Version: Next

Integration with CrowdStrike

Integrating NetFlow Optimizer (NFO) with CrowdStrike Falcon provides powerful network telemetry and enhanced visibility into your infrastructure. By leveraging CrowdStrike's unified security platform, organizations can correlate enriched flow data with endpoint telemetry to detect lateral movement, identify data exfiltration, and streamline incident response.

This integration allows you to forward processed and enriched network flow data from NFO to CrowdStrike Falcon LogScale or the Falcon platform for advanced search, visualization, and long-term retention.

Installation Steps

  1. Configure CrowdStrike Ingest
  2. Configure NFO Output

Configure CrowdStrike Ingest

To send data to CrowdStrike, you must first ensure you have the appropriate ingestion method configured in your Falcon console. Depending on your environment, you can send data directly to a Falcon LogScale HEC (HTTP Event Collector) endpoint or through a LogScale Collector (agent). The NFO output described on this page sends directly to the HEC endpoint.

Obtain Ingest Token

  1. Log in to your CrowdStrike Falcon console.
  2. Navigate to LogScale (formerly Humio) and select your Repository or View.
  3. Go to Settings > Ingest Tokens.
  4. Copy an existing token or create a new one to be used for NFO data.

Set Up the Parser

To ensure field names are correctly identified, select the built-in json parser (or a custom NFO-specific parser) for the ingest token in LogScale. With JSON input, LogScale extracts every top-level field of each record automatically, so the enriched NFO fields become searchable without further configuration.

Configure NFO Output

Once your ingest endpoint is ready, configure the output in the NFO GUI to forward the data.

  1. In the NFO GUI, go to Outputs on the left navigation bar.
  2. Click the plus sign (+) to create a new output.
  3. Set the following parameters:
  • Name (optional): CrowdStrike Falcon
  • Output Type: Select CrowdStrike Falcon LogScale HEC
  • Protocol: HTTPS. HTTP is offered but should not be used: the ingest token is sent as a bearer credential in every request and would cross the network in cleartext.
  • Address: Enter your CrowdStrike LogScale HEC endpoint (e.g., cloud.crowdstrike.com).
  • Port: Typically 443 for HTTPS ingestion.
  • Token: Paste the Ingest Token obtained in the previous step. Treat it as a secret; anyone holding it can write arbitrary events into the repository.
  4. Formatting: Ensure the output format is set to JSON. This allows CrowdStrike LogScale to perform automatic field extraction on all enriched telemetry (such as GeoIP, User ID, and Application Name).
  5. Click Save.
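Before pointing NFO at the endpoint, it is useful to exercise the ingest path by hand: the same URL, the same bearer token, and a record shaped like NFO output, so that a rejected token or a mis-set parser shows up without NFO in the loop. The script below is an added example, not code from NFO or CrowdStrike. It reproduces the request shape a LogScale HEC output sends (an HTTPS POST to LogScale's /api/v1/ingest/hec with the ingest token in an Authorization header and one JSON event per line), refuses plain HTTP, and lists the top-level keys the json parser will expose, which is what the verification step that follows searches for. The hostname, token and flow records are constructed placeholders; enrichment field names other than nfc_id, src_ip, dest_ip and exp_ip are assumptions for illustration.

```python
"""Hand-rolled LogScale HEC sender for checking an NFO ingest path.

Added example, not NFO or CrowdStrike code. Hostname, token and the flow
records are constructed placeholders; the HEC path and bearer-token header
are LogScale's documented HEC interface.
"""
import json
import os
import urllib.request
from urllib.parse import urlsplit

HEC_PATH = "/api/v1/ingest/hec"

# Constructed sample records shaped like NFO-enriched flow data. Only nfc_id,
# src_ip, dest_ip and exp_ip are field names taken from the documentation;
# the rest are assumed for illustration.
SAMPLE_FLOWS = [
    {"nfc_id": "nfc_id_example", "src_ip": "10.1.2.3", "dest_ip": "203.0.113.10",
     "exp_ip": "10.0.0.1", "src_port": 51234, "dest_port": 443,
     "protocol": 6, "bytes": 987654, "timestamp": 1700000000},
    {"nfc_id": "nfc_id_example", "src_ip": "10.1.2.4", "dest_ip": "198.51.100.7",
     "exp_ip": "10.0.0.1", "src_port": 40022, "dest_port": 22,
     "protocol": 6, "bytes": 4096, "timestamp": 1700000001},
]


def hec_url(address: str, protocol: str, port: int = 443) -> str:
    """Build the HEC URL from the values entered in the NFO output form.

    Refuses plain HTTP: the ingest token rides in an Authorization header, so a
    cleartext transport would expose a credential that can write to the repo.
    """
    if protocol.lower() != "https":
        raise ValueError("use HTTPS; the ingest token would travel in cleartext")
    host = urlsplit(address if "://" in address else f"//{address}").hostname
    if not host:
        raise ValueError(f"cannot parse a hostname from {address!r}")
    return f"https://{host}:{port}{HEC_PATH}"


def hec_payload(records, source="netflow-optimizer") -> str:
    """Newline-delimited JSON in HEC event format, one line per flow record."""
    lines = []
    for rec in records:
        event = {"source": source, "sourcetype": "json", "event": rec}
        if "timestamp" in rec:  # epoch seconds, the unit HEC expects in "time"
            event["time"] = rec["timestamp"]
        lines.append(json.dumps(event, separators=(",", ":")))
    return "\n".join(lines)


def hec_request(url: str, token: str, payload: str) -> urllib.request.Request:
    """Assemble the POST; the token is the only credential, so it must be set."""
    if not token.strip():
        raise ValueError("missing ingest token")
    return urllib.request.Request(
        url,
        data=payload.encode("utf-8"),
        method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )


def extracted_fields(payload: str) -> set:
    """Approximate the json parser: every top-level key of each event is a field.

    Confirms that the names searched for during verification (nfc_id, src_ip,
    dest_ip, exp_ip) are present in what was sent.
    """
    fields = set()
    for line in payload.splitlines():
        fields.update(json.loads(line)["event"].keys())
    return fields


def send(req: urllib.request.Request, timeout: float = 10.0):
    """Send the request and return (status, body); HEC answers 200 on success."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # Real values come from the environment so the token never lands in a file.
    url = hec_url(os.environ.get("LOGSCALE_ADDRESS", "cloud.crowdstrike.com"), "https")
    body = hec_payload(SAMPLE_FLOWS)
    print("fields LogScale will extract:", sorted(extracted_fields(body)))
    token = os.environ.get("LOGSCALE_INGEST_TOKEN")
    if token:
        print(send(hec_request(url, token, body)))
    else:
        print("set LOGSCALE_INGEST_TOKEN to post the sample records to", url)
```

Run it with LOGSCALE_ADDRESS and LOGSCALE_INGEST_TOKEN exported; a 200 followed by the two sample records appearing under the searched field names confirms the token, the endpoint and the json parser at once. If the records arrive but only @rawstring is populated, the token is not using a JSON parser.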

Verifying the Integration

To verify that data is flowing correctly:

  1. Navigate to your CrowdStrike Falcon console and open the LogScale repository.
  2. Run a search query such as:
#repo = "your_repo_name" | nfc_id = "*"

  3. Confirm that flow records are appearing and that fields (e.g., src_ip, dest_ip, exp_ip) are correctly parsed. If events arrive but only @rawstring is populated, the ingest token is not assigned the json parser; fix the parser assignment rather than the NFO output.