CrowdStrike Falcon NextGen SIEM Integration Setup
This guide walks you through integrating CrowdStrike Falcon NextGen SIEM with RAD Security for unified security event management and threat intelligence, enabling bi-directional data flow between the platforms. CrowdStrike Falcon NextGen SIEM provides advanced threat detection, investigation, and response capabilities with native threat intelligence integration.
Prerequisites
Before you begin, ensure you have:
- Admin access to CrowdStrike Falcon Console
- CrowdStrike NextGen SIEM subscription
- Access to RAD Security workspace with integration permissions
Administrative Privileges Required: You must have administrative privileges in CrowdStrike Console to create API clients and configure data connections.
Understanding Integration Components
CrowdStrike NextGen SIEM integration supports two data flow directions:
Query CrowdStrike Data (OAuth Client)
Purpose: Query security data from CrowdStrike into RAD Security
Use Case: Pull CrowdStrike threat intelligence, detections, and events into RAD Security for correlation.
Authentication: OAuth2 Client ID and Secret with NGSIEM scopes
Scopes Required:
- Read - Required to read query results
- Write - Required to create search queries
Ingest Data into CrowdStrike (HEC)
Purpose: Send RAD Security events to CrowdStrike for analysis
Use Case: Forward RAD Security runtime security events to CrowdStrike for unified threat detection.
Authentication: HTTP Event Collector (HEC) API URL and Key
Configuration: Data connector with JSON parser
Both Scopes Needed: The NGSIEM client requires both Read and Write scopes. Write is needed to create search queries, and Read is needed to retrieve the query results.
Step 1: Create OAuth Client
1. Log in to CrowdStrike Console
   Log in to your CrowdStrike Falcon Console with administrative privileges.
2. Navigate to API Clients
   Open the main menu and go to: Support and resources > Resources and tools > API clients and keys
3. Create New Client
   Click the Create API client button.
4. Configure Client Settings
   In the modal dialog:
   - Client name: Enter a descriptive name (e.g., “RAD Security SIEM Integration”)
   - Description: (Optional) Add details about this integration
5. Select API Scopes
   Under the NGSIEM section, select both:
   - ☑️ Read
   - ☑️ Write
   Both scopes are required! Write scope is needed to create search queries, and Read scope is needed to read the query results. The integration will not function properly without both.
6. Create Client
   Click the Create button.
7. Copy Credentials
   The modal will display your new credentials. Copy these immediately:
   - Client ID
   - Client Secret
   - Base URL
   Save these values now! You will not be able to view the Client Secret again. Store them securely in a password manager or secrets vault.
Adjusting Scopes Later: If you need to modify scopes, click the three dots (⋮) to the right of the client listing on the API clients and keys page.
Step 2: Generate HEC Credentials (Optional)
This step is only necessary if you plan to ingest RAD Security events into CrowdStrike NextGen SIEM. Skip it if you only need to query CrowdStrike data; configure it if you want to send RAD Security events to CrowdStrike.
1. Navigate to Data Connectors
   Open the main menu and go to: Data connectors > Data connections
2. Add New Connection
   In the Connections section, click the + Add connection button.
3. Filter for HTTP Connector
   - Click the Filter by connector name dropdown
   - Type “HTTP”
   - Click Apply
4. Select HEC Connector
   - Find HEC / HTTP Event Connector in the filtered list
   - Click on it to select it
   - Click the Configure button
5. Configure Connector
   Fill in the form with the following values:
   | Field | Value |
   |---|---|
   | Data source | Your desired data source name (e.g., “RAD Security”) |
   | Data Type | JSON |
   | Connector Name | Your desired connector name (e.g., “RAD Security HEC”) |
   | Parsers | json (Generic Source) |
   The JSON parser is required to properly parse RAD Security events in CrowdStrike.
6. Accept Terms
   Check the box to affirm your adherence to the CrowdStrike Terms and Conditions.
7. Save Configuration
   Click Save.
8. Wait for Setup
   - A modal will appear indicating the connector is being set up
   - Close the modal
   - Wait for the connector setup to finish
   - You’ll see a notification bar at the top when ready
   Connector setup typically takes 1-2 minutes. Wait for the “ready to receive data” notification before proceeding.
9. Generate API Key
   Once the connector is ready, click the Generate API Key button on the right side of the notification bar.
10. Copy HEC Credentials
    A modal will appear with your credentials. Copy these immediately:
    - API URL (HEC endpoint)
    - API Key (HEC credential)
    Store these values securely. You’ll need them for the integration configuration.
Step 3: Configure in RAD Security
Navigate to your RAD Security workspace and configure the CrowdStrike Falcon NextGen SIEM integration with the appropriate parameters.
Configuration Scenarios
- Query Only
- Ingest Only
- Bi-directional (Recommended)
Query Only
Use Case: Pull CrowdStrike threat intelligence and events into RAD Security
| Parameter | Description | Example |
|---|---|---|
| URL | Base URL from Step 1 | https://api.crowdstrike.com |
| ClientId | Client ID from Step 1 | abc123def456... |
| ClientSecret | Client Secret from Step 1 | xyz789abc123... |
This configuration allows querying CrowdStrike data but does not send RAD Security events to CrowdStrike.
Regional Base URLs
Your Base URL will vary by region. Common CrowdStrike regions:
| Region | Base URL |
|---|---|
| US-1 | https://api.crowdstrike.com |
| US-2 | https://api.us-2.crowdstrike.com |
| EU-1 | https://api.eu-1.crowdstrike.com |
| US-GOV-1 | https://api.laggar.gcw.crowdstrike.com |
Verify Integration
After completing the setup, verify your integration is working:
Verify Query Capability
- Run a test query from RAD Security
- Verify CrowdStrike threat data appears correctly
- Check that results are properly formatted
Verify Data Ingestion
- Trigger a test event in RAD Security
- Search for the event in CrowdStrike NextGen SIEM
- Verify the event appears with correct JSON formatting
Your CrowdStrike Falcon NextGen SIEM integration is now configured! RAD Security can query CrowdStrike threat intelligence and/or send events based on your configuration.
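A small preflight script for the values gathered in Steps 1 and 2 and for the verification steps above, added here as an example; it is not code from the RAD Security or CrowdStrike documentation. It assumes the CrowdStrike OAuth2 token endpoint is `<Base URL>/oauth2/token` taking a form-encoded `client_id` and `client_secret`, assumes the HEC API Key is sent as a bearer token, and uses a constructed sample event.

```python
import json
import urllib.parse
import urllib.request

# Regional Base URLs from the table in Step 3; an API client only works against its own region.
REGION_BASE_URLS = {
    "US-1": "https://api.crowdstrike.com",
    "US-2": "https://api.us-2.crowdstrike.com",
    "EU-1": "https://api.eu-1.crowdstrike.com",
    "US-GOV-1": "https://api.laggar.gcw.crowdstrike.com",
}

# Constructed sample event (not the real RAD Security event schema).
SAMPLE_EVENT = {"source": "rad-security", "event_type": "runtime_policy_violation",
                "severity": "high", "message": "integration test event"}

def region_for_base_url(base_url):
    """Map a Base URL to its region name, or None when it matches no known regional endpoint."""
    normalized = base_url.strip().rstrip("/").lower()
    for region, url in REGION_BASE_URLS.items():
        if normalized == url:
            return region
    return None

def missing_ngsiem_scopes(granted):
    """Both NGSIEM scopes are required: Write creates search queries, Read retrieves their results."""
    return sorted({"Read", "Write"} - set(granted))

def build_hec_payload(event):
    """Serialize one event as compact JSON for the HEC connector's json (Generic Source) parser."""
    if not isinstance(event, dict):
        raise ValueError("HEC event must be a JSON object")
    return json.dumps(event, separators=(",", ":")).encode()

def fetch_oauth_token(base_url, client_id, client_secret):
    """Exchange the Step 1 Client ID/Secret for a bearer token (assumes the /oauth2/token endpoint)."""
    body = urllib.parse.urlencode({"client_id": client_id, "client_secret": client_secret}).encode()
    req = urllib.request.Request(base_url.rstrip("/") + "/oauth2/token", data=body, method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]

def send_hec_test_event(hec_url, hec_key, event=SAMPLE_EVENT):
    """POST a test event to the Step 2 HEC API URL; assumes the API Key is sent as a bearer token."""
    req = urllib.request.Request(hec_url, data=build_hec_payload(event), method="POST",
                                 headers={"Authorization": "Bearer " + hec_key,
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status  # 200 means the connector accepted the event
```

Run `region_for_base_url` and `missing_ngsiem_scopes` before calling the two network functions, since a wrong region or a missing scope produces the same authentication failures listed under Troubleshooting.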
What Data is Synced
Data Queried from CrowdStrike
RAD Security can query the following from CrowdStrike:
- Threat detections and alerts
- Endpoint activity and behavior
- Threat intelligence indicators
- Investigation data
- Historical security events
- Custom search results
Data Sent to CrowdStrike (HEC)
RAD Security forwards the following to CrowdStrike:
- Runtime security events
- Container and cloud activity
- Policy violations
- Threat detections
- Incident data
- Custom security events
Use Cases
Unified Threat Intelligence
Correlate CrowdStrike’s threat intelligence with RAD Security’s runtime insights for comprehensive threat detection.
Cross-Platform Detection
Detect threats that span endpoints and containerized infrastructure using unified data sources.
Enhanced Investigation
Leverage CrowdStrike’s investigation tools with RAD Security’s container runtime context.
Centralized SIEM
Use CrowdStrike as a central SIEM for all security events including container and cloud workloads.
Troubleshooting
Authentication Failed
Possible causes:
- Client ID or Secret incorrect
- OAuth client was deleted or disabled
- Missing NGSIEM scopes
- Wrong regional Base URL
Solutions:
- Verify Client ID and Secret are copied correctly
- Check the OAuth client still exists in CrowdStrike
- Ensure both Read and Write scopes are selected
- Verify you’re using the correct regional Base URL
- Try creating a new OAuth client if needed
Missing Read or Write Scope
Possible causes:
- Only one scope selected instead of both
- Scopes were modified after creation
Solutions:
- Verify both NGSIEM Read and Write scopes are checked
- Click the three dots next to the client listing
- Edit the client to add the missing scope
- Remember: Write is for creating queries, Read is for retrieving results
HEC Connection Failed
Possible causes:
- HEC URL incorrect
- API Key invalid or expired
- Connector not fully set up
- Data type mismatch
Solutions:
- Verify HEC URL is copied exactly as shown
- Check API Key has no extra spaces
- Ensure connector shows “ready to receive data” status
- Confirm Data Type is set to JSON
- Verify json (Generic Source) parser is selected
Events Not Appearing in CrowdStrike
Possible causes:
- Wrong parser configuration
- JSON format issues
- HEC connector not active
- Data not being sent from RAD Security
Solutions:
- Verify json (Generic Source) parser is configured
- Check that Data Type is JSON
- Ensure HEC connector status is active
- Test with a simple JSON payload using curl
- Review CrowdStrike data connector logs
- Check RAD Security integration logs
Query Errors
Possible causes:
- Invalid search query syntax
- Missing Write scope
- Missing Read scope
- Query timeout
Solutions:
- Verify query syntax is correct for CrowdStrike
- Ensure both Read and Write scopes are enabled
- Try simplifying the query
- Check CrowdStrike API rate limits
- Review query logs in CrowdStrike
Regional Endpoint Issues
Possible causes:
- Using wrong regional Base URL
- Account not in expected region
- HEC URL region mismatch
Solutions:
- Verify your CrowdStrike account region
- Use the correct Base URL for your region (US-1, US-2, EU-1, etc.)
- Check that the HEC URL matches your data region
- Contact CrowdStrike support to confirm your region
Security Best Practices
Rotate Credentials Regularly
Periodically rotate OAuth client secrets and HEC API keys as part of security hygiene.
Least Privilege Scopes
Only grant the NGSIEM scopes. Avoid adding unnecessary additional scopes to the client.
Secure Credential Storage
Store Client Secrets and API Keys in a secure password manager or secrets vault.
Monitor API Usage
Regularly review API client activity in CrowdStrike to detect anomalous behavior.
Dedicated Connectors
Create separate HEC connectors for different data sources to simplify management and troubleshooting.
Audit Client Access
Periodically review OAuth clients and ensure unused clients are removed.
Additional Resources
- CrowdStrike API Documentation: Official CrowdStrike Falcon API documentation
- CrowdStrike Falcon Spotlight: Configure CrowdStrike for vulnerability management
- CrowdStrike Falcon Insight (EDR): Integrate CrowdStrike EDR capabilities