CrowdStrike EDR integration

With a CrowdStrike EDR (Endpoint Detection and Response) integration, you can receive entity enrichment for Investigator detections.

The CrowdStrike integration combines CrowdStrike EDR host data with Investigator network detections. It maps the IP addresses that Corelight records in a detection to the CrowdStrike host information for that endpoint, and detection details then show that entity context alongside the network evidence. The added context helps analysts understand which host is involved and make informed decisions during triage.

To configure the integration, you need a CrowdStrike OAuth2 API client (client ID and client secret) with read access to managed host (device) information. Within Investigator, you need admin access. (Analyst users can view the integration but cannot make changes.)

If you want to enable the CrowdStrike Network Containment integration, the API client also needs write access to host information. If you do not plan to use containment, create the API client with read-only access so the credentials stored in Investigator cannot be used to isolate hosts.

To integrate CrowdStrike with Investigator

  1. From System Settings in the left navigation, choose Integrations.

  2. In the Integrations tab, click the CrowdStrike card.

    An integration dialog box appears.

  3. Toggle the integration value to Enabled.

  4. If you want to allow admin users to isolate entities from the network, toggle the Isolate Entity slider to Enabled.

    Network Containment requires write permissions on your CrowdStrike API client, because Investigator invokes the CrowdStrike Falcon Network Containment feature on the host.

  5. For the URL, enter the API URL for your region.

    US-1: https://api.crowdstrike.com

    US-2: https://api.us-2.crowdstrike.com

    EU-1: https://api.eu-1.crowdstrike.com

    US-GOV-1: https://api.laggar.gcw.crowdstrike.com

    US-GOV-2: https://api.us-gov-2.crowdstrike.mil

  6. Enter your CrowdStrike Client ID and Client Secret.

    These values come from the API client you created in the CrowdStrike Falcon console. Falcon shows the client secret only when the API client is created, so record it at that point. For more information on creating an API client and obtaining these values, see the documentation within the Falcon console or Getting Access to the CrowdStrike API.

  7. Specify the Polling Time in minutes.

    Investigator refreshes host data from CrowdStrike at this interval. The minimum interval is 5 minutes.

  8. Click Verify Connection to ensure Investigator can access your CrowdStrike data.

    You cannot save your connection until you verify it.

  9. Click Save.
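Before saving, it helps to confirm from outside Investigator that the API client works against the chosen regional URL and that its scopes match what you intend. The following is an added example written for this page, not Corelight's or CrowdStrike's code: it performs the OAuth2 client-credentials login and the IP-to-host lookup that the integration relies on, and optionally probes containment. The client ID, secret, host records and the `fake_send` transport are constructed sample data so the script runs offline; replace `fake_send` with `http_send` to run it against your Falcon tenant. The endpoint paths are CrowdStrike's public API; the scope names in comments refer to the Hosts scope in the Falcon console.

```python
"""Verify a CrowdStrike API client before configuring the Investigator integration.
Added example for this page (not Corelight's or CrowdStrike's code); sample data only."""
import json
from urllib import parse, request
from urllib.error import HTTPError

# Regional API base URLs, exactly as listed in the procedure above.
BASE_URLS = {
    "US-1": "https://api.crowdstrike.com",
    "US-2": "https://api.us-2.crowdstrike.com",
    "EU-1": "https://api.eu-1.crowdstrike.com",
    "US-GOV-1": "https://api.laggar.gcw.crowdstrike.com",
    "US-GOV-2": "https://api.us-gov-2.crowdstrike.mil",
}


class FalconError(Exception):
    """Non-2xx response; carries the HTTP status so 403 (missing scope) is easy to spot."""
    def __init__(self, status, body):
        super().__init__(f"HTTP {status}: {body}")
        self.status = status


def http_send(method, url, headers, body):
    """Live transport: returns (status, decoded JSON body)."""
    req = request.Request(url, data=body, headers=headers, method=method)
    try:
        with request.urlopen(req, timeout=15) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except HTTPError as e:
        return e.code, json.loads(e.read() or b"{}")


class FalconClient:
    def __init__(self, base_url, client_id, client_secret, send=http_send):
        self.base_url = base_url.rstrip("/")
        self.client_id, self.client_secret = client_id, client_secret
        self.send = send          # pluggable transport (http_send or fake_send)
        self.token = None

    def authenticate(self):
        """OAuth2 client-credentials grant: form-encoded POST to /oauth2/token."""
        body = parse.urlencode({"client_id": self.client_id,
                                "client_secret": self.client_secret}).encode()
        status, data = self.send("POST", f"{self.base_url}/oauth2/token",
                                 {"Content-Type": "application/x-www-form-urlencoded"}, body)
        if status not in (200, 201):
            raise FalconError(status, data)
        self.token = data["access_token"]
        return self.token

    def _call(self, method, path, body=None):
        headers = {"Authorization": f"Bearer {self.token}", "Accept": "application/json"}
        data = None
        if body is not None:
            headers["Content-Type"] = "application/json"
            data = json.dumps(body).encode()
        status, payload = self.send(method, f"{self.base_url}{path}", headers, data)
        if status == 403:
            raise FalconError(status, "API client lacks the required scope")
        if status >= 400:
            raise FalconError(status, payload)
        return payload.get("resources", [])

    def hosts_for_ip(self, ip):
        """Map an IP from a detection to Falcon host records (needs Hosts: Read)."""
        flt = parse.quote(f"local_ip:'{ip}'")      # FQL filter on last-seen local IP
        aids = self._call("GET", f"/devices/queries/devices/v1?filter={flt}")
        if not aids:
            return []
        return self._call("POST", "/devices/entities/devices/v2", {"ids": aids})

    def contain(self, aid):
        """Network Containment (needs Hosts: Write). Isolates the host; only call on purpose."""
        return self._call("POST", "/devices/entities/devices-actions/v2?action_name=contain",
                          {"ids": [aid]})


def fake_send(method, url, headers, body):
    """Constructed Falcon responses for an offline dry run; models a read-only API client."""
    u = parse.urlsplit(url)
    if u.path == "/oauth2/token":
        form = dict(parse.parse_qsl(body.decode()))
        if form.get("client_secret") != "s3cret":          # constructed credential
            return 403, {"errors": [{"message": "access denied"}]}
        return 201, {"access_token": "tok", "expires_in": 1799}
    if headers.get("Authorization") != "Bearer tok":
        return 401, {"errors": [{"message": "unauthorized"}]}
    if u.path == "/devices/queries/devices/v1":
        flt = dict(parse.parse_qsl(u.query)).get("filter", "")
        return 200, {"resources": ["aid-1"] if "10.0.0.5" in flt else []}
    if u.path == "/devices/entities/devices/v2":
        ids = json.loads(body)["ids"]
        return 200, {"resources": [{"device_id": i, "hostname": "WS-LAB-01",
                                    "local_ip": "10.0.0.5", "platform_name": "Windows"}
                                   for i in ids]}
    if u.path == "/devices/entities/devices-actions/v2":   # read-only client: no Hosts: Write
        return 403, {"errors": [{"message": "access denied"}]}
    return 404, {}


if __name__ == "__main__":
    c = FalconClient(BASE_URLS["US-1"], "abc", "s3cret", send=fake_send)
    c.authenticate()
    for h in c.hosts_for_ip("10.0.0.5"):
        print(h["hostname"], h["device_id"], h["local_ip"])
    try:
        c.contain("aid-1")
    except FalconError as e:
        print("containment probe:", e)   # 403 is the expected result for a read-only client
```

Run the live version only with an API client you have just created for this purpose, and treat a 403 from the containment call as the desired outcome unless you intend to enable Isolate Entity; a successful containment call isolates a real host.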

With CrowdStrike configured and enabled, detection details show detailed entity information and indicate that CrowdStrike is the source of the content.

If you want to pause the integration, toggle the integration setting to Disabled. This preserves your connection details.

If you want to disable the integration and delete your connection details, click the Delete icon.