Configure CrowdStrike Falcon Endpoint for Arctic Wolf monitoring

You can configure CrowdStrike Falcon® endpoint to send the necessary logs to Arctic Wolf® for security monitoring.

Note: If you are configuring log monitoring for CrowdStrike Falcon endpoint and CrowdStrike Falcon Identity Protection, you only need to complete these instructions once.

These resources are required:

  • A Falcon Administrator role for the CrowdStrike Falcon environment that you want Arctic Wolf to monitor.
  • A CrowdStrike Falcon Enterprise license.

    For more information about pricing, see CrowdStrike pricing.

After configuring Arctic Wolf monitoring of your CrowdStrike Falcon environment, you can configure CrowdStrike Falcon to contain possibly compromised hosts. For more information, see Configure CrowdStrike Falcon for Arctic Wolf Active Response.

Create the API client

  1. Sign in to the CrowdStrike Falcon platform.
  2. Navigate to Support and resources > API clients and keys.
  3. Click Create API client.
  4. In the Create API client dialog, configure these settings:
    • Client name — Enter a name for the API client.
    • Description — (Optional) Enter a description.
  5. In the API client scopes section, select Read access for all scopes, including the Alerts scope.
  6. Click Create.
  7. Copy these values, and then save them in a safe, encrypted location to provide to Arctic Wolf later:
    • Client ID
    • Secret
    • Base URL
      Note:

      The API client secret is only available to view during the API client creation. If this information is lost before you provide it to Arctic Wolf, you must create a new client to get a new API client secret.

  8. Click Done.
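Before handing the three values from step 7 to Arctic Wolf, it is worth confirming from the command line that they actually authenticate and that the client carries the Alerts read scope from step 5. The script below is an added example, not Arctic Wolf or CrowdStrike code; it assumes the standard Falcon OAuth2 token endpoint path (/oauth2/token) and the Alerts query endpoint path (/alerts/queries/alerts/v2) as documented in CrowdStrike's public API reference, and reads the credentials from environment variables (FALCON_BASE_URL, FALCON_CLIENT_ID, FALCON_CLIENT_SECRET) so the secret is never written into a file.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request

TOKEN_PATH = "/oauth2/token"                   # assumed standard Falcon OAuth2 endpoint
ALERTS_PATH = "/alerts/queries/alerts/v2"      # assumed Alerts API query endpoint (needs Alerts read scope)


def build_token_request(base_url, client_id, client_secret):
    """Client-credentials POST carrying the Client ID and Secret from step 7."""
    body = urllib.parse.urlencode({"client_id": client_id, "client_secret": client_secret}).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"}
    return urllib.request.Request(base_url.rstrip("/") + TOKEN_PATH, data=body, headers=headers, method="POST")


def parse_token_response(raw):
    """Return the bearer token from a token response body; raise if it is missing."""
    doc = json.loads(raw)
    if not doc.get("access_token"):
        raise ValueError("token response has no access_token; keys: %s" % sorted(doc))
    return doc["access_token"]


def check_alerts_read(base_url, token):
    """True if the token can query alerts; False on HTTP 403 (Alerts read scope missing, see step 5)."""
    req = urllib.request.Request(base_url.rstrip("/") + ALERTS_PATH + "?limit=1",
                                 headers={"Authorization": "Bearer " + token, "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as err:
        if err.code == 403:
            return False
        raise


def main():
    # The secret is read from the environment, never hard-coded: it is shown only once at creation.
    base_url = os.environ["FALCON_BASE_URL"]
    creds = build_token_request(base_url, os.environ["FALCON_CLIENT_ID"], os.environ["FALCON_CLIENT_SECRET"])
    with urllib.request.urlopen(creds, timeout=30) as resp:
        token = parse_token_response(resp.read())
    print("Alerts read scope OK" if check_alerts_read(base_url, token) else "missing Alerts read scope")


if __name__ == "__main__":
    main()
```

A 401 from the token endpoint means the Client ID or Secret is wrong or the client was deleted; a False result from the scope check means step 5 must be revisited before the credentials are provided to Arctic Wolf.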

Provide CrowdStrike Falcon credentials to Arctic Wolf

Note:

Time-based events are polled with a delay to make sure that data is available. For new deployments, Arctic Wolf begins polling and reviewing activity from approximately one hour prior to configuration success. If API credentials fail, for example due to expired credentials, Arctic Wolf notifies you and requests a new set of credentials. After receiving refreshed credentials, Arctic Wolf can only retrieve data from the previous 12 hours. Provide refreshed credentials within 12 hours of expiry to enable complete data polling and coverage.

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Data Collection > Cloud Sensors.
  3. Click Add Account +.
  4. On the Add Account page, click CrowdStrike.
  5. Configure these settings:
    • Account Name — Enter a unique and descriptive name for the account.
    • Client ID — Enter the client ID from Create the API client.
    • Client Secret — Enter the secret from Create the API client.
    • API Hostname — Enter the base URL from Create the API client.
    • Credential Expiry — (Optional) Enter the credential expiration date, if applicable.

  6. Click Test and submit credentials.