Skip to content
Find out how we support MDR.

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/central/customer/help/en-us/index.html?contextId=CrowdStrikeFalcon

CrowdStrike Falcon

API

You can integrate CrowdStrike Falcon with Sophos Central so that the service sends data to Sophos for analysis.

This integration is API-based.

The key steps are as follows:

  • Get details of your CrowdStrike Falcon service.
  • Add a new API client to CrowdStrike Falcon.
  • Configure an integration in Sophos Central.

Get details of CrowdStrike Falcon service

You'll need the following details:

  • The base URL for CrowdStrike Falcon.
  • Your CrowdStrike Falcon API client and key.
  • A Client ID and Client Secret that you generate in the CrowdStrike Falcon console.

Generate an application secret

To generate an application secret do as follows:

  1. Sign in to the CrowdStrike Falcon management console.
  2. Click Support and resources > API Clients and keys > Add new API client.
  3. In Add new API client enter a CLIENT NAME and DESCRIPTION.
  4. Select the Read API scope for Detections.

  5. Click ADD.

    You're shown the Client ID, Client Secret, and base URL for your new client. You must copy these to use later in Sophos Central.

    Note

    The Client Secret is only shown once. Make sure you keep it somewhere safe.

  6. Click DONE.

Configure an integration

To integrate CrowdStrike Falcon with Sophos Central, do as follows:

  1. In Sophos Central, go to Threat Analysis Center > Integrations > Marketplace.

  2. Click CrowdStrike Falcon.

    The CrowdStrike Falcon page opens. You can configure integrations here and see a list of any you've already configured.

  3. In Data Ingest (Security Alerts), click Add Configuration.

    Note

    If this is the first integration you've added, we'll ask for details about your internal domains and IPs. See My domains and IPs.

  4. In Integration steps, you configure an API to collect data from CrowdStrike Falcon.

    1. Enter a name and a description for the integration.
    2. Enter the Base URL you got from CrowdStrike Falcon.

    3. Enter the following information you found in the CrowdStrike Falcon console.

      • Client ID
      • Client secret

  5. Complete any other fields.

  6. Click Save.

We create the integration and it appears in your list. If its status icon shows a green tick, your data should appear in the Sophos Data Lake after validation.