CrowdStrike Falcon Integration

Intro

The CrowdStrike integration leverages the Falcon Integration Gateway (FIG) developed by the vendor.

The Falcon Integration Gateway (FIG) can forward threat detection findings and audit events from the CrowdStrike Falcon platform to our SIEM.

Events and Alerts available in your SIEM

Detection findings and audit events generated by the CrowdStrike Falcon platform inform you about suspicious files and behaviors in your environment. You will see detections on a range of activities, from the presence of a bad file (indicator of compromise, IOC) to a nuanced collection of suspicious behaviors (indicator of attack, IOA) occurring on one of your hosts or containers. You can learn more about the individual detections in the Falcon documentation.

This project facilitates the export of the individual detections and audit events from CrowdStrike Falcon to third-party security dashboards (so-called backends). The export is useful where security operations team workflows are tied to a given third-party solution, so that the team gets an early, real-time heads-up about malicious activities or unusual user activities detected by the CrowdStrike Falcon platform.

Requirements and info required for this integration

NOTE: For full information on how to generate an API client, refer to the CrowdStrike API documentation.

API clients are granted one or more API scopes. Scopes allow access to specific CrowdStrike APIs and describe the actions that an API client can perform.

The Falcon Integration Gateway (FIG) requires the following API scopes at a minimum:

  • Event streams: [Read]
  • Hosts: [Read]

After that, specific event types and alerts can be selected and made available for collection via the API. These will be the Falcon events and alerts available for analysis in your SIEM.

FIG authenticates to the CrowdStrike API with an API client ID and client secret, together with the associated cloud region, to establish its connection.

FIG supports auto-discovery of the Falcon cloud region. If you do not specify a cloud region, FIG will attempt to auto-discover the cloud region based on the API client ID and client secret provided.

After provisioning the API access with the required permissions, please upload the following info to Onehub (as a txt file):

  • cloud_region
  • client_id = YOUR_CLIENT_ID
  • client_secret = YOUR_CLIENT_SECRET
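Before uploading the hand-off file, it is worth checking that it is complete, that the placeholders have been replaced, that the region value (if set) is one FIG recognises, and that the file is not world-readable, since the client secret is a live credential. The script below is an added example, not SOCFortress or CrowdStrike code. It assumes the hand-off file holds one `key = value` pair per line, the per-region Falcon API hostnames and the OAuth2 client-credentials endpoint (`POST {base}/oauth2/token`) as published in CrowdStrike's API documentation, and it mimics FIG's region auto-discovery by trying regions in turn until one issues a token; the `request_token`, `discover_region` and `check_file_permissions` helper names are this example's own.

```python
"""Pre-upload check for the FIG hand-off file (cloud_region, client_id,
client_secret). Added example, not SOCFortress or CrowdStrike code.
Assumptions: per-region Falcon API base URLs and the OAuth2
client-credentials endpoint POST {base}/oauth2/token as documented by
CrowdStrike; the hand-off file holds one `key = value` pair per line."""
import json
import os
import stat
import urllib.parse
import urllib.request

# Region -> API base URL (assumed from CrowdStrike's public API docs).
REGION_BASE_URLS = {
    "us-1": "https://api.crowdstrike.com",
    "us-2": "https://api.us-2.crowdstrike.com",
    "eu-1": "https://api.eu-1.crowdstrike.com",
    "us-gov-1": "https://api.laggar.gcw.crowdstrike.com",
}
REQUIRED_KEYS = ("client_id", "client_secret")
PLACEHOLDERS = {"YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET", ""}


def parse_handoff(text):
    """Parse `key = value` lines; a bare key (e.g. `cloud_region`) maps to ''."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip().lower()] = value.strip()
    return cfg


def validate_handoff(cfg):
    """Return a list of problems; an empty list means the file is ready to upload."""
    problems = []
    for key in REQUIRED_KEYS:
        if cfg.get(key, "") in PLACEHOLDERS:
            problems.append(f"{key} is missing or still a placeholder")
    region = cfg.get("cloud_region", "")
    # An empty region is allowed: FIG then auto-discovers it from the credentials.
    if region and region not in REGION_BASE_URLS:
        problems.append(
            f"unknown cloud_region '{region}' (expected one of {sorted(REGION_BASE_URLS)})"
        )
    return problems


def redact(secret, keep=4):
    """Show only a short prefix so the secret never lands in logs or tickets."""
    return secret[:keep] + "*" * max(len(secret) - keep, 0)


def request_token(region, client_id, client_secret, timeout=10):
    """POST the OAuth2 client-credentials request; return parsed JSON, or None on failure."""
    body = urllib.parse.urlencode(
        {"client_id": client_id, "client_secret": client_secret}
    ).encode()
    req = urllib.request.Request(
        REGION_BASE_URLS[region] + "/oauth2/token", data=body, method="POST"
    )
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    except Exception:  # HTTP 401/403 surface as HTTPError; network errors as URLError
        return None


def discover_region(client_id, client_secret, token_fn=request_token,
                    candidates=("us-1", "us-2", "eu-1")):
    """Mimic FIG auto-discovery: the first region that issues a token wins, else None."""
    for region in candidates:
        if token_fn(region, client_id, client_secret):
            return region
    return None


def check_file_permissions(path):
    """True when the hand-off file is not readable by group or others (e.g. mode 0600)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & 0o077 == 0


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "fig_handoff.txt"  # hypothetical file name
    with open(path) as fh:
        cfg = parse_handoff(fh.read())
    for problem in validate_handoff(cfg):
        print("PROBLEM:", problem)
    if not check_file_permissions(path):
        print("PROBLEM: file is readable by group/others; chmod 600 it before sharing")
    print("client_secret =", redact(cfg.get("client_secret", "")))
```

Run it as `python check_handoff.py fig_handoff.txt`; the offline checks (parsing, placeholders, region, permissions) need no network, and `discover_region` with the default `request_token` only makes real token requests if you call it explicitly with the credentials.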