You can integrate CrowdStrike Falcon with Sophos Central so that the service sends data to Sophos for analysis.
This integration is API-based.
The key steps are as follows:
- Get details of your CrowdStrike Falcon service.
- Add a new API client to CrowdStrike Falcon.
- Configure an integration in Sophos Central.
Get details of CrowdStrike Falcon service
You'll need the following details:
- The base URL for CrowdStrike Falcon.
- Your CrowdStrike Falcon API client and key.
- A Client ID and Client Secret that you generate in the CrowdStrike Falcon console.
Generate an application secret
To generate an application secret, do as follows:
- Sign in to the CrowdStrike Falcon management console.
- Click Support and resources > API Clients and keys > Add new API client.
- In Add new API client, enter a CLIENT NAME and DESCRIPTION.
- Select the Read API scope for Detections.
You're shown the Client ID, Client Secret, and base URL for your new client. You must copy these to use later in Sophos Central.
The Client Secret is only shown once. Make sure you keep it somewhere safe.
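The following is an added example, not part of the Sophos or CrowdStrike documentation: a Python preflight that confirms the Client ID and Client Secret are accepted at the base URL before you enter them in Sophos Central. It assumes the Falcon OAuth2 token endpoint `/oauth2/token`; the function names and the `FALCON_*` environment variable names are made up for this example. A successful result confirms only that the pair is accepted, not that the Detections read scope is set.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request


def normalize_base_url(raw):
    """Return the base URL as https://host, rejecting anything unsafe to send a secret to."""
    parts = urllib.parse.urlsplit(raw.strip())
    if parts.scheme != "https":
        raise ValueError("base URL must use https")
    if not parts.hostname or parts.username or parts.password:
        raise ValueError("base URL must be a bare host with no embedded credentials")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("base URL must not carry a path, query or fragment")
    return "https://" + parts.netloc.lower()


def build_token_request(base_url, client_id, client_secret):
    """Build the OAuth2 client-credentials request (POST <base>/oauth2/token, assumed)."""
    if not client_id.strip() or not client_secret.strip():
        raise ValueError("Client ID and Client Secret are both required")
    body = urllib.parse.urlencode(
        {"client_id": client_id.strip(), "client_secret": client_secret.strip()}
    ).encode()
    return urllib.request.Request(
        normalize_base_url(base_url) + "/oauth2/token",
        data=body,
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"},
    )


def check_credentials(base_url, client_id, client_secret, timeout=15):
    """Return True if a token is issued for this client; the secret is never printed."""
    req = build_token_request(base_url, client_id, client_secret)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return bool(json.load(resp).get("access_token"))
    except urllib.error.HTTPError:
        return False  # rejected pair or wrong cloud for this client


if __name__ == "__main__":
    # Hypothetical variable names; reading from the environment keeps the
    # secret out of command-line arguments and shell history.
    ok = check_credentials(os.environ["FALCON_BASE_URL"],
                           os.environ["FALCON_CLIENT_ID"],
                           os.environ["FALCON_CLIENT_SECRET"])
    print("credentials accepted" if ok else "credentials rejected")
```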
Configure an integration
To integrate CrowdStrike Falcon with Sophos Central, do as follows:
- In Sophos Central, go to Threat Analysis Center > Integrations > Marketplace.
- Click CrowdStrike Falcon.
  The CrowdStrike Falcon page opens. You can configure integrations here and see a list of any you've already configured.
- In Data Ingest (Security Alerts), click Add Configuration.
  If this is the first integration you've added, we'll ask for details about your internal domains and IPs. See My domains and IPs.
- In Integration steps, you configure an API to collect data from CrowdStrike Falcon.
  - Enter a name and a description for the integration.
  - Enter the Base URL you got from CrowdStrike Falcon.
  - Enter the following information you found in the CrowdStrike Falcon console.
    - Client ID
    - Client secret
  - Complete any other fields.
We create the integration and it appears in your list. If its status icon shows a green tick, your data should appear in the Sophos Data Lake after validation.