CrowdStrike SIEM Cases

Overview

Configuring a cloud source in Scope is a two-step process.

  • Generating CrowdStrike client credentials in the CrowdStrike Portal. Please refer to Section 1 – CrowdStrike SIEM Cases Setup

  • Setting up the CrowdStrike SIEM Cases cloud source in the Scope application. Please refer to Section 2 – Scope Setup

CrowdStrike SIEM Cases Setup

To get started, you’ll need to generate the following client credentials in the CrowdStrike portal –

  1. Client ID
  2. Client Secret
  3. Base URL

Step 1: Generate Client Credentials and Base URL

  • Sign in to the CrowdStrike instance.

  • Navigate to Support -> API Clients and Keys menu.

  • Click on Add new API Client.

  • Enter the Client Name and Description.

  • Ensure Read access is enabled for Cases & Case Templates.

  • Click the Add button.

  • The system displays the connection details – URL (Base URL), Client ID, and Client Secret. Copy all connection details and store them securely.

    Note: The Client Secret will only be visible while this window is open. Ensure you copy and save this token securely before closing the window.

The generated Client ID, Client Secret, and Base URL are to be configured in Scope Setup: Step 1 for initiating the CrowdStrike SIEM Cases log ingestion.

Scope Setup

Step 1: CrowdStrike SIEM Cases Cloud Source Registration in the Scope Application

Once the credentials are generated, they must be configured in the Scope application to establish the connection and enable data ingestion from the CrowdStrike environment.

In the Scope application, to register a CrowdStrike SIEM Cases cloud source, navigate to the cloud source registration page –

  • Log into the Scope application

  • Select the required organization

  • Navigate to the Side menu -> Administration

  • Navigate to the Cloud sources tab

  • Click on the +Add Source button

  • In the Create New Source pop-up, provide the parameters below.

    • Source: Select the “CrowdStrike SIEM Cases” source from the Source dropdown.

    • Site: The user defined name for the CrowdStrike SIEM Cases cloud source.

    • Base URL: The Base URL of the respective customer’s account generated in Step 1.

    • Client ID: The Client ID generated in Step 1.

    • Client Secret: The Client Secret generated in Step 1.

    • Contact Email: The email address of the person who registers the CrowdStrike SIEM Cases cloud source in Scope.

    • Category: Select the log types from the dropdown. By default, all supported log types are selected. Based on the selection of the log type, the APIs will request the CrowdStrike API service, and the respective types of logs will be ingested.

Once the required connection parameters are entered, the CrowdStrike SIEM Cases cloud source registration is complete in Scope and is ready for ingestion of CrowdStrike SIEM Cases logs.