Version: 2.13.0

CrowdStrike Next-Gen SIEM (Zero Trust Logs)

Free integration setup: We’ll install and validate this for you.
Book a setup call

Overview

This integration forwards Superna Data Security Edition findings to CrowdStrike Next-Gen SIEM using the Collector API, enabling searchable log ingestion, detections, and correlation with broader security telemetry.

Free white-glove setup

We’ll install and validate this integration at no charge so you can see value fast. Next step: use Book a setup call at the top of this page.

See CrowdStrike marketplace landing page


What You Get

  • Structured security findings from Superna ingested into Next-Gen SIEM through the connector's ingest URL and API key.
  • Faster investigations with searchable logs (e.g., by vendor, or by fields such as severity, clientIPs, shares, files).
  • Detection visibility in CrowdStrike (e.g., Investigate → Event search; Detections).
  • Operational simplicity: a lightweight service on the Eyeglass VM translates Superna webhooks into the CPS/collector format.

Demo Video


How It Works

  1. Connector setup in CrowdStrike
    In Falcon Console: Data connectors → Add connection → Vendor = Superna → Superna Data Security Edition Data Connector → Configure.
    Generate an API key and copy both the API URL and the API key; the collector service needs both. Treat the key as a credential: store it in a file readable only by the service account (for example a systemd EnvironmentFile with mode 0600), not in the service code.

  2. Lightweight service on Eyeglass
    On the Eyeglass VM, a small Python/Flask service listens for Superna webhooks and posts translated JSON to the CrowdStrike Collector API using the provided key over HTTPS with certificate verification left on. It is managed as a systemd service for resilience and autostart.

  3. Webhook from Superna
    In Eyeglass WebUI → Integrations → Webhooks, add a webhook to http://localhost:5000/webhook (content-type application/json). The webhook is plain HTTP and carries no credential of its own, so the listener should be bound to the loopback address (127.0.0.1) only and port 5000 should not be exposed on the VM's external interfaces. Send Critical/Major events and those that reflect actionable findings; leave informational alarms out.

  4. Result in CrowdStrike
    Logs appear in Investigate → Event search (e.g., filter by vendor “Superna”) and detections appear in the console.
    Typical payload fields forwarded: eventid, host (first entry of clientIPs), severity, state, nes, user, userName, shares[], detected (epoch seconds), protocol, files[].

Tip: Test in your lab first. Send a sample event and confirm that the collector answers with HTTP 200 and successCount=1; any other status means the event was not ingested and the service log should show why.
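The four steps above, as an added example that is not Superna's shipped Eyeglass service: a stand-in forwarder that uses only the Python standard library (the real service is Flask) so it can be run and tested offline. It does the field mapping the page lists (host taken from clientIPs[0], detected as epoch seconds), drops anything below Major before it leaves the VM, binds to 127.0.0.1 only, keeps TLS verification on, reads the ingest URL and key from the environment, and implements the Tip's HTTP 200 + successCount=1 check. Assumptions, also marked in the code: an HEC-style {"event": ...} JSON envelope with a Bearer API key (the exact envelope the Superna connector expects is not on this page), severity values "Critical"/"Major", and a constructed sample event.

```python
"""Added example for this page: a stdlib-only stand-in for the Eyeglass
forwarder service. Not Superna's shipped code. Assumptions (marked below):
the collector accepts an HEC-style {"event": ...} body with a Bearer API key,
Superna severity values are the strings "Critical"/"Major", and SAMPLE_EVENT
is constructed, not a real finding."""
import json
import os
import ssl
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

INGEST_URL = os.environ.get("CS_INGEST_URL", "")   # from a systemd EnvironmentFile
API_KEY = os.environ.get("CS_API_KEY", "")         # never hard-code the key
FORWARD_SEVERITIES = {"CRITICAL", "MAJOR"}         # page's recommendation
FIELDS = ("eventid", "severity", "state", "nes", "user", "userName",
          "shares", "detected", "protocol", "files")   # fields the page lists


def should_forward(event: dict) -> bool:
    """Second line of defence against low-signal alarms reaching the SIEM."""
    return str(event.get("severity", "")).upper() in FORWARD_SEVERITIES


def translate(event: dict) -> dict:
    """Map one Superna webhook payload to the (assumed) collector envelope."""
    body = {k: event[k] for k in FIELDS if k in event}
    ips = event.get("clientIPs") or []
    body["host"] = ips[0] if ips else None          # page: host = clientIPs[0]
    envelope = {"event": body, "source": "superna"}  # assumed envelope shape
    if isinstance(event.get("detected"), (int, float)):
        envelope["time"] = float(event["detected"])  # detected is epoch seconds
    return envelope


def collector_accepted(status: int, body: bytes) -> bool:
    """The page's lab check: HTTP 200 and successCount == 1 in the reply."""
    if status != 200:
        return False
    try:
        return json.loads(body.decode("utf-8")).get("successCount") == 1
    except (ValueError, AttributeError):            # not JSON, or not an object
        return False


def post_to_collector(envelope: dict, ingest_url: str = INGEST_URL,
                      api_key: str = API_KEY) -> bool:
    """POST one envelope over HTTPS; certificate verification stays on."""
    req = urllib.request.Request(
        ingest_url, data=json.dumps(envelope).encode("utf-8"), method="POST",
        headers={"Authorization": "Bearer " + api_key,   # assumed auth scheme
                 "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10,
                                    context=ssl.create_default_context()) as r:
            return collector_accepted(r.status, r.read())
    except urllib.error.HTTPError as err:           # 4xx/5xx: stale key, wrong URL
        return collector_accepted(err.code, err.read())


class WebhookHandler(BaseHTTPRequestHandler):
    """Receives the Eyeglass webhook. The endpoint has no auth of its own, so
    the server is bound to 127.0.0.1 only (see the main block)."""

    def do_POST(self):
        if self.path != "/webhook":
            self.send_error(404)
            return
        length = int(self.headers.get("Content-Length", 0))
        try:
            event = json.loads(self.rfile.read(length))
        except ValueError:
            self.send_error(400, "body is not JSON")
            return
        if not should_forward(event):
            self.send_response(200)                  # accepted, deliberately dropped
        elif post_to_collector(translate(event)):
            self.send_response(200)
        else:
            self.send_response(502)                  # surfaces collector failures
        self.end_headers()


SAMPLE_EVENT = {  # constructed for illustration only
    "eventid": "12345", "clientIPs": ["10.1.2.3"], "severity": "Critical",
    "state": "ACTIVE", "nes": "cluster01", "user": "S-1-5-21-1-2-3-1001",
    "userName": "DOMAIN\\alice", "shares": ["\\\\nas\\finance"],
    "detected": 1717000000, "protocol": "SMB", "files": ["/ifs/finance/q1.xlsx"],
}

if __name__ == "__main__":
    print(json.dumps(translate(SAMPLE_EVENT), indent=2))
    HTTPServer(("127.0.0.1", 5000), WebhookHandler).serve_forever()
```

Run it with CS_INGEST_URL and CS_API_KEY exported (or supplied by the systemd unit), then POST SAMPLE_EVENT to http://127.0.0.1:5000/webhook; a 502 back from the service means the collector did not return 200 with successCount=1, which is the place to start when the event never shows up in Event search.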


Components

  • Superna Data Security Edition — Emits webhook events for high-confidence findings at the data layer.
  • Integration Service (Eyeglass VM) — Small Flask app + systemd unit that maps webhook JSON to the CrowdStrike collector format and authenticates with an API key.
  • CrowdStrike Next-Gen SIEM — Receives events via Collector API and surfaces them in Event Search/Detections.

Integration Architecture


FAQs

What’s required to enable this?

A Next-Gen SIEM data connector in Falcon (to obtain the API URL and API key), an Eyeglass VM with outbound HTTPS (TCP 443) to the CrowdStrike ingest endpoint, and the Superna webhook configuration. We’ll guide you through all steps.

Which fields are forwarded?

Common fields include eventid, host (from clientIPs[0]), severity, state, nes, user, userName, shares[], detected (seconds), protocol, and files[].

Is there a performance impact?

Minimal. The service makes one small HTTPS POST per forwarded event. Scope webhooks to critical/meaningful findings so volume stays low on both the VM and the SIEM.

Any common pitfalls?

Using the ingest URL for the wrong region, a stale or revoked API key, blocked outbound HTTPS from the Eyeglass VM, or sending low-signal alarms instead of high-confidence findings. The first three show up as a non-200 response (or no response) from the collector in the service log; the last shows up as noise in Event search.
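A preflight check for the pitfalls above, added here as an example and not part of Superna's tooling: check_config() validates the static settings offline (scheme, hostname, and a key with stray whitespace, which is how a copy-pasted key often turns into a "stale" one), and check_egress() performs a real TCP plus TLS handshake to the ingest host so a blocked egress path is caught before the first event. The placeholder URL and its path are assumed, not the real ingest URL; a wrong-region URL or revoked key can only be confirmed by a test post that fails to return 200.

```python
"""Added example for this page (not Superna's code): preflight checks for the
common pitfalls. check_config() is offline; check_egress() opens a real TLS
connection and needs network. Assumptions: the ingest URL is https on port
443, and the API key must be used verbatim (trailing newlines from copy-paste
are a frequent cause of an apparently "stale" key)."""
import socket
import ssl
from typing import List, Optional
from urllib.parse import urlparse


def check_config(ingest_url: str, api_key: str) -> List[str]:
    """Return a list of problems; an empty list means the static config looks sane."""
    problems = []
    u = urlparse(ingest_url)
    if u.scheme != "https":
        problems.append("ingest URL is not https")
    if not u.hostname:
        problems.append("ingest URL has no hostname")
    if not api_key.strip():
        problems.append("API key is empty")
    elif api_key != api_key.strip():
        problems.append("API key has leading/trailing whitespace (copy-paste artefact)")
    return problems


def check_egress(host: str, port: int = 443, timeout: float = 5.0) -> Optional[str]:
    """TCP + TLS handshake to the ingest host; None on success, else the reason.
    Blocked egress or a TLS-intercepting proxy shows up here; a wrong region or
    stale key only shows up as a non-200 from the collector on a real test post."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            ctx = ssl.create_default_context()   # verifies the server certificate
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                tls.getpeercert()
        return None
    except OSError as exc:                       # ssl.SSLError is an OSError too
        return f"outbound TLS to {host}:{port} failed: {exc}"


if __name__ == "__main__":
    # Placeholder URL with an assumed path shape; substitute the real ingest URL.
    url = "https://ingest.example.invalid/api/ingest/collector"
    for problem in check_config(url, "abc\n") or ["static config OK"]:
        print(problem)
    print(check_egress(urlparse(url).hostname) or "egress OK")
```

Run check_config() against the values the systemd unit actually loads (not the ones you think you pasted), then check_egress() from the Eyeglass VM itself, since a firewall rule that allows the admin workstation but not the VM is exactly the case this catches.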