Getting started with the CrowdStrike Falcon Insight integration

  • Release version: Zurich
  • Updated July 31, 2025

    You can activate and set up the CrowdStrike Falcon Insight integration to interface with your ServiceNow AI Platform instance and Security Incident Response product.

    Role required: admin

    Before you can use CrowdStrike Falcon Insight for the Security Operations integration, you must download it from the ServiceNow Store.

    Table 1. Checklist
    Setup task Description
    Assign and verify the required ServiceNow AI Platform and Security Incident Response roles.

    These roles are required for configuration and verification of the expected results:
    • The admin role installs the integration from the ServiceNow Store and assigns the sn_si.admin role.
    • The sn_si.admin role configures the integration, creates and activates profiles, and then assigns the sn_si.analyst role.
    • The sn_si.analyst role responds to security incidents, launches profiles manually, and can submit requests for such actions as isolating the host and removing the host isolation for an approved group.
    Verify that the ServiceNow core applications that are required to support the integration are installed and activated before you configure this integration.

    The ServiceNow Integration Hub Enterprise Pack Installer [com.glide.hub.integrations.enterprise] plugin is required. This plugin enables the execution of IntegrationHub actions and flows.

    The Security Incident Response plugin (com.snc.security_incident) is required. This plugin automatically installs all the dependencies that are required to support the Security Incident Response product. Install and activate this plugin before you install and activate the other Security Operations applications that are required by the integration.

    Verify that the following Security Operations applications are installed and activated from the ServiceNow Store. If these applications are not already installed, you must install and activate each application one at a time in the following order to ensure a smooth installation:

    1. Security Incident Response Dependency (com.snc.si_dep)
    2. Security Integration Framework
    3. Security Support Common
    4. Security Support Orchestration
    5. Threat Intelligence Support Common
    6. Trusted Security Circles
    7. Security Operations Setup Assistant
    8. Security Incident Response
    Set up an approval group.

    An optional approval capability is available for isolating host machines, restoring them to the network, and initiating sightings searches.

    With this option enabled, prior approval from the sn_si.admin role is required before host machines are isolated or restored to your network, or when sightings searches are performed. If you require an extra level of control over these actions, enable the Require approval option when configuring the profile. The approval authority is assigned to the user with the sn_si.admin role. You can also reassign this approval authority to an approval group.

    Assign and verify the CrowdStrike Falcon Platform roles.

    The following roles are required on the CrowdStrike Falcon Platform for the integration configuration:
    • The Falcon administrator role is required to view, create, or modify API clients or keys.
    • The Real Time Responder – Administrator role is required for creating and executing custom scripts.
    • The Real Time Responder – Active Responder role is required for creating and executing custom scripts.
    Verify that the custom scripts roles and permissions are enabled in the CrowdStrike Falcon Platform.

    This integration uses CrowdStrike's custom scripts for a few of the enrichment capabilities.
    • Verify that the Real Time Responder – Administrator and the Real Time Responder – Active Responder roles are available.
    • Verify that the Default(Windows) policy option is enabled in Configuration > Response Policies in the CrowdStrike Falcon UI.
    • Verify that Real Time Response and Custom Scripts under Real Time Functionality are enabled in the CrowdStrike Falcon UI.
    Generate API clients and keys in the CrowdStrike Falcon Platform.

    Create the CrowdStrike API clients or keys in the CrowdStrike Falcon Platform to use in the ServiceNow AI Platform integration configuration.