CrowdStrike

Overview

Integrate with CrowdStrike to ingest the following events:

  • Detection Summary
  • Firewall Match
  • Identity Protection
  • Idp Detection Summary
  • Incident Summary
  • Authentication Events
  • Detection Status Updates
  • Uploaded IoCs
  • Network Containment Events
  • IP Allowlisting Events
  • Policy Management Events
  • CrowdStrike Store Activity
  • Real Time Response Session Start/End
  • Event stream start/stop

Setup

Installation

No installation is required.

Configuration

Enabling event streaming

Before you can connect to event streams, you must contact the CrowdStrike support team to enable the streaming APIs on your customer account.

Connecting your CrowdStrike Account

Once streaming is enabled, you need to add a new API client:

  • Sign in to the Falcon console
  • Go to Support > API Clients and Keys
  • Click “Add new API client”
  • Enter a descriptive client name that identifies your API client in Falcon and in API action logs (for example, “Datadog”)
  • Optionally, enter a description such as your API client’s intended use
  • Select “Read” access for all API scopes
  • Click “Add”
  • Back in Datadog click “Connect a CrowdStrike Account”
  • Copy your API client ID and client secret into the connection form
  • Optionally, enter a list of tags separated by commas

Results

Wait five minutes for logs to appear under the source crowdstrike.

Data Collected

Logs

CrowdStrike Falcon events show up as logs under the source crowdstrike.

Metrics

The CrowdStrike integration does not include any metrics.

Service Checks

The CrowdStrike integration does not include any service checks.

Troubleshooting

Need help? Contact Datadog support.