CrowdStrike Falcon

Overview

CrowdStrike Falcon is a cloud-based endpoint protection platform that provides real-time detection, prevention, and response capabilities.

The CrowdStrike Event Streams API integration allows you to collect Falcon detection and audit events and ingest them into the product for long-term storage, advanced analysis, and compliance reporting.

This integration allows you to centralize CrowdStrike event logs across your environment providing features such as:

• Extended log retention

  Store CrowdStrike audit and detection events for long-term compliance and auditing needs.

• Advanced correlation

  Combine CrowdStrike alerts with logs from other sources to reduce false positives and gain broader incident context.

• Prebuilt analytics

  Leverage out-of-the-box reports, alert profiles, dashboards, and detection rules tailored for CrowdStrike data.

• Centralized security insights

  Analyze CrowdStrike activity alongside endpoint, network, and user events for a comprehensive view of threats.

Supported event types

The integration ingests a variety of Falcon events, including:

• Detection Summary Events
• Authentication Audit Events
• User Activity Audit Events
• Firewall Match Events
• Remote Response Session Events

By integrating CrowdStrike Event Streams, security teams can centralize the CrowdStrike logs for advanced analytics, correlation with SIEM (Security Information and Event Management) events, and compliance reporting.

Prerequisites

• Falcon API credentials

  You must have a CrowdStrike Falcon account with Administrator privileges to create the API credentials.

• Create API client
  • In the Falcon console, navigate to Support → API Clients and Keys and add a new OAuth2 API client.
  • Assign a name and description, then enable the following read scopes:
    • Detections
    • Hosts
    • Event Streams.
  • After creation, record the Client ID and Client Secret securely (the secret is shown only once). These credentials will be later used to authenticate the product to the CrowdStrike API.
• Network connectivity

  Ensure that the outbound access from the product/agent to the CrowdStrike Event Streams API endpoints is allowed.

Workflow architecture

Configuration steps

1. Add CrowdStrike Falcon Application
   • In the product console, go to Settings > Applications > Other Applications.
   • Click +Add Other Applications and select CrowdStrike Falcon from the log source list.
2. Enter API Details

   Provide the following information:

   • Name: A display name for this configuration to help identify the log source.
   • Cloud environment: Select the appropriate Falcon cloud environment (for example, US Commercial Cloud). The available options from this field drop-down are:
     • EU Cloud
     • US GovCloud
     • US Commercial Cloud
     • US Commercial Cloud 2
   • Client ID: The OAuth2 Client ID obtained from the CrowdStrike Falcon console.
   • Client Secret: The corresponding client secret associated with the Client ID.
   • Application ID: Each Event Stream request must include an Application ID. This ID is mandatory on the CrowdStrike Falcon application and is used to uniquely identify each active event stream. It enables CrowdStrike to monitor individual streams, detect performance delays, and troubleshoot issues by clearly distinguishing one stream from another. The field input must be an alphanumeric string with a maximum length of 32 characters.
   • Ingest from: Specifies whether data collection should retrieve the oldest available historical logs or start collecting logs only from the first event generated at the time of the initial API connection. (This option can be selected only during initial configuration. ) The available options from this field drop-down are:
     • Oldest Available Event (Historical)
     • Configured Time (Starting Now)
   NOTE Each active event stream must have a unique AppID. Using a duplicate AppID for a second stream will result in authentication errors.
3. Save and Start Collection

   Complete the setup in the product. The system will use the provided credentials and AppID to connect to the CrowdStrike Event Streams API and begin collecting events.

Once configured, the product will continuously ingest CrowdStrike detection and audit events for further analysis and reporting.

Outcome of the integration

• Log management and Auditing
  • All the CrowdStrike Falcon events like the detections, logins, API sessions, etc, are centralized in the product.
  • Logs are retained for a long-term to meet the necessary compliance and auditing requirements.
• Advanced correlation
  • CrowdStrike events are correlated with other SIEM data, for example- network logs and other endpoint events.
  • This helps reduce false positives and uncovers the broader context of security incidents.
  • For example: Linking a Falcon detection with a suspicious login from another system.
• Prebuilt analytics
  • You will be provided with dedicated reports, alert profiles, dashboards, and detection rules for CrowdStrike data.
  • These out-of-the-box tools enable faster threat detection and investigation without the need to build custom analytics from scratch.
• Incident workbench widgetsInteractive widgets like Device Summary, Recent Detections allow security analysts to pivot on CrowdStrike events during incident investigations.

Reports

You will be provided with a comprehensive set of built-in reports for CrowdStrike Falcon data. These include:

These preconfigured reports allow security teams to quickly access key CrowdStrike Falcon data including events, detections, user activities, etc for monitoring and compliance purposes.

Alert profiles

The product includes several default alert profiles for CrowdStrike Falcon to notify on important conditions. Below are some of the predefined alert profiles:

These alert profiles automatically monitor CrowdStrike policy and configuration statuses, notifying administrators if key protections are off or critical roles are granted.

Dashboard widgets

The product provides prebuilt dashboard widgets for visualizing CrowdStrike Falcon data. Some of the available widgets include:

• All CrowdStrike Events
• Total CrowdStrike Detections
• Allowed CrowdStrike Detections
• Blocked CrowdStrike Detections
• Top 5 Devices with CrowdStrike Detections
• Top 10 Files with CrowdStrike Detections
• Recent CrowdStrike Detections
• Top 5 Users with CrowdStrike Detections
• Top 10 CrowdStrike Detections by Name
• CrowdStrike Events Over Time
• CrowdStrike Detections by Objective
• CrowdStrike Detections by Tactic
• CrowdStrike Detection by Type

These widgets can be added to the product dashboard for real-time monitoring of CrowdStrike activity and detection trends.

Detection rules

Several detection rules are provided to detect complex attack patterns by combining CrowdStrike events with SIEM events:

• Concurrent Login By Same UserDetects if the same CrowdStrike user account logs in from two different machines/endpoints at the same time.
• Memory Heist Preparation Detected
  • Combines SIEM and EDR (Endpoint Detection and Response) criteria to catch preparation for credential theft.
  • For example, SIEM looks for registry changes that disable LSA credential protections or enable shadow copy deletion:Event ID 13/4657 with specific Object Names like Control\lsa, LocalDumps\lsass.exe, or wdigest\UseLogonCredential being modified.
  • Simultaneously, the EDR rule watches for a CrowdStrike detection named “credential theft.”
• GhostUAC Using Trusted Binary
  • Identifies potential UAC bypass using Windows binaries. This rule has two parts:
    • EDR Detection: Triggers when CrowdStrike detects a “privilege escalation” involving trusted binaries (reg.exe or regedit.exe) launching the ms-settings\shell\open\command.
    • SIEM Event: Triggers on Windows process creation events (Event ID 1 or 4688) where a parent process (fodhelper.exe or Computerdefaults.exe) spawns a child process not matching itself, indicating potential silent execution.
• LOLBin Escalation Vector
  • Detects use of living-off-the-land binaries (LOLbins) for privilege escalation. It has two actions:
    • SIEM Event: Triggers on processes such as PsExec.exe, PsExec64.exe, nircmd.exe, paexec.exe, etc., being executed (Event IDs 1 or 4688).
    • EDR Detection: Triggers on any CrowdStrike “suspicious activity” detection with tactic = “privilege escalation” and technique = “abuse elevation control mechanism”, especially if the process is run by a system account (user name ending with $).
  NOTE If the executed binary's hash is known malicious, the alert is high priority. If not, a medium priority alert is triggered to review the use of that tool.
• Trusted Binary Weaponized (CrowdStrike detection)
  • Triggers on a CrowdStrike “suspicious activity” event involving trusted binaries (e.g., regsvr32.exe) with network access.
  • Specifically, it looks for execution (command line contains http) with tactic = “command and control” or “execution”.
  • If a URL is detected, it should be checked against ATA (Advanced Threat Analytics)- Default threat feeds.
• Fileless/Obfuscated LOLBin Attack Chain Detected
  • Detects advanced file-less attack chains. It combines:
    • EDR Detection: A high-severity “attacker methodology” detection with tactic = “Execution” or “AI Powered IOA” and severity above 60.
    • SIEM Event: A process creation event for regsvr32.exe (Event ID 1 or 4688) with a command line invoking scrobj.dll (which is commonly used to silently execute scripts).

These detection rules leverage both CrowdStrike EDR detections and Windows event logs to identify sophisticated threats like credential theft, UAC bypasses, and fileless attacks. To learn more about this extension-specific detection rules, refer to the Rule Library page.

Incident workbench widgets

In the Incident Workbench, the following CrowdStrike-specific widgets help analysts investigate alerts:

These widgets give analysts quick visibility into CrowdStrike activity when handling security incidents.

If data ingestion or connectivity issues occur, refer to the Troubleshooting CrowdStrike Falcon extension errors page for detailed resolution steps and error explanations.

Pre-requisites

• Before creating a connection for a pre-defined service, ensure that the corresponding integration/extension is installed in Log360 Cloud.
• Only after installing the extension, the service will appear in the Connections page for connection setup.

Configuring VirusTotal integration via Connections

To enable communication between Log360 Cloud and Crowdstrike, a connection must be configured.

1. Log in to the product console.
2. Navigate to the Settings tab and select Admin.
3. Under Integrations, select Connections.

   

4. From the list of available integrations, select Crowdstrike.
5. In the window that opens, click Create Connection.
6. In the Create Connection - Crowdstrike window, provide the following details:
   • Authentication Type: This is preselected based on the integration.
   • Connection Name: Enter a name to identify the connection.
   • Cloud Environment: Specify the data region associated with your Crowdstrike account.
     NOTE For detailed steps on creating API key, refer to this document.
   • Client ID: Enter the Client ID generated from the Crowdstrike Admin portal.
   • Client Secret: Enter the corresponding Client Secret.
   • Application ID: Provide the Tenant ID from the Crowdstrike portal.
   • Ingest from: Specify whether log collection should start from historical data or only from live events at the time of configuration.
7. Under Select Scope(s), choose the required scope. You can also use the search bar to locate the required scope.
8. Click Authorize and Save to complete authentication and create the connection.

Supported SOAR functionalities

The CrowdStrike Falcon extension provides a comprehensive set of custom functions that enable playbooks to interact with CrowdStrike APIs. These functions allow security teams to retrieve host and alert data, manage users and policies, perform endpoint containment, and execute real-time response actions across endpoints.

The integration supports both read (investigation) and write (response/remediation) operations, enabling automated threat detection, enrichment, and containment directly from the product console.

1. crowdstrike_searchDevice

Reference link: POST /devices/entities/devices/v2

2. crowdstrike_searchAlerts

Reference link: POST /alerts/entities/alerts/v2

3. crowdstrike_searchMLExclusions

Reference link: GET /policy/entities/ml-exclusions/v1

4. crowdstrike_endpointInformation

Reference link: GET /devices/entities/devices/v2

5. crowdstrike_getAvailableRoleIds

Reference link: GET /user-management/queries/roles/v1

6. crowdstrike_getHostGroups

Reference link: GET /devices/entities/host-groups/v1

7. crowdstrike_getRuleGroupDetails

Reference link: GET /fwmgr/entities/rule-groups/v1

8. crowdstrike_getRuleGroups

Reference link: GET /fwmgr/queries/rule-groups/v1

9. crowdstrike_getDetectionforIncident

Reference link: POST /incidents/entities/incidents/GET/v1

10. crowdstrike_getQuarantinedFiles

Reference link: POST /quarantine/entities/quarantined-files/GET/v1

11. crowdstrike_queryODSScanHosts

Reference link: GET /ods/entities/scan-hosts/v1

12. crowdstrike_retrieveDetection

Reference link: GET /alerts/queries/alerts/v2

13. crowdstrike_retrieveUserInfo

Reference link: POST /user-management/entities/users/GET/v1

14. crowdstrike_retrieveUserUuid

Reference link: GET /user-management/queries/users/v1

15. crowdstrike_getUserRoleId

Reference link: GET /user-management/combined/user-roles/v2

16. crowdstrike_queryODSScan

Reference link: GET /ods/entities/scans/v2

17. crowdstrike_queryODSMaliciousFiles

Reference link: GET /ods/entities/malicious-files/v1

18. crowdstrike_queryCombinedSensorUpdatePolicy

Reference link: GET /policy/combined/sensor-update/v2

19. crowdstrike_createHostGroups

Reference link: POST /devices/entities/host-groups/v1

20. crowdstrike_updateHostGroup

Reference link: PATCH /devices/entities/host-groups/v1

21. crowdstrike_deleteHostGroups

Reference link: DELETE /devices/entities/host-groups/v1

22. crowdstrike_isolateEndpoint

Reference link: POST /devices/entities/devices-actions/v2

23. crowdstrike_unisolateEndpoints

Reference link: POST /devices/entities/devices-actions/v2

24. crowdstrike_createFirewallPolicy

Reference link: POST /policy/entities/firewall/v1

25. crowdstrike_updateFirewallPolicy

Reference link: PUT /fwmgr/entities/policies/v2

26. crowdstrike_performFirewallPolicyAction

Reference link: POST /policy/entities/firewall-actions/v1

27. crowdstrike_createIOC

Reference link: POST /iocs/entities/indicators/v1

28. crowdstrike_createMLExclusion

Reference link: POST /policy/entities/ml-exclusions/v1

29. crowdstrike_updateMLExclusion

Reference link: PATCH /policy/entities/ml-exclusions/v1

30. crowdstrike_deleteMLExclusion

Reference link: DELETE /policy/entities/ml-exclusions/v1

31. crowdstrike_updateDetects

Reference link: PATCH /alerts/entities/alerts/v3

32. crowdstrike_refreshSession

Reference link: POST /real-time-response/entities/refresh-session/v1

33. crowdstrike_deleteSession

Reference link: DELETE /real-time-response/entities/sessions/v1

34. crowdstrike_createBatchSession

Reference link: POST /real-time-response/combined/batch-init-session/v1

35. crowdstrike_getScript

Reference link: GET /real-time-response/entities/scripts/v1

36. crowdstrike_deleteScript

Reference link: DELETE /real-time-response/entities/scripts/v1

37. crowdstrike_runCommand

Reference link: POST /real-time-response/entities/admin-command/v1

38. crowdstrike_runBatchcommand

Reference link: POST /real-time-response/combined/batch-admin-command/v1

39. crowdstrike_listNetworkStats

Reference link: POST /real-time-response/entities/active-responder-command/v1

40. crowdstrike_killProcess

41. crowdstrike_listProcesses

Reference link: POST /real-time-response/entities/active-responder-command/v1

42. crowdstrike_getCloudRequestIdResponse

Reference link: GET /real-time-response/entities/active-responder-command/v1

43. crowdstrike_listAllSessions

Reference link: GET /real-time-response/queries/sessions/v1

44. crowdstrike_createSession

Reference link: POST /real-time-response/entities/sessions/v1

45. crowdstrike_readRegistry

Reference link: POST /real-time-response/entities/active-responder-command/v1

46. crowdstrike_createRuleGroup

Reference link: POST /fwmgr/entities/rule-groups/v1

47. crowdstrike_updateRuleGroup

Reference link: PATCH /fwmgr/entities/rule-groups/v1

48. crowdstrike_revokeUserRole

Reference link: POST /user-management/entities/user-role-actions/v1

49. crowdstrike_createSensorPolicy

Reference link: POST /policy/entities/sensor-update/v2

50. crowdstrike_applyQuarantineFileAction

Reference link: PATCH /quarantine/entities/quarantined-files/v1

51. crowdstrike_createODSScan

Reference link: POST /ods/entities/scans/v1

52. crowdstrike_deleteODSScheduledScan

Reference link: DELETE /ods/entities/scheduled-scans/v1

53. crowdstrike_createODSScheduledScan

Reference link: POST /ods/entities/scheduled-scans/v1

54. crowdstrike_updatePreventionPolicy

Reference link: PATCH /policy/entities/prevention/v1

55. crowdstrike_performSensorUpdatePolicyAction

Reference link: POST /policy/entities/sensor-update-actions/v1

56. crowdstrike_updateSensorPolicy

Reference link: PATCH /policy/entities/sensor-update/v2

57. crowdstrike_resetUserPassword

Reference link: POST /user-management/entities/user-actions/v1

58. crowdstrike_deleteFile

Reference link: DELETE /real-time-response/entities/file/v1

59. crowdstrike_getAvailableDeviceIds

Reference link: GET /devices/queries/devices/v1

Read also

This page explained how to integrate CrowdStrike Falcon Event Streams with the product to collect and analyze Falcon detection and audit events. To explore related integrations and advanced analytics, refer to the following pages:

• Installing Extensions
• Compliance Extensions
• Nginx
• Veeam
• MariaDB
• Okta
• Dropbox
• MikroTik
• MongoDB
• Topsec
• Sangfor
• Bitdefender GravityZone