CrowdStrike Falcon
You can integrate CrowdStrike Falcon with Sophos Central so that the service sends data to Sophos for analysis.
This integration is API-based.
The key steps are as follows:
- Get details of your CrowdStrike Falcon service.
- Add a new API client to CrowdStrike Falcon.
- Add an integration in Sophos Central.
Get details of CrowdStrike Falcon service
You'll need the following details:
- The base URL for CrowdStrike Falcon.
- Your CrowdStrike Falcon API client and key.
- A Client ID and Client Secret that you generate in the CrowdStrike Falcon console.
Generate an application secret
To generate an application secret, do as follows:
- Sign in to the CrowdStrike Falcon management console.
- Click Support and resources > API Clients and keys > Add new API client.
- In Add new API client enter a CLIENT NAME and DESCRIPTION.
- Select the Read API scope for Detections.
- Click ADD.
  You're shown the Client ID, Client Secret, and base URL for your new client. You must copy these to use later in Sophos Central.
  Note: The Client Secret is only shown once. Make sure you keep it somewhere safe.
- Click DONE.
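Before you enter these values in Sophos Central, you can confirm that the Client ID, Client Secret, and base URL belong together by requesting an OAuth2 token from the Falcon API. The following Python script is an added example, not part of the Sophos or CrowdStrike documentation; the environment variable names and the `.crowdstrike.com` host check are assumptions, and a successful token doesn't confirm the Detections read scope.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request

# Assumption: your base URL is under crowdstrike.com; adjust for your cloud.
ALLOWED_SUFFIXES = (".crowdstrike.com",)


def build_token_request(base_url, client_id, client_secret):
    """Build the OAuth2 client-credentials request for the Falcon API."""
    parts = urllib.parse.urlsplit(base_url.strip())
    host = parts.hostname or ""
    # Refuse anything that would send the secret in clear text or to an
    # unexpected host (for example a mistyped or look-alike base URL).
    if parts.scheme != "https" or not host.endswith(ALLOWED_SUFFIXES):
        raise ValueError(f"unexpected base URL: {base_url!r}")
    body = urllib.parse.urlencode(
        {"client_id": client_id, "client_secret": client_secret}
    ).encode()
    return urllib.request.Request(
        f"https://{host}/oauth2/token",
        data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def check_credentials(base_url, client_id, client_secret):
    """Return (ok, detail); never echoes the secret or the token."""
    req = build_token_request(base_url, client_id, client_secret)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            token = json.load(resp)
        return True, f"token issued, expires in {token.get('expires_in')} s"
    except urllib.error.HTTPError as err:
        return False, f"HTTP {err.code}: check Client ID, Client Secret and base URL"
    except urllib.error.URLError as err:
        return False, f"cannot reach {req.host}: {err.reason}"


if __name__ == "__main__":
    # Assumed variable names; set them from a secrets manager, not shell history.
    ok, detail = check_credentials(
        os.environ["FALCON_BASE_URL"],
        os.environ["FALCON_CLIENT_ID"],
        os.environ["FALCON_CLIENT_SECRET"],
    )
    print("OK" if ok else "FAILED", "-", detail)
```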
Add an integration
To integrate CrowdStrike Falcon with Sophos Central, do as follows:
- In Sophos Central, go to Threat Analysis Center and click Integrations.
- Click CrowdStrike Falcon.
  If you've already set up integrations of this type, you see them here.
- Click Add.
  Note: If this is the first integration you've added, we'll ask for details about your internal domains and IPs. See My domains and IPs.
- In Integration steps, you configure an API to collect data from CrowdStrike Falcon.
  - Enter a name and a description for the integration.
  - Enter the Base URL you got from CrowdStrike Falcon.
  - Enter the following information you found in the CrowdStrike Falcon console.
    - Client ID
    - Client secret
  - Complete any other fields.
- Click Save.
We create the integration and it appears in your list.
If your integration shows as Connected, your data should appear in the Sophos Data Lake after validation.