CrowdStrike / Validia Integration Documentation

Connecting Validia to CrowdStrike

Connecting CrowdStrike to the Validia platform lets you forward Validia location, deepfake detection, and identity logs directly to your CrowdStrike Falcon Next-Gen SIEM instance. To get started, open the Next-Gen SIEM Data Onboarding page from the Falcon menu:

Once there, click "Add Connection" and search for "Cribl Data Connector":

Select this option and choose "Configure". This takes you to a configuration page where you enter the details below:

Option                   Value
Connection Name          Validia_Stream
Vendor                   Linux
Vendor Product           LinuxSyslog
Description (Optional)   Validia Deepfake, Identity, and Location Logs
Timezone                 Your local timezone

Next, create the Validia log parser. Click "Create New Parser", name it "validia-parser", and choose Import. Download the parser definition from https://github.com/idai-paul/Validia-CrowdStrike-Parser/blob/main/validia-parser.yaml and upload it. Since this YAML is fetched from a third-party repository and controls how Validia events are parsed into your SIEM, review its contents before importing it.

After the data connector is created, you'll land on a page that looks like the following:

Here, you need to retrieve two items:

  1. Your API URL: shown on the right side of the page

  2. Your API Key: you will be prompted to generate this on completion

Treat the API key as a secret: it authorizes writes into your SIEM, so store it in a secrets manager rather than in a ticket or chat message.

Next, open the API credentials page (API clients and keys), found under "Support and Resources":

Create a new API client named "Validia Integration" (the description is optional) and grant it the following scopes:

  • All NGSIEM Scopes

  • IOCs (Indicators of Compromise)

After clicking Create, you'll be shown:

  • A Client ID

  • A Client Secret

  • The API URL (the base URL for your Falcon API region)

Save all three for the Validia integration step. The Client Secret is the credential for this API client: store it in a secrets manager, never paste it into tickets or chat, and rotate it if it is ever exposed.
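Before handing the Client ID, Client Secret and API URL to Validia, it is worth confirming they actually work. The script below is an added example, not part of the Validia documentation or of either vendor's code: it performs the standard Falcon OAuth2 client-credentials exchange (POST <API URL>/oauth2/token) and reports whether a bearer token came back, without ever printing the secret. The environment variable names FALCON_API_URL, FALCON_CLIENT_ID and FALCON_CLIENT_SECRET are this example's own convention.

```python
"""Check the Falcon API client created for Validia before handing it over.

Added example; not part of the Validia docs, the Validia platform, or
CrowdStrike's SDKs. Performs the Falcon OAuth2 client-credentials exchange
(POST <API URL>/oauth2/token). Credentials come from environment variables
(names are this example's own convention) and the secret is never printed.
"""
import json
import os
import urllib.error
import urllib.parse
import urllib.request

TOKEN_PATH = "/oauth2/token"  # Falcon OAuth2 token endpoint, relative to the API URL


def token_request(api_url, client_id, client_secret):
    """Build the client-credentials POST for the Falcon token endpoint.

    api_url is the "API URL" shown when the API client is created
    (https://api.crowdstrike.com or a regional variant).
    """
    base = api_url.rstrip("/")
    if not base.startswith("https://"):
        raise ValueError("Falcon API URL must be an https:// URL")
    if not client_id or not client_secret:
        raise ValueError("client_id and client_secret must both be set")
    body = urllib.parse.urlencode(
        {"client_id": client_id, "client_secret": client_secret}
    ).encode("ascii")
    return urllib.request.Request(
        base + TOKEN_PATH,
        data=body,
        headers={
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        },
        method="POST",
    )


def parse_token_response(status, raw):
    """Turn the token endpoint's reply into {"token", "expires_in"} or raise.

    A successful exchange is a 2xx with a JSON body carrying access_token,
    token_type and expires_in; failures (wrong secret, wrong region, client
    disabled) are non-2xx with an "errors" list.
    """
    try:
        payload = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise RuntimeError(f"non-JSON reply from token endpoint (HTTP {status})") from exc
    if not isinstance(payload, dict):
        payload = {}
    if not 200 <= status < 300:
        messages = "; ".join(
            str(err.get("message", err)) if isinstance(err, dict) else str(err)
            for err in payload.get("errors", [])
        )
        raise PermissionError(
            f"token request failed (HTTP {status}): {messages or 'no error detail'}"
        )
    token = payload.get("access_token")
    if not token or str(payload.get("token_type", "")).lower() != "bearer":
        raise RuntimeError("2xx reply without a bearer access_token; check the API URL")
    return {"token": token, "expires_in": int(payload.get("expires_in", 0))}


def check_credentials(api_url, client_id, client_secret, timeout=15):
    """Run the exchange; return (expires_in, masked token). Raises on failure."""
    req = token_request(api_url, client_id, client_secret)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            result = parse_token_response(resp.status, resp.read())
    except urllib.error.HTTPError as exc:
        parse_token_response(exc.code, exc.read())  # raises PermissionError for non-2xx
        raise  # not reached; keeps the control flow explicit
    # Only a short prefix is returned so the token never lands in logs whole.
    return result["expires_in"], result["token"][:6] + "..."


if __name__ == "__main__":
    ttl, masked = check_credentials(
        os.environ["FALCON_API_URL"],
        os.environ["FALCON_CLIENT_ID"],
        os.environ["FALCON_CLIENT_SECRET"],
    )
    print(f"OK: token {masked} valid for {ttl}s; credentials are ready for Validia")
```

A 401 or 403 here usually means the secret was copied wrong or the client is disabled; a 2xx from a different host than expected, or a non-JSON reply, usually means the API URL belongs to the wrong region. Fix either before entering the values in Validia, since the integration will otherwise fail silently on its side.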

Now move over to the Validia platform to tie everything together. Visit https://app.validia.ai/integrations, where you'll find an option to connect CrowdStrike. Click the "Add Integration" button and you'll be prompted for the values created above:

Once you click Enable Integration, CrowdStrike appears on your connected integrations page.

The next section covers where to view the incoming logs and some queries we recommend starting with.

Viewing Logs

Once you connect Validia to your CrowdStrike NGSIEM, you'll receive three new log types:

Name                      What they are
Biometric Logs            Identity authentications
Deepfake Detection Logs   Deepfake alerts
Precall Logs              Location / VPN / proxy anomalies

The biometric logs contain real-time identity authentications directly from platforms such as Zoom, Microsoft Teams, and Google Meet. The logs have the following structure:

Precall logs contain the IP address, geolocation data, and proxy/VPN detection results from the Validia precall meeting screen. These logs have the following structure:

Deepfake detection logs contain both deepfake and non-deepfake results from Validia's proprietary deepfake detection model. These logs have the following structure:

You can view all of these in the CrowdStrike NGSIEM platform by opening the "Event Search" tab under NGSIEM. To find the relevant logs, we recommend first filtering on #event.dataset with the following values:

Match            Operator      Value
#event.dataset   is equal to   validia.authentication
#event.dataset   is equal to   validia.precall
#event.dataset   is equal to   validia.deepfake_detection

See below for an example query on Validia Authentications:

Triaging

This section gives a short overview of what you can do with the new data in the CrowdStrike platform and how it can help when triaging.

Scenario #1: Validia flags a meeting participant as suspicious, and your security team wants to determine whether the participant's IP address has been actively targeting company systems. First, search Event Search for the suspicious IP, starting from as little as the participant's name:

This query returns all Validia logs for the participant "Paul Vann", including the associated IP address and any VPN detections. With that IP in hand, run a second query to look for it across your other event logs.

For example, to check whether it belongs to a company-registered device:

Or, to look more broadly than just employee devices:

Scenario #2: Your company board meets virtually, and your security team needs an audit log of who attended. Validia's authentication logs provide this: pull the meeting ID from the Validia platform and run a query like the one below:

These examples only scratch the surface of what is possible with the Validia integration. Stay tuned for more examples and for built-in searches in the Validia platform.
