CrowdStrike Falcon
Integrate CrowdStrike Falcon to retrieve endpoint protection data
The CrowdStrike Falcon connector allows you to retrieve inventory and detection data from your CrowdStrike platform directly into OverSOC for a consolidated view of your security posture.
Objective
The CrowdStrike Falcon connector retrieves the following information:
- Inventory of hosts (CrowdStrike sensors) in real-time
- Security detections and incidents
- Vulnerabilities identified on endpoints
Prerequisites
- Access to the CrowdStrike Falcon console
- Administrator permissions to create API keys
- Valid certificates or credentials for authentication
Information to Provide in OverSOC
| Field | Description |
|---|---|
| API Base URL | Base URL of the CrowdStrike Falcon API (e.g., https://api.crowdstrike.com) |
| Client ID | Client identifier for OAuth2 authentication |
| Client Secret | Client secret key for OAuth2 authentication |
Procedure
Create an API Key in CrowdStrike
- Sign in to the CrowdStrike Falcon console.
- Go to Support > API Clients and Keys.
- Click Add new API client.
- Give it a descriptive name (e.g., "OverSOC Integration").
- Select the required permissions:
  - Hosts: Inventory access
  - Detections: Incident access
  - Prevention policies: Policy access
- Click Create.
- Copy the Client ID and Client Secret immediately.
Retrieve the API URL
The API URL depends on your region:
- US-1: https://api.crowdstrike.com
- US-2: https://api.us-2.crowdstrike.com
- EU: https://api.eu-1.crowdstrike.com
Verify your region in your console settings.
Configure the Connector in OverSOC
- In OverSOC, go to Data Sources Settings > Sources.
- Select CrowdStrike Falcon and click Configure.
- Fill in the required fields:
  - API Base URL
  - Client ID
  - Client Secret
- Click Save Configuration.
View CrowdStrike API documentation
Required Permissions
The API client must have the following scopes:
- Hosts: To access endpoint inventory
- Detections: To access detections and incidents
- Prevention policies: To access policy data
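The following Python script is an added example, not OverSOC's connector code or CrowdStrike's SDK. It shows what the connector configured above has to do with the three fields it asks for: pick the regional API Base URL, exchange the Client ID and Client Secret for a bearer token with the OAuth2 client-credentials flow (secret sent in the form body, never in the URL), cache that token until it expires, and treat an HTTP 403 on a data call as "the API client is missing the scope" listed under Required Permissions. The token endpoint `/oauth2/token` and the host-query path `/devices/queries/devices/v1` are taken from CrowdStrike's public API; the credential values, the `FakeFalconTransport` and the scope name it checks are constructed so the example runs offline.

```python
"""OAuth2 client-credentials flow against the CrowdStrike Falcon API (added example)."""
import json
import time
import urllib.error
import urllib.parse
import urllib.request

# Region -> API base URL, as listed on this page.
REGION_BASE_URLS = {
    "US-1": "https://api.crowdstrike.com",
    "US-2": "https://api.us-2.crowdstrike.com",
    "EU": "https://api.eu-1.crowdstrike.com",
}


def region_base_url(region):
    """Return the API base URL for a region; refuse unknown regions instead of guessing."""
    try:
        return REGION_BASE_URLS[region.upper()]
    except KeyError:
        raise ValueError(f"unknown CrowdStrike region {region!r}") from None


def urllib_transport(method, url, headers, body):
    """Real HTTP transport: returns (status, parsed JSON). Used only against the live API."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as e:
        return e.code, json.loads(e.read() or b"{}")


class FalconClient:
    def __init__(self, base_url, client_id, client_secret, transport=urllib_transport, clock=time.time):
        self.base_url = base_url.rstrip("/")
        self._client_id = client_id
        self._client_secret = client_secret
        self._transport = transport
        self._clock = clock
        self._token = None
        self._expires_at = 0.0

    def token(self):
        """Fetch a bearer token, reusing the cached one until a minute before it expires."""
        if self._token and self._clock() < self._expires_at - 60:
            return self._token
        # Credentials go in the form body, so they never land in URL logs.
        body = urllib.parse.urlencode(
            {"client_id": self._client_id, "client_secret": self._client_secret}).encode()
        headers = {"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"}
        status, payload = self._transport("POST", f"{self.base_url}/oauth2/token", headers, body)
        if status not in (200, 201):
            raise PermissionError(f"token request failed with HTTP {status}: check Client ID/Secret")
        self._token = payload["access_token"]
        self._expires_at = self._clock() + float(payload.get("expires_in", 1799))
        return self._token

    def _get(self, path, params=None):
        url = f"{self.base_url}{path}" + (f"?{urllib.parse.urlencode(params)}" if params else "")
        headers = {"Authorization": f"Bearer {self.token()}", "Accept": "application/json"}
        status, payload = self._transport("GET", url, headers, None)
        if status == 403:
            raise PermissionError(f"API client lacks the scope required for {path}")
        if status != 200:
            raise RuntimeError(f"GET {path} failed with HTTP {status}")
        return payload.get("resources", [])

    def host_ids(self, limit=100):
        """Hosts scope: device IDs from the inventory query endpoint (first page only)."""
        return self._get("/devices/queries/devices/v1", {"limit": limit})


class FakeFalconTransport:
    """Constructed stand-in for the Falcon API so the example runs offline."""
    def __init__(self, scopes):
        self.scopes = set(scopes)   # scope names here are constructed labels, e.g. "Hosts"
        self.calls = []

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url, headers, body))
        path = urllib.parse.urlparse(url).path
        if path == "/oauth2/token":
            form = urllib.parse.parse_qs((body or b"").decode())
            if form.get("client_id") == ["demo-id"] and form.get("client_secret") == ["demo-secret"]:
                return 201, {"access_token": "tok-123", "expires_in": 1799}
            return 403, {"errors": [{"message": "access denied"}]}
        if headers.get("Authorization") != "Bearer tok-123":
            return 401, {"errors": [{"message": "unauthorized"}]}
        if path == "/devices/queries/devices/v1":
            if "Hosts" not in self.scopes:
                return 403, {"errors": [{"message": "missing scope"}]}
            return 200, {"resources": ["aid-0001", "aid-0002"]}   # constructed device IDs
        return 404, {}


def demo():
    """Inventory with the Hosts scope granted, then the error seen when it is missing."""
    base = region_base_url("EU")
    granted = FalconClient(base, "demo-id", "demo-secret", transport=FakeFalconTransport(["Hosts"]))
    hosts = granted.host_ids()
    denied = FalconClient(base, "demo-id", "demo-secret", transport=FakeFalconTransport([]))
    try:
        denied.host_ids()
        scope_error = None
    except PermissionError as e:
        scope_error = str(e)
    return hosts, scope_error


if __name__ == "__main__":
    print(demo())
```

To run it against a real tenant, pass the region's base URL and the key pair created in Support > API Clients and Keys and leave `transport` at its default; a `PermissionError` from `token()` means the Client ID or Secret is wrong, while a `PermissionError` from `host_ids()` means the API client was created without the Hosts scope.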