Getting started with the CrowdStrike Falcon Insight integration

  • Release version: Australia
  • Updated March 12, 2026
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Getting Started with the CrowdStrike Falcon Insight Integration

    The CrowdStrike Falcon Insight integration allows you to connect your ServiceNow AI Platform instance with the Security Incident Response product. This integration enhances your ability to manage security incidents effectively.

    Show full answer Show less

    Key Features

    • Role Requirements: The integration requires various roles such as admin, snsi.admin, and snsi.analyst to ensure proper setup and functionality.
    • Essential Plugins: Installation of the ServiceNow Integration Hub Enterprise Pack Installer and the Security Incident Response plugin is necessary for integration support.
    • Approval Group: Optional approval capability to manage host isolation and network restoration actions, requiring the snsi.admin role or an assigned approval group.
    • CrowdStrike Roles: Specific roles like Falcon administrator and Real Time Responder roles are critical for API configurations and executing custom scripts.

    Key Outcomes

    By following the setup process, you ensure that all necessary components are configured, allowing for efficient handling of security incidents through the ServiceNow platform. This integration streamlines incident management and enhances your operational security posture.

    You can activate and set up the CrowdStrike Falcon Insight to interface with your ServiceNow AI Platform instance and Security Incident Response product.

    Role required: admin

    Before you can use CrowdStrike Falcon Insight for the Security Operations integration, you must download it from the ServiceNow Store.

    Table 1. Checklist
    Setup task Description
    Assign and verify the required ServiceNow AI Platform and Security Incident Response roles. These roles are required for configuration and verification of the expected results:
    • The admin role installs the integration from the ServiceNow Store and assigns the sn_si.admin role.
    • The sn_si.admin role configures the integration, creates and activates profiles, and then assigns the sn_si.analyst role.
    • The sn_si.analyst role responds to security incidents, launches profiles manually, and can submit requests for such actions as isolating the host and removing the host isolation for an approved group.
    Verify that the ServiceNow core applications that are required to support the integration are installed and activated before you configure this integration.

    The ServiceNow Integration Hub Enterprise Pack Installer [com.glide.hub.integrations.enterprise] plugin is required. This plugin enables the execution of IntegrationHub actions and flows:

    The Security Incident Response plugin (com.snc.security_incident) is required. This plugin automatically installs all the dependencies that are required to support the Security Incident Response product. Install and activate this plugin before you install and activate the other Security Operations applications that are required by the integration.

    Verify that the following Security Operations applications are installed and activated from the ServiceNow Store. If these applications are not already installed, you must install and activate each application one at a time in the following order to ensure a smooth installation:

    1. Security Incident Response Dependency (com.snc.si_dep)
    2. Security Integration Framework
    3. Security Support Common
    4. Security Support Orchestration
    5. Threat Intelligence Support Common
    6. Trusted Security Circles
    7. Security Operations Setup Assistant
    8. Security Incident Response
    Set up an approval group.

    An optional approval capability is available for isolating host machines, restoring them to the network, and initiating sightings searches.

    To enable this option, you require prior approval from the sn_si.admin role before host machines are isolated and restored to your network, or when sightings searches are performed. If you require an extra level of control over these actions, enable the Require approval option when configuring the profile. The approval authority is assigned to the user with the sn_si.admin role. You can also reassign this approval authority to an approval group.
    Assign and verify the CrowdStrike Falcon Platform roles. The following roles are required on the CrowdStrike Falcon Platform for the integration configuration:
    • The Falcon administrator role is required to view, create, or modify API clients or keys.
    • The Real Time Responder – Administrator role is required for creating and executing custom scripts.
    • The Real Time Responder – Active Responder role is required for creating and executing custom scripts.
    Verify that the custom scripts roles and permissions are enabled in the CrowdStrike Falcon Platform. This integration uses CrowdStrike's custom scripts for few of the enrichment capabilities.
    • Verify that the Real Time Responder – Administrator and the Real Time Responder – Active Responder roles are available.
    • Verify that the Default(Windows) policy option is enabled in Configuration > Response Policies in the CrowdStrike Falcon UI.
    • Verify that the Real Time Response and Custom Scripts under Real Time Functionality is enabled in the CrowdStrike Falcon UI.
    Generate API clients and keys in the CrowdStrike Falcon Platform. Create the CrowdStrike API clients or keys in the CrowdStrike Falcon Platform to use in the ServiceNow AI Platform integration configuration.