How CrowdStrike simplifies the ingestion of high-quality data into the Falcon platform

At CrowdStrike, we have long recognized how difficult it is to detect attacks using stolen credentials. We themed the CrowdStrike 2024 Global Threat Report “The Year of Stealth” to highlight how attackers are moving away from malware and malicious attachments and toward more subtle and effective methods like credential phishing, password spraying, and social engineering to achieve their goals.

Source: CrowdStrike 2024 Global Threat Report

The AI-native CrowdStrike Falcon® cybersecurity platform is the industry’s only platform that unifies identity protection and endpoint security to proactively stop hybrid identity-based threats through real-time prevention, behavioral baselining, and 60+ highly accurate first-party detections for Active Directory, Okta, Entra, Ping, and ADFS. But some security teams also need third-party data—like Okta logs to create their own detections—for SIEM use cases.

In this blog, you’ll learn how to consolidate on the Falcon platform and transform your SOC with CrowdStrike Falcon® Next-Gen SIEM to further strengthen your defenses against identity-based attacks. Read on to learn why we’re offering 10GB/day of free third-party data ingestion from tools like Okta to start your next-generation SIEM journey.

Detect identity-based attacks with Falcon Next-Gen SIEM

Falcon Next-Gen SIEM lets you easily extend the power of the Falcon platform to third-party data sources. Many CrowdStrike customers already have endpoint and identity protection data in Falcon. Now, with our robust ecosystem of data connectors and parsers, customers can gain visibility into third-party data like Okta logs to get a more complete picture of an attack.

Figure 1. Falcon Next-Gen SIEM offers a growing number of connectors for integrating third-party data.

Falcon Next-Gen SIEM ingests rich identity data, including user events such as logins, authentication attempts, MFA challenges, and account lockouts. Out-of-the-box correlation rules also highlight particularly suspicious activity, such as a user or group being assigned an Okta administrator role.

Unlike traditional SIEMs that are riddled with generic, low-precision rules that require significant effort to fine-tune, Falcon Next-Gen SIEM delivers precise detections carefully refined by industry-leading attacker research and record-breaking MDR teams. Data can also be correlated with native Falcon data such as endpoint telemetry or used in custom rules built with a unified language for search, parsing, and dashboards.

Figure 2. Easily create and optimize Falcon Next-Gen SIEM correlation rules by using the same common language for all third-party data.

In Falcon Next-Gen SIEM, you can view alert severity and group alerts into incidents to help prioritize triage and analysis efforts. The incident shown below was automatically mapped to the MITRE ATT&CK® framework and shows an attacker attempting to obtain user credentials using an MFA fatigue attack.

Figure 3. Falcon Next-Gen SIEM unifies alerts from all data sources with the ability to quickly sort and filter by severity, source, MITRE technique, and more.
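As an added illustration (not CrowdStrike's or Okta's code, and not a Falcon correlation rule), the two detections described above, an Okta administrator privilege grant and an MFA fatigue burst of push challenges, implemented in plain Python over constructed Okta-style System Log lines; the event type names are assumed from Okta's System Log naming and the threshold and window are arbitrary.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed Okta System Log event type names; verify them against your tenant's log.
PUSH = "system.push.send_factor_verify_push"
GRANT = "user.account.privilege.grant"
def _ev(ts, etype, actor, target=None):
    """Build one constructed, Okta-shaped System Log record as a JSON line."""
    tgt = [{"type": "User", "alternateId": target}] if target else []
    return json.dumps({"published": ts, "eventType": etype, "target": tgt,
                       "actor": {"alternateId": actor}, "outcome": {"result": "SUCCESS"}})

# Constructed sample log: six pushes to bob in ~3 minutes, one to alice, then mallory grants bob admin.
SAMPLE_LOG = "\n".join([
    _ev("2024-06-01T09:00:00.000Z", "user.session.start", "alice@example.com"),
    *[_ev(f"2024-06-01T09:0{1 + i // 2}:{'30' if i % 2 else '00'}.000Z", PUSH,
          "bob@example.com", "bob@example.com") for i in range(6)],
    _ev("2024-06-01T09:20:00.000Z", PUSH, "alice@example.com", "alice@example.com"),
    _ev("2024-06-01T09:30:00.000Z", GRANT, "mallory@example.com", "bob@example.com"),
])

def parse_events(log_text):
    """Parse JSON-lines Okta events and attach a datetime under key 'ts'."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["published"], "%Y-%m-%dT%H:%M:%S.%fZ")
    return events

def detect_admin_grants(events):
    """Return (actor, grantee) pairs for admin privilege grants; each one warrants review."""
    return [(e["actor"]["alternateId"], t["alternateId"]) for e in events
            if e["eventType"] == GRANT for t in e["target"] if t["type"] == "User"]

def detect_mfa_fatigue(events, threshold=5, window=timedelta(minutes=10)):
    """Users who received >= threshold push challenges inside any `window` span:
    the trace an MFA fatigue (push bombing) attempt leaves in the log."""
    pushes = defaultdict(list)
    for e in events:
        if e["eventType"] == PUSH:
            pushes[e["target"][0]["alternateId"]].append(e["ts"])
    flagged = {}
    for user, times in pushes.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):  # sliding window over sorted push times
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[user] = peak
    return flagged
```

Tune the threshold and window to your tenant's normal push volume, and route the admin grant alert for review regardless of volume.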

Monitoring with live dashboards

You can also use templates or create your own dashboards to simplify reporting and real-time monitoring. With Okta data, you may want to know where, when, and how often logins are occurring across your various applications, as well as what prompts are occurring for MFA challenges.

Figure 4. Understand identity events in near real-time with Falcon Next-Gen SIEM.

Investigate and respond

With Falcon Next-Gen SIEM, you can seamlessly switch to Incident Workbench to easily view incident details such as associated hosts and processes in a sleek visual diagram. You can also leverage suggestions from Charlotte AI to further enrich the event and ensure you have a complete picture of an attack.

Figure 5. Incident Workbench allows you to view the entire scope of an incident, including hosts, identities, and associated processes, in a single console.

You can also easily view the raw log and event details with just one click without having to manually write additional queries.

Figure 6. Advanced incident search enables lightning-fast and hassle-free investigations with a direct link from the incident to a pre-populated query.

To respond at machine speed, you can upgrade to a paid Falcon Next-Gen SIEM subscription and leverage automated workflows and apply policies that mitigate the most common identity-based attacks, such as deleting session tokens if a user’s session has been compromised. Okta also lets you run a playbook to automatically revoke access, reset MFA factors, and force a password reset—a process that could take dozens of hours per week of analyst time if done manually.

Figure 7. Falcon Fusion SOAR accelerates incident investigation and response through workflow automation and orchestration across the Falcon platform and third-party tools.

Transform your SOC with Falcon Next-Gen SIEM and Identity Data

Start your journey with Falcon Next-Gen SIEM and identity data like Okta logs today to unlock powerful detection, investigation, and response capabilities. Existing CrowdStrike Falcon® Insight XDR customers can ingest up to 10 GB of third-party data per day at no additional cost. Make the most of this offering by ingesting high-value data like identity logs into the Falcon platform to stop identity-based threats.

Contact your sales representative or technical account manager to learn more about this offer.

Additional resources