
CrowdStrike

Integration version 2.0.0

To find out if this integration is available in your organization, see your Datadog Integrations page or ask your organization administrator.

To initiate an exception request to enable this integration for your organization, email support@ddog-gov.com.

Overview

CrowdStrike is a single-agent solution that stops breaches, ransomware, and cyber attacks by providing comprehensive visibility and protection across endpoints, workloads, data, and identity.

The CrowdStrike integration allows you to:

  • Collect real-time CrowdStrike detection events and alerts as Datadog logs.
  • Enrich logs with CrowdStrike Threat Intelligence by collecting domain, hash, and IP indicators.

Setup

Installation

No installation is required.

Configuration

Enabling event streaming

Note: This step is only required if you want to collect CrowdStrike event stream logs. If you only want to use Threat Intelligence, you can skip this step.

Before you can connect to the Event Stream, contact the CrowdStrike support team to enable the streaming APIs on your customer account.

In CrowdStrike

Add a new API client in CrowdStrike:

  1. Sign in to the Falcon console and navigate to Support → API Clients and Keys.
  2. Select Add new API client to create a new client for Datadog.
  3. Enter a descriptive client name, such as Datadog, to identify the API client in Falcon and in API action logs.
  4. Optionally, add a description that indicates the intended use of your API client.
  5. Set Read access for the appropriate API scopes based on what you want to collect:
    • Event Streams: Set Read access for all API scopes.
    • Threat Intelligence: Set Read access for Indicators (Falcon Intelligence) only.
    • Both: Set Read access for all API scopes (this covers Threat Intelligence as well).
  6. Select Connect Another CrowdStrike Account to initiate the connection.
  7. Copy the client ID and client secret from the Falcon console and paste them into Datadog.

In Datadog

Add the API client details on the CrowdStrike integration tile in Datadog:

  1. Add a name, your CrowdStrike account name, and your client ID and client secret.
  2. Select your CrowdStrike datacenter or cloud from the dropdown.
  3. Optionally, enter a list of tags separated by commas to categorize this integration in Datadog.
  4. Select which type of data you want to ingest using the toggles:
    • Collect domain indicators to enrich logs with threat intelligence from CrowdStrike.
    • Collect hash indicators to enrich logs with threat intelligence from CrowdStrike.
    • Collect IP indicators to enrich logs with threat intelligence from CrowdStrike.
  5. Click Save Changes.
  • For the logs integration, CrowdStrike logs begin to appear in the Log Explorer with the source crowdstrike.
  • To view logs enriched with CrowdStrike Threat Intelligence, use the @threat_intel.results.source.name:Crowdstrike filter in Log Explorer. It shows which of your logs have been enriched with threat intelligence data that has a high malicious confidence.
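As an added example that is not part of the Datadog documentation, the following Python script shows what the Log Explorer facet filter above matches when applied to log records: it walks the nested threat_intel.results array the way a facet search does, so a record matches if any element of the array names CrowdStrike as the source, and it pulls out the matching indicators for triage. The sample records, the exact-match comparison, and the indicator and category fields under threat_intel.results are constructed assumptions for illustration; only the @threat_intel.results.source.name attribute comes from the page.

```python
import json
from typing import Any, Iterator

# Constructed sample log records shaped like Datadog log JSON after threat
# intelligence enrichment. Only "threat_intel.results[].source.name" is taken
# from the documentation; "indicator" and "category" are assumed field names.
SAMPLE_LOGS = [
    {
        "message": "Inbound connection from 203.0.113.10",
        "network": {"client": {"ip": "203.0.113.10"}},
        "threat_intel": {"results": [
            {"source": {"name": "Crowdstrike"}, "indicator": "203.0.113.10", "category": "malware"}
        ]},
    },
    {"message": "User login", "usr": {"name": "alice"}},
    {
        "message": "DNS lookup example.test",
        "threat_intel": {"results": [
            {"source": {"name": "OtherFeed"}, "indicator": "example.test", "category": "phishing"}
        ]},
    },
]


def attribute_values(obj: Any, path: list[str]) -> Iterator[Any]:
    """Yield every value reachable at a dotted attribute path.

    Lists are fanned out at every step, so a path through an array such as
    threat_intel.results.source.name yields one value per array element and
    the record matches if any element matches.
    """
    if isinstance(obj, list):
        for item in obj:
            yield from attribute_values(item, path)
    elif not path:
        yield obj
    elif isinstance(obj, dict) and path[0] in obj:
        yield from attribute_values(obj[path[0]], path[1:])


def parse_facet_filter(query: str) -> tuple[list[str], str]:
    """Split "@threat_intel.results.source.name:Crowdstrike" into (path, value)."""
    if not query.startswith("@") or ":" not in query:
        raise ValueError(f"not a facet filter: {query!r}")
    attr, _, value = query[1:].partition(":")
    return attr.split("."), value


def matches_facet(record: dict, query: str) -> bool:
    """Evaluate a Log Explorer style "@a.b.c:value" filter against one record.

    Exact string comparison is used here; this is an assumption of the example,
    not a statement about how Datadog compares facet values.
    """
    path, value = parse_facet_filter(query)
    return any(str(v) == value for v in attribute_values(record, path))


def enriched_by_crowdstrike(records: list[dict]) -> list[dict]:
    """Return the records the documented filter would show in Log Explorer."""
    query = "@threat_intel.results.source.name:Crowdstrike"
    return [r for r in records if matches_facet(r, query)]


def crowdstrike_indicators(record: dict) -> list[str]:
    """Collect the indicators attributed to CrowdStrike in one enriched record.

    Useful for pivoting from an enriched log to the indicator that caused the
    match. The "indicator" field name is an assumption of this example.
    """
    return [
        str(res["indicator"])
        for res in attribute_values(record, ["threat_intel", "results"])
        if isinstance(res, dict)
        and res.get("source", {}).get("name") == "Crowdstrike"
        and "indicator" in res
    ]


if __name__ == "__main__":
    for rec in enriched_by_crowdstrike(SAMPLE_LOGS):
        print(json.dumps(rec["message"]), "<- indicators:", crowdstrike_indicators(rec))
```

Running the script prints only the first sample record, because its results array contains an element whose source.name is Crowdstrike; the record enriched by a different feed and the unenriched record are excluded, which is the same set the Log Explorer filter on the page selects.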

Data Collected

Metrics

The CrowdStrike integration does not include any metrics.

Events

The CrowdStrike integration allows Datadog to ingest the following events:

  • Detection Summary
  • Firewall Match
  • Identity Protection
  • Idp Detection Summary
  • Incident Summary
  • Authentication Events
  • Detection Status Updates
  • Uploaded IoCs
  • Network Containment Events
  • IP Allowlisting Events
  • Policy Management Events
  • CrowdStrike Store Activity
  • Real Time Response Session Start/End
  • Event stream start/stop

These events appear on the CrowdStrike Log Overview dashboard.

Service Checks

The CrowdStrike integration does not include any service checks.

Troubleshooting

Need help? Contact Datadog support.