Integrating CrowdStrike with Kaseya SIEM
This article explains how to connect CrowdStrike Falcon to Kaseya SIEM using the CrowdStrike integration available in the SIEM interface. It describes the information required to establish the connection and where CrowdStrike telemetry may appear in Kaseya SIEM after ingestion.
Configuration fields and requirements for this integration are defined in the Kaseya SIEM interface. Always follow the options and guidance shown in the UI when completing the connection.
Requirements
Before starting, ensure you have the following:
- CrowdStrike administrative access: You must have sufficient permissions in the CrowdStrike Falcon console to create OAuth 2.0 API clients.
- CrowdStrike API credentials: A Client ID and Client Secret generated specifically for this integration.
- CrowdStrike API region information: Your CrowdStrike environment is hosted in a specific region (for example, US‑1, US‑2, EU‑1, or GovCloud). This information is required when configuring the connection in Kaseya SIEM.
Creating an API client in CrowdStrike Falcon
CrowdStrike integrations use OAuth 2.0 API clients. To create an API client:
- Sign in to the CrowdStrike Falcon console.
- Navigate to Support and resources > Resources and tools > API Clients and Keys.
- Select Create API client.
- Enter a Client Name (for example, Kaseya SIEM) and an optional description.
- Assign the API scopes required by the Kaseya SIEM integration, as indicated in the Kaseya SIEM connection dialog.
- Create the API client.
After creation, CrowdStrike displays the Client ID and Client Secret. The secret is shown only once and must be copied and stored securely. The API client is associated with your CrowdStrike tenant and region.
Connecting CrowdStrike in Kaseya SIEM
Once the API client is created, configure the integration in Kaseya SIEM.
- In Kaseya SIEM, navigate to Settings > Integrations (partner level) or Organization > Applications (organization level), depending on where the integration is being created.
- Locate the CrowdStrike integration tile and select Connect.
- Enter the required information as prompted in the UI, such as:
  - API Base URL (CrowdStrike tenant region)
  - Client ID
  - Client Secret
- After credentials are validated, the connection wizard prompts you to map CrowdStrike to one or more organizations.
Organization mapping determines:
- Which organizations receive CrowdStrike telemetry
- How endpoint activity is scoped for investigation and correlation
- Where alerts and activity appear in the SIEM experience
Follow the organization‑mapping steps shown in the wizard to associate CrowdStrike with the appropriate organizations.
For an overview of how integrations are scoped and associated with organizations, see Connecting data sources and integrations.
Verifying the connection
After the integration is connected:
- The CrowdStrike tile should reflect an active or connected status.
- Endpoint‑related telemetry from CrowdStrike may become available for investigation, depending on configuration and available data.
- CrowdStrike activity may appear alongside other endpoint, network, or SaaS sources during investigations.
- The timing and type of data available can vary by environment and configuration.
After the integration is connected, alerts generated from CrowdStrike telemetry can be investigated within Kaseya SIEM.
Alerts generated from ingested telemetry can be delivered to external systems such as PSAs, depending on your notification and PSA configuration. For more information, see Notifications, PSA, and external communications.
Troubleshooting
If expected activity is not visible:
- Confirm that the API client was created with the scopes required by the Kaseya SIEM integration.
- Verify that the CrowdStrike tenant region entered in Kaseya SIEM matches your Falcon environment.
- If credentials change or are regenerated, update the Client Secret in the Kaseya SIEM integration settings.
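A pre-flight check for the region and credential items above, as an added example that is not Kaseya or CrowdStrike code: it requests an OAuth 2.0 token from the CrowdStrike API for the chosen region and maps the response onto the troubleshooting steps. The environment variable names (FALCON_CLIENT_ID, FALCON_CLIENT_SECRET, FALCON_REGION), the function names and the region keys are assumptions made for this example.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request

# Public CrowdStrike API base URLs per cloud region (keys are this example's labels).
BASE_URLS = {
    "US-1": "https://api.crowdstrike.com",
    "US-2": "https://api.us-2.crowdstrike.com",
    "EU-1": "https://api.eu-1.crowdstrike.com",
    "US-GOV-1": "https://api.laggar.gcw.crowdstrike.com",
}

def build_token_request(region, client_id, client_secret):
    """Build the client-credentials token request; unknown regions raise KeyError."""
    body = urllib.parse.urlencode(
        {"client_id": client_id, "client_secret": client_secret}
    ).encode()
    return urllib.request.Request(
        BASE_URLS[region.upper()] + "/oauth2/token",
        data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )

def diagnose(status, payload):
    """Map a token-endpoint response onto the troubleshooting steps."""
    if status == 201 and payload.get("access_token"):
        return "ok: credentials accepted for this region"
    if status in (400, 401, 403):
        return "rejected: check Client ID, Client Secret and the selected region"
    return f"unexpected HTTP {status}: check the base URL and network path"

def check(region):
    """Run the live check; the secret is read from the environment, never argv."""
    req = build_token_request(
        region, os.environ["FALCON_CLIENT_ID"], os.environ["FALCON_CLIENT_SECRET"])
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return diagnose(resp.status, json.load(resp))
    except urllib.error.HTTPError as err:
        return diagnose(err.code, {})

if __name__ == "__main__":
    print(check(os.environ.get("FALCON_REGION", "US-1")))
```

A token being issued confirms only the Client ID, Client Secret and region; the assigned scopes still need to be checked in the Falcon console.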
Relationship to other data sources
CrowdStrike is an endpoint security platform that provides host‑level telemetry. When connected, this data contributes to endpoint and infrastructure visibility in Kaseya SIEM and may be correlated with other sources during investigation.

