Configure CrowdStrike Falcon EDR integration
Before you can use the CrowdStrike Falcon EDR integration, you must download it from the ServiceNow Store and add the appropriate Client ID and Client Secret.
Before you begin
Role required: sn_sec_tisc.admin
- Threat Intelligence Security Center application must be installed and activated.
- Obtain the API Client ID and API Client Secret from the CrowdStrike Falcon console.
- In the CrowdStrike Falcon console, under API Scopes, grant read and write access for IOC Management.
Procedure
- Using your instance, access Threat Intelligence Security Center.
- Download the integration from the ServiceNow Store.
- Select Integrations > Security Tools > EDR.
- Click Configure New Security Tool to configure the CrowdStrike Falcon EDR integration.
- Select the CrowdStrike Falcon EDR option.
- Fill in the fields on the Configure new security tool form.

  Table 1. Create New Enrichment Integration

  | Field | Description |
  | --- | --- |
  | Name | Enter a name for the new security tool integration. For example, CrowdStrike Falcon EDR. |
  | Vendor Name | Name of the vendor. The details of the selected vendor are populated by default. For example, CrowdStrike Falcon EDR. |
  | Description | Enter a description for the new security tool integration. |
  | Integration Type | Option that displays the integration type. |
  | Integration Category | Option that displays the integration category. |
  | Integration Configuration | |
  | Base URL | The CrowdStrike API base URL. The default value is https://api.crowdstrike.com. For more information, see https://falcon.crowdstrike.com/documentation/page/a2a7fc0e/crowdstrike-oauth2-based-apis#k9578c40 |
  | Client ID | The client ID that you obtained from CrowdStrike. For more information, see https://falcon.crowdstrike.com/documentation/page/a2a7fc0e/crowdstrike-oauth2-based-apis. |
  | Client Secret | The client secret key that you obtained from CrowdStrike. For more information, see https://falcon.crowdstrike.com/documentation/page/a2a7fc0e/crowdstrike-oauth2-based-apis. |
  | Expiration period in days for any type of observables | The expiry period, in days, applied to observables of any type when they are sent to CrowdStrike EDR. Note: This value is the fallback expiration period, used when no expiration time is set for a specific observable type. |
  | IP Observable Expiration Time | The expiry period, in days, applied to IP observables when they are sent to CrowdStrike EDR. |
  | Domain Observable Expiration Time | The expiry period, in days, applied to domain observables when they are sent to CrowdStrike EDR. |
  | Hash Observable Expiration Time | The expiry period, in days, applied to hash observables when they are sent to CrowdStrike EDR. |
- Click Save.
  The integration details are validated, and by default the status of the CrowdStrike EDR integration is Disabled.
- Click Enable to enable the CrowdStrike EDR integration.
Note: Multiple configurations are allowed for the CrowdStrike Falcon EDR integration.
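The expiration fields above follow a simple precedence rule: the type-specific value wins, and the generic "any type" value is only a fallback. The following added example (not ServiceNow's or CrowdStrike's code) models that rule so an administrator can see which observable types would be sent without any expiry before clicking Save; the `EdrConfig` field names, the type-to-field mapping and the indicator payload shape are assumptions, and the sample values are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class EdrConfig:
    """Hypothetical stand-in for the form fields; attribute names are assumed."""
    base_url: str = "https://api.crowdstrike.com"
    default_expiry_days: Optional[int] = None   # "Expiration period in days for any type of observables"
    ip_expiry_days: Optional[int] = None        # "IP Observable Expiration Time"
    domain_expiry_days: Optional[int] = None    # "Domain Observable Expiration Time"
    hash_expiry_days: Optional[int] = None      # "Hash Observable Expiration Time"

# Observable type -> form field that governs it (mapping assumed for this example).
TYPE_FIELD = {
    "ipv4": "ip_expiry_days", "ipv6": "ip_expiry_days",
    "domain": "domain_expiry_days",
    "md5": "hash_expiry_days", "sha256": "hash_expiry_days",
}

# Constructed reference time so the computed expirations are reproducible.
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)

def expiry_days(cfg: EdrConfig, ioc_type: str) -> int:
    """Type-specific value wins; the generic field is used only as the fallback."""
    specific = getattr(cfg, TYPE_FIELD[ioc_type])
    if specific is not None:
        return specific
    if cfg.default_expiry_days is None:
        raise ValueError(f"no expiration configured for {ioc_type} and no fallback set")
    return cfg.default_expiry_days

def unexpiring_types(cfg: EdrConfig) -> list:
    """Observable types that would be pushed with no expiry: check this before Save."""
    missing = []
    for ioc_type in TYPE_FIELD:
        try:
            expiry_days(cfg, ioc_type)
        except ValueError:
            missing.append(ioc_type)
    return missing

def build_indicator(cfg: EdrConfig, ioc_type: str, value: str, now: datetime) -> dict:
    """Minimal indicator entry with an absolute UTC expiration (payload shape assumed)."""
    expires = now + timedelta(days=expiry_days(cfg, ioc_type))
    return {"type": ioc_type, "value": value,
            "expiration": expires.strftime("%Y-%m-%dT%H:%M:%SZ")}

if __name__ == "__main__":
    cfg = EdrConfig(default_expiry_days=30, hash_expiry_days=90)   # constructed sample config
    print(build_indicator(cfg, "sha256", "a" * 64, SAMPLE_NOW))    # hash-specific: 90 days
    print(build_indicator(cfg, "ipv4", "203.0.113.5", SAMPLE_NOW)) # no IP value: falls back to 30
    print(unexpiring_types(EdrConfig(ip_expiry_days=7)))           # domain and hash types unset
```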