
CrowdStrike connector

Elastic Stack | Serverless Observability | Serverless Security

The CrowdStrike connector communicates with the CrowdStrike Management Console through its REST API.

To use this connector, you must have authority to run Endpoint Security connectors, which is an Actions and Connectors sub-feature privilege. Refer to Kibana privileges.

You can create connectors in Stack Management > Connectors. For example:

(Screenshot: CrowdStrike connector)

CrowdStrike connectors have the following configuration properties:

CrowdStrike API URL
The CrowdStrike tenant URL. If you are using the xpack.actions.allowedHosts setting, make sure the hostname is added to the allowed hosts.
CrowdStrike client ID
The CrowdStrike API client identifier.
Client secret
The CrowdStrike API client secret to authenticate the client ID.
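
The following pre-flight check for the CrowdStrike API URL against xpack.actions.allowedHosts is an added example, not part of the original page or of Kibana's code. It assumes entries are matched as exact hostnames, with "*" meaning any host; the function name and the api.crowdstrike.example hostname are constructed for illustration.

```javascript
'use strict';

// Hypothetical helper: checks a connector URL against an allowedHosts list.
// Assumption: entries match the URL's hostname exactly, "*" allows any host.
function checkConnectorUrl(apiUrl, allowedHosts) {
  const findings = [];
  let url;
  try {
    url = new URL(apiUrl);
  } catch (err) {
    return { hostname: null, allowed: false, findings: ['API URL is not a valid absolute URL'] };
  }
  // The client ID and secret travel to this URL, so plain HTTP is flagged.
  if (url.protocol !== 'https:') {
    findings.push('API URL is not HTTPS; credentials would cross the network unencrypted');
  }
  // An entry with a scheme, port or path is a URL, not a hostname, and never matches.
  for (const entry of allowedHosts) {
    if (entry !== '*' && /[:/]/.test(entry)) {
      findings.push(`allowedHosts entry "${entry}" is not a bare hostname`);
    }
  }
  const host = url.hostname; // already lower-cased by the URL parser
  const wildcard = allowedHosts.includes('*');
  const exact = allowedHosts.includes(host);
  if (wildcard) {
    findings.push('allowedHosts contains "*": connectors may reach any host');
  } else if (!exact) {
    findings.push(`hostname "${host}" is missing from allowedHosts`);
  }
  return { hostname: host, allowed: wildcard || exact, findings };
}

// Constructed sample inputs: [API URL, allowedHosts list].
const samples = [
  ['https://api.crowdstrike.example', ['api.crowdstrike.example']],
  ['https://api.crowdstrike.example', ['https://api.crowdstrike.example']],
  ['https://api.crowdstrike.example', ['*']],
  ['http://api.crowdstrike.example', ['api.crowdstrike.example']],
];
for (const [apiUrl, hosts] of samples) {
  console.log(apiUrl, JSON.stringify(hosts), JSON.stringify(checkConnectorUrl(apiUrl, hosts)));
}
```
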

You can test connectors as you’re creating or editing the connector in Kibana. For example:

(Screenshot: CrowdStrike connector test)

The CrowdStrike action has the following configuration properties:

Agent IDs

Get details about one or more CrowdStrike agent IDs.