CrowdStrike

Overview

CrowdStrike is a single-agent solution that stops breaches, ransomware, and cyberattacks with comprehensive visibility and protection across endpoints, workloads, data, and identity.

The CrowdStrike integration allows you to collect real-time CrowdStrike detection events and alerts as Datadog logs.

Setup

Installation

No installation is required.

Configuration

Enabling event streaming

Before you can connect to the Event Stream, contact the CrowdStrike support team to enable the streaming APIs on your customer account.

Connecting your CrowdStrike Account

Once streaming is enabled, add a new API client in CrowdStrike:

  1. Sign in to the Falcon console.
  2. Go to Support > API Clients and Keys.
  3. Click Add new API client.
  4. Enter a descriptive client name that identifies your API client in Falcon and in API action logs (for example, Datadog).
  5. Optionally, enter a description such as your API client’s intended use.
  6. Select Read access for all API scopes.
  7. Click Add.

Enabling log collection

Add the API client details on the CrowdStrike integration tile in Datadog:

  1. Click Connect a CrowdStrike Account.
  2. Enter your API client ID, client secret, and API domain.
  3. Optionally, enter a comma-separated list of tags.
  4. Click Submit.

After a few minutes, logs with the source `crowdstrike` appear on the Crowdstrike Log Overview dashboard.

Data Collected

Metrics

The CrowdStrike integration does not include any metrics.

Events

The CrowdStrike integration allows Datadog to ingest the following events:

  • Detection Summary
  • Firewall Match
  • Identity Protection
  • Idp Detection Summary
  • Incident Summary
  • Authentication Events
  • Detection Status Updates
  • Uploaded IoCs
  • Network Containment Events
  • IP Allowlisting Events
  • Policy Management Events
  • CrowdStrike Store Activity
  • Real Time Response Session Start/End
  • Event stream start/stop

These events appear on the Crowdstrike Log Overview dashboard.

Service Checks

The CrowdStrike integration does not include any service checks.

Troubleshooting

Need help? Contact Datadog support.