CrowdStrike

Overview

Integrate your Incident Register with CrowdStrike Falcon. This integration imports alerts from NGSiem, CWPP, and EPP as Incident records. Alerts are aggregated by correlation ID before being synced.

• Source: EDR
• Opened By: “CrowdStrike Integration”

Setup

The integration can be enabled directly from your Adversarial tenant via Settings > Integrations. The necessary details to connect your CrowdStrike environment are the API Client ID and Client Secret, which must have read permissions for alerts and incidents.

Status Mapping

CrowdStrike alert statuses are mapped to Adversarial incident statuses:

CrowdStrike Status	Adversarial Status
new	New
in_progress / assigned	In Progress
closed	Closed
(unrecognized)	New

Severity Mapping

CrowdStrike alert severity maps to Adversarial incident severity. All severity levels are imported.

CrowdStrike Severity	Adversarial Severity
Critical	SEV-1
High	SEV-2
Medium	SEV-3
Low	SEV-4
Informational	SEV-5

Fields

CrowdStrike Field	Adversarial Field	Notes
name	Title
description	Description	Enriched with product context and MITRE info during aggregation
created_date	Created Date
created_date	Detected Date
timestamp	Occurred Date	Falls back to created_date if missing
seconds_to_triaged	Responded Date	Computed as created_date + seconds_to_triaged
seconds_to_resolved	Contained Date	Computed as created_date + seconds_to_resolved
(static)	Source	Always “EDR”

Note

On subsequent syncs, only severity, detected date, occurred date, responded date, and contained date are updated on existing incidents. Title, description, and status are not overwritten to preserve aggregated data. Because severity always comes from the CrowdStrike alert, automatic AI rescoring does not apply to CrowdStrike incidents.