CrowdStrike Identity integration
With a CrowdStrike Identity integration, you can receive advanced identity enrichment for Investigator detections. The integration extends existing CrowdStrike EDR capabilities by blending Identity Protection data with Investigator network detections. It correlates Corelight network activity with CrowdStrike’s user information, providing a comprehensive User History and Identity Alerts associated with the host.
With this integration, detection details include valuable identity context—such as recent user sign-ins, risk scores, and identity-related incidents—helping analysts assess threats and make informed decisions during triage.
Note
The Microsoft Entra ID integration also works on top of the CrowdStrike EDR integration, with or without Identity Protection enabled.
To configure the integration, you must have a CrowdStrike Falcon Identity Protection subscription. Your CrowdStrike OAuth2 API client requires read access to Identity Protection scopes in addition to the standard host permissions.
Prerequisites
You need the following prerequisites in order to use the CrowdStrike Identity integration:
Active Subscription: An active and configured CrowdStrike Falcon Identity Protection subscription. It must be connected to your Identity Provider (IdP) Entra ID directory so that CrowdStrike can correlate hosts with identities.
Access: Administrative access to the Falcon Console and/or a CrowdStrike API key.
CrowdStrike client setup
Your CrowdStrike API client must include the permissions required to access Identity Protection data. To generate the API key, use the following steps:
Navigate to .
Ensure that the following permissions are enabled:
Identity Protection GraphQL (Write)
Identity Protection Entities (Read)
Identity Protection Detections (Read & Write)
Identity Protection Timeline (Read)
Identity Protection Assessment (Read)
Incidents (Read)
User Management (Read)
Alerts (Read or Read & Write)
Assets (Read)
After creating the API client, securely store the Client ID and Client Secret.
Integrate CrowdStrike Identity with Investigator
From System Settings in the left navigation, choose Integrations.
In the Integrations tab, click the CrowdStrike card.
Click Configure.
Tip
If you have already configured CrowdStrike EDR, you can edit the existing connection to update your API credentials with the new required scopes.
Ensure your CrowdStrike API Client has the following Read permissions enabled in the Falcon Console: Identity Protection (or Identity Protection Entities), User Management, and Alerts.
Enter (or update) your Client ID and Client Secret Key. These values are available from the CrowdStrike Falcon Console.
Set the Polling Time for EDR services. For Identity Protection, the default polling interval is 1 hour.
Click Verify Connection to ensure Investigator can access your CrowdStrike Identity data.
Click Save.
Note
If validation fails, verify that the API client's scopes meet the requirements listed above.
CrowdStrike Identity and Identity Alert polling happens every hour regardless of the EDR Polling time configuration.
Viewing Identity data
With CrowdStrike Identity configured, the detection details page will display a User History section. This section provides a timeline of users associated with the entity, including:
User Principal Name (UPN) and Display Name.
CrowdStrike Risk Score.
Email Address.
CrowdStrike Identity Alerts.
Note
Investigator alerts do not affect the Identity Risk Score. The score is independent of Investigator and is maintained solely by CrowdStrike.
Managing the integration
To Pause: Toggle the integration setting to Disabled.
To Remove: Click the Delete icon to disable the integration and delete connection details.