CrowdStrike EDR Integration with WatchGuard Open MDR

This document describes the steps to integrate WatchGuard Open MDR with CrowdStrike EDR to enable the WatchGuard MDR team to monitor data from your CrowdStrike EDR environment.

Contents

• CrowdStrike EDR Integration with WatchGuard Open MDR
  • Contents
  • Before You Begin
  • Complete and Submit the CrowsdStrike MSP Authorization Form
  • Complete the WatchGuard Onboarding Form
  • Verify the Integration

Before You Begin

Before you complete the procedures in this document, make sure that:

• You have a Falcon Insight™ license from CrowdStrike.
• You have a WatchGuard Open MDR license allocated in WatchGuard Cloud.
• Your CrowdStrike EDR environment is hosted in either the US or Europe. WatchGuard MDR does cannot support migration between these regions or any mixed‑region configuration. Support for GOV Cloud and EU Sovereign Cloud is not available.

Complete and Submit the CrowsdStrike MSP Authorization Form

To enable WatchGuard MDR to monitor your endpoints in CrowdStrike EDR, you must complete and submit the MSP Authorization form to CrowdStrike. This form authorizes WatchGuard to access your CrowdStrike tenant and data stream.

To complete and submit the CrowdStrike MSP Authorization form:

1. Go to Download MSP Authorization Form to authorize WatchGuard MDR to Access CrowdStrike tenant in the WatchGuard Knowledge Base and download the MSP Authorization Form.PDF.
2. Complete the information requested and sign the form.
3. Open a support request with CrowdStrike to initiate MSP provisioning, submit the signed form, and request Falcon Data Replicator (FDR) provisioning for your Customer Identification (CID).

Complete the WatchGuard Onboarding Form

After you have allocated a WatchGuard Open MDR license in WatchGuard Cloud and submitted the MSP Authorization form to CrowdStrike, you must complete the WatchGuard Open MDR Onboarding Form (external link). To complete the form, you must have this information:

• Partner Company Name — CThe company name of the WatchGuard Partner.
• WatchGuard Partner ID — WatchGuard Cloud account ID of theThe Partner ID, in this formatformat is: ACC-XXXXXXX.
• Partner Contact Email Address — EThe Partner contact email address the WatchGuard deployment team can use to contact the Partner if they have questions.
• Customer Company Name — CThe company name of the customer account for this connector.
• CrowdStrike Falcon Region — RThe region associated with the CrowdStrike Falcon Customer ID (CID).
• CrowdStrike Falcon Administrator Email Address — The current Eemail address of your current CrowdStrike Falcon CID administrator.
• Customer/Subscriber WatchGuard Account ID — The WatchGuard Cloud Aaccount ID of the customer or subscriber account, in one of these formatsformat is: ACC-XXXXXXX or WGC-X-XXXXXXXXXXXXXXXXXXXX.
• CrowdStrike Falcon CID — The CrowdStrike Falcon CID for WatchGuard MDR to manage.

Verify the Integration

To verify the integration of WatchGuard Open MDR and your CrowdStrike environment, view the Connections > Endpoints page in the Managed Service portal in WatchGuard Cloud.

To verify the integration:

1. In WatchGuard Cloud, select Monitor > Managed Services.
   The Managed Services portal opens in a new browser tab.
2. If you are a Service Provider, select your Subscriber account from the drop-down list.
3. Select Connections > Endpoints.
   The Endpoints page opens.
4. Make sure that your connected CrowdStrike endpoints show in the list.