in Cloud Platform console > Integration Center
Druva, in its Integration Center, lists services that you can integrate with the Druva platform.
CrowdStrike is one of the services that you can integrate with Druva. You can provide a webhook URL from CrowdStrike, and Druva will post events to that URL. Druva can send events such as alerts, unusual data activity, backup jobs, restore jobs, API access, and more.
To integrate CrowdStrike with Druva
From the hamburger menu on the top left of the Druva Console, select Integration Center.
On the Integration Center page, click Add Webhook on the CrowdStrike card.
The Add Webhook form appears.
Provide the details that this form asks for. CrowdStrike is preselected in the Provider field.
Specify a name of the webhook.
Specify the webhook URL in the Endpoint field. While providing the API URL, append “/raw” to it. For example, https://a0adc8ef4b6da433400a0b44ca9.ingest.us-2.crowdstrike.com/services/collector/raw.
Provide an API key for the webhook. While providing an API key, you must prefix it with "Bearer". For example, Bearer LCJNW37RB38.
📝Note:
CrowdStrike supports API Key-based authorization type only.
Click Test and Save.
The integration can be verified from the hamburger menu on the top left of CrowdStrike’s Next-Gen SIEM platform dashboard.
Navigate to Advanced event search and select Third Party from the first dropdown. You should see an event named Webhook configured. Next, perform some actions in Druva, such as logging in or initiating a backup; the corresponding events from Druva start flowing into CrowdStrike.
Events supported for different Druva Workloads
Details processed by Parser
The druva-securitycloud parser normalizes the following details:
Event | Event Category | Event Type |
Admin Audit Trail | api | admin |
Admin Login | authentication | start |
User Event | iam | user |
User Audit Trail | api | user |
API Login | api and authentication | user and access |
WebDAV Login | authentication | start |
Bulk Export WebDAV Login | authentication | start |
PST Converter WebDAV Login | authentication | start |
Backup | process | info |
Restore | process | info |
Download | process | info |
AD Sync | process | info |
Alert | process | info |
Alert Resolution | process | info |
Notification | process | info |
Data Source | database | info |
Client Upgrade | process | change |
Additional Data Collection | process | access |
Device Replace | process | change |
System Event | process | info |
User Restore | process | info |
Admin Download | file | access |
Admin Restore | process | info |
User Download | file | access |
API Restore | process | info |
Malicious File Scan (Restore Scan) | file | info |
Curated Snapshot | process | info |
Scan Settings updated | configuration | change |
Snapshot Deleted | process | change |
Quarantine Ranges Created | configuration | creation |
Quarantine Ranges Deleted | configuration | deletion |
Quarantine Ranges Updated | configuration | change |
Added to Quarantine Bay | configuration | creation |
Removed from Quarantine Bay | configuration | deletion |
Updated Quarantine Ranges | configuration | change |
File Hash Added | file | creation |
File Hash Deleted | file | deletion |
Syslog Severity to Event match value mapping
Syslog Severity levels are mapped to specific event match values, where a higher severity corresponds to a lower numerical value:
90 corresponds to value 0 (Highest Severity)
80 corresponds to value 1
70 corresponds to value 2
60 corresponds to value 3
50 corresponds to value 4
40 corresponds to value 5
20 corresponds to value 6
10 corresponds to value 7 (Least Severity)
Vendor Product ID to Event module mapping
Every Druva product is mapped to a specific event module ID:
4097 corresponds to Realize (Cyber Resiliency)
8193 corresponds to inSync
12289 corresponds to Phoenix (Enterprise Workloads)
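The three tables above (event name to category and type, syslog severity to match value, and vendor product ID to module) are what a detection or triage rule in the SIEM ends up keying on. The following added example, which is not Druva's or CrowdStrike's parser, applies all three to a few constructed events, flags high-severity authentication activity, and reports events the tables do not cover (for instance the severity value 30, which the page does not list). The input field names event, syslogSeverity and vendorProductId are assumptions about the raw payload; the event table is a subset of the page's full list and can be extended row by row.

```python
"""Normalize Druva events with the page's parser tables and run a simple check.

Added example; not the Druva parser itself. Raw field names are assumed.
"""
from dataclasses import dataclass
from typing import Optional

# Event name -> (event category, event type); subset of the page's parser table.
EVENT_MAP = {
    "Admin Audit Trail": ("api", "admin"),
    "Admin Login": ("authentication", "start"),
    "User Event": ("iam", "user"),
    "API Login": ("api and authentication", "user and access"),
    "WebDAV Login": ("authentication", "start"),
    "Backup": ("process", "info"),
    "Restore": ("process", "info"),
    "Alert": ("process", "info"),
    "Admin Download": ("file", "access"),
    "Scan Settings updated": ("configuration", "change"),
    "Quarantine Ranges Deleted": ("configuration", "deletion"),
    "File Hash Added": ("file", "creation"),
}

# Druva syslog severity -> event match value (0 is the highest severity).
SEVERITY_MAP = {90: 0, 80: 1, 70: 2, 60: 3, 50: 4, 40: 5, 20: 6, 10: 7}

# Vendor product ID -> event module.
MODULE_MAP = {
    4097: "Realize (Cyber Resiliency)",
    8193: "inSync",
    12289: "Phoenix (Enterprise Workloads)",
}


@dataclass
class NormalizedEvent:
    name: str
    category: Optional[str]
    type: Optional[str]
    severity: Optional[int]  # match value, 0 = highest
    module: Optional[str]

    def unmapped(self) -> list:
        """Names of fields the tables could not resolve; useful for parser gaps."""
        gaps = []
        if self.category is None:
            gaps.append("event")
        if self.severity is None:
            gaps.append("syslogSeverity")
        if self.module is None:
            gaps.append("vendorProductId")
        return gaps


def normalize(raw: dict) -> NormalizedEvent:
    """Apply the three lookup tables; unknown values become None rather than errors."""
    category, etype = EVENT_MAP.get(raw.get("event"), (None, None))
    return NormalizedEvent(
        name=raw.get("event", ""),
        category=category,
        type=etype,
        severity=SEVERITY_MAP.get(raw.get("syslogSeverity")),
        module=MODULE_MAP.get(raw.get("vendorProductId")),
    )


def high_severity_auth(events: list, threshold: int = 2) -> list:
    """Authentication-category events whose match value is at or above the threshold severity."""
    return [
        e for e in events
        if e.category is not None and "authentication" in e.category
        and e.severity is not None and e.severity <= threshold
    ]


# Constructed sample events (not real Druva output); field names are assumed.
SAMPLE_EVENTS = [
    {"event": "Admin Login", "syslogSeverity": 80, "vendorProductId": 8193},
    {"event": "Backup", "syslogSeverity": 10, "vendorProductId": 12289},
    {"event": "API Login", "syslogSeverity": 90, "vendorProductId": 4097},
    {"event": "WebDAV Login", "syslogSeverity": 40, "vendorProductId": 8193},
    {"event": "Mystery Event", "syslogSeverity": 30, "vendorProductId": 99},
]


def run(raw_events: list = SAMPLE_EVENTS) -> dict:
    """Normalize every event and return the flagged and unmapped ones."""
    normalized = [normalize(r) for r in raw_events]
    return {
        "normalized": normalized,
        "flagged": high_severity_auth(normalized),
        "unmapped": [(e.name, e.unmapped()) for e in normalized if e.unmapped()],
    }


if __name__ == "__main__":
    result = run()
    for e in result["flagged"]:
        print(f"high-severity auth: {e.name} ({e.module}, match value {e.severity})")
    for name, gaps in result["unmapped"]:
        print(f"unmapped fields for {name!r}: {gaps}")
```

With the constructed input, the Admin Login (match value 1) and API Login (match value 0) events are flagged, the WebDAV Login at match value 5 is not, and the unknown event name, the unlisted severity 30 and the unknown product ID are reported as gaps instead of being silently dropped.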