    CrowdStrike Falcon Cloud
    • 06 Jun 2025
    • 3 Minutes to read

    Overview

    This adapter connects to CrowdStrike Falcon Cloud and streams events into LimaCharlie as they happen in the CrowdStrike Falcon Console.

    Deployment Configurations

    All adapters support the same client_options, which you should always specify if using the binary adapter or creating a webhook adapter. If you use any of the Adapter helpers in the web app, you will not need to specify these values.

    • client_options.identity.oid: the LimaCharlie Organization ID (OID) this adapter is used with.
    • client_options.identity.installation_key: the LimaCharlie Installation Key this adapter should use to identify with LimaCharlie.
    • client_options.platform: the type of data ingested through this adapter, like text, json, gcp, carbon_black, etc.
    • client_options.sensor_seed_key: an arbitrary name for this adapter from which Sensor IDs (SIDs) are generated (see below).

    Adapter-specific Options

    Adapter Type: falconcloud

    • client_id: your CrowdStrike Falcon Cloud client ID
    • client_secret: your CrowdStrike Falcon Cloud client secret

    Manual Deployment

    Adapter downloads can be found here.

```bash
chmod +x /path/to/lc_adapter

/path/to/lc_adapter falconcloud client_options.identity.installation_key=$INSTALLATION_KEY \
    client_options.identity.oid=$OID \
    client_options.platform=json \
    client_options.sensor_seed_key=$SENSOR_NAME \
    client_options.hostname=$SENSOR_NAME \
    client_options.mappings.event_type_path=metadata/eventType \
    client_id=$CLIENT_ID \
    client_secret=$CLIENT_SECRET
```

    Infrastructure as Code Deployment

```yaml
# CrowdStrike Falcon ("falconcloud") Specific Docs: https://docs.limacharlie.io/docs/adapter-types-crowdstrike

falconcloud:
  # CrowdStrike Falcon Event Streaming API
  write_timeout_sec: 10 # (optional) Timeout in seconds for writing data. e.g., 10 or null.
  client_id: "YOUR_CROWDSTRIKE_FALCON_API_CLIENT_ID" # (required) Your CrowdStrike Falcon API Client ID for event streaming.
  client_secret: "YOUR_CROWDSTRIKE_FALCON_API_CLIENT_SECRET" # (required) Your CrowdStrike Falcon API Client Secret. Store securely.
  # Optional: cloud_region (us-1, us-2, eu-1, us-gov-1), app_id.
  # cloud_region: "us-1"
  # app_id: "my-limacharlie-falcon-stream"
  client_options:
    identity:
      oid: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" # (required) Organization ID from LimaCharlie.
      installation_key: "YOUR_LC_INSTALLATION_KEY_FALCONCLOUD" # (required) Installation key associated with the OID.
    hostname: "crowdstrike-falcon-adapter-prod-01.example.com" # (required if not using sensor_hostname_path)
    platform: "saas_api_crowdstrike_falcon" # (required) Indicates the source is CrowdStrike Falcon API.
    architecture: null # (optional) Not applicable for SaaS API.
    mapping:
      # Falcon Event Streaming API provides JSON events.
      parsing_re: null
      # (optional) Path to uniquely ID the original Falcon event. Falcon events usually have a unique 'id' or 'event_id'.
      sensor_key_path: "event.event_id" # Or just "id" depending on the event structure.
      # (optional) If client_options.hostname is NOT static, or to use the actual agent hostname from the event.
      sensor_hostname_path: "event.ComputerName" # Falcon events often include 'ComputerName'.
      # (optional) Example: "FALCON_DETECTION_SUMMARY_EVENT", "FALCON_AUTH_ACTIVITY_LOGIN". Based on 'event_simpleName' or similar.
      event_type_path: "FALCON_{{ .metadata.eventType | token | upper | default \"GENERIC\" }}_{{ .event_simpleName | token | upper }}" # Using 'event_simpleName' is common.
      # (optional) JSON path to the event's occurrence time. Falcon events usually have a 'timestamp' (epoch millis).
      event_time_path: "metadata.eventCreationTime" # Or "event.Timestamp" depending on the event wrapper.
      # (optional) JSON path for a field to populate LimaCharlie's investigation_id.
      investigation_id_path: "event.DetectId" # For detection events.
      # (optional) Use +/- syntax for transforms.
      transform:
        "+endpoint_security_vendor": "CrowdStrikeFalcon"
        "+falcon_agent_id": "{{ .event.AgentId }}"
        "+falcon_user_id": "{{ .event.UserId }}"
        "+process_name_parent": "{{ .event.ParentProcessName }}"
        "+process_name_target": "{{ .event.TargetProcessName }}"
        "-event.FalconHostLink": null # Remove if not needed or too specific for general telemetry
      # (optional) A list of field paths to drop.
      drop_fields:
      - "event.SensorSpecificData" # Can be very verbose
      - "metadata.offset"
      sid_replication_path: null # (optional)
    # mappings: null
    indexing:
      enabled: true
      default_index: "falcon-events-{{ .identity.oid | substr 0 8 }}"
    is_compressed: false # (optional) Falcon event stream is typically JSON, not further compressed at this layer.
    sensor_seed_key: "SEED_KEY_FALCONCLOUD_ADAPTER_001" # (required)
    dest_url: "https://input.limacharlie.io" # (optional) The destination URL. Usually defaults correctly.
```
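As an added illustration, not LimaCharlie's adapter code, the Python below simulates what the mapping section above does to one constructed Falcon event-stream record: it resolves the sensor_key_path, sensor_hostname_path, event_time_path and investigation_id_path lookups, applies the +/- transforms, and removes the drop_fields entries. It assumes minimal template semantics (plain `{{ .path }}` lookups only; the token, upper and default functions used by event_type_path are not modeled) and that "+" keys add top-level fields.

```python
import copy
import re
# Mapping section from the YAML above; event_type_path is omitted because its
# template functions (token, upper, default) are not modeled in this example.
MAPPING = {
    "sensor_key_path": "event.event_id",
    "sensor_hostname_path": "event.ComputerName",
    "event_time_path": "metadata.eventCreationTime",
    "investigation_id_path": "event.DetectId",
    "transform": {"+endpoint_security_vendor": "CrowdStrikeFalcon",
                  "+falcon_agent_id": "{{ .event.AgentId }}",
                  "-event.FalconHostLink": None},
    "drop_fields": ["event.SensorSpecificData", "metadata.offset"],
}
# Constructed record in the metadata/event envelope shape of the Falcon Event Streams API (made-up values).
SAMPLE = {
    "metadata": {"eventType": "DetectionSummaryEvent", "eventCreationTime": 1717660800000, "offset": 42},
    "event": {"event_id": "evt-0001", "ComputerName": "WS-LAB-07", "DetectId": "ldt:deadbeef:123",
              "AgentId": "agent-abc", "FalconHostLink": "https://falcon.example/x",
              "SensorSpecificData": {"big": "blob"}},
}
def get_path(obj, path):
    """Resolve a dot-separated path; returns None when any segment is missing."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def del_path(obj, path):  # remove the leaf named by a dot-separated path; missing parents are ignored
    parts = path.split(".")
    parent = get_path(obj, ".".join(parts[:-1])) if len(parts) > 1 else obj
    if isinstance(parent, dict):
        parent.pop(parts[-1], None)

def render(template, record):  # substitute {{ .a.b }} references; plain path lookups only (assumption)
    return re.sub(r"\{\{\s*\.([\w.]+)\s*\}\}", lambda m: str(get_path(record, m.group(1)) or ""), template)
def map_event(record, mapping=MAPPING):
    record = copy.deepcopy(record)  # never mutate the caller's input
    out = {n: get_path(record, mapping[n + "_path"])  # derived LimaCharlie fields
           for n in ("sensor_key", "sensor_hostname", "event_time", "investigation_id")}
    for key, value in mapping["transform"].items():  # "+" adds a top-level field, "-" removes a path
        if key.startswith("+"):
            record[key[1:]] = render(value, record)
        elif key.startswith("-"):
            del_path(record, key[1:])
    for path in mapping["drop_fields"]:
        del_path(record, path)
    out["event"] = record  # the shaped event that would be shipped to LimaCharlie
    return out
```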

    API Doc

    See the official documentation and additional docs on the library used to access the Falcon APIs.
