CrowdStrike Falcon Integration

CrowdStrike Falcon integrates with Parapet Security through the Falcon Event Streams API (Streaming API) or Falcon LogScale. This guide covers both methods.

Prerequisites

  • CrowdStrike Falcon subscription
  • API credentials with appropriate scopes
  • Your Parapet Security webhook URL and token

Integration Methods

Method                          Best For                        Complexity
Streaming API (SIEM Connector)  Real-time detection forwarding  Medium
Falcon LogScale                 Centralized log forwarding      Easy
CrowdStrike Store App           Marketplace integration         Easy (coming soon)

Method 1: SIEM Connector (Streaming API)

Step 1: Create API Credentials

  1. Log in to the Falcon Console
  2. Go to Support → API Clients and Keys
  3. Click Add new API client
  4. Configure the client:

     Field        Value
     Client name  Parapet Security
     Description  SIEM integration for alert triage
     API scopes   Event streams: Read

     Grant only this scope. The connector needs nothing else, so a leaked secret can at worst read the event stream, not act on hosts.
  5. Save the Client ID and Secret. The secret is displayed once, at creation. Note the API base URL shown with it: that is your cloud (us-1, us-2 or eu-1), which the connector configuration below has to match.

Step 2: Get Your Parapet Credentials

  1. Log in to app.parapetsecurity.com
  2. Go to Settings → Service Tokens
  3. Click Generate New Token
  4. Save both:
    • Webhook URL: https://webhook-{region}.parapetsecurity.com/webhook/{tenant-id}
    • Service Token: pst_... (shown only once; store it in your secrets manager, since it is the only credential protecting the webhook)

Step 3: Deploy SIEM Connector

CrowdStrike provides a SIEM Connector that forwards events to webhooks.

Option A: Docker Deployment

docker run -d \
  --name falcon-siem-connector \
  --restart unless-stopped \
  -e FALCON_CLIENT_ID=YOUR_CLIENT_ID \
  -e FALCON_CLIENT_SECRET=YOUR_CLIENT_SECRET \
  -e OUTPUT_TYPE=webhook \
  -e WEBHOOK_URL=https://webhook-us.parapetsecurity.com/webhook/YOUR-TENANT-ID \
  -e WEBHOOK_TOKEN=pst_YOUR_TOKEN \
  crowdstrike/falcon-siem-connector:latest

Two production notes on this command. First, replace the latest tag with a specific version tag or image digest, so that a routine pull cannot silently change what runs with your Falcon credentials. Second, passing the client secret and service token as -e arguments records them in shell history; prefer --env-file pointing at a file readable only by the deploying user, or inject them from your secrets manager. Either way the values remain visible to anyone who can run docker inspect on the host, so treat host access as equivalent to holding the credentials. The webhook-us host is an example; use the webhook-{region} host issued with your tenant.

Option B: Direct Script

Download and configure the SIEM Connector. Before running a binary fetched from a release page, confirm the asset name on the releases page matches the one below and verify the download against the checksum or signature published with that release:

# Download connector
curl -O https://github.com/CrowdStrike/falcon-integration-gateway/releases/latest/download/fig_linux_amd64

# Make executable
chmod +x fig_linux_amd64

# Create config file (it holds secrets, so restrict it to the connector's user)
cat > config.ini << EOF
[CrowdStrike]
client_id = YOUR_CLIENT_ID
client_secret = YOUR_CLIENT_SECRET
cloud = us-1

[Webhook]
url = https://webhook-us.parapetsecurity.com/webhook/YOUR-TENANT-ID
authorization = Bearer pst_YOUR_TOKEN

[Filter]
severity_threshold = 3
detection_types = all
EOF
chmod 600 config.ini

# Run connector
./fig_linux_amd64 -config config.ini

Set cloud to the region reported for your API client in Step 1 (us-1, us-2 or eu-1). A mismatch shows up as authentication errors, covered under Troubleshooting below.

Step 4: Configure Event Filtering

Filter which detections are forwarded:

[Filter]
# Minimum severity (1-5, where 5 is Critical)
severity_threshold = 3

# Detection types to include
detection_types = all
# Or specific types: detection_types = malware,exploit,ransomware

# Exclude specific detection names (regex)
exclude_patterns = Test.*,Benign.*

Method 2: Falcon LogScale (Humio)

If you're using Falcon LogScale:

Step 1: Create a Webhook Action

  1. Go to Settings → Actions
  2. Click New Action → Webhook
  3. Configure:

     Field         Value
     Name          Parapet Security
     Endpoint URL  https://webhook-us.parapetsecurity.com/webhook/YOUR-TENANT-ID
     HTTP Method   POST

  4. Add header:
    • Name: Authorization
    • Value: Bearer pst_YOUR_TOKEN

Step 2: Create an Alert

  1. Go to Alerts → New Alert
  2. Create a query for detections (the field name is Severity, the same field the payload template in Step 3 references):

#event_simpleName=DetectionSummaryEvent
| Severity >= 3

  3. Attach the Parapet Security webhook action
  4. Set trigger conditions (e.g., "on every event")

Step 3: Configure Payload Template

{
  "source": "crowdstrike",
  "timestamp": "{@timestamp}",
  "detection": {
    "id": "{DetectId}",
    "name": "{DetectName}",
    "description": "{DetectDescription}",
    "severity": {Severity},
    "severity_name": "{SeverityName}"
  },
  "host": {
    "name": "{ComputerName}",
    "platform": "{Platform}",
    "os_version": "{OSVersion}",
    "agent_id": "{AgentIdString}"
  },
  "user": {
    "name": "{UserName}",
    "domain": "{UserDomain}"
  },
  "tactic": "{Tactic}",
  "technique": "{Technique}",
  "ioc": {
    "type": "{IOCType}",
    "value": "{IOCValue}"
  },
  "file": {
    "name": "{FileName}",
    "path": "{FilePath}",
    "sha256": "{SHA256String}"
  },
  "command_line": "{CommandLine}"
}

Severity is the one placeholder left unquoted so that it arrives as the integer shown in the sample payload below and feeds the severity mapping; every other field is a string and stays quoted. The template has to yield valid JSON even when an event lacks a field, so fire the action against a real detection once before relying on it.

Method 3: CrowdStrike Store App

Coming Soon

A dedicated Parapet Security app for the CrowdStrike Store is in development. For now, use the SIEM Connector or LogScale methods above.

Sample Alert Payload

Here's what CrowdStrike sends to Parapet Security:

{
  "source": "crowdstrike",
  "timestamp": "2026-01-28T15:30:00.000Z",
  "detection": {
    "id": "ldt:abc123:456",
    "name": "ProcessHollowing",
    "description": "Process hollowing technique detected",
    "severity": 4,
    "severity_name": "High"
  },
  "host": {
    "name": "DESKTOP-ABC123",
    "platform": "Windows",
    "os_version": "Windows 10",
    "agent_id": "1234567890abcdef"
  },
  "user": {
    "name": "jsmith",
    "domain": "CORP"
  },
  "tactic": "Defense Evasion",
  "technique": "T1055.012",
  "file": {
    "name": "suspicious.exe",
    "path": "C:\\Users\\jsmith\\Downloads\\suspicious.exe",
    "sha256": "abc123..."
  },
  "command_line": "suspicious.exe --hidden"
}

Parapet Security's AI normalizes this to extract:

  • Severity: High (from severity 4)
  • Category: Endpoint/Evasion
  • MITRE ATT&CK: T1055.012 (Process Hollowing)
  • Host: DESKTOP-ABC123
  • User: CORP\jsmith
  • IOC: File hash, path, command line

Configuration Options

Severity Mapping

CrowdStrike severity maps to Parapet Security:

CrowdStrike    Value  Parapet Security
Informational  1      Low
Low            2      Low
Medium         3      Medium
High           4      High
Critical       5      Critical

Detection Filtering

Filter by detection type in your config:

[Filter]
# Include only specific types
detection_types = malware,exploit,ransomware,persistence

# Or exclude specific types
exclude_types = policy_violation,pup
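
To make the filter semantics and the severity mapping concrete, here is an added Python model of the [Filter] options from Step 4 and this section, applied to a few constructed DetectionSummaryEvents and producing the payload shape shown under Sample Alert Payload. It is an illustration written for this guide, not the connector's code: the option names are the ones in the config fragments above, the event field names are the DetectionSummaryEvent placeholders used in the LogScale template, and the DetectType attribute that detection_types and exclude_types are matched against is an assumption, since the guide does not say which event field carries the type.

```python
"""Added example modelling this guide's [Filter] options and severity mapping.
Not the connector's own code; the DetectType field is an assumption."""
import configparser
import re

# CrowdStrike Severity (1-5) -> Parapet severity, from the Severity Mapping table
PARAPET_SEVERITY = {1: "Low", 2: "Low", 3: "Medium", 4: "High", 5: "Critical"}


def parapet_severity(value):
    """Map a CrowdStrike severity integer to the Parapet level (unknown -> Low)."""
    return PARAPET_SEVERITY.get(int(value), "Low")


def load_filter(ini_text):
    """Parse a [Filter] section; missing keys take permissive defaults."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    sec = cp["Filter"] if cp.has_section("Filter") else {}

    def csv(key, lower=True):
        items = [x.strip() for x in sec.get(key, "").split(",") if x.strip()]
        return [x.lower() for x in items] if lower else items

    return {
        "severity_threshold": int(sec.get("severity_threshold", 1)),
        "detection_types": csv("detection_types") or ["all"],
        "exclude_types": csv("exclude_types"),
        # regexes apply from the start of DetectName, as the "Test.*" example implies
        "exclude_patterns": [re.compile(p) for p in csv("exclude_patterns", False)],
    }


def should_forward(event, flt):
    """Return (True, None) if the event passes every filter, else (False, reason)."""
    if int(event.get("Severity", 0)) < flt["severity_threshold"]:
        return False, "below severity_threshold"
    dtype = str(event.get("DetectType", "")).lower()  # assumed field, see lead-in
    if "all" not in flt["detection_types"] and dtype not in flt["detection_types"]:
        return False, "detection type not included"
    if dtype in flt["exclude_types"]:
        return False, "detection type excluded"
    for pat in flt["exclude_patterns"]:
        if pat.match(event.get("DetectName", "")):
            return False, "name matches exclude pattern " + pat.pattern
    return True, None


def to_parapet_payload(event):
    """Shape a DetectionSummaryEvent like the Sample Alert Payload in this guide."""
    sev = int(event["Severity"])
    return {
        "source": "crowdstrike",
        "timestamp": event.get("@timestamp"),
        "detection": {"id": event.get("DetectId"), "name": event.get("DetectName"),
                      "description": event.get("DetectDescription"),
                      "severity": sev,  # integer, as in the sample payload
                      "severity_name": event.get("SeverityName")},
        "host": {"name": event.get("ComputerName"), "agent_id": event.get("AgentIdString")},
        "tactic": event.get("Tactic"),
        "technique": event.get("Technique"),
        "file": {"name": event.get("FileName"), "path": event.get("FilePath"),
                 "sha256": event.get("SHA256String")},
        "command_line": event.get("CommandLine"),
    }


SAMPLE_CONFIG = """[Filter]
severity_threshold = 3
detection_types = all
exclude_patterns = Test.*,Benign.*
"""

# Constructed events, not real telemetry
SAMPLE_EVENTS = [
    {"@timestamp": "2026-01-28T15:30:00.000Z", "DetectId": "ldt:aaa:1",
     "DetectName": "ProcessHollowing", "Severity": 4, "SeverityName": "High",
     "ComputerName": "DESKTOP-ABC123", "Technique": "T1055.012",
     "CommandLine": "suspicious.exe --hidden"},
    {"DetectId": "ldt:aaa:2", "DetectName": "TestDetection", "Severity": 5,
     "SeverityName": "Critical", "ComputerName": "LAB-01"},
    {"DetectId": "ldt:aaa:3", "DetectName": "SuspiciousScript", "Severity": 2,
     "SeverityName": "Low", "ComputerName": "DESKTOP-XYZ789"},
]


def run_example(ini_text=SAMPLE_CONFIG, events=SAMPLE_EVENTS):
    """Apply the filter; return (forwarded payloads, {DetectId: drop reason})."""
    flt = load_filter(ini_text)
    forwarded, dropped = [], {}
    for ev in events:
        ok, reason = should_forward(ev, flt)
        if ok:
            forwarded.append(to_parapet_payload(ev))
        else:
            dropped[ev["DetectId"]] = reason
    return forwarded, dropped


if __name__ == "__main__":
    sent, skipped = run_example()
    print([(p["detection"]["id"], parapet_severity(p["detection"]["severity"])) for p in sent])
    print("dropped:", skipped)
```

With the sample config only the ProcessHollowing event is forwarded: the Critical TestDetection is dropped by the Test.* exclude pattern (an exclusion wins regardless of severity), and the Low-severity script detection falls under the threshold. Run the same function with your own [Filter] text to see what a proposed change would drop before you deploy it.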

Real-Time vs. Batch

Mode           Latency  Best For
Real-time      Seconds  Critical detections
Batch (5 min)  Minutes  High-volume environments

Troubleshooting

No Events Received

  1. Verify API credentials. The base URL must match your cloud: api.crowdstrike.com for us-1, api.us-2.crowdstrike.com for us-2, api.eu-1.crowdstrike.com for eu-1. A successful response contains an access_token:

     curl -X POST "https://api.crowdstrike.com/oauth2/token" \
       -d "client_id=YOUR_ID&client_secret=YOUR_SECRET"

     If this succeeds but the connector still receives nothing, the credentials are fine and the problem is scope or stream access.

  2. Check connector logs:

     docker logs falcon-siem-connector

  3. Verify event stream access: Ensure API client has "Event streams: Read" scope
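
A further check that separates a connector problem from a delivery problem: point the connector at a receiver you control and see whether anything arrives. The script below is an added Python example written for this guide, not Parapet's receiver and not part of the connector. It stands in for the webhook on your own machine: run it, set the connector's webhook URL to http://127.0.0.1:8080/webhook/test with the throwaway token pst_localtest (a constructed value, override it with PARAPET_TEST_TOKEN), and it logs each detection it receives. It rejects requests whose Authorization header is not exactly the expected Bearer token, which also confirms the connector is sending the header the way this guide configures it.

```python
"""Added example: a local stand-in for the Parapet webhook, used to check that
the connector emits events and sends the bearer token. Not Parapet's receiver."""
import hmac
import json
import os
from http.server import BaseHTTPRequestHandler, HTTPServer

# Throwaway token for the local test (constructed); override via environment
EXPECTED_TOKEN = os.environ.get("PARAPET_TEST_TOKEN", "pst_localtest")


def check_bearer(auth_header, expected=EXPECTED_TOKEN):
    """True only for 'Authorization: Bearer <expected>'; constant-time compare."""
    if not auth_header:
        return False
    scheme, _, token = auth_header.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return False
    return hmac.compare_digest(token.strip().encode(), expected.encode())


def summarize(body):
    """Return the fields an analyst checks first, or None if body is not a JSON object."""
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    if not isinstance(doc, dict):
        return None
    det = doc.get("detection") or {}
    host = doc.get("host") or {}
    return {"id": det.get("id"), "name": det.get("name"), "severity": det.get("severity"),
            "host": host.get("name"), "technique": doc.get("technique")}


class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        if not check_bearer(self.headers.get("Authorization")):
            self.send_error(401, "missing or invalid bearer token")
            return
        body = self.rfile.read(int(self.headers.get("Content-Length") or 0))
        summary = summarize(body)
        if summary is None:
            self.send_error(400, "body is not a JSON object")
            return
        print("received", self.path, json.dumps(summary))
        self.send_response(200)
        self.end_headers()


if __name__ == "__main__":
    # Point the connector at http://127.0.0.1:8080/webhook/test with token pst_localtest
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

If detections show up here but not in Parapet, the connector and its Falcon credentials are working and the fault is on the delivery side (URL, region host, token, or egress filtering). If nothing arrives here either, go back to the credential and scope checks above. This listener is plain HTTP on loopback for a local test only; the real endpoint is HTTPS.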

Missing Detections

  1. Check severity threshold: Lower severity_threshold to capture more events

  2. Verify detection types: Set detection_types = all to confirm events flow

  3. Check Falcon console: Verify detections exist in Falcon → Activity → Detections

Authentication Errors

If you see 401 or 403 errors:

  1. Regenerate API credentials in Falcon Console
  2. Verify correct cloud URL (us-1, us-2, eu-1). A 401 means the credentials themselves were rejected; a 403 usually means they authenticated but the client lacks the "Event streams: Read" scope or is being used against the wrong cloud
  3. Check the API client still exists and its secret has not been reset or expired

Security Considerations

  • Credential storage: Use secrets management (Vault, AWS Secrets Manager) for both the Falcon client secret and the Parapet service token; neither belongs in shell history, container images or world-readable config files
  • Least privilege: The API client needs only "Event streams: Read"; do not reuse a client that carries other scopes
  • Token handling: The Parapet service token is a bearer credential sent on every webhook request, so anyone holding it can post alerts into your tenant; if it is exposed, generate a replacement from Settings → Service Tokens and retire the old one
  • Network security: Ensure connector can reach both CrowdStrike API and Parapet Security over HTTPS; do not disable certificate verification to work around an intercepting proxy
  • Rate limiting: CrowdStrike has API rate limits; connector handles this automatically, but repeated HTTP 429 responses in the connector logs are worth investigating, since another client sharing the same credentials is a common cause

Next Steps