CrowdStrike Falcon Streaming v2

beta

This is a beta Integration, which lets you implement and test pre-release software. Since the integration is beta, it might contain bugs. Updates to the integration during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the integration to help us identify issues, fix them, and continually improve.

Overview

Use the CrowdStrike Falcon Streaming v2 integration to connect to the CrowdStrike Falcon event stream and fetch events as incidents into Demisto.

Define CrowdStrike API client

To use the integration, an API client needs to be defined, and its ID and secret must be configured in the integration instance.

Follow this article to get access to the CrowdStrike API and generate a client ID and client secret.

The required scope is Event streams.

Configure CrowdStrike Falcon Streaming v2 on Demisto

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for CrowdStrike Falcon Streaming v2.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • Cloud Base URL (e.g. https://api.crowdstrike.com)
    • Client ID
    • Client Secret
    • Event type to fetch
    • Offset to fetch events from
    • Incident type
    • Trust any certificate (not secure)
    • Use system proxy settings
  4. Click Test to validate the URLs, token, and connection.

Important Notes

  • If you're using Falcon's commercial cloud, use the default value of the Cloud base URL. If you use another CrowdStrike cloud environment, use one of the following:

  • Offset to fetch events from must be an integer value. To fetch all events, set it to 0 (the default value).

    Only events starting from this offset will be fetched.

    For example, if set to 10, the event with offset 9 will not be fetched, while the events with offsets 10 and 11 will be fetched.

  • Event type to fetch accepts multiple values, so select as many event types as you want to fetch.

    To fetch events of all types, leave it empty.

    You can also add an event type that is not listed by entering it in the parameter value.

Fetched Incidents Data

Event metadata is fetched as the incident details, which contain the following:

  • Type
  • Offset
  • Creation time
  • User ID
  • Service Name
  • Detection Name
  • Detection Description
  • Severity
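The offset and event-type rules from the Important Notes, together with the incident fields listed above, as an added example in Python that is not part of the integration's own code. The stream line format and the field names under "metadata" and "event" (eventType, offset, eventCreationTime, UserName, DetectName, and so on) are assumptions for illustration, as is the sample data.

```python
import json
from typing import Any, Dict, Iterable, List, Sequence

# Constructed sample of three newline-delimited stream events. The field names
# under "metadata" and "event" are assumptions for illustration, not the
# vendor's documented schema.
SAMPLE_STREAM_LINES = [
    json.dumps({"metadata": {"eventType": "DetectionSummaryEvent", "offset": 9,
                             "eventCreationTime": 1600000000000},
                "event": {"UserName": "alice", "ServiceName": "Falcon",
                          "DetectName": "Suspicious Process",
                          "DetectDescription": "Unexpected child process", "Severity": 4}}),
    "",  # constructed blank line, which the parser must skip
    json.dumps({"metadata": {"eventType": "UserActivityAuditEvent", "offset": 10,
                             "eventCreationTime": 1600000001000},
                "event": {"UserName": "bob", "ServiceName": "Console",
                          "OperationName": "userLogin"}}),
    json.dumps({"metadata": {"eventType": "DetectionSummaryEvent", "offset": 11,
                             "eventCreationTime": 1600000002000},
                "event": {"UserName": "carol", "ServiceName": "Falcon",
                          "DetectName": "Suspicious Script",
                          "DetectDescription": "Encoded command line", "Severity": 2}}),
]

def parse_stream(lines: Iterable[str]) -> List[Dict[str, Any]]:
    """Decode one JSON event per line, skipping blank lines."""
    return [json.loads(line) for line in lines if line.strip()]

def select_events(events, offset: int, event_types: Sequence[str]):
    """Apply the two instance parameters: keep only events whose offset is at
    least the configured offset and whose type is selected (empty = all types)."""
    wanted = set(event_types)
    return [e for e in events
            if e["metadata"]["offset"] >= offset
            and (not wanted or e["metadata"]["eventType"] in wanted)]

def to_incident(event: Dict[str, Any]) -> Dict[str, Any]:
    """Map one event to the metadata fields surfaced as incident details."""
    meta, body = event["metadata"], event.get("event", {})
    return {"Type": meta["eventType"], "Offset": meta["offset"],
            "Creation time": meta["eventCreationTime"],
            "User ID": body.get("UserName"), "Service Name": body.get("ServiceName"),
            "Detection Name": body.get("DetectName"),
            "Detection Description": body.get("DetectDescription"),
            "Severity": body.get("Severity")}

def fetch_incidents(lines, offset=0, event_types=()):
    """Parse, filter by offset and type, and build one incident per event."""
    return [to_incident(e) for e in select_events(parse_stream(lines), offset, event_types)]
```

With offset 10 and no event types, the sample yields the events at offsets 10 and 11 and drops offset 9, matching the note above.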