# CrowdStrike (Next-Gen SIEM)

## Prerequisites

* CrowdStrike tenant with access to **Falcon LogScale** (or Next‑Gen SIEM).
* Permission to create **Ingest Tokens** on a target **Repository**.
* Network egress from Teleskope to your CrowdStrike ingest URL.

***

### 1) Create a LogScale Ingest Token & find your ingest URL

1. In the CrowdStrike Falcon console, open LogScale → choose your Repository (or create one dedicated to Teleskope alerts).
2. Go to Settings → Ingest Tokens → Create Token.
3. (Optional) Attach a parser to this token if you want custom field mapping.
4. Copy:
   * Ingest URL (examples: `https://cloud.us.humio.com`, `https://cloud.eu.humio.com`)
   * Ingest Token (bearer token)

Endpoint (path appended to the ingest URL):

* Structured JSON: `POST /api/v1/ingest/humio-structured`
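
An added example (not Teleskope or CrowdStrike code) for checking the URL and token from this step before entering them in Teleskope: it posts one constructed test event to the structured endpoint and reports the HTTP status. The environment variable names `LOGSCALE_URL` and `LOGSCALE_INGEST_TOKEN`, the helper function names and the event fields are assumptions.

```shell
#!/bin/sh
# Added example: smoke-test a LogScale ingest token and URL.
# Assumed (not from the page): env vars LOGSCALE_URL and LOGSCALE_INGEST_TOKEN,
# the helper names, and the constructed test event fields below.

INGEST_PATH="/api/v1/ingest/humio-structured"

# Join base URL and endpoint path, tolerating a trailing slash on the base URL.
ingest_endpoint() {
  printf '%s%s\n' "${1%/}" "$INGEST_PATH"
}

# Build a humio-structured body: an array of {tags, events[]}, where each
# event carries a timestamp and an attributes object. Values are constructed.
build_payload() {
  ts="$1"
  printf '[{"tags":{"source":"teleskope-smoke-test"},"events":[{"timestamp":"%s","attributes":{"message":"ingest token check","test":"true"}}]}]\n' "$ts"
}

# Refuse plain HTTP so the bearer token is never sent in clear text.
require_https() {
  case "$1" in
    https://*) return 0 ;;
    *) return 1 ;;
  esac
}

# POST one test event and echo the HTTP status code. The token is passed via a
# curl config on stdin so it does not appear in the process list.
send_test_event() {
  base="$1"; token="$2"
  require_https "$base" || { echo "refusing non-HTTPS URL: $base" >&2; return 2; }
  printf 'header = "Authorization: Bearer %s"\n' "$token" |
    curl -sS -K - -o /dev/null -w '%{http_code}' \
      -H 'Content-Type: application/json' \
      --data "$(build_payload "$(date -u +%Y-%m-%dT%H:%M:%SZ)")" \
      "$(ingest_endpoint "$base")"
}

# Only talk to the network when both variables are set.
if [ -n "${LOGSCALE_URL:-}" ] && [ -n "${LOGSCALE_INGEST_TOKEN:-}" ]; then
  status=$(send_test_event "$LOGSCALE_URL" "$LOGSCALE_INGEST_TOKEN")
  echo "HTTP $status"
  case "$status" in
    2*) ;;
    *) echo "ingest failed: check token, repository and egress" >&2 ;;
  esac
fi
```

A 2xx status confirms the URL and token pair from the host where the script runs; it does not by itself prove egress from Teleskope.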

***

### 2) Add the CrowdStrike destination in Teleskope

**Policy Maker → Integrations → CrowdStrike**

Provide:

* **Base URL**: your LogScale URL (e.g., `https://cloud.us.humio.com`)
* **Bearer token**: the Ingest Token from step 1

> If your Teleskope environment doesn’t show a CrowdStrike destination yet, reach out to Teleskope support.

***

### 3) Create a policy

**Policy Maker → Create/Edit Policy**

1. Define your conditions as usual.
2. **Step 4 – Actions**: choose **Send to CrowdStrike**.

{% hint style="warning" %}
We recommend adding CrowdStrike notifications only after the policy has been created and its initial violations have populated. A ticket is created per violation, so make sure policies are sufficiently scoped.
{% endhint %}
