Torq's CrowdStrike Data Connector enables seamless and automated ingestion of CrowdStrike events into Torq, allowing workflows to be triggered based on real-time data. Designed for performance, reliability, and ease of use, this connector streamlines event-driven automation for security and operations teams.
Key capabilities include:
Event setup made simple: An intuitive setup interface for defining event types, sources, and integration parameters
Advanced filtering: Apply JQ-based filtering to ingest only relevant events
Hands-free operation: Automatic event ingestion after initial configuration
Clean data guaranteed: Duplicate detection to ensure accuracy and reliability
Test before you go live: Manually trigger the connector to validate configurations
High-volume ready: Handle up to 500,000 events per minute
Built-in resilience: Prevent data loss with robust failover mechanisms
Always-on monitoring: Status checks and alerts keep you informed of connector health
High-availability failover and resilience
The CrowdStrike Data Connector is designed with robust failover mechanisms to ensure reliable event ingestion, even under unexpected conditions.
Rate limit handling
If the connector reaches the CrowdStrike API rate limit, it will:
Save the last successful offset of pulled data.
Disconnect the stream to prevent errors.
Wait until the next scheduled pull cycle to resume ingestion and fetch any missed events.
Integration health checks
The connector continuously verifies the health of the integration by:
Checking authentication status with CrowdStrike.
Notifying users if the connection becomes invalid or fails.
Connector failover
To prevent disruptions:
The connector ensures an active and valid connection with the integration.
If the connection is lost or unstable, it will automatically attempt to refresh and re-establish it.
Event replay on failure
If there’s a failure during data streaming, the system will resume ingestion from the last known good offset, ensuring that no events are lost or skipped.
These failover mechanisms ensure that your event pipeline remains resilient, even in the face of API limits, network issues, or temporary failures.
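The rate-limit handling and event replay described above amount to a checkpoint-and-resume loop with duplicate suppression. The following Python sketch is an added illustration, not Torq's or CrowdStrike's code; the event layout (`metadata.offset`, `metadata.eventType`), the inclusive resume, and every function name are assumptions made for the example.

```python
"""Checkpoint-and-resume ingestion, simulated offline (added illustration)."""

class RateLimited(Exception):
    """Raised by the simulated stream when the API rate limit is reached."""

# Constructed sample events; offsets and the metadata layout are assumptions.
SAMPLE_EVENTS = [
    {"metadata": {"offset": off, "eventType": "DetectionSummaryEvent"}}
    for off in range(100, 106)
]

def simulated_stream(events, resume_from, fail_at=None):
    """Yield events at or after resume_from; hit the rate limit at fail_at."""
    for ev in events:
        off = ev["metadata"]["offset"]
        if off < resume_from:
            continue
        if off == fail_at:
            raise RateLimited(f"rate limit reached before offset {off}")
        yield ev

def new_state():
    # offset: last successfully handled event; seen: offsets already delivered.
    # A long-running connector would bound or expire the seen set.
    return {"offset": 0, "seen": set()}

def pull_cycle(events, state, fail_at=None):
    """Run one scheduled pull and return the offsets delivered downstream."""
    delivered = []
    try:
        for ev in simulated_stream(events, state["offset"], fail_at):
            off = ev["metadata"]["offset"]
            if off in state["seen"]:
                continue  # replayed by the inclusive resume: drop the duplicate
            state["seen"].add(off)
            delivered.append(off)
            state["offset"] = off  # checkpoint only after the event is handled
    except RateLimited:
        pass  # disconnect; the saved offset is where the next cycle resumes
    return delivered

if __name__ == "__main__":
    state = new_state()
    print(pull_cycle(SAMPLE_EVENTS, state, fail_at=103))  # interrupted cycle
    print(pull_cycle(SAMPLE_EVENTS, state))               # resumed cycle
```

Because the checkpoint advances only after an event is handled, an interruption can cause redelivery but never a gap, which is why the resume path needs the duplicate check.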
Configure Torq CrowdStrike data connector
Integrate CrowdStrike with Torq to automate event response workflows using API key configurations.
Create a CrowdStrike API token
Navigate to API clients and keys: Click the menu and go to Support > Resources and tools > API Clients and Keys.
Create a client: Click Create API client.
Give the client a unique and meaningful name. For example, TorqWorkflows.
Give the client a relevant description. For example, This key is used in Torq workflows to automate investigations of CrowdStrike detections.
Select one or more scopes for the key. You must apply relevant scopes to perform desired actions within Torq workflows. For example, if you want to modify or edit a detection within a workflow, you need to apply the Read and Write scope for Detections.
Finalize: Click Create.
Save information: Copy and save the values for the following fields, which you must enter when configuring the CrowdStrike steps integration in Torq. Be sure to save them somewhere; you cannot access them again.
CLIENT ID
SECRET
BASE URL
Add a CrowdStrike streaming instance in Torq
Navigate to Integrations: In Torq, go to Build > Integrations > Steps.
Activate the CrowdStrike streaming integration: Find the integration in your list and click its icon.
Set up a streaming instance:
Click Add Instance.
Give the instance a unique and meaningful name. You cannot change this later.
Add the Client ID created earlier.
Add the Client Secret created earlier.
Add the Base URL created earlier.
For the Token URL, paste the Base URL and add /oauth2/token to the end of the URL.
Define the Routing Destination to control where data from this integration instance is sent. Select at least one destination.
Auto-Triage sends supported alert types to the Auto-Triage pipeline for automatic analysis, enrichment, scoring, and verdict assignment.
Workflows routes events and alerts to workflow triggers so you can build custom automation.
In the Events Filter field, enter a comma-separated list of CrowdStrike event types to include. Any events not listed will be excluded from the pull.
By default, the following event types are collected: CSPMSearchStreamingEvent, CSPMIOAStreamingEvent, EppDetectionSummaryEvent, IdpDetectionSummaryEvent, DetectionSummaryEvent, CustomerIOCEvent, UserActivityAuditEvent, RemoteResponseSessionEndEvent.
Finalize: Click Add to save.
You’ve successfully set up a CrowdStrike Streaming integration in Torq. With the instance configured, Torq can now securely connect to your CrowdStrike environment, pull the selected event types in real-time, and automatically trigger workflows based on those events.


