CrowdStrike
The Files.com integration with CrowdStrike Next-Gen SIEM sends Files.com audit and activity logs directly into your CrowdStrike environment. You choose which log types are forwarded.
Logs are sent in JSON format over HTTP using CrowdStrike's HEC-compatible ingestion endpoint. Once ingested, Files.com logs appear alongside native Falcon telemetry in CrowdStrike Next-Gen SIEM, where they become searchable and available for correlation with endpoint activity, identity events, and threat intelligence. Security teams can use the combined data to detect suspicious file access patterns, investigate incidents that span file transfers and endpoint behavior, and build detection rules or dashboards that include Files.com activity.
Getting Started with CrowdStrike Integration
Before configuring Files.com, you need two things from the CrowdStrike Falcon console: your HEC ingestion endpoint URL and an API key (token). Both come from the same connector setup flow.
In the Falcon console, go to Next-Gen SIEM > Data ingestion > Data connectors, select Add data connector, and choose the HEC / HTTP Event Data Connector. Click Configure, fill in the connector name and optional description, and save.
After saving, CrowdStrike displays the connector's HEC endpoint URL and API key. The HEC endpoint URL is what you enter as the Destination URL in Files.com. The API key is what you enter as the CrowdStrike Token. Copy the API key at this point, as it is shown only once; you can view the endpoint URL later on the connector's detail page.
See CrowdStrike's data ingestion documentation for details.
Configuring Files.com for CrowdStrike Integration
When configuring the CrowdStrike integration in Files.com, provide a Name for the integration for your records. Enter the HEC endpoint URL from your Falcon console connector as the Destination URL. Enter the API key generated during connector setup as the CrowdStrike Token.
Additional headers are needed when your environment requires proxy authentication, custom routing, or other HTTP-level configuration beyond the standard token authentication. Configure them by entering each Header Name and Header Value in the Key and Value fields.
Verifying the Integration
After saving, confirm that logs are reaching CrowdStrike by going to Next-Gen SIEM > Data ingestion > Data connectors and checking that the connector status shows Active. You can also verify ingestion by selecting Show events on the connector or searching in Advanced Event Search using the connector's associated tag.
Choosing Log Types to Forward to CrowdStrike
You can select which types of logs are forwarded to each CrowdStrike instance. By default, all log types are enabled, and you can customize the log types collected for different instances. See the Log Types section for the available options.
Troubleshooting
If logs are not being forwarded or received in CrowdStrike, verify that your HEC endpoint URL and API key are accurate and correctly configured in Files.com as the Destination URL and CrowdStrike Token.
If the problem continues, check for network connectivity problems or firewall rules blocking communication between Files.com and your CrowdStrike environment. Check SIEM events under External Logs to help identify problems in the log forwarding process. If the problem persists, refer to CrowdStrike's Next-Gen SIEM documentation.
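To run the first troubleshooting check independently of Files.com, the added example below (not Files.com or CrowdStrike code) validates the Destination URL and CrowdStrike Token for copy/paste damage and then posts one test event in HEC form. The bearer authorization scheme, the sample record, and the function names are assumptions; confirm the header format against your connector's documentation.

```python
import json
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Constructed sample record; not the Files.com log schema.
SAMPLE_RECORD = {"source": "hec-connectivity-test", "message": "manual test event"}


def check_settings(destination_url, token):
    """Return problems with the two values as they would be pasted into Files.com."""
    problems = []
    if destination_url != destination_url.strip():
        problems.append("Destination URL has leading or trailing whitespace")
    parts = urlsplit(destination_url.strip())
    if parts.scheme != "https":
        problems.append("Destination URL does not use https")
    if not parts.hostname:
        problems.append("Destination URL has no host")
    if not token:
        problems.append("CrowdStrike Token is empty")
    elif any(ch.isspace() for ch in token):
        problems.append("CrowdStrike Token contains whitespace (copy/paste damage)")
    return problems


def build_request(destination_url, token, record):
    """Build the HEC-style POST: the record travels under the "event" key."""
    body = json.dumps({"event": record}).encode("utf-8")
    headers = {
        # Assumption: bearer scheme; confirm against the connector documentation.
        "Authorization": "Bearer " + token,
        "Content-Type": "application/json",
    }
    return urllib.request.Request(destination_url, data=body, headers=headers, method="POST")


def send_test_event(destination_url, token, record=SAMPLE_RECORD, timeout=10):
    """Return (outcome, details); nothing is sent if the settings look damaged."""
    problems = check_settings(destination_url, token)
    if problems:
        return "not sent", problems
    try:
        with urllib.request.urlopen(build_request(destination_url, token, record), timeout=timeout) as resp:
            return resp.status, []
    except urllib.error.HTTPError as err:  # endpoint reachable, request rejected
        return err.code, ["request rejected; re-check the URL path and the token"]
    except OSError as err:  # DNS, TLS, firewall, or timeout
        return "unreachable", [str(err)]
```

Call `send_test_event(url, token)` with the values from the connector; an "unreachable" outcome points to the network or firewall causes described above, while an HTTP error code points to the URL or key.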