Overview
Integrate with CrowdStrike to ingest the following events:
- Detection Summary
- Firewall Match
- Identity Protection
- Idp Detection Summary
- Incident Summary
- Authentication Events
- Detection Status Updates
- Uploaded IoCs
- Network Containment Events
- IP Allowlisting Events
- Policy Management Events
- CrowdStrike Store Activity
- Real Time Response Session Start/End
- Event stream start/stop
Setup
Installation
No installation is required.
Configuration
Enabling event streaming
Before you can connect to event streams, you must contact the CrowdStrike support team to enable the streaming APIs on your customer account.
Connecting your CrowdStrike Account
Once streaming is enabled, you need to add a new API client:
- Sign in to the Falcon console
- Go to Support > API Clients and Keys
- Click “Add new API client”
- Enter a descriptive client name that identifies your API client in Falcon and in API action logs (for example, “Datadog”)
- Optionally, enter a description such as your API client’s intended use
- Select “Read” access for all API scopes
- Click “Add”
- Back in Datadog, click “Connect a CrowdStrike Account”
- Copy your API client ID and client secret into the connection form
- Optionally, enter a comma-separated list of tags to apply to the ingested logs
Results
Wait five minutes to see logs coming in under the source `crowdstrike`.
Data Collected
Logs
CrowdStrike Falcon events show up as logs under the source `crowdstrike`.
Metrics
The CrowdStrike integration does not include any metrics.
Service Checks
The CrowdStrike integration does not include any service checks.
Troubleshooting
Need help? Contact Datadog support.