CrowdStrike EDR integration

With a CrowdStrike EDR (Endpoint Detection and Response) integration, you can receive entity enrichment for Investigator detections.

The CrowdStrike integration seamlessly blends CrowdStrike EDR with Investigator network detection capabilities and maps Corelight IP addresses from detections to CrowdStrike’s host information. When integrated, detections show valuable entity context within the detection details. The expanded data provides additional context to analyze threats and helps analysts make informed decisions during the triage process.

To configure the integration, you need to have CrowdStrike OAuth2 API access with read access to the managed device information. Within Investigator, you need admin access. (Analyst users can view the integration but cannot make changes.)

If you want to enable the CrowdStrike Network Containment integration, you need read and write API access for the Hosts scope.

To integrate CrowdStrike with Investigator

  1. From System Settings in the left navigation, choose Integrations.

  2. In the Integrations tab, click the CrowdStrike card.

  3. Click Configure.

    An integration dialog box appears.

  4. Toggle the integration value to Enabled.

  5. If you want to allow admin users to isolate entities from the network, toggle the Isolate Entity slider to Enabled.

    To enable the Network Containment integration, your CrowdStrike API client needs write permission on the Hosts scope so Investigator can trigger the CrowdStrike Falcon Network Containment feature.

  6. For the URL, enter the API URL for your region.

    US-1: https://api.crowdstrike.com

    US-2: https://api.us-2.crowdstrike.com

    EU-1: https://api.eu-1.crowdstrike.com

    US-GOV-1: https://api.laggar.gcw.crowdstrike.com

    US-GOV-2: https://api.us-gov-2.crowdstrike.mil

  7. Enter your CrowdStrike Client ID and Client Secret Key.

    These values are available from the CrowdStrike Falcon Console. For more information on creating and obtaining these values from the CrowdStrike Falcon Console, see the documentation within the Falcon console or Getting Access to the CrowdStrike API.

  8. Specify the Polling Time in minutes.

    Use this field to customize the interval for updates to the EDR data. The minimum interval is 30 minutes.

  9. Click Verify Connection to ensure Investigator can access your CrowdStrike data.

    You cannot save your connection until you verify it.

  10. Click Save.

With CrowdStrike configured and enabled, detection details show detailed entity information and indicate that CrowdStrike is the source of the content.

If you want to pause the integration, toggle the integration setting to Disabled. This preserves your connection details.

If you want to disable the integration and delete your connection details, click the Delete icon.

Firewall configuration

If needed, update your firewall rules to allow network traffic from Investigator. The source IP address for Investigator is fixed per region, as listed below. For endpoint details, see the AWS help topic Amazon Kinesis Data Streams endpoints and quotas.

Important

Investigator is transitioning to dedicated IP ranges. To ensure uninterrupted service, you must perform two steps:

  1. Update your firewall allowlist with the new CIDR.

  2. Retain the legacy IP until April 3, 2026, as defined in the table below.

Region                       Step 1: Add New CIDR   Step 2: Retain Legacy IP (until April 3, 2026)
North America (us-west-2)    198.29.17.0/29         35.81.184.144
Europe (eu-central-1)        198.29.22.0/29         35.157.240.249
Middle East (me-central-1)   198.29.23.0/29         40.172.28.44
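As an added example, not part of the Corelight documentation, the following Python checks an existing firewall allowlist against the region table above and applies the April 3, 2026 cutoff for the legacy IP. The region keys, the /32 notation for the legacy address and the ISO date strings are assumptions of this example.

```python
from datetime import date
from ipaddress import ip_address, ip_network

# Region table from the page: dedicated CIDR to add, legacy IP to retain for now.
INVESTIGATOR_SOURCES = {
    "us-west-2": {"cidr": "198.29.17.0/29", "legacy": "35.81.184.144"},
    "eu-central-1": {"cidr": "198.29.22.0/29", "legacy": "35.157.240.249"},
    "me-central-1": {"cidr": "198.29.23.0/29", "legacy": "40.172.28.44"},
}
# Last day on which the legacy IP must still be allowed (from the page).
LEGACY_CUTOFF = date(2026, 4, 3)

def expected_allowlist(region: str, on: str) -> list[str]:
    """Source entries a firewall should allow for `region` on ISO date `on`."""
    src = INVESTIGATOR_SOURCES[region]
    entries = [src["cidr"]]
    if date.fromisoformat(on) <= LEGACY_CUTOFF:
        entries.append(src["legacy"] + "/32")
    return entries

def classify_source(region: str, addr: str, on: str) -> str:
    """Classify a logged source address: 'new' (dedicated CIDR), 'legacy'
    (legacy IP inside the retention window), 'expired' (legacy IP after the
    cutoff, should no longer be allowed) or 'unknown'."""
    src = INVESTIGATOR_SOURCES[region]
    ip = ip_address(addr)
    if ip in ip_network(src["cidr"]):
        return "new"
    if ip == ip_address(src["legacy"]):
        return "legacy" if date.fromisoformat(on) <= LEGACY_CUTOFF else "expired"
    return "unknown"

def audit_allowlist(region: str, rules: list[str], on: str) -> dict:
    """Report required entries missing from an existing allowlist, and the
    legacy entry if it is still present after the cutoff."""
    legacy = ip_network(INVESTIGATOR_SOURCES[region]["legacy"] + "/32")
    required = {ip_network(r) for r in expected_allowlist(region, on)}
    present = {ip_network(r) for r in rules}
    return {
        "missing": sorted(str(n) for n in required - present),
        "stale": [str(legacy)] if legacy in present and legacy not in required else [],
    }

if __name__ == "__main__":
    # Constructed allowlist: the new CIDR was added but the legacy IP was kept past the cutoff.
    print(audit_allowlist("us-west-2", ["198.29.17.0/29", "35.81.184.144/32"], "2026-05-01"))
```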