CrowdStrike FDR Connector

Configure the CrowdStrike FDR connector to stream endpoint detection and response data into Edge Delta Pipelines for security analysis.

5 minute read

Overview

The CrowdStrike FDR connector streams endpoint detection and response data from CrowdStrike Falcon Data Replicator into Edge Delta Pipelines. It collects security telemetry from your endpoints via AWS S3, where CrowdStrike replicates the data, and makes it available for AI teammates to query through the Edge Delta MCP connector.

When you add this streaming connector, it appears as a CrowdStrike FDR source in your selected pipeline. AI teammates access this data by querying the Edge Delta backend with the Edge Delta MCP connector.

Add the CrowdStrike FDR Connector

To add the CrowdStrike FDR connector, you select a pipeline to receive the security data and configure AWS S3 access to your CrowdStrike FDR bucket.

Prerequisites

Before configuring the connector, ensure you have:

CrowdStrike Falcon Data Replicator (FDR) enabled with an AWS S3 bucket configured for data delivery
AWS credentials (access keys or IAM role) with S3 read permissions to the FDR bucket
AWS SQS queue URL configured to receive S3 event notifications from the FDR bucket
AWS region information for both the S3 bucket and SQS queue

Configuration Steps

Navigate to AI Team > Connectors in the Edge Delta application
Find the CrowdStrike FDR connector in Streaming Connectors
Click the connector card
Select the pipeline (environment) to receive this security data
Configure AWS S3 and SQS access options (see below)
Click Save

The connector is now streaming CrowdStrike security data into your pipeline.

CrowdStrike FDR connector configuration showing AWS S3 and SQS settings

Configuration Options

Connector Name

Name to identify this CrowdStrike FDR connector instance. Choose a descriptive name like “CrowdStrike EDR Production” to differentiate it from other connectors.

SQS URL

AWS Simple Queue Service (SQS) URL for CrowdStrike event notifications. This is the SQS queue that receives S3 event notifications when CrowdStrike writes new data to your FDR bucket.

AWS Region

AWS region where your SQS queue and S3 bucket are located. This is typically the same region for both resources.

AWS Access Key ID

AWS access key ID for authenticating to S3 and SQS. Used together with the AWS Secret Key to access your CrowdStrike FDR data in S3.

AWS Secret Key

AWS secret access key corresponding to the access key ID. This credential is stored encrypted.

Role ARN

AWS IAM role ARN to assume for S3 access. This is an alternative to using access keys and is recommended for secure, temporary credential access. Format: arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>

External ID

External ID for IAM role assumption. Required when using Role ARN. This provides additional security to prevent confused deputy attacks.

Compression

Compression format of files in the S3 bucket. CrowdStrike FDR data is typically compressed. Valid options: gzip, zstd, snappy, or uncompressed.

Default: uncompressed

S3 Configuration (Optional)

AWS service-specific configuration for S3 access. This is optional—only configure it when your S3 bucket is in a different region than your SQS queue or requires different authentication credentials than the base AWS configuration. When provided, these settings override the base-level region and authentication parameters for S3 operations only.

Click Add New in the S3 Configuration section to add service-specific settings:

Region: AWS region for S3 bucket access
AWS Key ID: AWS access key ID for S3 (optional if using role-based authentication)
AWS Secret Key: AWS secret access key for S3 (optional if using role-based authentication)
Role ARN: IAM role ARN for S3 access (alternative to access keys). Format: arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>
External ID: External ID for S3 role assumption (required when role_arn is specified)

For cross-region configuration examples, see the CrowdStrike FDR source documentation.

SQS Configuration (Optional)

AWS service-specific configuration for SQS access. This is optional—only configure it when your SQS queue is in a different region than your S3 bucket or requires different authentication credentials than the base AWS configuration. When provided, these settings override the base-level region and authentication parameters for SQS operations only.

Click Add New in the SQS Configuration section to add service-specific settings:

Region: AWS region for SQS queue access
AWS Key ID: AWS access key ID for SQS (optional if using role-based authentication)
AWS Secret Key: AWS secret access key for SQS (optional if using role-based authentication)
Role ARN: IAM role ARN for SQS access (alternative to access keys). Format: arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>
External ID: External ID for SQS role assumption (required when role_arn is specified)

For cross-region configuration examples, see the CrowdStrike FDR source documentation.

Target Environments

Select the Edge Delta pipeline (environment) where you want to deploy this connector.

Troubleshooting

Authentication errors: Verify that your AWS credentials are correct and that the IAM user or role has S3 read permissions (s3:GetObject, s3:ListBucket) for the CrowdStrike FDR bucket and SQS permissions (sqs:ReceiveMessage, sqs:DeleteMessage) for the notification queue.

SQS connection errors: Ensure the SQS URL is correctly formatted and that the queue is in the specified AWS region. Verify that S3 event notifications are configured to send to this SQS queue.

No data appearing: Check that CrowdStrike FDR is actively replicating data to the S3 bucket. Verify the compression format matches the actual compression used by CrowdStrike.

Next Steps

Learn about creating custom teammates that can use CrowdStrike security data
Explore the Edge Delta MCP connector for querying security data

For additional help, visit AI Team Support.