CrowdStrike
Overview
Integrate your Incident Register with CrowdStrike Falcon. This integration allows organizations to import alerts from NGSiem, CWPP, and EPP as Incidents. All records are created in the Incident module, with the Opened By field set to “CrowdStrike Integration”.
The integration can be enabled directly from your Adversarial tenant via Settings > Integrations. The necessary details to connect your CrowdStrike environment are the API Client ID and Client Secret, which must have read permissions for alerts and incidents.
Data Flow
Real-time updates with an asynchronous data flow: this process creates incident records in Adversarial automatically from the CrowdStrike platform.
Adversarial only ingests information; data flows one way, from CrowdStrike to Adversarial. When a new record is created in CrowdStrike, it syncs to Adversarial, and any subsequent updates in CrowdStrike are reflected in the associated Adversarial Incident record.
Status Mapping
CrowdStrike alert statuses are mapped to Adversarial incident statuses:
| CrowdStrike Status | Adversarial Status |
|---|---|
| new | New |
| in_progress / assigned | In Progress |
| closed | Closed |
| (unrecognized) | New |
Severity Mapping
CrowdStrike alert severity maps to Adversarial incident severity:
| CrowdStrike Severity | Adversarial Severity |
|---|---|
| Critical | SEV-1 |
| High | SEV-2 |
| Medium | SEV-3 |
| Low | SEV-4 |
| Informational | SEV-5 |
Fields
| CrowdStrike Field | Adversarial Field | Notes |
|---|---|---|
| name | Title | |
| description | Description | Enriched with product context and MITRE info during aggregation |
| created_date | Created Date | |
| created_date | Detected Date | |
| timestamp | Occurred Date | Falls back to created_date if missing |
| seconds_to_triaged | Responded Date | Computed as created_date + seconds_to_triaged |
| seconds_to_resolved | Contained Date | Computed as created_date + seconds_to_resolved |
| (static) | Source | Always “EDR” |
Sync Behavior
On subsequent syncs, only the following fields are updated on existing incidents: severity, detected date, occurred date, responded date, and contained date. Title, description, and status are not overwritten, so aggregated data (such as the enriched description) is not clobbered by a later sync.
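The status, severity, and field mappings above, together with the sync rule, can be expressed as a small transformation. The following is an added illustration, not Adversarial's or CrowdStrike's own integration code: it assumes a CrowdStrike alert arrives as a flat dict whose keys are the field names listed in the Fields table (`name`, `description`, `status`, `severity`, `created_date`, `timestamp`, `seconds_to_triaged`, `seconds_to_resolved`), with timestamps as ISO-8601 strings. The sample alert is constructed for the example. The page defines no fallback for an unrecognized severity, so that case is left unset here as an assumption.

```python
from datetime import datetime, timedelta

# Status mapping from the Status Mapping table; anything unrecognized becomes "New".
STATUS_MAP = {
    "new": "New",
    "in_progress": "In Progress",
    "assigned": "In Progress",
    "closed": "Closed",
}

# Severity mapping from the Severity Mapping table (matched case-insensitively).
SEVERITY_MAP = {
    "critical": "SEV-1",
    "high": "SEV-2",
    "medium": "SEV-3",
    "low": "SEV-4",
    "informational": "SEV-5",
}

# The only fields the Sync Behavior section allows a later sync to overwrite.
SYNC_UPDATABLE = {
    "severity", "detected_date", "occurred_date", "responded_date", "contained_date",
}


def map_status(cs_status):
    """CrowdStrike status -> Adversarial status, defaulting to "New" as the page states."""
    return STATUS_MAP.get((cs_status or "").lower(), "New")


def map_severity(cs_severity):
    """CrowdStrike severity -> Adversarial SEV level. Unknown values return None (assumption:
    the page defines no fallback for severity, so the field is simply left unset)."""
    return SEVERITY_MAP.get((cs_severity or "").lower())


def _parse_ts(value):
    """Parse an ISO-8601 timestamp; a trailing 'Z' is normalised so older Pythons accept it."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _offset(base, seconds):
    """base + seconds, or None when either part is missing (e.g. alert not yet triaged)."""
    if base is None or seconds is None:
        return None
    return base + timedelta(seconds=seconds)


def alert_to_incident(alert):
    """Build an Adversarial incident record from a CrowdStrike alert using the Fields table.
    Dict layout of the alert and of the resulting incident is an assumption of this example."""
    created = _parse_ts(alert.get("created_date"))
    # Occurred Date comes from `timestamp` and falls back to created_date when missing.
    occurred = _parse_ts(alert.get("timestamp")) or created
    return {
        "title": alert.get("name"),
        "description": alert.get("description"),
        "status": map_status(alert.get("status")),
        "severity": map_severity(alert.get("severity")),
        "created_date": created,
        "detected_date": created,
        "occurred_date": occurred,
        "responded_date": _offset(created, alert.get("seconds_to_triaged")),
        "contained_date": _offset(created, alert.get("seconds_to_resolved")),
        "source": "EDR",                       # static per the Fields table
        "opened_by": "CrowdStrike Integration",  # per the Overview
    }


def apply_sync(existing, alert):
    """Refresh an existing incident from a newer copy of the alert, touching only the
    SYNC_UPDATABLE fields so title, description and status survive re-syncs."""
    fresh = alert_to_incident(alert)
    merged = dict(existing)
    for field in SYNC_UPDATABLE:
        merged[field] = fresh[field]
    return merged


# Constructed sample alert (not real CrowdStrike output): triaged after 10 minutes,
# not yet resolved, and with no `timestamp`, so Occurred Date must fall back.
SAMPLE_ALERT = {
    "name": "Suspicious process execution",
    "description": "Initial description",
    "status": "in_progress",
    "severity": "High",
    "created_date": "2024-05-01T12:00:00Z",
    "timestamp": None,
    "seconds_to_triaged": 600,
    "seconds_to_resolved": None,
}

if __name__ == "__main__":
    first = alert_to_incident(SAMPLE_ALERT)
    later = dict(SAMPLE_ALERT, severity="Critical", name="Renamed upstream", status="closed")
    print(apply_sync(first, later))
```

Running the block shows the second sync raising severity to SEV-1 while the title and status from the first import are retained, which is exactly the behaviour the Sync Behavior section describes.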