Configure CrowdStrike Falcon EDR integration

  • Release version: Australia
  • Updated April 21, 2026
  • Download and configure the CrowdStrike Falcon EDR integration to enable endpoint detection and response capabilities in your ServiceNow instance.

    Before you begin

    Role required: sn_sec_tisc.admin
    Important:
    • The Threat Intelligence Security Center application must be installed and activated.
    • Obtain the API Client ID and API Client Secret from the CrowdStrike Falcon console.
    • In the CrowdStrike Falcon portal, under API Scopes, enable read and write access for IOC Management.

    Procedure

    1. Navigate to Threat Intelligence Security Center.
    2. Download the integration from the ServiceNow Store.
    3. Select Integrations > Security Tools > EDR.
    4. Select Configure New Security Tool to configure the CrowdStrike Falcon EDR integration.
    5. Select CrowdStrike Falcon EDR.
    6. On the Configure new security tool form, fill in the fields as appropriate.
      Table 1. Create Enrichment Integration
      Field | Description
      Name | Name for the new security tool integration. For example, CrowdStrike Falcon EDR.
      Vendor Name | Name of the vendor. The details of the selected vendor are populated by default. For example, CrowdStrike Falcon EDR.
      Description | Description for the new security tool integration.
      Integration Type | Type of integration.
      Integration Category | Category of integration.
      Integration Configuration
      Base URL | The CrowdStrike API base URL. The default value is https://api.crowdstrike.com. For more information, see https://falcon.crowdstrike.com/documentation/page/a2a7fc0e/crowdstrike-oauth2-based-apis#k9578c40
      Client ID | The client ID that you obtained from CrowdStrike. For more information, see https://falcon.crowdstrike.com/documentation/page/a2a7fc0e/crowdstrike-oauth2-based-apis.
      Client Secret | The client secret key that you obtained from CrowdStrike. For more information, see https://falcon.crowdstrike.com/documentation/page/a2a7fc0e/crowdstrike-oauth2-based-apis.
      Expiration period in days for any type of observables | The expiry period in days that is applied to observables of any type when they are sent to CrowdStrike EDR. Note: This option is a fallback expiration period that is used when the expiration time is not set for a specific observable type.
      IP Observable Expiration Time | The expiry period in days that is applied to IP observables when they are sent to CrowdStrike EDR.
      Domain Observable Expiration Time | The expiry period in days that is applied to domain observables when they are sent to CrowdStrike EDR.
      Hash Observable Expiration Time | The expiry period in days that is applied to hash observables when they are sent to CrowdStrike EDR.
    7. Select Save to apply the changes.
      The integration details are validated, and by default the CrowdStrike EDR integration's status is turned off.
    8. Select Enable to enable the CrowdStrike EDR integration.
      Note:
      Multiple configurations are allowed for the CrowdStrike Falcon EDR integration.
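
The four expiration fields in Table 1 interact: a type-specific value wins, and the "any type" period applies only when the type-specific field is unset. The following sketch is an added example, not ServiceNow or CrowdStrike code, that models that resolution so you can predict when a pushed observable will age out. The config keys, the type names and the assumption that the period is counted from the send time are illustrative.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical keys standing in for the four expiration fields on the form;
# None models a field that was left empty.
CONFIG = {
    "default_days": 90,   # Expiration period in days for any type of observables
    "ip_days": 30,        # IP Observable Expiration Time
    "domain_days": None,  # Domain Observable Expiration Time (left unset here)
    "hash_days": 365,     # Hash Observable Expiration Time
}

TYPE_FIELD = {"ip": "ip_days", "domain": "domain_days", "hash": "hash_days"}


def expiry_days(config, observable_type):
    """Return the period in days that applies to one observable type."""
    field = TYPE_FIELD.get(observable_type.lower())
    days = config.get(field) if field else None
    if days is None:                      # no type-specific value: fall back
        days = config.get("default_days")
    if not isinstance(days, int) or isinstance(days, bool) or days <= 0:
        raise ValueError(f"no usable expiration period for {observable_type!r}")
    return days


def expires_at(config, observable_type, sent_at):
    """Expiry timestamp, assuming the period is counted from the send time."""
    if sent_at.tzinfo is None:
        raise ValueError("sent_at must be timezone-aware")
    return sent_at.astimezone(timezone.utc) + timedelta(
        days=expiry_days(config, observable_type))


def plan(config, observables, sent_at):
    """Map each (type, value) pair to an ISO 8601 UTC expiry string."""
    return {value: expires_at(config, otype, sent_at).isoformat()
            for otype, value in observables}


if __name__ == "__main__":
    # Constructed sample batch using documentation-reserved values.
    batch = [("ip", "203.0.113.7"), ("domain", "malicious.example"),
             ("hash", "0" * 64)]
    sent = datetime(2026, 4, 21, 12, 0, tzinfo=timezone.utc)
    for value, when in plan(CONFIG, batch, sent).items():
        print(f"{value:<66} expires {when}")
```

Leaving both a type-specific field and the fallback empty is treated as an error here, so a gap in the configuration surfaces before any observable is planned.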