CrowdStrike API Data Connector (via Codeless Connector Framework)



Attribute                   Value
Connector ID                CrowdStrikeAPIConnector
Publisher                   Microsoft
Used in Solutions           CrowdStrike Falcon Endpoint Protection
Collection Method           CCF
Connector Definition Files  CrowdStrikeAPI_Definition.json
CCF Configuration           CrowdStrikeAPI_PollingConfig.json
CCF Capabilities            OAuth2, Paging, Nested

The CrowdStrike Data Connector allows ingesting logs from the CrowdStrike API into Microsoft Sentinel. This connector provides the capability to ingest CrowdStrike Alerts, Detections, Hosts, Cases, and Vulnerabilities into Microsoft Sentinel. This connector is built on the Microsoft Sentinel Codeless Connector Platform and uses the CrowdStrike API to fetch logs. It supports DCR-based ingestion time transformations so that queries can run more efficiently. Refer to CrowdStrike API documentation for more information.

Tables Ingested

This connector ingests data into the following tables:

Table Transformations Ingestion API Lake-Only
CrowdStrikeAlerts ?
CrowdStrikeCases ?
CrowdStrikeDetections ?
CrowdStrikeHosts ?
CrowdStrikeVulnerabilities ?

💡 Tip: Tables with Ingestion API support allow data ingestion via the Azure Monitor Data Collector API, which also enables custom transformations during ingestion.

Permissions

Resource Provider Permissions:
  - Workspace (Workspace): Read and Write permissions are required.

Custom Permissions:
  - CrowdStrike OAuth2 API Client and Scopes: Alerts, API Integrations, App Logs, Cases, Correlation Rules, Detections, Hosts, Assets, Incidents, Quarantined Files, Vulnerabilities are required for the REST API. See the documentation to learn more about the API.

Setup Instructions

⚠️ Note: These instructions were automatically generated from the connector's user interface definition file using AI and may not be fully accurate. Please verify all configuration steps in the Microsoft Sentinel portal.

1. Connect CrowdStrike to Microsoft Sentinel

ℹ️ Important Notice: The Incidents API is fully decommissioned. Use the new Cases data type instead.

To gather data from CrowdStrike, you need to provide the following resources:
  1. Base API URL
  2. Client ID
  3. Client Secret

For detailed instructions on retrieving the Base API URL, Client ID, and Client Secret, please refer to the Connector Tutorial.

Connector Management Interface

This section is an interactive interface in the Microsoft Sentinel portal that allows you to manage your data collectors.

📊 View Existing Collectors: A management table displays all currently configured data collectors with the following information:
  - Data Type

Add New Collector: Click the "Add new collector" button to configure a new data collector (see configuration form below).

🔧 Manage Collectors: Use the actions menu to delete or modify existing collectors.

💡 Portal-Only Feature: This configuration interface is only available when viewing the connector in the Microsoft Sentinel portal. You cannot configure data collectors through this static documentation.

Configure CrowdStrike API Connection

Connect to CrowdStrike to ingest security data

When you click the "Add Connection" button in the portal, a configuration form will open. You'll need to provide:

Required API Scopes

In your CrowdStrike Falcon console, go to Support and resources > API clients and keys, select your API client, and enable the following scopes with Read access: Alerts, Cases, Detections, Hosts, Spotlight Vulnerabilities.

1. Retrieve API URL

Log in to your CrowdStrike Console and navigate to the API section to copy your Base API URL.

2. Retrieve Client Credentials

Obtain your Client ID and Client Secret from the API credentials section in your CrowdStrike account.

💡 Portal-Only Feature: This configuration form is only available in the Microsoft Sentinel portal.

2. Querying Detections (after successful connection)

Once logs are ingesting, the CrowdStrikeDetections table contains individual alert records grouped by aggregate_id. To view true detection-level behavior, use the following KQL query to aggregate alerts by their detection group:

CrowdStrikeDetections
| summarize
    AlertCount = count(),
    FirstSeen = min(CreatedTimestamp),
    LastSeen = max(CreatedTimestamp),
    MaxSeverity = max(Severity)
by AggregateId

Additional Documentation

📄 Source: CrowdStrike Falcon Endpoint Protection\Data Connectors\CrowdStrikeAPI_ccp\README.md

CrowdStrike Falcon – API Data Connector (CCP Framework)

Summary

This Microsoft Sentinel data connector enables ingestion of security data from CrowdStrike Falcon Platform. The connector captures alerts, detections, incidents, host information, and vulnerability data from the CrowdStrike Falcon platform, providing comprehensive endpoint protection visibility.

This solution helps security teams monitor endpoints for threats, track security incidents, and maintain visibility into their security posture by sending normalized security data to Microsoft Sentinel in near real-time.


Features


Prerequisites

  1. A valid CrowdStrike Falcon tenant with administrative access.
  2. An API Client configured in CrowdStrike Falcon with:
    - Client ID
    - Client Secret
    - Base URL (region-specific)
  3. Appropriate API scopes assigned to the client (see scope requirements below).
  4. Access to an Azure subscription with Microsoft Sentinel enabled and permissions to deploy Data Connectors.
  5. Permissions to create and configure Data Collection Rules (DCR) in the target workspace.

Generating CrowdStrike Falcon API Credentials

1. Access the Falcon Console

  1. Sign into the CrowdStrike Falcon console.
  2. Navigate to Support & Resources > API clients and keys.

2. Create API Client

  1. Click Create/Add new API client.
  2. Provide a descriptive name and description for the connector.
  3. Select the required scopes based on the data types you want to ingest:

Required API Scopes by Data Type

Data Type        CrowdStrike Scope                 Description
Alerts           alerts:read                       Read access to security alerts
Cases            cases:read                        Read access to case management
Detections       detects:read                      Read access to threat detections
Hosts            hosts:read                        Read access to endpoint device information
Incidents        incidents:read                    Read access to security incidents
Vulnerabilities  spotlight-vulnerabilities:read    Read access to Falcon Spotlight vulnerability data

Note: You can grant only the scopes for the data types you need. If you want all data types, grant all scopes listed above.

3. Configure API Client

  1. After creating the client, note the Client ID and Client Secret (the secret is displayed only once).
  2. Identify your Base URL based on your CrowdStrike cloud region:

Base URLs by Region

Region    Base URL
US-1      https://api.crowdstrike.com
US-2      https://api.us-2.crowdstrike.com
EU-1      https://api.eu-1.crowdstrike.com
US-GOV-1  https://api.laggar.gcw.crowdstrike.com

4. Save Credentials

Save the following values for connector deployment:
  - Client ID
  - Client Secret
  - Base URL (from the table above)


Deployment Parameters

When deploying the connector, you'll need to provide:

Example Configuration

Base API URL: https://api.us-2.crowdstrike.com
Client ID: a1b2c3d4e5f6g7h8i9j0
Client Secret: [Your secure client secret]

Deployment Instructions

1. Deploy the Connector

  1. Go to Microsoft Sentinel > Data Connectors.
  2. Search for "CrowdStrike API Data Connector (via Codeless Connector Framework)".
  3. Click Open connector page.
  4. Under Configuration, enter your CrowdStrike credentials:
    - Base API URL (region-specific)
    - Client ID
    - Client Secret
  5. Click Connect.

2. Verify Connection


Post-Deployment Steps

1. Verify Data Ingestion

After deployment, verify that data is flowing into Microsoft Sentinel:

  1. Go to Microsoft Sentinel > Logs.
  2. Run sample queries to check for data in each table:

// Check CrowdStrike Alerts
CrowdStrikeAlerts
| take 10

// Check Crowdstrike Cases
CrowdStrikeCases
| take 10

// Check CrowdStrike Detections
CrowdStrikeDetections
| take 10

// Check CrowdStrike Incidents
CrowdStrikeIncidents
| take 10

// Check CrowdStrike Hosts
CrowdStrikeHosts
| take 10

// Check CrowdStrike Vulnerabilities
CrowdStrikeVulnerabilities
| take 10

2. Monitor Connector Health


Troubleshooting

Common Issues and Solutions

1. Authentication Errors (403 Forbidden)

2. No Data Ingestion

3. Token Expiry Errors
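The two failure modes named above, a 403 from an API client that lacks a data type's read scope and a token that has aged out between polls, can both be reproduced outside the portal. The following Python client is an added example and is not code from the connector or from CrowdStrike: it performs the OAuth2 client-credentials grant, refreshes the cached token shortly before its expires_in elapses, and maps a 403 on each data type's query endpoint back to the scope from the README's table. The endpoint paths under PROBE_PATHS and the HTTP status accepted for the token response are assumptions about CrowdStrike's public API and should be checked against the API documentation for your tenant.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

# Read scope required per data type, taken from the scope table in this README.
REQUIRED_SCOPES = {"Alerts": "alerts:read", "Detections": "detects:read", "Hosts": "hosts:read",
                   "Incidents": "incidents:read", "Vulnerabilities": "spotlight-vulnerabilities:read"}
# Query endpoints probed per data type (assumed; verify against the CrowdStrike API reference).
PROBE_PATHS = {"Alerts": "/alerts/queries/alerts/v2", "Detections": "/detects/queries/detects/v1",
               "Hosts": "/devices/queries/devices/v1", "Incidents": "/incidents/queries/incidents/v1",
               "Vulnerabilities": "/spotlight/queries/vulnerabilities/v1"}


def urllib_transport(method, url, headers, body):
    """Real HTTP transport: returns (status, parsed JSON body) and never raises on 4xx."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


class FalconClient:
    def __init__(self, base_url, client_id, client_secret, transport=urllib_transport, clock=time.time):
        self.base_url = base_url.rstrip("/")          # region-specific, e.g. https://api.us-2.crowdstrike.com
        self.creds = {"client_id": client_id, "client_secret": client_secret}
        self.transport, self.clock = transport, clock  # injectable so the flow can be exercised offline
        self._token, self._expires_at = None, 0.0

    def token(self):
        """Client-credentials grant. The token is reused until 60 s before expiry, then re-requested,
        so a poll that starts late in the token's lifetime does not fail with an expiry error."""
        if self._token is None or self.clock() >= self._expires_at - 60:
            body = urllib.parse.urlencode(self.creds).encode()
            status, data = self.transport("POST", self.base_url + "/oauth2/token",
                                          {"Content-Type": "application/x-www-form-urlencoded"}, body)
            if status not in (200, 201) or "access_token" not in data:   # assumed: 201 on success
                raise RuntimeError(f"token request failed: HTTP {status}")
            self._token = data["access_token"]
            self._expires_at = self.clock() + float(data.get("expires_in", 1799))
        return self._token

    def missing_scopes(self):
        """Probe each data type's query endpoint; a 403 means the client lacks that type's read scope."""
        missing = {}
        for dtype, path in PROBE_PATHS.items():
            status, _ = self.transport("GET", f"{self.base_url}{path}?limit=1",
                                       {"Authorization": f"Bearer {self.token()}"}, None)
            if status == 403:
                missing[dtype] = REQUIRED_SCOPES[dtype]
        return missing
```

Run missing_scopes() once with the same credentials the connector uses; every entry it returns is a scope to add to the API client before the corresponding table can fill.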

Support Resources


