# CrowdStrike Falcon NextGen SIEM

> Configure CrowdStrike Falcon NextGen SIEM integration with RAD Security for unified threat intelligence.

# CrowdStrike Falcon NextGen SIEM Integration Setup

This guide walks you through integrating CrowdStrike Falcon NextGen SIEM with RAD Security for unified security event management and threat intelligence, enabling bi-directional data flow between the platforms.

CrowdStrike Falcon NextGen SIEM provides advanced threat detection, investigation, and response capabilities with native threat intelligence integration.

## Prerequisites

Before you begin, ensure you have:

<Check>
  * Admin access to CrowdStrike Falcon Console
  * CrowdStrike NextGen SIEM subscription
  * Access to RAD Security workspace with integration permissions
</Check>

<Warning>
  **Administrative Privileges Required:** You must have administrative privileges in CrowdStrike Console to create API clients and configure data connections.
</Warning>

***

## Understanding Integration Components

CrowdStrike NextGen SIEM integration supports two data flow directions:

<AccordionGroup>
  <Accordion title="Query CrowdStrike Data (OAuth Client)" icon="magnifying-glass">
    **Purpose:** Query security data from CrowdStrike into RAD Security

    **Use Case:** Pull CrowdStrike threat intelligence, detections, and events into RAD Security for correlation.

    **Authentication:** OAuth2 Client ID and Secret with NGSIEM scopes

    **Scopes Required:**

    * **Read** - Required to read query results
    * **Write** - Required to create search queries
  </Accordion>

  <Accordion title="Ingest Data into CrowdStrike (HEC)" icon="cloud-arrow-up">
    **Purpose:** Send RAD Security events to CrowdStrike for analysis

    **Use Case:** Forward RAD Security runtime security events to CrowdStrike for unified threat detection.

    **Authentication:** HTTP Event Collector (HEC) API URL and Key

    **Configuration:** Data connector with JSON parser
  </Accordion>
</AccordionGroup>

<Info>
  **Both Scopes Needed:** The NGSIEM client requires both Read and Write scopes. Write is needed to create search queries, and Read is needed to retrieve the query results.
</Info>

***

## Step 1: Create OAuth Client

<Steps>
  <Step title="Log in to CrowdStrike Console">
    Log in to your CrowdStrike Falcon Console with administrative privileges
  </Step>

  <Step title="Navigate to API Clients">
    Open the main menu and go to:

    **Support and resources > Resources and tools > API clients and keys**
  </Step>

  <Step title="Create New Client">
    Click the **Create API client** button
  </Step>

  <Step title="Configure Client Settings">
    In the modal dialog:

    1. **Client name:** Enter a descriptive name (e.g., "RAD Security SIEM Integration")
    2. **Description:** (Optional) Add details about this integration
  </Step>

  <Step title="Select API Scopes">
    Under **NGSIEM** section, select both:

    * ☑️ **Read**
    * ☑️ **Write**

    <Warning>
      **Both scopes are required!** Write scope is needed to create search queries, and Read scope is needed to read the query results. The integration will not function properly without both.
    </Warning>
  </Step>

  <Step title="Create Client">
    Click the **Create** button
  </Step>

  <Step title="Copy Credentials">
    The modal will display your new credentials. **Copy these immediately:**

    * **Client ID**
    * **Client Secret**
    * **Base URL**

    <Warning>
      **Save these values now!** You will not be able to view the Client Secret again. Store them securely in a password manager or secrets vault.
    </Warning>
  </Step>
</Steps>

<Note>
  **Adjusting Scopes Later:** If you need to modify scopes, click the three dots (⋮) to the right of the client listing on the API clients and keys page.
</Note>

***

## Step 2: Generate HEC Credentials (Optional)

This step is only necessary if you plan to ingest RAD Security events into CrowdStrike NextGen SIEM.

<Info>
  Skip this step if you only need to query CrowdStrike data. Configure this if you want to send RAD Security events to CrowdStrike.
</Info>

<Steps>
  <Step title="Navigate to Data Connectors">
    Open the main menu and go to:

    **Data connectors > Data connections**
  </Step>

  <Step title="Add New Connection">
    In the **Connections** section, click the **+ Add connection** button
  </Step>

  <Step title="Filter for HTTP Connector">
    1. Click the **Filter by connector name** dropdown
    2. Type "HTTP"
    3. Click **Apply**
  </Step>

  <Step title="Select HEC Connector">
    1. Find **HEC / HTTP Event Connector** in the filtered list
    2. Click on it to select
    3. Click the **Configure** button
  </Step>

  <Step title="Configure Connector">
    Fill in the form with the following values:

    | Field              | Value                                                  |
    | ------------------ | ------------------------------------------------------ |
    | **Data source**    | Your desired data source name (e.g., "RAD Security")   |
    | **Data Type**      | JSON                                                   |
    | **Connector Name** | Your desired connector name (e.g., "RAD Security HEC") |
    | **Parsers**        | json (Generic Source)                                  |

    <Note>
      The JSON parser is required to properly parse RAD Security events in CrowdStrike.
    </Note>
  </Step>

  <Step title="Accept Terms">
    Check the box to affirm your adherence to the **CrowdStrike Terms and Conditions**
  </Step>

  <Step title="Save Configuration">
    Click **Save**
  </Step>

  <Step title="Wait for Setup">
    1. A modal will appear indicating the connector is being set up
    2. Close the modal
    3. Wait for the connector setup to finish
    4. You'll see a notification bar at the top when ready

    <Info>
      Connector setup typically takes 1-2 minutes. Wait for the "ready to receive data" notification before proceeding.
    </Info>
  </Step>

  <Step title="Generate API Key">
    Once the connector is ready, click the **Generate API Key** button on the right side of the notification bar
  </Step>

  <Step title="Copy HEC Credentials">
    A modal will appear with your credentials. **Copy these immediately:**

    * **API URL** (HEC endpoint)
    * **API Key** (HEC credential)

    <Warning>
      Store these values securely. You'll need them for the integration configuration.
    </Warning>
  </Step>
</Steps>

***

## Step 3: Configure in RAD Security

Navigate to your RAD Security workspace and configure the CrowdStrike Falcon NextGen SIEM integration with the appropriate parameters:

### Configuration Scenarios

<Tabs>
  <Tab title="Query Only">
    **Use Case:** Pull CrowdStrike threat intelligence and events into RAD Security

    | Parameter        | Description               | Example                       |
    | ---------------- | ------------------------- | ----------------------------- |
    | **URL**          | Base URL from Step 1      | `https://api.crowdstrike.com` |
    | **ClientId**     | Client ID from Step 1     | `abc123def456...`             |
    | **ClientSecret** | Client Secret from Step 1 | `xyz789abc123...`             |

    <Note>
      This configuration allows querying CrowdStrike data but does not send RAD Security events to CrowdStrike.
    </Note>
  </Tab>

  <Tab title="Ingest Only">
    **Use Case:** Send RAD Security events to CrowdStrike for analysis

    | Parameter                 | Description         | Example                                   |
    | ------------------------- | ------------------- | ----------------------------------------- |
    | **HEC URL**               | API URL from Step 2 | `https://ingest.us-1.crowdstrike.com/...` |
    | **HEC Credential Secret** | API Key from Step 2 | `your-hec-api-key-here`                   |

    <Note>
      This configuration allows sending events to CrowdStrike but does not enable querying CrowdStrike data.
    </Note>
  </Tab>

  <Tab title="Bi-directional (Recommended)">
    **Use Case:** Both query CrowdStrike data and send RAD Security events

    | Parameter                 | Description               | Example                                   |
    | ------------------------- | ------------------------- | ----------------------------------------- |
    | **URL**                   | Base URL from Step 1      | `https://api.crowdstrike.com`             |
    | **ClientId**              | Client ID from Step 1     | `abc123def456...`                         |
    | **ClientSecret**          | Client Secret from Step 1 | `xyz789abc123...`                         |
    | **HEC URL**               | API URL from Step 2       | `https://ingest.us-1.crowdstrike.com/...` |
    | **HEC Credential Secret** | API Key from Step 2       | `your-hec-api-key-here`                   |

    <Info>
      This is the recommended configuration for full integration capabilities and unified threat visibility.
    </Info>
  </Tab>
</Tabs>

### Regional Base URLs

Your Base URL will vary by region. Common CrowdStrike regions:

| Region   | Base URL                                 |
| -------- | ---------------------------------------- |
| US-1     | `https://api.crowdstrike.com`            |
| US-2     | `https://api.us-2.crowdstrike.com`       |
| EU-1     | `https://api.eu-1.crowdstrike.com`       |
| US-GOV-1 | `https://api.laggar.gcw.crowdstrike.com` |

***

## Verify Integration

After completing the setup, verify your integration is working:

### Verify Query Capability

1. Run a test query from RAD Security
2. Verify CrowdStrike threat data appears correctly
3. Check that results are properly formatted

### Verify Data Ingestion

1. Trigger a test event in RAD Security
2. Search for the event in CrowdStrike NextGen SIEM
3. Verify the event appears with correct JSON formatting

<Check>
  Your CrowdStrike Falcon NextGen SIEM integration is now configured! RAD Security can query CrowdStrike threat intelligence and/or send events based on your configuration.
</Check>

## What Data is Synced

<AccordionGroup>
  <Accordion title="Data Queried from CrowdStrike" icon="magnifying-glass">
    RAD Security can query the following from CrowdStrike:

    * Threat detections and alerts
    * Endpoint activity and behavior
    * Threat intelligence indicators
    * Investigation data
    * Historical security events
    * Custom search results
  </Accordion>

  <Accordion title="Data Sent to CrowdStrike (HEC)" icon="cloud-arrow-up">
    RAD Security forwards the following to CrowdStrike:

    * Runtime security events
    * Container and cloud activity
    * Policy violations
    * Threat detections
    * Incident data
    * Custom security events
  </Accordion>
</AccordionGroup>

## Use Cases

<CardGroup cols={2}>
  <Card title="Unified Threat Intelligence" icon="brain">
    Correlate CrowdStrike's threat intelligence with RAD Security's runtime insights for comprehensive threat detection.
  </Card>

  <Card title="Cross-Platform Detection" icon="diagram-venn">
    Detect threats that span endpoints and containerized infrastructure using unified data sources.
  </Card>

  <Card title="Enhanced Investigation" icon="magnifying-glass-chart">
    Leverage CrowdStrike's investigation tools with RAD Security's container runtime context.
  </Card>

  <Card title="Centralized SIEM" icon="building">
    Use CrowdStrike as a central SIEM for all security events including container and cloud workloads.
  </Card>
</CardGroup>

## Troubleshooting

<AccordionGroup>
  <Accordion title="Authentication Failed" icon="triangle-exclamation">
    **Possible causes:**

    * Client ID or Secret incorrect
    * OAuth client was deleted or disabled
    * Missing NGSIEM scopes
    * Wrong regional Base URL

    **Solution:**

    * Verify Client ID and Secret are copied correctly
    * Check the OAuth client still exists in CrowdStrike
    * Ensure both Read and Write scopes are selected
    * Verify you're using the correct regional Base URL
    * Try creating a new OAuth client if needed
  </Accordion>

  <Accordion title="Missing Read or Write Scope" icon="shield-exclamation">
    **Possible causes:**

    * Only one scope selected instead of both
    * Scopes were modified after creation

    **Solution:**

    * Verify both NGSIEM Read and Write scopes are checked
    * Click the three dots next to the client listing
    * Edit the client to add the missing scope
    * Remember: Write is for creating queries, Read is for retrieving results
  </Accordion>

  <Accordion title="HEC Connection Failed" icon="plug">
    **Possible causes:**

    * HEC URL incorrect
    * API Key invalid or expired
    * Connector not fully set up
    * Data type mismatch

    **Solution:**

    * Verify HEC URL is copied exactly as shown
    * Check API Key has no extra spaces
    * Ensure connector shows "ready to receive data" status
    * Confirm Data Type is set to JSON
    * Verify json (Generic Source) parser is selected
  </Accordion>

  <Accordion title="Events Not Appearing in CrowdStrike" icon="database-slash">
    **Possible causes:**

    * Wrong parser configuration
    * JSON format issues
    * HEC connector not active
    * Data not being sent from RAD Security

    **Solution:**

    * Verify json (Generic Source) parser is configured
    * Check that Data Type is JSON
    * Ensure HEC connector status is active
    * Test with a simple JSON payload using curl
    * Review CrowdStrike data connector logs
    * Check RAD Security integration logs
  </Accordion>

  <Accordion title="Query Errors" icon="magnifying-glass-minus">
    **Possible causes:**

    * Invalid search query syntax
    * Missing Write scope
    * Missing Read scope
    * Query timeout

    **Solution:**

    * Verify query syntax is correct for CrowdStrike
    * Ensure both Read and Write scopes are enabled
    * Try simplifying the query
    * Check CrowdStrike API rate limits
    * Review query logs in CrowdStrike
  </Accordion>

  <Accordion title="Regional Endpoint Issues" icon="globe">
    **Possible causes:**

    * Using wrong regional Base URL
    * Account not in expected region
    * HEC URL region mismatch

    **Solution:**

    * Verify your CrowdStrike account region
    * Use correct Base URL for your region (US-1, US-2, EU-1, etc.)
    * Check that HEC URL matches your data region
    * Contact CrowdStrike support to confirm your region
  </Accordion>
</AccordionGroup>
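As an added pre-flight check (example code written for this page, not RAD Security's or CrowdStrike's own tooling), the Python below validates the Step 3 parameters against the regional Base URL table and catches the whitespace, partial-scenario and region-mismatch causes listed in the troubleshooting section before anything is pasted into the workspace. It assumes every HEC ingest host embeds its region as `ingest.<region>.crowdstrike.com`, as the us-1 example on this page does.

```python
import re
from urllib.parse import urlparse

# Regional Base URLs from this page's table (the US-GOV-1 host carries no region token).
REGION_BY_BASE_HOST = {
    "api.crowdstrike.com": "us-1",
    "api.us-2.crowdstrike.com": "us-2",
    "api.eu-1.crowdstrike.com": "eu-1",
    "api.laggar.gcw.crowdstrike.com": "us-gov-1",
}


def hec_region(hec_url: str):
    # Assumption: HEC hosts look like ingest.<region>.crowdstrike.com (only us-1 is shown on the page).
    host = urlparse(hec_url).hostname or ""
    m = re.match(r"ingest\.([a-z]+-\d+)\.crowdstrike\.com$", host)
    return m.group(1) if m else None


def preflight(config: dict) -> list:
    # Keys are the parameter names from the Step 3 tables; returns a list of problems (empty = OK).
    problems = []
    query = {k: config.get(k) for k in ("URL", "ClientId", "ClientSecret")}
    ingest = {k: config.get(k) for k in ("HEC URL", "HEC Credential Secret")}

    # Pasted secrets often pick up stray whitespace ("Check API Key has no extra spaces").
    for key, value in {**query, **ingest}.items():
        if value is not None and value != value.strip():
            problems.append(f"{key} has leading/trailing whitespace")

    # A scenario is either fully configured or absent; half a scenario fails authentication.
    have_query = [k for k, v in query.items() if v]
    have_ingest = [k for k, v in ingest.items() if v]
    if have_query and len(have_query) < 3:
        problems.append("query scenario needs URL, ClientId and ClientSecret together")
    if have_ingest and len(have_ingest) < 2:
        problems.append("ingest scenario needs HEC URL and HEC Credential Secret together")
    if not have_query and not have_ingest:
        problems.append("no scenario configured")

    # Regional endpoint checks: Base URL must be a known region, HEC URL must be in the same one.
    base_region = None
    if query["URL"]:
        base_region = REGION_BY_BASE_HOST.get(urlparse(query["URL"].strip()).hostname)
        if base_region is None:
            problems.append(f"URL {query['URL']!r} is not one of the regional Base URLs")
    if ingest["HEC URL"]:
        region = hec_region(ingest["HEC URL"].strip())
        if region is None:
            problems.append("HEC URL host does not look like an ingest.<region>.crowdstrike.com endpoint")
        elif base_region and region != base_region:
            problems.append(f"HEC URL region {region} does not match Base URL region {base_region}")
    return problems
```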

## Security Best Practices

<CardGroup cols={2}>
  <Card title="Rotate Credentials Regularly" icon="rotate">
    Periodically rotate OAuth client secrets and HEC API keys as part of security hygiene.
  </Card>

  <Card title="Least Privilege Scopes" icon="shield-halved">
    Only grant the NGSIEM scopes. Avoid adding unnecessary additional scopes to the client.
  </Card>

  <Card title="Secure Credential Storage" icon="lock">
    Store Client Secrets and API Keys in a secure password manager or secrets vault.
  </Card>

  <Card title="Monitor API Usage" icon="chart-line">
    Regularly review API client activity in CrowdStrike to detect anomalous behavior.
  </Card>

  <Card title="Dedicated Connectors" icon="plug">
    Create separate HEC connectors for different data sources to simplify management and troubleshooting.
  </Card>

  <Card title="Audit Client Access" icon="clipboard-list">
    Periodically review OAuth clients and ensure unused clients are removed.
  </Card>
</CardGroup>

## Additional Resources

<CardGroup cols={2}>
  <Card title="CrowdStrike API Documentation" icon="book" href="https://falcon.crowdstrike.com/documentation">
    Official CrowdStrike Falcon API documentation
  </Card>

  <Card title="CrowdStrike Falcon Spotlight" icon="crow" href="/rad-security/integrations/vulnerabilities/crowdstrike-falcon-spotlight-setup">
    Configure CrowdStrike for vulnerability management
  </Card>

  <Card title="CrowdStrike Falcon Insight (EDR)" icon="shield" href="/rad-security/integrations/edr/overview">
    Integrate CrowdStrike EDR capabilities
  </Card>
</CardGroup>

## Next Steps

<CardGroup cols={2}>
  <Card title="SIEM Integrations Overview" icon="chart-line" href="/rad-security/integrations/siem/overview">
    Explore other SIEM integration options
  </Card>

  <Card title="Runtime Security" icon="shield" href="/rad-security/integrations/runtime-security">
    Learn what runtime events are sent to CrowdStrike
  </Card>

  <Card title="Threat Models" icon="crosshairs" href="/rad-security/security-and-compliance/overview">
    Understand how threats are detected and classified
  </Card>

  <Card title="Alerts & Incidents" icon="bell" href="/rad-security/platform/workspace">
    Configure alert rules to forward to CrowdStrike
  </Card>
</CardGroup>
