Integrate with CrowdStrike to ingest the following events:

  • Detection Summary
  • Firewall Match
  • Identity Protection
  • Idp Detection Summary
  • Incident Summary
  • Authentication Events
  • Detection Status Updates
  • Uploaded IoCs
  • Network Containment Events
  • IP Allowlisting Events
  • Policy Management Events
  • CrowdStrike Store Activity
  • Real Time Response Session Start/End
  • Event stream start/stop



No installation is required.


Enabling event streaming

Before you can connect to event streams, you must contact the CrowdStrike support team to enable the streaming APIs on your customer account.

Connecting your CrowdStrike Account

Once streaming is enabled, you need to add a new API client:

  • Sign in to the Falcon console
  • Go to Support > API Clients and Keys
  • Click “Add new API client”
  • Enter a descriptive client name that identifies your API client in Falcon and in API action logs (for example, “Datadog”)
  • Optionally, enter a description such as your API client’s intended use
  • Select “Read” access for all API scopes
  • Click “Add”
  • Back in Datadog, click “Connect a CrowdStrike Account”
  • Copy over your API client-id and client-secret
  • Optionally, enter a comma-separated list of tags


Wait five minutes to see logs coming in under the source crowdstrike.

Data Collected


CrowdStrike Falcon events show up as logs under the source crowdstrike.


The CrowdStrike integration does not include any metrics.

Service Checks

The CrowdStrike integration does not include any service checks.


Need help? Contact Datadog support.