# NG SIEM - CrowdStrike Integration

### CrowdStrike Integration

The [CrowdStrike](https://www.crowdstrike.com/) Falcon integration allows you to easily connect your CrowdStrike Falcon platform to Elastic for seamless onboarding of alerts and telemetry from CrowdStrike Falcon and Falcon Data Replicator. Elastic Security can leverage this data for security analytics, including correlation, visualization and incident response.

##### **Requirements** 

**API - Steps to Get Client ID and Client Secret in CrowdStrike Falcon (Recommended)**

1. **Log in to the Falcon Console**
    
    
    - Go to: [https://falcon.crowdstrike.com](https://falcon.crowdstrike.com/)
    - Use your admin credentials to log in.
2. **Navigate to API Clients and Keys**
    
    
    - Click on the **"Support"** (question mark icon) or your **User avatar** on the top right.
    - Select **"API Clients and Keys"** from the dropdown.  
        Alternatively, go to: `https://falcon.crowdstrike.com/support/api-clients-and-keys`
3. **Create a New API Client**
    
    
    - Click on **“Add new API client”**.
    - **Name** your client and optionally add a **description**.
    - Under **API Scopes**, select the required **permissions** based on what you need (e.g., read access to Hosts, Alerts, IOCs, etc.).
4. **Click** **Save**
5. **Copy the Client ID and Client Secret**
    
    
    - After saving, the **Client ID** and **Client Secret** will be displayed **once**.
    - Copy them immediately and store them securely (e.g., in a password manager or secrets vault).
6. **Token URL**

**Collect CrowdStrike Falcon Data Replicator Logs (input: aws-s3)**

1. Go to: [https://falcon.crowdstrike.com](https://falcon.crowdstrike.com)
2. Log in with your CrowdStrike account
3. In the left menu, click **Support & Resources** → **Falcon Data Replicator** (or directly **FDR Access**)
4. You will immediately see a section called **AWS-S3 (Option 1)** with the three fields already filled in for your customer account:
    
    
    - **AWS: Access Key ID** → copy this
    - **AWS: Secret Access Key** → copy this (it’s shown only here; you can’t retrieve it again)
    - **AWS: Queue URL** → copy this exact SQS URL

<p class="callout info">Please provide the following information to CyTech:</p>

**Collect CrowdStrike Falcon Data Replicator Logs (input: aws-s3)**

- **AWS: Access Key ID**
- **AWS: Secret Access Key**
- **AWS: Queue URL**

**API - Steps to Get Client ID and Client Secret in CrowdStrike Falcon**

- **Client ID:** Client ID for CrowdStrike.
- **Client Secret:** Client Secret for CrowdStrike.
- **URL:** Token URL of CrowdStrike.
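
Before handing over the Client ID, Client Secret and Token URL, you can confirm that the new API client actually authenticates. The script below is an added example, not CrowdStrike, Elastic or CyTech code; it assumes the token URL accepts a standard OAuth2 client-credentials POST with form-encoded `client_id` and `client_secret`, and the `FALCON_*` environment variable names are hypothetical.

```python
"""Pre-flight check for a Falcon API client (added example, assumptions noted inline)."""
import json
import os
import urllib.error
import urllib.parse
import urllib.request


def build_token_request(token_url, client_id, client_secret):
    """Build the OAuth2 client-credentials POST without sending it."""
    parsed = urllib.parse.urlparse(token_url)
    # Never send the client secret over cleartext HTTP or to a URL with no host.
    if parsed.scheme != "https" or not parsed.hostname:
        raise ValueError("token URL must be an https:// URL")
    if not client_id or not client_secret:
        raise ValueError("client ID and client secret are both required")
    # Assumption: the endpoint takes form-encoded client_id / client_secret.
    body = urllib.parse.urlencode(
        {"client_id": client_id, "client_secret": client_secret}
    ).encode()
    return urllib.request.Request(
        token_url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"},
    )


def check_credentials(request, opener=urllib.request.urlopen):
    """Return (ok, detail). The token itself is never returned or printed."""
    try:
        with opener(request, timeout=15) as resp:
            payload = json.loads(resp.read().decode())
    except urllib.error.HTTPError as err:
        return False, f"rejected with HTTP {err.code}"
    except (urllib.error.URLError, ValueError) as err:
        return False, f"no usable response: {err}"
    if not isinstance(payload, dict) or "access_token" not in payload:
        return False, "response carried no access_token"
    return True, f"token issued, expires_in={payload.get('expires_in')}"


if __name__ == "__main__":
    # Hypothetical variable names; export them in the shell, do not hard-code secrets.
    req = build_token_request(os.environ["FALCON_TOKEN_URL"],
                              os.environ["FALCON_CLIENT_ID"],
                              os.environ["FALCON_CLIENT_SECRET"])
    print(check_credentials(req))
```

An HTTP 401 or 403 result usually means the secret was copied incorrectly or the client was deleted; in that case create a new API client rather than retrying with guessed values.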
