CrowdStrike Falcon Endpoint for Security Incident - API Rate Limit being crossed

Community Alums
Not applicable

We are trying to integrate ServiceNow with CrowdStrike Falcon Endpoint for Security Incident, but the integration gets disabled each day or so. The integration works for some time but then it fails. In the logs we are receiving an error that Rate Limit has increased.

 

We raised a case with CrowdStrike as the plugin is supported by them. Their answer was that all ServiceNow customers connecting through this plugin are striking the same CrowdStrike endpoint, hence the API Rate Limit is being crossed. They suggested that we use a MID Server for the API calls.

 

This seems a ridiculous design to me, but anyway we configured OAuth authentication to go through the MID Server, but I do not think there is any way to send the actual REST API calls (to get Detections/Incidents/Behaviors) through the MID Server. Our customer contends that ServiceNow must send all API calls through the MID Server for this integration to work. Please correct me if my understanding is wrong.

 

My thinking is that, CrowdStrike being a major player on the Security Scan side and ServiceNow being a major player on the Ticketing side, there would be many customers who use this integration and might have faced this issue. Is there anyone who can help me in solving this puzzle?

7 REPLIES 7

vilmarsteur
Tera Contributor

@Community Alums 

Thank you for posting this question; we are also contemplating using this integration. Is the issue solved in the meantime?

 

Milindsecops
Tera Contributor

Just adding:
We had our issue resolved: the CS team had pushed an updated version around mid-May, which includes disabling the connection timeout logic, which I believe was the issue from the start within our environment.

Same problem here; I use a MID Server and it is OK. After installing the mentioned update I had to reconfigure all applications to the correct endpoints, from api.crowd to our api.eu-1., because it didn't reflect. Looks OK now.