Overview
This integration uses the Falcon Integration Gateway (FIG) developed by CrowdStrike to forward threat detection findings and audit events from the CrowdStrike Falcon platform to your SIEM.
Events and Alerts Forwarded to SIEM
The integration provides visibility into:
Detection findings (e.g., Indicators of Compromise - IOCs)
Behavioral analysis events (e.g., Indicators of Attack - IOAs)
Audit events
These events help identify:
Known malicious files
Suspicious activity patterns
Anomalous user behavior
All detections are documented in the CrowdStrike Falcon documentation and are streamed in near real-time for early awareness and threat response.
This export is particularly valuable when your security operations workflows depend on a third-party dashboard or SIEM to centralize and act upon alerts.
Requirements for Integration
To complete the integration, you must configure an API client in your CrowdStrike Falcon console.
1. API Scopes Required
Create an API client with the following minimum scopes:
Event streams: [Read]
Hosts: [Read]
Once created, you will be able to select which detection and audit event types are available for API collection.
2. Authentication Details
The Falcon Integration Gateway (FIG) requires the following to authenticate:
Client ID
Client Secret
Cloud Region
FIG supports auto-discovery of your Falcon cloud region. If you do not manually specify it, FIG will attempt to determine the region based on the client ID and secret.
Submission Instructions
Once the API client is provisioned and the required scopes are applied, submit a ticket for provisioning on the SIEM, including the following values:
cloud_region = YOUR_CROWDSTRIKE_REGION
client_id = YOUR_CLIENT_ID
client_secret = YOUR_CLIENT_SECRET
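As an added pre-flight check (not part of this article or of FIG itself), the following Python script parses a FIG-style config.ini, confirms the client ID and secret are present and are no longer the placeholders shown above, and treats an empty cloud_region as the auto-discovery case. The `[falcon]` section name and the region list (us-1, us-2, eu-1, us-gov-1) are assumptions based on FIG's config layout; the sample values are constructed and are not working credentials.

```python
"""Pre-flight check for the FIG [falcon] settings before filing the SIEM ticket."""
import configparser
import re

# Region identifiers FIG accepts (assumed list); an empty value means auto-discover.
KNOWN_REGIONS = {"us-1", "us-2", "eu-1", "us-gov-1"}
REQUIRED_KEYS = ("client_id", "client_secret")
# The article's placeholders all start with YOUR_; flag anything left that way.
PLACEHOLDER = re.compile(r"^YOUR_", re.IGNORECASE)

# Constructed sample: the placeholders from the article left unfilled.
UNFILLED_CONFIG = """
[falcon]
cloud_region = YOUR_CROWDSTRIKE_REGION
client_id = YOUR_CLIENT_ID
client_secret = YOUR_CLIENT_SECRET
"""

# Constructed sample with dummy credentials and no region (relies on auto-discovery).
FILLED_CONFIG = """
[falcon]
client_id = 0123456789abcdef0123456789abcdef
client_secret = dummysecret-not-a-real-credential
"""


def check_falcon_section(text):
    """Return a list of problems found in the [falcon] section (empty list = OK)."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    if not cfg.has_section("falcon"):
        return ["missing [falcon] section"]
    section = cfg["falcon"]
    problems = []
    for key in REQUIRED_KEYS:
        value = section.get(key, "").strip()
        if not value:
            problems.append(f"{key} is missing or empty")
        elif PLACEHOLDER.match(value):
            problems.append(f"{key} still holds the placeholder {value}")
    region = section.get("cloud_region", "").strip()
    if region and PLACEHOLDER.match(region):
        problems.append("cloud_region still holds a placeholder; set it or omit it for auto-discovery")
    elif region and region not in KNOWN_REGIONS:
        problems.append(f"cloud_region {region!r} is not one of {sorted(KNOWN_REGIONS)}")
    return problems


if __name__ == "__main__":
    for name, text in (("unfilled", UNFILLED_CONFIG), ("filled", FILLED_CONFIG)):
        print(name, "->", check_falcon_section(text) or "OK")
```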