Configure CrowdStrike EDR integration

  • Release version: Zurich
  • Updated July 31, 2025

  Before you can use the CrowdStrike Falcon EDR integration, you must download it from the ServiceNow Store and add the appropriate Client ID and Client Secret.

    Before you begin

    Role required: sn_sec_tisc.admin

    Important:
    • The Threat Intelligence Security Center application must be installed and activated.
    • Obtain the API Client ID and API Client Secret from the CrowdStrike Falcon console.
    • In the CrowdStrike Falcon portal, under API Scopes, enable read and write access for IOC Management.

    Procedure

    1. In your instance, access Threat Intelligence Security Center.
    2. Download the integration from the ServiceNow Store.
    3. Select Integrations > Security Tools > EDR.
    4. Select Configure New Security Tool to configure the CrowdStrike Falcon EDR integration.
    5. Select CrowdStrike Falcon EDR.
    6. On the Configure new security tool form, fill in the fields.
      Table 1. Create Enrichment Integration

      | Field | Description |
      | --- | --- |
      | Name | Name for the new security tool integration. For example, CrowdStrike Falcon EDR. |
      | Vendor Name | Name of the vendor. The details of the selected vendor are populated by default. For example, CrowdStrike Falcon EDR. |
      | Description | Description for the new security tool integration. |
      | Integration Type | Integration type. |
      | Integration Category | Integration category. |
      | Integration Configuration | |
      | Base URL | CrowdStrike API base URL. The default value is https://api.crowdstrike.com. For more information, see https://falcon.crowdstrike.com/documentation/page/a2a7fc0e/crowdstrike-oauth2-based-apis#k9578c40 |
      | Client ID | Client ID from CrowdStrike. For more information, see https://falcon.crowdstrike.com/documentation/page/a2a7fc0e/crowdstrike-oauth2-based-apis. |
      | Client Secret | Client secret key from CrowdStrike. For more information, see https://falcon.crowdstrike.com/documentation/page/a2a7fc0e/crowdstrike-oauth2-based-apis. |
      | Expiration period in days for any type of observables | Expiry period in days applied to observables sent to CrowdStrike EDR. Note: This option is a fallback expiration period when the expiration time is not set for any specific observable type. |
      | IP Observable Expiration Time | Expiry period in days applied to IP observables sent to CrowdStrike EDR. |
      | Domain Observable Expiration Time | Expiry period in days applied to domain observables sent to CrowdStrike EDR. |
      | Hash Observable Expiration Time | Expiry period in days applied to hash observables sent to CrowdStrike EDR. |
    7. Select Save.
      The integration details are validated, and by default the CrowdStrike EDR integration's status is turned off.
    8. Select Enable to enable the CrowdStrike EDR integration.
      Note:
      Multiple configurations are allowed for the CrowdStrike Falcon EDR integration.
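
A pre-flight check for the API client listed under Before you begin, useful before the Base URL, Client ID and Client Secret are entered in the form. This is an added example, not ServiceNow or CrowdStrike code; the endpoint paths `/oauth2/token` and `/iocs/queries/indicators/v1` and the `FALCON_*` environment variable names are assumptions to confirm against the CrowdStrike documentation linked in the table.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request

TOKEN_PATH = "/oauth2/token"                    # assumed OAuth2 client-credentials endpoint
IOC_QUERY_PATH = "/iocs/queries/indicators/v1"  # assumed read-only IOC Management query


def token_request(base_url, client_id, client_secret):
    """Build the POST that exchanges the API client for a bearer token."""
    body = urllib.parse.urlencode(
        {"client_id": client_id, "client_secret": client_secret}).encode()
    return urllib.request.Request(base_url.rstrip("/") + TOKEN_PATH, data=body, method="POST")


def ioc_read_request(base_url, token):
    """Build a one-result IOC query; it only needs IOC Management: read."""
    url = base_url.rstrip("/") + IOC_QUERY_PATH + "?limit=1"
    return urllib.request.Request(url, headers={"Authorization": "Bearer " + token})


def preflight(base_url, client_id, client_secret, send=urllib.request.urlopen):
    """Return 'ok', 'bad_credentials' or 'missing_ioc_read_scope'.

    `send` is injectable so the check can be exercised without network access.
    Write access is not probed, because that would create an indicator.
    """
    if not base_url.lower().startswith("https://"):
        raise ValueError("base URL must use https")
    try:
        with send(token_request(base_url, client_id, client_secret)) as resp:
            token = json.load(resp)["access_token"]
    except urllib.error.HTTPError:
        return "bad_credentials"
    try:
        with send(ioc_read_request(base_url, token)):
            return "ok"
    except urllib.error.HTTPError as err:
        if err.code == 403:
            return "missing_ioc_read_scope"
        raise


if __name__ == "__main__":
    # Secrets come from the environment, never from the command line or source.
    print(preflight(os.environ.get("FALCON_BASE_URL", "https://api.crowdstrike.com"),
                    os.environ["FALCON_CLIENT_ID"], os.environ["FALCON_CLIENT_SECRET"]))
```

A result of `missing_ioc_read_scope` means the token was issued but the API client lacks the IOC Management scope; the write half of the scope still has to be confirmed in the Falcon console.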