---
title: CrowdStrike
description: Collect CrowdStrike real-time detection events as Datadog logs
---

# CrowdStrike
Integration version 2.0.0
{% callout %}
# Important note for users on the following Datadog sites: us2.ddog-gov.com

{% alert level="info" %}
To find out if this integration is available in your organization, see your [Datadog Integrations](https://app.datadoghq.com/integrations) page or ask your organization administrator.

To initiate an exception request to enable this integration for your organization, email [support@ddog-gov.com](mailto:support@ddog-gov.com).
{% /alert %}

{% /callout %}
## Overview{% #overview %}

[CrowdStrike](https://www.crowdstrike.com/) is a single-agent solution to stop breaches, ransomware, and cyber attacks with comprehensive visibility and protection across endpoints, workloads, data, and identity.

The CrowdStrike integration allows you to:

- Collect real-time CrowdStrike detection events and alerts as Datadog logs.
- Enrich logs with CrowdStrike Threat Intelligence by collecting domain, hash, and IP indicators.

## Setup{% #setup %}

### Installation{% #installation %}

No installation is required.

### Configuration{% #configuration %}

#### Enabling event streaming{% #enabling-event-streaming %}

**Note:** This step is only required if you want to collect CrowdStrike event stream logs. If you only want to use Threat Intelligence, you can skip this step.

Before you can connect to the [Event Stream](https://docs.datadoghq.com/service_management/events/explorer.md), [contact the CrowdStrike support team](https://supportportal.crowdstrike.com/) to enable the streaming APIs on your customer account.

#### In CrowdStrike{% #in-crowdstrike %}

Add a new API client in CrowdStrike:

1. Sign in to the Falcon console and navigate to **Support → API Clients and Keys**.
1. Select **Add new API client** to create a new client for Datadog.
1. Enter a descriptive client name, such as **Datadog**, to identify the API client in Falcon and in API action logs.
1. Optionally, add a description that indicates the intended use of your API client.
1. Set Read access for the appropriate API scopes based on what you want to collect:
   - **Event Streams:** Set Read access for all API scopes.
   - **Threat Intelligence:** Set Read access for Indicators (Falcon Intelligence) only.
   - **Both:** Set Read access for all API scopes (this covers Threat Intelligence as well).
1. Select **Connect Another CrowdStrike Account** to initiate the connection.
1. Copy the **client ID** and **client secret** from the Falcon console and paste them into Datadog.

#### In Datadog{% #in-datadog %}

Add the API client details on the [CrowdStrike integration tile](https://app.datadoghq.com/integrations/crowdstrike) in Datadog:

1. Add a name, your CrowdStrike account name, and your **client ID** and **client secret**.
1. Select your CrowdStrike datacenter or cloud from the dropdown.
1. Optionally, enter a list of tags separated by commas to categorize this integration in Datadog.
1. Select which type of data you want to ingest using the toggles:
   - **Collect domain indicators** to enrich logs with threat intelligence from CrowdStrike.
   - **Collect hash indicators** to enrich logs with threat intelligence from CrowdStrike.
   - **Collect IP indicators** to enrich logs with threat intelligence from CrowdStrike.
1. Click **Save Changes**.

- For the logs integration, [CrowdStrike logs](https://app.datadoghq.com/logs/) begin to appear in the [Log Explorer](https://app.datadoghq.com/dash/integration/32115/crowdstrike-overview) under the source `crowdstrike`.
- To view logs enriched with CrowdStrike Threat Intelligence, use the `@threat_intel.results.source.name:Crowdstrike` filter in [Log Explorer](https://app.datadoghq.com/logs/) to see which of your logs have been enriched with threat intelligence data with a high malicious confidence.

## Data Collected{% #data-collected %}

### Metrics{% #metrics %}

The CrowdStrike integration does not include any metrics.

### Events{% #events %}

The CrowdStrike integration allows Datadog to ingest the following events:

- Detection Summary
- Firewall Match
- Identity Protection
- Idp Detection Summary
- Incident Summary
- Authentication Events
- Detection Status Updates
- Uploaded IoCs
- Network Containment Events
- IP Allowlisting Events
- Policy Management Events
- CrowdStrike Store Activity
- Real Time Response Session Start/End
- Event stream start/stop

These events appear on the [CrowdStrike Log Overview dashboard](https://app.datadoghq.com/dash/integration/32115/crowdstrike-overview).

### Service Checks{% #service-checks %}

The CrowdStrike integration does not include any service checks.

## Troubleshooting{% #troubleshooting %}

Need help? Contact [Datadog support](https://docs.datadoghq.com/help/).
