Blumira’s cloud SIEM platform integrates with CrowdStrike Falcon Endpoint Protection to detect cybersecurity threats and provide an automated or actionable response to remediate when a threat is detected on an endpoint.
When configured, the Blumira integration with CrowdStrike Falcon Endpoint Protection will stream server and workstation endpoint security event logs and alerts to the Blumira service for threat detection and actionable response.
Note: this integration pertains to the newer CrowdStrike “OAuth2-Based APIs” [1], not the legacy “Streaming APIs,” which CrowdStrike is retiring.
CrowdStrike provides an API that allows event data to be relayed into the Blumira platform. If you are using CrowdStrike, follow this guide to begin ingesting its data. (Note: currently the Blumira module only supports CrowdStrike “Detections,” but additional API feeds may be enabled as new features are released.)
Before Blumira can retrieve event logs from CrowdStrike, you will first need to obtain credentials for access to the CrowdStrike API via your CrowdStrike Console.
To obtain these credentials, follow these instructions:
Next, you’ll need to configure your Blumira sensor to connect to the CrowdStrike API, using the credentials you obtained above.
The Add New Module window should close, and, back in your sensor detail page view, you should now see the CrowdStrike (OAuth2) Module listed in the table of modules.
Within minutes, the module will be operational, and will ingest CrowdStrike logs from the last 30 days into the Blumira platform. It will then poll CrowdStrike continuously for the latest available event logs.
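The ingestion behaviour described above, a 30-day backfill on first run followed by incremental polling against an OAuth2-protected API, can be illustrated with a small poller. The code below is an added example and is not Blumira's sensor code or CrowdStrike's client; the `FakeDetectionsApi` class, its method names, the token lifetime and the sample detections are all constructed assumptions standing in for the real endpoints. It shows the two things a practitioner most often gets wrong in such a client: keeping a checkpoint so that only new detections are forwarded, and refreshing the short-lived bearer token rather than persisting it.

```python
"""Illustrative OAuth2 detection poller: 30-day backfill, then incremental polls.

Added example; the API stand-in below is constructed and does not reproduce
CrowdStrike's real endpoint paths, parameter names or response shapes.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import secrets

BACKFILL = timedelta(days=30)       # initial lookback window described in the article
TOKEN_TTL = timedelta(minutes=30)   # assumed bearer-token lifetime for the stand-in API


@dataclass(frozen=True)
class Detection:
    id: str
    created: datetime
    severity: int


class FakeDetectionsApi:
    """Constructed stand-in for a vendor OAuth2 API: a token endpoint plus a
    'detections created since T' query. Not CrowdStrike's actual API."""

    def __init__(self, client_id, client_secret, detections):
        self._creds = (client_id, client_secret)
        self._detections = list(detections)
        self._tokens = {}  # bearer token -> expiry time

    def add(self, det):
        self._detections.append(det)

    def token(self, client_id, client_secret, now):
        # OAuth2 client-credentials grant: API client id/secret in, short-lived token out.
        if (client_id, client_secret) != self._creds:
            raise PermissionError("invalid client credentials")
        tok = secrets.token_hex(16)
        self._tokens[tok] = now + TOKEN_TTL
        return tok

    def detections_since(self, token, since, now):
        expiry = self._tokens.get(token)
        if expiry is None or now >= expiry:
            raise PermissionError("token missing or expired")
        rows = (d for d in self._detections if d.created >= since)
        return sorted(rows, key=lambda d: (d.created, d.id))


class DetectionPoller:
    """Sensor-side client: holds the API credentials, a bearer token and a checkpoint."""

    def __init__(self, api, client_id, client_secret):
        self._api = api
        self._client_id = client_id
        self._client_secret = client_secret
        self._token = None
        self._token_expiry = None
        self.checkpoint = None   # newest detection timestamp seen so far
        self._seen = set()       # detection ids already forwarded

    def _bearer(self, now, force=False):
        # Refresh a little before expiry; a real client would read expires_in from the token response.
        if force or self._token is None or now >= self._token_expiry - timedelta(seconds=60):
            self._token = self._api.token(self._client_id, self._client_secret, now)
            self._token_expiry = now + TOKEN_TTL
        return self._token

    def poll(self, now):
        """Return detections not previously forwarded, advancing the checkpoint."""
        since = self.checkpoint if self.checkpoint is not None else now - BACKFILL
        try:
            rows = self._api.detections_since(self._bearer(now), since, now)
        except PermissionError:
            # Server-side expiry or revocation: obtain a fresh token once and retry.
            rows = self._api.detections_since(self._bearer(now, force=True), since, now)
        # The query is inclusive at the checkpoint, so the last detection is re-fetched
        # on every poll; dedupe by id rather than by shaving the window.
        fresh = [d for d in rows if d.id not in self._seen]
        self._seen.update(d.id for d in fresh)
        if rows:
            self.checkpoint = max(d.created for d in rows)
        return fresh


def run_demo():
    """Constructed scenario: one detection older than the backfill window, two inside it,
    then one arriving after the token would have expired. Returns the ids forwarded per poll."""
    t0 = datetime(2024, 1, 31, tzinfo=timezone.utc)
    api = FakeDetectionsApi("client-id", "client-secret", [
        Detection("too-old", t0 - timedelta(days=40), 3),
        Detection("det-a", t0 - timedelta(days=10), 4),
        Detection("det-b", t0 - timedelta(days=1), 5),
    ])
    poller = DetectionPoller(api, "client-id", "client-secret")
    first = [d.id for d in poller.poll(t0)]
    second = [d.id for d in poller.poll(t0 + timedelta(minutes=5))]
    api.add(Detection("det-c", t0 + timedelta(minutes=40), 2))
    third = [d.id for d in poller.poll(t0 + timedelta(minutes=45))]
    return {"first": first, "second": second, "third": third,
            "checkpoint": poller.checkpoint == t0 + timedelta(minutes=40)}


if __name__ == "__main__":
    print(run_demo())
```

Note the two safety properties: the client secret is used only to mint tokens and never written to the checkpoint or logs, and the checkpoint only advances to timestamps the API actually returned, so a failed poll leaves the window intact for the next attempt.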
[1] https://falcon.crowdstrike.com/support/documentation/46/crowdstrike-oauth2-based-apis