
Overview

The UTMStack CrowdStrike Falcon plugin is a connector developed in Golang that receives real-time events from CrowdStrike Falcon Event Streams and sends them to the UTMStack processing server for advanced threat detection and analysis.

How It Works

The CrowdStrike integration:
  • Uses the CrowdStrike GoFalcon SDK to communicate with the Falcon Event Streams API
  • Provides real-time security event streaming from your CrowdStrike environment
  • Automatically discovers and processes available event streams
  • Connects to UTMStack via gRPC over a Unix socket
Prerequisites

You need valid CrowdStrike Falcon credentials:
  • Client ID: OAuth2 Client ID for CrowdStrike Falcon API
  • Client Secret: OAuth2 Client Secret for CrowdStrike Falcon API
  • Cloud Region: Your Falcon cloud region (us-1, us-2, eu-1, us-gov-1)
  • Member CID (Optional): For MSSP/multi-tenant environments

Features

  • Real-time event streaming from CrowdStrike Falcon
  • Automatic stream discovery and processing
  • Error handling and retry mechanisms
  • Event batching for optimized performance
  • Timeout controls to prevent blocking
  • Structured JSON event formatting
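The batching, timeout-control and structured-JSON points in the list above, as an added Go example that is not the plugin's own code. It assumes the Event Streams envelope shape (`metadata.eventType`, `metadata.offset`, `metadata.eventCreationTime`, `event`), uses only the standard library, and feeds in constructed sample lines, including a keep-alive blank line and a truncated record, to show that neither stalls the stream.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// StreamEvent is the envelope this example assumes each Event Streams line
// carries: metadata (event type, monotonically increasing offset, creation
// time) plus the raw event payload, kept opaque so every event type passes.
type StreamEvent struct {
	Metadata struct {
		EventType         string `json:"eventType"`
		Offset            int64  `json:"offset"`
		EventCreationTime int64  `json:"eventCreationTime"`
	} `json:"metadata"`
	Event json.RawMessage `json:"event"`
}

// Batch is the unit handed to the forwarder; LastOffset is persisted so the
// consumer can resume from the right point after a restart.
type Batch struct {
	Events     []StreamEvent
	LastOffset int64
}

// Batcher flushes on whichever comes first: MaxSize events, or Interval since
// LastFlush, so a quiet stream never holds a few events indefinitely.
type Batcher struct {
	MaxSize   int
	Interval  time.Duration
	LastFlush time.Time
	pending   []StreamEvent
}

// Add parses one stream line. Blank keep-alive lines are ignored; malformed
// lines are reported and skipped so one bad record cannot stall the stream.
// A non-nil Batch means the size limit triggered a flush.
func (b *Batcher) Add(line string, now time.Time) (*Batch, error) {
	line = strings.TrimSpace(line)
	if line == "" {
		return nil, nil
	}
	var ev StreamEvent
	if err := json.Unmarshal([]byte(line), &ev); err != nil {
		return nil, fmt.Errorf("skipping malformed event line: %w", err)
	}
	b.pending = append(b.pending, ev)
	if len(b.pending) >= b.MaxSize {
		return b.flush(now), nil
	}
	return nil, nil
}

// FlushIfDue is what a ticker in the read loop calls between lines.
func (b *Batcher) FlushIfDue(now time.Time) *Batch {
	if len(b.pending) == 0 || now.Sub(b.LastFlush) < b.Interval {
		return nil
	}
	return b.flush(now)
}

// flush assumes pending is non-empty; offsets increase, so the last one wins.
func (b *Batcher) flush(now time.Time) *Batch {
	out := &Batch{Events: b.pending, LastOffset: b.pending[len(b.pending)-1].Metadata.Offset}
	b.pending, b.LastFlush = nil, now
	return out
}

// SampleLines is constructed input in the assumed envelope shape: two detection
// summaries, one audit event, a keep-alive blank line and one truncated line.
var SampleLines = []string{
	`{"metadata":{"eventType":"DetectionSummaryEvent","offset":101,"eventCreationTime":1700000000000},"event":{"Severity":4,"ComputerName":"host-a"}}`,
	``,
	`{"metadata":{"eventType":"AuthActivityAuditEvent","offset":102,"eventCreationTime":1700000001000},"event":{"OperationName":"userAuthenticate","Success":false}}`,
	`{"metadata":{"eventType":"DetectionSummaryEvent","offset":103`,
	`{"metadata":{"eventType":"DetectionSummaryEvent","offset":103,"eventCreationTime":1700000002000},"event":{"Severity":2,"ComputerName":"host-b"}}`,
}

// ConsumeLines runs every line through a batcher on a constructed clock (one
// line per second), then does the time-based flush one Interval after the last
// line, returning the batches in order plus the errors for skipped lines.
func ConsumeLines(lines []string, maxSize int, interval time.Duration) ([]*Batch, []error) {
	start := time.Unix(1700000000, 0)
	b := &Batcher{MaxSize: maxSize, Interval: interval, LastFlush: start}
	var batches []*Batch
	var errs []error
	for i, line := range lines {
		bt, err := b.Add(line, start.Add(time.Duration(i)*time.Second))
		if err != nil {
			errs = append(errs, err)
		} else if bt != nil {
			batches = append(batches, bt)
		}
	}
	if bt := b.FlushIfDue(start.Add(time.Duration(len(lines))*time.Second + interval)); bt != nil {
		batches = append(batches, bt)
	}
	return batches, errs
}
```

With a batch size of 2 and a 5-second interval, the sample produces one size-triggered batch (offsets 101 and 102), one skipped-line error for the truncated record, and one time-triggered batch holding offset 103. Keeping the clock as a parameter rather than calling `time.Now()` inside the batcher is what makes the timeout behaviour testable without sleeping.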

Configuration Steps

1. Create API Credentials in CrowdStrike

  1. Log in to the CrowdStrike Falcon Console
  2. Navigate to Support > API Clients and Keys
  3. Click Add new API client
  4. Enter a descriptive name (e.g., “UTMStack Integration”)
  5. Add a description
  6. Assign the following API scopes:
    • Event streams: READ
    • Detections: READ (optional, for detection data)
    • Hosts: READ (optional, for host information)
  7. Click Add to create the client
  8. Copy the Client ID and Client Secret immediately (the secret is only shown once)

2. Identify Your Cloud Region

Determine your CrowdStrike cloud region based on your console URL:
  • https://falcon.crowdstrike.com: us-1
  • https://falcon.us-2.crowdstrike.com: us-2
  • https://falcon.eu-1.crowdstrike.com: eu-1
  • https://falcon.laggar.gcw.crowdstrike.com: us-gov-1

3. Configure in UTMStack

  1. Navigate to Integrations in the UTMStack console
  2. Select CrowdStrike Falcon
  3. Enter the required credentials:
    • Client ID: Your API client ID
    • Client Secret: Your API client secret
    • Cloud Region: Select your region (us-1, us-2, eu-1, or us-gov-1)
    • Member CID (optional): Only for MSSP accounts managing multiple tenants
  4. Click Test Connection to verify credentials
  5. Click Save to activate the integration

4. Verify Integration

Once configured, the plugin will:
  1. Authenticate with CrowdStrike Falcon using OAuth2
  2. Discover available event streams
  3. Begin streaming real-time security events
  4. Forward events to UTMStack for correlation and analysis
Verify the integration by:
  • Checking the integration status in UTMStack console
  • Viewing incoming CrowdStrike events in the Events dashboard
  • Monitoring the plugin logs for stream status
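The first two steps the plugin performs (OAuth2 authentication, then stream discovery) as an added Go example, not the plugin's code. The endpoint paths (`/oauth2/token`, `/sensors/entities/datafeed/v2`), the `member_cid` form field, the per-region API hosts and the response fields are as I recall them from CrowdStrike's public API documentation and should be treated as assumptions to check against current docs; the `appId` value `utmstack` is a placeholder. The example uses only the standard library, so the real GoFalcon SDK is not involved.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Per-region API hosts as I recall them from CrowdStrike's public documentation
// (an assumption of this example; verify against current docs).
var cloudBaseURLs = map[string]string{
	"us-1":     "https://api.crowdstrike.com",
	"us-2":     "https://api.us-2.crowdstrike.com",
	"eu-1":     "https://api.eu-1.crowdstrike.com",
	"us-gov-1": "https://api.laggar.gcw.crowdstrike.com",
}

// ResolveBaseURL fails fast on an unknown region instead of letting it surface
// later as a confusing authentication failure.
func ResolveBaseURL(region string) (string, error) {
	if u, ok := cloudBaseURLs[region]; ok {
		return u, nil
	}
	return "", fmt.Errorf("unknown cloud region %q (expected us-1, us-2, eu-1 or us-gov-1)", region)
}

// Token is the part of the /oauth2/token response this example uses.
type Token struct {
	AccessToken string `json:"access_token"`
	ExpiresIn   int    `json:"expires_in"`
}

// Authenticate performs the OAuth2 client-credentials exchange. An optional
// Member CID goes in the member_cid form field (assumed field name) to scope an
// MSSP parent client to one child tenant.
func Authenticate(ctx context.Context, c *http.Client, baseURL, clientID, clientSecret, memberCID string) (*Token, error) {
	form := url.Values{"client_id": {clientID}, "client_secret": {clientSecret}}
	if memberCID != "" {
		form.Set("member_cid", memberCID)
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, baseURL+"/oauth2/token", strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	resp, err := c.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	// The token endpoint answers 201 Created on success; accept 200 as well.
	if resp.StatusCode != http.StatusCreated && resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("authentication failed: %s (check client ID, secret and region)", resp.Status)
	}
	var tok Token
	if err := json.NewDecoder(resp.Body).Decode(&tok); err != nil {
		return nil, fmt.Errorf("decoding token: %w", err)
	}
	return &tok, nil
}

// Stream is one entry of the datafeed discovery response: the feed URL and the
// session token that authorises reading it.
type Stream struct {
	DataFeedURL  string `json:"dataFeedURL"`
	SessionToken struct {
		Token      string `json:"token"`
		Expiration string `json:"expiration"`
	} `json:"sessionToken"`
}

// DiscoverStreams lists the streams this API client may read; appID is a short
// consumer name the service uses to track that consumer's offsets.
func DiscoverStreams(ctx context.Context, c *http.Client, baseURL, accessToken, appID string) ([]Stream, error) {
	u := baseURL + "/sensors/entities/datafeed/v2?appId=" + url.QueryEscape(appID)
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, u, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+accessToken)
	resp, err := c.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("stream discovery failed: %s (check the Event streams READ scope)", resp.Status)
	}
	var body struct {
		Resources []Stream `json:"resources"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&body); err != nil {
		return nil, fmt.Errorf("decoding stream list: %w", err)
	}
	if len(body.Resources) == 0 {
		return nil, fmt.Errorf("no event streams available for this client")
	}
	return body.Resources, nil
}
```

Both calls take the base URL and an `http.Client` as parameters, so the same code can be pointed at a local test server; the error messages name the troubleshooting checks from this page (wrong region or credentials on the token step, missing Event streams READ scope on discovery) so that a failure in the plugin log already says where to look.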

Event Types Collected

The integration collects various event types from CrowdStrike Falcon:

Detection Events

  • Malware detections
  • Exploit attempts
  • Suspicious behavior
  • Machine learning detections

Authentication Events

  • User logon/logoff activities
  • Failed authentication attempts
  • Privilege escalations

Network Events

  • Network connections
  • DNS requests
  • HTTP/HTTPS traffic

Process Events

  • Process creation and termination
  • Process injection
  • Command-line execution

File Events

  • File creation, modification, deletion
  • File downloads
  • Executable file activity

MSSP Configuration

For Managed Security Service Provider (MSSP) deployments:
  1. Use the parent CID credentials for authentication
  2. Specify the Member CID for the child tenant you want to monitor
  3. Create separate integration instances for each child tenant
Example:
  • Parent CID: 1234567890ABCDEF
  • Member CID: ABCDEF1234567890 (child tenant)

Troubleshooting

Authentication Errors

  • Verify Client ID and Client Secret are correct
  • Ensure the API client has not been disabled or deleted
  • Check if the API client credentials have been rotated
  • Confirm the cloud region setting matches your Falcon instance

No Data Received

  • Verify the API client has Event Streams READ permission
  • Ensure endpoints are actively reporting to CrowdStrike
  • Check that detections or events are being generated
  • Review plugin logs for stream connection errors

Connection Timeouts

  • Verify network connectivity to CrowdStrike cloud
  • Check firewall rules allow outbound HTTPS to CrowdStrike
  • Ensure proxy settings (if applicable) are correctly configured

MSSP Issues

  • Verify the Member CID is correct
  • Ensure the parent CID has permission to access child tenant data
  • Check that the child tenant is actively reporting

API Rate Limits

CrowdStrike enforces API rate limits:
  • The plugin implements automatic retry with exponential backoff
  • Event streams are designed for continuous consumption
  • Rate limit errors are logged and automatically handled
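Automatic retry with exponential backoff, as described above, in an added Go example that is not the plugin's implementation. The choices it makes are my assumptions about sensible behaviour: HTTP 429 and 5xx are retried, a longer server `Retry-After` hint overrides the computed delay, 401/403 are treated as permanent so bad credentials or a missing scope are surfaced rather than retried, and the API call itself is simulated by a constructed stand-in.

```go
package main

import (
	"errors"
	"fmt"
	"math/rand"
	"net/http"
	"strconv"
	"time"
)

// RetryableError marks a failure worth retrying: HTTP 429 (rate limited) or a
// 5xx. RetryAfter carries the server's Retry-After hint when one was sent.
type RetryableError struct {
	Status     int
	RetryAfter time.Duration
}

func (e *RetryableError) Error() string { return fmt.Sprintf("retryable HTTP status %d", e.Status) }

// ClassifyResponse maps a status code to nil, a retryable error or a permanent
// one. 401/403 are permanent: retrying bad credentials or a missing scope only
// burns rate budget, so they are surfaced immediately.
func ClassifyResponse(status int, header http.Header) error {
	switch {
	case status >= 200 && status < 300:
		return nil
	case status == http.StatusTooManyRequests || status >= 500:
		var after time.Duration
		if secs, err := strconv.Atoi(header.Get("Retry-After")); err == nil && secs > 0 {
			after = time.Duration(secs) * time.Second
		}
		return &RetryableError{Status: status, RetryAfter: after}
	default:
		return fmt.Errorf("permanent HTTP status %d", status)
	}
}

// Backoff computes Base*2^attempt capped at Max; a longer server hint wins.
type Backoff struct {
	Base, Max time.Duration
}

func (b Backoff) Wait(attempt int, hint time.Duration) time.Duration {
	if attempt > 30 { // keep the shift from overflowing
		attempt = 30
	}
	d := b.Base << uint(attempt)
	if d <= 0 || d > b.Max {
		d = b.Max
	}
	if hint > d {
		d = hint
	}
	return d
}

// Jitter spreads a delay uniformly over [d/2, d] so plugin instances that were
// rate-limited together do not all retry in the same instant.
func Jitter(d time.Duration) time.Duration {
	return d/2 + time.Duration(rand.Int63n(int64(d/2)+1))
}

// Retry runs op until it succeeds, hits a permanent error, or exhausts
// maxAttempts, and returns the number of attempts made. sleep is injected so
// the caller chooses real waiting (time.Sleep) or none (tests).
func Retry(maxAttempts int, b Backoff, sleep func(time.Duration), op func() error) (int, error) {
	var last error
	for attempt := 0; attempt < maxAttempts; attempt++ {
		err := op()
		if err == nil {
			return attempt + 1, nil
		}
		var re *RetryableError
		if !errors.As(err, &re) {
			return attempt + 1, err
		}
		last = err
		if attempt < maxAttempts-1 {
			sleep(Jitter(b.Wait(attempt, re.RetryAfter)))
		}
	}
	return maxAttempts, fmt.Errorf("giving up after %d attempts: %w", maxAttempts, last)
}

// SimulatedCall is a constructed stand-in for an API request: it replays a
// fixed sequence of status codes (repeating the last one) with an optional
// Retry-After header, so the retry loop can be exercised offline.
func SimulatedCall(statuses []int, retryAfter string) func() error {
	i := 0
	return func() error {
		st := statuses[i]
		if i < len(statuses)-1 {
			i++
		}
		h := http.Header{}
		if retryAfter != "" {
			h.Set("Retry-After", retryAfter)
		}
		return ClassifyResponse(st, h)
	}
}
```

`Retry(5, Backoff{Base: time.Second, Max: 30 * time.Second}, time.Sleep, SimulatedCall([]int{429, 503, 200}, ""))` succeeds on the third attempt after two jittered waits of roughly one and two seconds; the same call with `[]int{403}` returns after a single attempt because a permissions failure is not something a retry can fix.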

Security Best Practices

  • Store API credentials securely
  • Regularly rotate Client Secrets (recommended every 90 days)
  • Use dedicated API clients for each integration
  • Enable IP allowlisting in CrowdStrike if supported
  • Monitor API client usage in the CrowdStrike console
  • Review and audit API client permissions periodically
  • Disable or delete unused API clients
