Skip to main content

CrowdStrike

Updated

Step-by-step guide to integrate Qevlar AI with CrowdStrike Falcon EDR using OAuth2 API credentials.

Connect CrowdStrike Falcon to Qevlar AI to stream endpoint telemetry and detections directly into your investigations workspace.

info

You will create one CrowdStrike API client and reuse the same credentials for both the Data Source (raw events) and Alert Source (detections) connectors.

Prerequisites

  • CrowdStrike Falcon role that can Create API clients and keys
  • Qevlar AI tenant Admin permissions
  • Outbound HTTPS access from Qevlar AI to https://api.crowdstrike.com (or the regional URL returned in your credentials)

1. Create an API client in CrowdStrike Falcon

  1. In the Falcon console open ☰ Support and resources -> API clients and keys.
CrowdStrike - open API clients menu
  1. Click Create API client.
CrowdStrike - create API client button

  1. Complete the form:

    FieldValue
    Client nameQevlar AI
    DescriptionQevlar AI integration key
    ScopesPermissions
    AlertsREAD
    HostsREAD
    ThreatgraphREAD
CrowdStrike - API client form
  1. Select Create.

  2. Copy the Client IDSecret and Base URL shown once.

    CrowdStrike - copy credentials
    warning

    Store the secret in a password-manager, it cannot be retrieved later.

  3. Confirm the new client appears in the list.
CrowdStrike - API client created

2. Add CrowdStrike as a Data Source in Qevlar AI

  1. In Qevlar AI open Integrations.
Qevlar AI - integrations view
  1. Locate CrowdStrike and click +.
  2. In the dialog paste the Client IDSecret, and Base URL you copied earlier.
Qevlar AI - credential modal
  1. Choose the datasets you wish to ingest.
  2. Click Save, Qevlar AI validates the key and starts the first sync.

Related articles