Crowdstrike NGSIEM API

The Crowdstrike NGSIEM integration pulls Endpoint Event data and Alert data from Crowdstrike using the NGSIEM API.


Prerequisites

  • Ability to create API clients in the Crowdstrike portal
    • Only users with the Falcon Administrator role can view, create, or modify API clients in CrowdStrike
  • Access to NGSIEM through your Crowdstrike subscription

  1. In your Crowdstrike portal, navigate to API clients and keys.

  2. Click Create API client, give it a name and description, and assign it the NGSIEM Read and Write permissions. Grant no other API scopes; the integration needs only NGSIEM.

  3. After you click Create, copy the Client ID, Secret, and Base URL. The secret is shown only once; if it is lost you must reset it, which invalidates the old secret for anything already using it.

  4. In the Nebulock platform, go to Integrations and click Add Integration.

  5. Choose Crowdstrike from the Provider list, and paste the Client ID, Secret, and Base URL copied from your Crowdstrike portal into the textboxes. Only fill out the Optional fields if directed by Nebulock.
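Before handing the secret to a third-party platform it is worth confirming that the ID, secret and Base URL actually authenticate against the right CrowdStrike cloud. The script below is an added example, not Nebulock's or CrowdStrike's own code. It assumes what CrowdStrike's public OAuth2 documentation states (not this page): the token endpoint is `POST {Base URL}/oauth2/token`, the body is form-encoded `client_id`/`client_secret`, and success is HTTP 201 with a JSON `access_token`. The list of cloud base URLs is taken from that same public documentation.

```python
"""Sanity-check a Crowdstrike API client before pasting it into Nebulock.

Added example, not part of the Nebulock or CrowdStrike documentation.
Assumptions (from CrowdStrike's public OAuth2 API docs, not from this page):
  - the token endpoint is POST {base_url}/oauth2/token
  - it takes client_id / client_secret as a form-encoded body
  - success is HTTP 201 with JSON {"access_token", "expires_in", "token_type"}
"""
import json
import urllib.error
import urllib.parse
import urllib.request

# CrowdStrike API base URLs by cloud. The Base URL shown on the API client page
# must be one of these, or the integration will authenticate against the wrong cloud.
KNOWN_BASE_URLS = {
    "https://api.crowdstrike.com": "US-1",
    "https://api.us-2.crowdstrike.com": "US-2",
    "https://api.eu-1.crowdstrike.com": "EU-1",
    "https://api.laggar.gcr.crowdstrike.com": "US-GOV-1",
}


def normalize_base_url(base_url: str) -> str:
    """Strip whitespace and a trailing slash; reject anything that is not a known cloud."""
    url = base_url.strip().rstrip("/")
    if url not in KNOWN_BASE_URLS:
        raise ValueError(f"unrecognised CrowdStrike base URL: {url!r}")
    return url


def token_request(base_url: str, client_id: str, client_secret: str):
    """Build (url, headers, body) for the OAuth2 client-credentials call."""
    url = normalize_base_url(base_url) + "/oauth2/token"
    body = urllib.parse.urlencode(
        {"client_id": client_id, "client_secret": client_secret}
    ).encode()
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    return url, headers, body


def parse_token_response(status: int, body: bytes) -> dict:
    """Return {"token", "expires_in"} on success; raise with a useful message otherwise."""
    if status in (401, 403):
        raise PermissionError(f"HTTP {status}: client ID/secret rejected, or client disabled")
    if status not in (200, 201):
        raise RuntimeError(f"HTTP {status}: unexpected response: {body[:200]!r}")
    data = json.loads(body)
    if "access_token" not in data:
        raise RuntimeError("response contained no access_token")
    return {"token": data["access_token"], "expires_in": int(data.get("expires_in", 0))}


def fetch_token(base_url, client_id, client_secret, opener=urllib.request.urlopen):
    """Perform the call. `opener` is injectable so the logic can be exercised offline."""
    url, headers, body = token_request(base_url, client_id, client_secret)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with opener(req, timeout=15) as resp:
            return parse_token_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return parse_token_response(err.code, err.read())


if __name__ == "__main__":
    import getpass

    base = input("Base URL: ")
    cid = input("Client ID: ")
    secret = getpass.getpass("Client secret: ")  # never echo or log the secret
    info = fetch_token(base, cid, secret)
    cloud = KNOWN_BASE_URLS[normalize_base_url(base)]
    print(f"OK: token issued by {cloud}, expires in {info['expires_in']}s")
```

A token proves only that the ID/secret pair and Base URL are correct; it does not prove the NGSIEM Read and Write scopes were assigned, so still confirm those on the API client page before adding the integration.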

Optional - Limit count of Agent IDs

If you want the integration to pull only certain systems (to control volume, or to scope it to a business segment), generate a list of agent IDs (AIDs) and paste them into Nebulock.

  1. To generate the list, navigate to Search in your Falcon console.

  2. For a general list of AIDs, run the following query:

    | groupBy(aid, limit=1000)
    | collect(aid)
    | concatArray(aid, separator=",")

    NOTE: to generate a specific list, add a filter in Crowdstrike Query Language ahead of the groupBy. The limit=1000 caps the result at 1000 AIDs, so raise it or filter if you have more hosts than that, or the list will be silently truncated.

  3. Export the search results in JSON format.

  4. Copy the JSON result into the Nebulock portal.
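The exported JSON is easy to get slightly wrong (duplicate rows, stray count fields, a list cut off at the groupBy limit), so it pays to normalise and check it before pasting. The script below is an added example, not Nebulock's own code. It assumes a Falcon AID is a 32-character hex string (true of CrowdStrike agent IDs), and that the export is either the single concatArray row or the per-AID rows from groupBy/collect; the field names in the constructed samples (`_concatArray`, `aid`, `_count`) are illustrative, and the extractor does not depend on them.

```python
"""Normalise a Falcon search export into the comma-separated AID list Nebulock expects.

Added example, not part of the Nebulock documentation. Assumptions: a Falcon AID
is a 32-character lowercase hex string, and the export is a JSON array of rows.
The sample exports below are constructed, with illustrative field names.
"""
import json
import re
import sys

AID_RE = re.compile(r"^[0-9a-f]{32}$")
GROUPBY_LIMIT = 1000  # matches groupBy(aid, limit=1000) in the query above

# Constructed sample: what the concatArray step yields (one row, one joined field).
SAMPLE_CONCAT = json.dumps(
    [{"_concatArray": "0123456789abcdef0123456789abcdef,fedcba9876543210fedcba9876543210"}]
)
# Constructed sample: a groupBy-only export, with a duplicate and a bad value.
SAMPLE_ROWS = json.dumps(
    [
        {"aid": "0123456789abcdef0123456789abcdef", "_count": 42},
        {"aid": "0123456789abcdef0123456789abcdef", "_count": 42},
        {"aid": "not-an-aid", "_count": 1},
    ]
)


def _strings(node):
    """Yield every string value anywhere in a parsed JSON document."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from _strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from _strings(value)


def extract_aids(export_text: str) -> list:
    """Return a sorted, de-duplicated list of AIDs found anywhere in the export.

    Works whether the AIDs sit in one comma-joined field (concatArray output) or
    one per row (groupBy/collect output). Counts, timestamps and other non-AID
    values are ignored because they never match the 32-hex pattern.
    """
    found = set()
    for text in _strings(json.loads(export_text)):
        for part in text.split(","):
            part = part.strip().lower()  # Falcon shows AIDs in lowercase hex
            if AID_RE.match(part):
                found.add(part)
    return sorted(found)


def aid_list_for_nebulock(export_text: str) -> dict:
    """Produce the paste-ready value plus any warnings a reviewer should see."""
    aids = extract_aids(export_text)
    warnings = []
    if not aids:
        warnings.append("no AIDs found in export")
    if len(aids) >= GROUPBY_LIMIT:
        warnings.append(
            f"{len(aids)} AIDs: query limit of {GROUPBY_LIMIT} reached, list may be truncated"
        )
    return {"count": len(aids), "value": ",".join(aids), "warnings": warnings}


if __name__ == "__main__":
    # Usage: python aid_export.py falcon-export.json
    with open(sys.argv[1], encoding="utf-8") as fh:
        result = aid_list_for_nebulock(fh.read())
    for warning in result["warnings"]:
        print("WARNING:", warning, file=sys.stderr)
    print(f"{result['count']} AIDs")
    print(result["value"])
```

The script prints the comma-separated list on stdout and any warnings on stderr, so the pasted value is never mixed with the diagnostics. The truncation warning is the one to watch: exactly 1000 results usually means the groupBy limit was hit, not that you have exactly 1000 hosts.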
