Connecting your CrowdStrike Account

Once streaming is enabled, you need to add a new API client:

1. Sign in to the Falcon console.
2. Go to Support > API Clients and Keys.
3. Click "Add new API client".
4. Enter a descriptive client name that identifies your API client in Falcon and in API action logs (for example, "Datadog").
5. Go to Host setup and management > Sensor downloads and copy your Customer ID.
6. Select Add.

CrowdStrike's cloud-native endpoint security platform combines Next-Gen AV, EDR, Threat Intelligence, Threat Hunting, and much more.

How to Set Up the CrowdStrike Falcon SIEM Connector

After we execute the request, it pulls up the SHA-256 hash of the IOC that we created earlier and lists it in the details section below. There is plenty of additional information in the CrowdStrike API Swagger UI, as well as in the Custom IOC APIs documentation accessible through the Falcon console Docs menu. Each CrowdStrike cloud environment has a unique Swagger page. To use it, click the Authorize button at the top of the page, add your client credentials to the OAuth2 form, and click Authorize again. When we receive the response, we can see that the only IOC still listed is the domain.

The CrowdStrike Falcon SIEM Connector (SIEM Connector) runs as a service on a local Linux server. This framework automatically downloads recent samples that triggered an alert on the user's YARA notification feed. Open a terminal and run the installation command, where is the installer that you downloaded:

The last step before starting the SIEM Connector is to pick an output configuration. We can now replicate this method of ensuring our Resources and Credentials are included in any Action that needs to make authenticated calls to the CrowdStrike API.

How to Integrate with your SIEM
As briefly mentioned above, there is OAuth 2.0 authentication and key-based authentication (key-based authentication is now deprecated).

To configure a CrowdStrike FDR Source: in Sumo Logic, select Manage Data > Collection > Collection.

You can also generate a static documentation file based on a schema file or a GraphQL endpoint:

    npm install -g graphql-docs
    graphql-docs-gen http://GRAPHQL_ENDPOINT documentation.html

Under the Devices section, find the /devices/queries/devices-scroll/v1 API endpoint, click it to expand, then click Try it Out, and finally Execute.