
CrowdStrike Falcon


Version: 1.14
Updated: April 23, 2025

The CrowdStrike Falcon integration lets you pull and update Detections, Incidents, and Alerts, and search Incidents, Devices, Detections, and Alerts in your Falcon tenant.

Actions

  • Close CrowdStrike Incident (Containment) - Close a CrowdStrike Incident by setting its state to closed.
  • Create Indicators (Containment) - Create custom Indicators (IOCs).
  • Detections CrowdStrike Falcon Daemon (Daemon) - Daemon that periodically pulls CrowdStrike Detections.
  • Device Actions (Containment) - Take various actions (for example, network containment) on the hosts in your environment.
  • Get Browser History (Enrichment) - Get a user's browser history.
  • Get Endpoint (Enrichment) - Get details on one or more hosts by providing their agent IDs.
  • Get Incident Info (Enrichment) - Get details for a specific CrowdStrike Incident.
  • Get Indicators (Containment) - Get Indicators by their IDs.
  • Get User ID By Mail (Enrichment) - Search for a specific User ID with a given email address.
  • Get IDP Device Info (Enrichment) - Retrieve detailed information about a device from Identity Protection (IDP). Requires IDP rights and the relevant IDP-related API scopes.
  • Incidents CrowdStrike Falcon Daemon (Daemon) - Daemon that periodically pulls CrowdStrike Incidents.
  • List Endpoints (Enrichment) - Search for hosts in your environment by platform, hostname, or IP address.
  • Search into Detections (Enrichment) - Search for Detections that match a given query.
  • Search into Incidents (Enrichment) - Search for Incidents by providing an FQL filter, sorting, and paging details.
  • Update Detections (Containment) - Modify the state or assignee of Detections.
  • Update Alerts (Containment) - Perform actions on Alerts identified by the composite ID(s) given in the request.
  • Search into Alerts (Enrichment) - Retrieve the IDs of all Alerts that match a given query.
  • Alerts CrowdStrike Falcon Daemon (Daemon) - Daemon that periodically pulls CrowdStrike Alerts.
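The Search into Incidents action, like the Incidents daemon (which the change log notes gained an FQL-based filter, pagination, and duplicate removal), works by submitting an FQL filter and then walking the result set in offset/limit pages. The following Python is an added example written for this page, not the integration's own code: the query path and the `meta.pagination`/`resources` response shape follow CrowdStrike's public Falcon API documentation as understood here, the `transport` callable stands in for an authenticated HTTP GET, and every incident ID is constructed. It also shows the duplicate-across-pages case the daemon has to tolerate.

```python
"""Paging through CrowdStrike incident IDs with an FQL filter.

Added example; this is not the Sumo Logic integration's code. The query path
and the meta.pagination/resources response shape follow CrowdStrike's public
Falcon API documentation as understood by the editor; `transport` stands in
for an authenticated HTTP GET, and every ID below is constructed.
"""
from typing import Callable, Dict, List, Optional

INCIDENT_QUERY_PATH = "/incidents/queries/incidents/v1"  # per public API docs

Transport = Callable[[str, Dict[str, object]], Dict[str, object]]


def fql_filter(equals: Dict[str, str], since: Optional[str] = None) -> str:
    """Build a conjunctive FQL filter such as status:'new'+created_timestamp:>'...'.

    Values are single-quoted. A value containing a quote is rejected outright
    rather than escaped, so an attacker-influenced field (a hostname, a tag)
    cannot break out of its term and widen the query.
    """
    terms = []
    for field, value in equals.items():
        if "'" in value:
            raise ValueError(f"quote in FQL value for {field!r}")
        terms.append(f"{field}:'{value}'")
    if since is not None:
        if "'" in since:
            raise ValueError("quote in timestamp")
        terms.append(f"created_timestamp:>'{since}'")
    return "+".join(terms)


def query_incident_ids(transport: Transport, filter_expr: str,
                       limit: int = 100, max_pages: int = 50) -> List[str]:
    """Walk offset/limit pages of matching incident IDs, returning each ID once.

    With a newest-first sort, an incident created while paging shifts every
    later page by one, so an ID can be served twice; the seen-set drops the
    repeat. The new incident itself is picked up by the next run via `since`.
    max_pages bounds the loop if the total keeps growing.
    """
    seen = set()
    ordered: List[str] = []
    offset = 0
    for _ in range(max_pages):
        body = transport(INCIDENT_QUERY_PATH, {
            "filter": filter_expr,
            "sort": "created_timestamp.desc",
            "limit": limit,
            "offset": offset,
        })
        if body.get("errors"):
            raise RuntimeError(f"Falcon API errors: {body['errors']}")
        page = body.get("resources") or []
        for incident_id in page:
            if incident_id not in seen:
                seen.add(incident_id)
                ordered.append(incident_id)
        total = body["meta"]["pagination"]["total"]
        offset += len(page)
        if not page or offset >= total:
            break
    return ordered


SAMPLE_IDS = [f"inc:aaaaaaaa:{n:08d}" for n in range(1, 6)]  # constructed, not real IDs


class FakeFalconQueries:
    """Constructed stand-in for GET /incidents/queries/incidents/v1.

    After the first page is served, a new incident is inserted at the head of
    the newest-first result set, reproducing the repeated-ID case above.
    """

    def __init__(self, ids: List[str]) -> None:
        self.live = list(ids)
        self.calls = 0

    def __call__(self, path: str, params: Dict[str, object]) -> Dict[str, object]:
        assert path == INCIDENT_QUERY_PATH
        self.calls += 1
        offset, limit = int(params["offset"]), int(params["limit"])
        page = self.live[offset:offset + limit]
        total = len(self.live)
        if self.calls == 1:  # an incident lands between page 1 and page 2
            self.live.insert(0, "inc:ffffffff:00000000")
        return {"meta": {"pagination": {"offset": offset, "limit": limit,
                                        "total": total}},
                "resources": page, "errors": []}


if __name__ == "__main__":
    fake = FakeFalconQueries(SAMPLE_IDS)
    expr = fql_filter({"status": "new"}, since="2025-04-01T00:00:00Z")
    print(expr)
    print(query_incident_ids(fake, expr, limit=2), "in", fake.calls, "calls")
```

In a real run, `transport` would be a function that attaches the OAuth2 bearer token from the integration's API client and performs the GET against your Falcon cloud; the paging and de-duplication logic stays the same.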

Category

EDR

Configure CrowdStrike Falcon in Automation Service and Cloud SOAR

Before you can use the integration, you must configure it so that the vendor can communicate with Sumo Logic. For general guidance, see Configure Authentication for Integrations.

  1. Access App Central and install the integration.
  2. Select the installed integration in the Integrations page.
    Classic UI. In the main Sumo Logic menu, select Automation and then select Integrations in the left nav bar.
    New UI. In the main Sumo Logic menu, select Automation > Integrations. You can also click the Go To... menu at the top of the screen and select Integrations.
  3. Select the integration.
  4. Hover over the resource name and click the Edit button that appears.
  5. In the Add Resource dialog, enter the authentication needed by the resource (for CrowdStrike Falcon, the credentials of an API client created in the Falcon console). Grant that API client only the scopes the actions you plan to use require; actions such as Get IDP Device Info fail without their specific scopes. When done, click TEST to test the configuration, and click SAVE to save the configuration.

For information about CrowdStrike Falcon, see CrowdStrike documentation.

Change Log

  • June 3, 2021 - First upload
  • July 8, 2022 - Added new action:
    • Device Actions
  • November 10, 2022 - Added new action:
    • Get Browser History
  • January 31, 2020 - Action updated: Get Report Summary
  • December 30, 2022 - Action updated:
    • Detections CrowdStrike Falcon Daemon (added FQL-based filter and pagination to the daemon)
  • February 17, 2023 - Refactoring
  • February 23, 2023 (v1.3)
    • List Endpoints: updated API endpoint
    • Incidents CrowdStrike Falcon Daemon: duplicates removed
  • March 7, 2023 (v1.4)
    • List Endpoints: updated field hints
  • March 21, 2023 (v1.5) - Logo updated
  • July 12, 2023 (v1.8) - Changed field visibility
  • March 4, 2024 (v1.9) - Updated code for compatibility with Python 3.12
  • October 16, 2024 (v1.10) - Added new actions:
    • Create Indicators
    • Get Indicators
  • November 28, 2024 (v1.12) - Added new actions:
    • Update Alerts
    • Search into Alerts
    • Alerts CrowdStrike Falcon Daemon
  • February 21, 2025 (v1.13) - Added new action:
    • Get IDP Device Info
  • April 23, 2025 (v1.14) - Updated the integration:
    • Refactored the code to improve performance and maintainability.
Copyright © 2025 by Sumo Logic, Inc.