Crowdstrike Falcon Endpoint for Security Incident - API Rate Limit being crossed

Community Alums · ‎04-22-2024

We are trying to integrate ServiceNow with Crowdstrike Falcon Endpoint for Security Incident but integration gets disabled each day or so. Integration works for sometime but then it fails. In logs we are receiving error that Rate Limit has increased.

We raised a case with Crowdstrike as plugin is supported by them. Their answer was that all ServiceNow customers connecting through this plugin is striking same CrowdStrike endpoint hence API RATE Limit is being crossed. They suggested us to use Mid Server for API Call.

This seems ridiculous design to me but anyway we configured OAuth authentication to go through Mid Server but I do not think there is any way to send actual REST API calls (to get Detections/Incidents/Behaviors) through Mid Server. Our customer contends that ServiceNow must send all API Calls through Mid Server for this integration to work. Please correct me , If my udnerstanding is wrong

My thinking is that CrowdStrike being major player on Security Scan side and ServiceNow being major player on Ticketing side, There would be many customers who use this integration and might have faced this issue. Is there anyone who can help me in solving this puzzle ?

vilmarsteur · ‎05-30-2024

@Community Alums

Thank you for posting this question, we are also contemplating to use this integration. Is the issue solved in mean time?

Milindsecops · ‎06-02-2024

Just adding:
We had our issue resolved- CS team had pushed a updated version around Mid of May , which includes to disable the connection timeout logic - which i believe was the issue from the start within our environment.

eviljack · ‎07-13-2024

Same problem here, I use mid server and it is ok. After installing that mentioned update I had to reconfigure all application to correct endpoints from api.crowd to our api.eu-1. because it didnt reflected. Looks ok now.