Falcon XDR Detections & Records Connector

CrowdStrike Falcon XDR: ExtraHop Detection & Record Connector


Extend protection beyond your endpoints with CrowdStrike Falcon® XDR integrated with ExtraHop NDR. Falcon® XDR provides consolidated threat visibility, hassle-free detections and investigation, and end-to-end orchestration and response.

This integration sends the Detections and Records that ExtraHop generates from your wire data to Falcon XDR in real time.

Download Bundle:
Falcon XDR_ Connector.json (9.6 KB)

The following figure shows an example of ExtraHop Record data in XDR, where you can then leverage the data to create dashboards or run powerful queries using the LogScale Query Language.

Figure 1. ExtraHop Record data in XDR

Bundle Contents

  • (5) Triggers
    • Falcon XDR: Detection Connector
    • Falcon XDR: Record Connector - DNS_RESPONSE
    • Falcon XDR: Record Connector - HTTP_RESPONSE
    • Falcon XDR: Record Connector - RDP_OPEN
    • Falcon XDR: Record Connector - SSL_OPEN


Requirements

  • You must have Reveal(x) Enterprise or 360, running firmware 8.8 or later.
  • You must have an ExtraHop user account that has Unlimited privileges.
  • You must have Falcon XDR.
  • You must be able to set up an ExtraHop Reveal(x) Data Connector in Falcon.

Installation Instructions

Configure LogScale

  1. Follow the CrowdStrike documentation, and return to these steps when you have your ingest endpoint and authentication token.

Configure ExtraHop Reveal(x)

Install the bundle

When installing the bundle on a Command appliance or Cloud Control Plane, select the option to install the bundle on all of the connected sensors that should participate in this integration.

  1. Download the bundle on this page.
  2. Upload and apply the bundle.

Configure ODS targets

When installing this bundle on a Command appliance or 360 console, configure the open data stream (ODS) targets on each connected Discover appliance that the bundle was installed on.

  1. Log in to the Admin UI on the Discover appliance.
  2. Configure an HTTP target for an open data stream with the following parameters:
    • In the Name field, type Crowdstrike_XDR
    • In the Host field, type the hostname CrowdStrike provided when configuring the Reveal(x) data ingestion.
    • In the Port field, type 443
    • From the Type drop-down list, select HTTPS.
    • Check “Multiple connections”.
    • Enter the Additional HTTP header using your XDR token:
      Authorization: Bearer <YOUR_INGEST_TOKEN>
      Note: Replace <YOUR_INGEST_TOKEN> with the one CrowdStrike provided when configuring the Reveal(x) data ingestion.

The completed ODS target page should look similar to the following figure:

Configure the triggers

  1. In the Web UI on the Reveal(x) 360 Console or Command appliance where you installed the bundle, click the System Settings icon, and then click Triggers.
  2. In the list of triggers, filter on Falcon XDR.
  3. Click the select-all checkbox at the top left, next to Name.
  4. Click Enable in the right-hand pane.
  5. (Optional) Click into each Record Connector trigger to modify its assignments, and pick the specific Devices or Groups whose Records will be sent. Note: Detection updates have no assignments and all Detections are sent; only the Record Connector triggers need assignments.
  6. Click Save, then click Done.
  7. Your configured data is available in Falcon XDR, in real time.