CrowdStrike provides an API that allows Blumira to retrieve event data. When configured, the Blumira integration with CrowdStrike Falcon Endpoint Protection will stream server and workstation endpoint security event logs and alerts to the Blumira service for threat detection and actionable response. If you are using CrowdStrike, please follow this guide to begin ingesting its data.
Note: this integration uses the newer CrowdStrike OAuth2-based APIs, not the legacy Streaming APIs, which CrowdStrike is retiring. Also, the Blumira module currently supports only CrowdStrike (CS) Detections; additional API feeds may be enabled as new features are released.
Before you begin
Before Blumira can retrieve event logs from CrowdStrike, you will first need to create a new API client and gather the Client ID and Client Secret, which are necessary for accessing the CrowdStrike API.
To obtain these credentials, follow these instructions:
- Log in to the CrowdStrike Falcon Console.
- Navigate to Support > API Clients and Keys.
- Click Add new API client in the OAuth2 API Clients section.
- Type Blumira Events in the Client Name field.
- In the Description field, type a description that makes sense to your organization.
- Select the Read check box next to each of the following (ignore any that you do not use):
  - Actors (Falcon X)
  - Reports (Falcon X)
  - Host Groups
  - Event Streams
- Click Add.
- In the API client created window, copy and save the Client ID and Client Secret.
  Caution: the secret is shown only once and should be stored in a secure place.
- Click Done.
Providing API credentials to Blumira
Next, configure your existing Blumira sensor with a new module to connect to the CrowdStrike API using the credentials you obtained in previous steps.
To add a module on an existing sensor and provide credentials:
- In Blumira, click Settings.
- Click Sensors.
- Click the sensor on which you want to add a module.
- On the detail page for the sensor, scroll down and click Add Module.
- In the Add New Module window, select the newest version of this integration’s module. Note: For the best stability and performance, Blumira will update the module version when old versions are deprecated.
- Enter the credentials that you gathered in the “Before you begin” section above.
- (Optional) Type a name for this log deployment in the Log Source Name box. This name is what appears in the “device_address” column in the results of your event data queries. If you later add modules that collect logs for other integrations, this name helps you tell them apart. Note: The name can only contain alphanumeric characters, periods, and hyphens; no spaces or underscores are allowed.
- Click Install.
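Before pasting the Client ID and Client Secret into the sensor module, it is worth confirming that the API client can actually obtain an OAuth2 token and that your chosen Log Source Name passes Blumira's naming rule. The script below is an added example, not Blumira's or CrowdStrike's own code; it assumes the standard CrowdStrike token endpoint (POST {base_url}/oauth2/token with client_id and client_secret form fields, returning JSON with access_token and expires_in) and reads the secret from environment variables so it never lands in a script or shell history.

```python
"""Pre-flight check for a CrowdStrike OAuth2 API client before handing it to Blumira.

Assumptions (not from the Blumira article): the token endpoint is
POST {base_url}/oauth2/token with form fields client_id/client_secret,
and the response is JSON with access_token and expires_in.
"""
import json
import os
import re
import urllib.parse
import urllib.request

# Blumira's stated rule for Log Source Name: letters, digits, periods and hyphens only.
_LOG_SOURCE_NAME = re.compile(r"^[A-Za-z0-9.-]+$")


def is_valid_log_source_name(name: str) -> bool:
    """True if the name uses only alphanumerics, periods and hyphens (no spaces/underscores)."""
    return bool(_LOG_SOURCE_NAME.fullmatch(name))


def build_token_request(client_id: str, client_secret: str,
                        base_url: str = "https://api.crowdstrike.com") -> urllib.request.Request:
    """Build the client-credentials request; the secret travels only in the POST body, never the URL."""
    body = urllib.parse.urlencode({"client_id": client_id, "client_secret": client_secret}).encode()
    return urllib.request.Request(
        base_url.rstrip("/") + "/oauth2/token", data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"},
    )


def parse_token_response(raw: bytes) -> dict:
    """Return {'token': ..., 'expires_in': ...}; raise if the response is not a usable token."""
    data = json.loads(raw)
    if "access_token" not in data:
        raise ValueError(f"no access_token in response: {data.get('errors', data)}")
    return {"token": data["access_token"], "expires_in": int(data.get("expires_in", 0))}


def check_credentials(client_id: str, client_secret: str, base_url: str) -> int:
    """Live check: exchange the credentials for a token and report its lifetime in seconds."""
    with urllib.request.urlopen(build_token_request(client_id, client_secret, base_url), timeout=15) as resp:
        return parse_token_response(resp.read())["expires_in"]


if __name__ == "__main__":
    # Read the secret from the environment rather than pasting it into a script or shell history.
    cid, secret = os.environ["CS_CLIENT_ID"], os.environ["CS_CLIENT_SECRET"]
    base = os.environ.get("CS_BASE_URL", "https://api.crowdstrike.com")  # adjust for non-US-1 clouds
    print(f"token OK, expires in {check_credentials(cid, secret, base)} s")
```

A 403 or an error body here means the client was not created with the scopes listed above, or the base URL does not match your Falcon cloud region; fix that before installing the module.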