CrowdStrike Falcon Endpoint Protection

CrowdStrike Falcon Endpoint Protection Integration

Blumira’s cloud SIEM platform integrates with CrowdStrike Falcon Endpoint Protection to detect cybersecurity threats and provide an automated or actionable response to remediate when a threat is detected on an endpoint.

When configured, the Blumira integration with CrowdStrike Falcon Endpoint Protection will stream server and workstation endpoint security event logs and alerts to the Blumira service for threat detection and actionable response.

Blumira Module: CrowdStrike (OAuth2-Based APIs)

Note: this integration pertains to the newer CrowdStrike “OAuth2-Based APIs” [1], not the legacy “Streaming APIs,” which CrowdStrike is retiring.

CrowdStrike provides an API that allows for relaying event data into the Blumira platform. If you are using CrowdStrike, please follow this guide to begin ingesting its data. (Note: currently the Blumira module only supports CS “Detections,” but additional API feeds may be enabled as new features are released.)

Preparing CrowdStrike

Before Blumira can retrieve event logs from CrowdStrike, you will first need to obtain credentials for access to the CrowdStrike API via your CrowdStrike Console.

To obtain these credentials, follow these instructions:

  1. Log in to the CrowdStrike Falcon Console via: https://falcon.crowdstrike.com
  2. Go to Falcon Menu: Support → API Clients and Keys
  3. In the “OAuth2 API Clients” section, click Add new API client
  4. Enter “Blumira Events” in the Client Name field, and enter a description that makes sense to your organization.
  5. Select Read permissions to match the permission set seen in the below screenshot. If you do not have a given product, like Falcon X, it’s OK to skip.

  6. Click “Add.”
  7. In the “API client created” window that pops up, you’ll be given the client ID and secret. Copy these to a safe place for use in the steps below, and click “Done.”

Configuring Blumira

Next, you’ll need to configure your Blumira sensor to connect to the CrowdStrike API, using the credentials you obtained above.

Here’s how to add the Blumira CrowdStrike module:

  1. Once you have chosen an existing sensor, or installed a new one, to which you want to add CrowdStrike log collection, open that sensor’s detail page through the sensor UI (Infrastructure > Sensors).
  2. In the Modules section for your sensor, click the Add Module button. In the Module drop-down, find the CrowdStrike (OAuth2) Module and select the latest available version.
  3. Fill in the Add New Module form:
    • CrowdStrike Client ID is the client ID you obtained and copied above
    • CrowdStrike Client Secret is the secret you obtained and copied above
  4. If you are a CrowdStrike “GovCloud” customer, or use another non-US-commercial cloud environment, you may need to enter an alternate API URL in the CrowdStrike Cloud URL field. Most organizations can leave this blank, but check with CrowdStrike support if you’re unsure. Currently, the supported values for the Cloud URL are:
    • Commercial cloud (the default if left blank): api.crowdstrike.com
    • GovCloud: api.laggar.gcw.crowdstrike.com
    • EU cloud: api.eu-1.crowdstrike.com
    • US-2: api.us-2.crowdstrike.com
  5. You can leave Log Source Name blank or, optionally, set it to a short alphanumeric string without spaces that identifies this instance of the CrowdStrike integration, in case you later have more than one (e.g. “production” or “primary”).
  6. Click Install and wait a few seconds for the system to process your request.

The Add New Module window should close, and, back in your sensor detail page view, you should now see the CrowdStrike (OAuth2) Module listed in the table of modules.

Within minutes, the module will be operational, and will ingest CrowdStrike logs from the last 30 days into the Blumira platform. It will then poll CrowdStrike continuously for the latest available event logs.
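The following is an added example, written for this guide, of the pieces a collector behind an integration like this one has to get right: mapping the Cloud URL field to the four supported API hosts (and refusing any other host, so a typo cannot send the client secret elsewhere), building the OAuth2 client-credentials token request, starting with a 30-day lookback and then polling from a high-water mark. It is not Blumira’s sensor code and not CrowdStrike’s. The token path `/oauth2/token`, the `client_id`/`client_secret` form fields, the `access_token` response field and the `last_behavior` detection field are taken from CrowdStrike’s public API documentation and are assumptions here, not statements of this guide; the function names and the sample detections are constructed for illustration.

```python
"""Helper functions for a CrowdStrike OAuth2 API collector.

Added example for this guide; not Blumira's sensor code and not CrowdStrike's.
Assumptions are marked in comments.
"""
from __future__ import annotations

import datetime as dt
import json
import urllib.parse
import urllib.request

# Cloud API hosts listed in the guide. A blank Cloud URL selects the commercial cloud.
CLOUD_HOSTS = {
    "commercial": "api.crowdstrike.com",
    "govcloud": "api.laggar.gcw.crowdstrike.com",
    "eu-1": "api.eu-1.crowdstrike.com",
    "us-2": "api.us-2.crowdstrike.com",
}
SUPPORTED_HOSTS = frozenset(CLOUD_HOSTS.values())
INITIAL_LOOKBACK = dt.timedelta(days=30)  # first poll covers the last 30 days (per the guide)


def resolve_cloud_url(value: str | None) -> str:
    """Turn the Cloud URL field into an https base URL.

    Blank means the commercial cloud. A bare host or a full https:// URL is
    accepted, but only hosts on the supported list pass, so a typo cannot send
    the client secret to an unintended host.
    """
    raw = (value or "").strip()
    if not raw:
        return "https://" + CLOUD_HOSTS["commercial"]
    host = raw
    if "://" in raw:
        parsed = urllib.parse.urlsplit(raw)
        if parsed.scheme != "https":
            raise ValueError("Cloud URL must use https")
        host = parsed.netloc
    host = host.strip("/").lower()
    if host not in SUPPORTED_HOSTS:
        raise ValueError(f"unsupported CrowdStrike cloud host: {host!r}")
    return "https://" + host


def build_token_request(base_url: str, client_id: str, client_secret: str) -> urllib.request.Request:
    """Build the OAuth2 client-credentials token request.

    Assumption: the path /oauth2/token and the form fields client_id /
    client_secret follow CrowdStrike's public OAuth2 API documentation; they
    are not stated in the guide. The secret travels only in the POST body over
    TLS; keep it out of URLs and log lines.
    """
    body = urllib.parse.urlencode(
        {"client_id": client_id, "client_secret": client_secret}
    ).encode()
    return urllib.request.Request(
        base_url + "/oauth2/token",
        data=body,
        method="POST",
        headers={
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        },
    )


def fetch_access_token(base_url: str, client_id: str, client_secret: str) -> str:
    """Perform the token exchange (network call; not exercised offline)."""
    req = build_token_request(base_url, client_id, client_secret)
    with urllib.request.urlopen(req, timeout=30) as resp:
        payload = json.load(resp)
    return payload["access_token"]  # assumed response field name


def poll_window(last_seen: dt.datetime | None, now: dt.datetime) -> tuple[dt.datetime, dt.datetime]:
    """Time range to request on this poll: 30 days back on the first run,
    otherwise from the last high-water mark up to now."""
    start = now - INITIAL_LOOKBACK if last_seen is None else last_seen
    return start, now


def advance_watermark(detections: list[dict], last_seen: dt.datetime | None) -> dt.datetime | None:
    """Return the newest detection timestamp seen so far.

    Assumption: each detection carries an ISO-8601 'last_behavior' field.
    Using the maximum timestamp as the next poll's start avoids re-ingesting
    records when CrowdStrike is polled continuously.
    """
    newest = last_seen
    for det in detections:
        ts = dt.datetime.fromisoformat(det["last_behavior"].replace("Z", "+00:00"))
        if newest is None or ts > newest:
            newest = ts
    return newest


# Constructed sample detections (not real CrowdStrike output) for a local run.
SAMPLE_DETECTIONS = [
    {"detection_id": "ldt:example0001", "last_behavior": "2024-05-01T10:00:00Z"},
    {"detection_id": "ldt:example0002", "last_behavior": "2024-05-01T12:30:00Z"},
]

if __name__ == "__main__":
    base = resolve_cloud_url("")  # blank field -> commercial cloud
    now = dt.datetime(2024, 5, 2, tzinfo=dt.timezone.utc)
    print("first window:", poll_window(None, now))
    mark = advance_watermark(SAMPLE_DETECTIONS, None)
    print("next window:", poll_window(mark, now))
    print("token endpoint:", build_token_request(base, "id", "secret").full_url)
```

Running the file offline prints the first 30-day window, the narrower window after the sample detections have been seen, and the token endpoint derived from a blank Cloud URL; only `fetch_access_token` touches the network, and it is never called from the demo.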

[1] https://falcon.crowdstrike.com/support/documentation/46/crowdstrike-oauth2-based-apis