
CrowdStrike Falcon

Overview

CrowdStrike Falcon aggregates and forwards endpoint detection and response (EDR) data, and its events carry detailed information about malicious activity, behavioral anomalies and system vulnerabilities, so that organizations can identify and mitigate threats quickly. Forward CrowdStrike events into Coralogix to centralize your security data for correlation and analysis across multiple data sources. This single view lets you detect and investigate sophisticated threats more efficiently and reduces the time needed to respond to security incidents.

Prerequisites

Obtain the following from the CrowdStrike Falcon console:

  • An API client with Read access to the Event Streams scope

  • API client ID

  • API client secret

STEP 1. In the CrowdStrike Falcon console, navigate to Support and resources > Resources and tools > API clients and keys.

STEP 2. Create an API client and grant it only Read access to the Event Streams scope. The integration needs no other permission, so do not add any.

STEP 3. Copy the API client ID and API client secret. The secret is shown only when the client is created, so store it in a secrets manager before leaving the page.

Configuration

STEP 1. From your Coralogix toolbar, navigate to Data Flow > Integrations, select CrowdStrike and click Connect.

STEP 2. Click Add New.

STEP 3. Define the integration settings:

  • Integration name. This field is automatically populated, but may be modified.

  • Application name. Select an application name.

  • Subsystem name. Select a subsystem name. This field will default to “CrowdStrike”, but may be modified.

  • CrowdStrike cloud. Base URL of the Event Streams discovery endpoint, which depends on the Falcon cloud (region) that hosts your tenant.

    • US-1 (https://api.crowdstrike.com/sensors/entities/datafeed/v2)

    • US-2 (https://api.us-2.crowdstrike.com/sensors/entities/datafeed/v2)

    • EU-1 (https://api.eu-1.crowdstrike.com/sensors/entities/datafeed/v2)

    • US-GOV-1 (https://api.laggar.gcw.crowdstrike.com/sensors/entities/datafeed/v2)

  • CrowdStrike API client ID. CrowdStrike API client ID created above.

  • CrowdStrike API client secret. CrowdStrike API client secret created above.

  • Event types. Select which Event Streams event types to forward:

    • DetectionSummaryEvent

    • EppDetectionSummaryEvent

    • AuthActivityAuditEvent

    • UserActivityAuditEvent

    • HashSpreadingEvent

    • RemoteResponseSessionStartEvent

    • RemoteResponseSessionEndEvent

    • FirewallMatchEvent

    • CSPMSearchStreamingEvent

    • CSPMIOAStreamingEvent

    • IncidentSummaryEvent

    • CustomerIOCEvent

    • IDPDetectionSummaryEvent

    • IdentityProtectionEvent

    • ReconNotificationSummaryEvent

    • ScheduledReportNotificationEvent

    • MobileDetectionSummaryEvent

    • DataProtectionDetectionSummaryEvent

STEP 4. Click Create to finish.
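Before pasting the credentials into the integration form, it is worth confirming that the API client works and has the right scope, because a client with the wrong cloud or missing permission only shows up later as an empty subsystem. The script below is an added example written for this page; it is not part of the Coralogix integration or of any CrowdStrike SDK. It uses the Falcon OAuth2 token endpoint (POST /oauth2/token, client-credentials grant) on the same host as the discovery URLs listed above, and the Event Streams discovery endpoint from the form (GET /sensors/entities/datafeed/v2). It also shows the event-type selection the form performs, applied to constructed sample records in the Event Streams envelope (metadata plus event). The environment variable names, the appId value and the sample records are assumptions made here, not values from the page.

```python
"""Pre-flight check for a CrowdStrike Event Streams API client.

Added example for this page; not part of the Coralogix integration or of
any CrowdStrike SDK. Uses the Falcon OAuth2 token endpoint (POST
/oauth2/token) and the Event Streams discovery endpoint
(GET /sensors/entities/datafeed/v2). The environment variable names, the
appId value and SAMPLE_STREAM are assumptions made for this example.
"""
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

# Discovery URLs from the integration form, keyed by Falcon cloud.
DATAFEED_URLS = {
    "US-1": "https://api.crowdstrike.com/sensors/entities/datafeed/v2",
    "US-2": "https://api.us-2.crowdstrike.com/sensors/entities/datafeed/v2",
    "EU-1": "https://api.eu-1.crowdstrike.com/sensors/entities/datafeed/v2",
    "US-GOV-1": "https://api.laggar.gcw.crowdstrike.com/sensors/entities/datafeed/v2",
}

# Event types offered by the integration form.
EVENT_TYPES = frozenset({
    "DetectionSummaryEvent", "EppDetectionSummaryEvent",
    "AuthActivityAuditEvent", "UserActivityAuditEvent", "HashSpreadingEvent",
    "RemoteResponseSessionStartEvent", "RemoteResponseSessionEndEvent",
    "FirewallMatchEvent", "CSPMSearchStreamingEvent", "CSPMIOAStreamingEvent",
    "IncidentSummaryEvent", "CustomerIOCEvent", "IDPDetectionSummaryEvent",
    "IdentityProtectionEvent", "ReconNotificationSummaryEvent",
    "ScheduledReportNotificationEvent", "MobileDetectionSummaryEvent",
    "DataProtectionDetectionSummaryEvent",
})


def token_url_for(cloud: str) -> str:
    """The OAuth2 token endpoint lives on the same API host as the datafeed."""
    parts = urllib.parse.urlsplit(DATAFEED_URLS[cloud])
    return urllib.parse.urlunsplit((parts.scheme, parts.netloc, "/oauth2/token", "", ""))


def fetch_token(cloud: str, client_id: str, client_secret: str) -> str:
    """Exchange the API client ID and secret for a short-lived bearer token."""
    body = urllib.parse.urlencode(
        {"client_id": client_id, "client_secret": client_secret}).encode()
    req = urllib.request.Request(
        token_url_for(cloud), data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)["access_token"]


def discover_streams(cloud: str, token: str, app_id: str = "coralogix-preflight") -> list:
    """List the event streams this client may read. A client without the
    Event Streams: Read scope is rejected here, typically with HTTP 403."""
    query = urllib.parse.urlencode({"appId": app_id, "format": "json"})
    req = urllib.request.Request(
        f"{DATAFEED_URLS[cloud]}?{query}",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp).get("resources", [])


def filter_events(lines, wanted) -> list:
    """Parse newline-delimited stream records and keep those whose
    metadata.eventType is selected, as the integration form's Event types do."""
    unknown = set(wanted) - EVENT_TYPES
    if unknown:
        raise ValueError(f"not an Event Streams type: {sorted(unknown)}")
    kept = []
    for line in lines:
        line = line.strip()
        if not line:  # empty lines are keepalives, not records
            continue
        record = json.loads(line)
        if record["metadata"]["eventType"] in wanted:
            kept.append(record)
    return kept


# Constructed sample records in the Event Streams envelope; the customer ID,
# offsets and event bodies are made up for this example.
SAMPLE_STREAM = """\
{"metadata":{"customerIDString":"0123456789abcdef0123456789abcdef","offset":101,"eventType":"DetectionSummaryEvent","eventCreationTime":1700000000000,"version":"1.0"},"event":{"ComputerName":"ws-01","Severity":4}}

{"metadata":{"customerIDString":"0123456789abcdef0123456789abcdef","offset":102,"eventType":"UserActivityAuditEvent","eventCreationTime":1700000001000,"version":"1.0"},"event":{"OperationName":"updateDetectStatus"}}
{"metadata":{"customerIDString":"0123456789abcdef0123456789abcdef","offset":103,"eventType":"IncidentSummaryEvent","eventCreationTime":1700000002000,"version":"1.0"},"event":{"FineScore":60}}
"""


if __name__ == "__main__":
    cloud = os.environ.get("CS_CLOUD", "US-1")
    try:
        token = fetch_token(cloud, os.environ["CS_CLIENT_ID"], os.environ["CS_CLIENT_SECRET"])
        streams = discover_streams(cloud, token)
    except urllib.error.HTTPError as err:
        print(f"check failed: HTTP {err.code} from {err.url} "
              "(403 usually means the client lacks Event Streams: Read)")
        sys.exit(1)
    for stream in streams:
        # Print the feed URL without its query string; never log the token.
        print("stream:", stream["dataFeedURL"].split("?", 1)[0])
```

Run it with CS_CLOUD set to the same cloud you pick in the form and the client ID and secret in CS_CLIENT_ID and CS_CLIENT_SECRET. A 401 on the token call means the ID or secret is wrong (or belongs to a different cloud); a 403 on discovery means the client is valid but was not granted Event Streams: Read. The secret is read from the environment rather than a command-line argument so that it does not land in shell history or process listings.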

Support

Need help?

Our world-class customer success team is available 24/7 to walk you through your setup and answer any questions that may come up.

Feel free to reach out to us via our in-app chat or by sending us an email to [email protected].