This guide walks you through creating a CrowdStrike OAuth client and gathering the configuration needed to create a CrowdStrike NextGen SIEM integration.

Create a CrowdStrike OAuth Client

1. Log in to the console

Log in to your CrowdStrike Console instance with administrative privileges. Without administrative privileges you will not have access to create the client.

2. Create the client

Open the main menu and navigate to Support and resources > Resources and tools > API clients and keys. Click the 'Create API client' button.

In the modal that pops up, give the client a name and select the following scopes:

  • NGSIEM
    • Read
    • Write

After selecting the scopes, click the Create button. The modal will present you with your new Client ID, Client Secret and Base URL. Copy these values down to a safe location.

The SIEM client needs both the Read and Write scopes. The Write scope is required to create a search query, and the Read scope is required to read the query results. Note: if you need to adjust the scopes later, you can click the three dots to the right of the client listing on the main API clients and keys page.

Configure the Integration

Create your integration by supplying all of the required values.

URL

This is the Base URL of your Falcon instance gathered in step 2.

ClientId

This is the Client ID gathered in step 2.

ClientSecret

This is the Client Secret gathered in step 2.

Note: The token_url should not be set when configuring the integration.
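
A preflight check for the three values before they go into the integration, as an added example (not CrowdStrike's or the integration's own code): it flags the mistakes this guide warns about and builds the OAuth2 client-credentials request to the Falcon API's /oauth2/token endpoint under the Base URL. The dict layout, the function names and the sample values are assumptions made for illustration.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

def check_config(cfg):
    """Return a list of problems with the integration values (empty list = OK)."""
    problems = []
    url = urllib.parse.urlsplit(cfg.get("URL", "").strip())
    if url.scheme != "https" or not url.hostname:
        problems.append("URL must be the https Base URL shown when the client was created")
    if url.path not in ("", "/") or url.query or url.username:
        problems.append("URL must be the bare Base URL: no path, query string or credentials")
    for key in ("ClientId", "ClientSecret"):
        value = cfg.get(key, "")
        if not value or any(c.isspace() for c in value):
            problems.append(f"{key} is empty or contains whitespace (copy/paste error?)")
    if cfg.get("token_url"):
        problems.append("token_url must not be set for this integration")
    return problems

def build_token_request(cfg):
    """Build (without sending) the OAuth2 client-credentials request for these values."""
    problems = check_config(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    body = urllib.parse.urlencode(
        {"client_id": cfg["ClientId"], "client_secret": cfg["ClientSecret"]}
    ).encode()
    return urllib.request.Request(
        cfg["URL"].strip().rstrip("/") + "/oauth2/token",
        data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"},
        method="POST",
    )

def credentials_work(cfg, timeout=10):
    """Send the request; True if an access token comes back (needs network access)."""
    try:
        with urllib.request.urlopen(build_token_request(cfg), timeout=timeout) as resp:
            return "access_token" in json.load(resp)
    except urllib.error.HTTPError:  # e.g. rejected Client ID / Client Secret
        return False

# Constructed sample values, not real credentials; load real ones from a secret store.
SAMPLE = {"URL": "https://api.example.invalid",
          "ClientId": "0123456789abcdef0123456789abcdef",
          "ClientSecret": "constructed-sample-secret"}
```

credentials_work only confirms that the Client ID and Client Secret are accepted; it does not confirm that the NGSIEM Read and Write scopes were selected.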