CrowdStrike Integration

Stream detection events to CrowdStrike Falcon LogScale (formerly Humio) for centralized SIEM analysis, threat correlation, and security monitoring.

Prerequisites

CrowdStrike Falcon LogScale account
Ingest Token (from LogScale)
LogScale repository configured

Getting CrowdStrike Credentials

Ingest Token

Log into CrowdStrike Falcon LogScale (or your regional URL)
Navigate to your repository
Go to Settings → Ingest Tokens
Click Add Token
Name it “WebDecoy Integration”
Copy the token

Regional URLs

Region	LogScale URL
US	cloud.us.humio.com
EU	cloud.humio.com
US-2	cloud.community.humio.com

Configuring Integration

Go to Integrations → CrowdStrike
Click Add CrowdStrike Integration

Enter:

Field	Description
Name	Friendly name for this integration
LogScale URL	Your LogScale instance URL
Ingest Token	Token from LogScale
Source	Event source name (default: `webdecoy`)
Source Type	Event source type (default: `webdecoy:detection`)

Configure trigger conditions:

Trigger Description
On Detection Send every detection event
On High Risk Only send high-risk detections (score ≥ 75)
On Rule Enforced Send when blocking rules are triggered
Configure optional filters:

Filter Description
Minimum Bot Score Only send detections above this score
Specific Decoys Limit to specific decoy IDs
Click Save

Trigger	Description
On Detection	Send every detection event
On High Risk	Only send high-risk detections (score ≥ 75)
On Rule Enforced	Send when blocking rules are triggered

Filter	Description
Minimum Bot Score	Only send detections above this score
Specific Decoys	Limit to specific decoy IDs

Event Format

WebDecoy sends events using the HTTP Event Collector (HEC) format:

{
  "time": 1704067200,
  "host": "webdecoy",
  "source": "webdecoy",
  "sourcetype": "webdecoy:detection",
  "event": {
    "detection_id": "det_abc123",
    "detection_type": "decoy_link",
    "ip_address": "192.168.1.100",
    "threat_score": 85,
    "threat_level": "critical",
    "bot_score": 92,
    "is_bot": true,
    "is_vpn": false,
    "user_agent": "Mozilla/5.0...",
    "path": "/admin/backup.zip",
    "method": "GET",
    "country": "US",
    "city": "New York",
    "asn": "AS12345",
    "isp": "Example ISP",
    "mitre_tactic": "reconnaissance",
    "mitre_technique": "T1595",
    "property_id": "prop_def456",
    "property_name": "Production Site",
    "decoy_id": "dec_ghi789",
    "decoy_name": "Admin Backup Link",
    "created_at": "2025-01-15T10:30:00Z"
  },
  "fields": {
    "property": "Production Site",
    "threat_level": "critical",
    "detection_type": "decoy_link"
  }
}

Event Fields

Field	Description	Example
`detection_id`	Unique detection ID	`det_abc123`
`detection_type`	Type of detection	`decoy_link`, `bot_scanner`, `endpoint`
`ip_address`	Source IP	`192.168.1.100`
`threat_score`	Risk score (0-100)	`85`
`threat_level`	Risk level	`minimal`, `low`, `medium`, `high`, `critical`
`bot_score`	Bot likelihood (0-100)	`92`
`is_bot`	Bot detection	`true`, `false`
`is_vpn`	VPN detected	`true`, `false`
`mitre_tactic`	MITRE ATT&CK tactic	`reconnaissance`
`mitre_technique`	MITRE technique ID	`T1595`
`country`	Source country code	`US`
`property_name`	Property name	`Production Site`

LogScale Queries

Recent Detections

sourcetype="webdecoy:detection"
| table([@timestamp, event.ip_address, event.threat_level, event.detection_type, event.path])

High-Risk Detections

sourcetype="webdecoy:detection" event.threat_level="critical" OR event.threat_level="high"
| sort(@timestamp, order=desc)

Detection Count by Type

sourcetype="webdecoy:detection"
| groupBy(event.detection_type, function=count())

Top Attacking IPs

sourcetype="webdecoy:detection"
| groupBy(event.ip_address, function=[count(), avg(event.threat_score)])
| sort(_count, order=desc)
| head(20)

Geographic Distribution

sourcetype="webdecoy:detection"
| groupBy(event.country, function=count())
| sort(_count, order=desc)

Bot vs Human Detections

sourcetype="webdecoy:detection"
| case {
    event.is_bot=true | detection_source := "Bot";
    * | detection_source := "Human";
  }
| groupBy(detection_source, function=count())

MITRE ATT&CK Tactics

sourcetype="webdecoy:detection"
| groupBy(event.mitre_tactic, function=count())
| sort(_count, order=desc)

Building Dashboards

Recommended Widgets

Detection Timeline:

Time chart of detections over time
Group by threat_level for color coding

Threat Level Breakdown:

Pie chart by event.threat_level
Shows distribution of severity

Top IPs:

Table of attacking IPs
Include count and average score

Geographic Map:

World map visualization
Color by detection count per country

MITRE Coverage:

Bar chart of MITRE tactics
Shows attack types detected

Sample Dashboard

Create a dashboard with these panels:

Detections Over Time - Timechart grouped by threat_level
Threat Level Distribution - Pie chart
Top 10 Attacking IPs - Table with count
Detection Types - Bar chart
Bot vs Human - Pie chart
Countries - World map or table

Alerting

Create LogScale alerts for WebDecoy events:

Critical Detection Alert

sourcetype="webdecoy:detection" event.threat_level="critical"
| count()

Trigger: count > 0
Window: 5 minutes
Action: Notify security team

Detection Spike Alert

sourcetype="webdecoy:detection"
| bucket(span=5m)
| count()

Trigger: count > 100 (adjust based on baseline)
Action: Alert on anomaly

Known Attacker Alert

sourcetype="webdecoy:detection"
| groupBy(event.ip_address, function=count())
| _count > 10

Trigger: Any result
Window: 1 hour
Action: Block IP / investigate

Integration with Falcon Platform

Correlating with Endpoint Data

WebDecoy detections can be correlated with CrowdStrike Falcon endpoint data:

Use IP address to find matching endpoint alerts
Correlate by timestamp for attack timeline
Link web reconnaissance to endpoint compromise attempts

Threat Graph Integration

Add WebDecoy detections to your threat graph:

Create custom IOC from detected IPs
Track attack progression from web to endpoint
Build attack timelines across data sources

Trigger Tracking

WebDecoy tracks integration activity:

Metric	Description
Trigger Count	Total events sent
Failure Count	Failed delivery attempts
Last Triggered	Most recent event sent
Last Error	Most recent error message

View these in the integration details page.

Best Practices

Do’s

✅ Use descriptive source/sourcetype names
✅ Start with “On High Risk” to reduce volume
✅ Create dashboards for visibility
✅ Set up alerts for critical detections
✅ Correlate with endpoint data
✅ Use MITRE fields for threat intelligence

Don’ts

❌ Forward all events without filtering first
❌ Use overly broad ingest tokens
❌ Ignore integration error metrics
❌ Skip dashboard creation

Troubleshooting

Events Not Appearing

Verify Ingest Token is correct
Check LogScale URL matches your region
Ensure integration is active (toggle enabled)
Check the integration’s failure count
Query LogScale: sourcetype="webdecoy:detection" | head(10)

Authentication Errors

Regenerate Ingest Token in LogScale
Verify token has write permissions
Check token hasn’t expired
Ensure correct repository selected

Missing Events

Check trigger conditions match your detections
Verify minimum bot score filter
Check decoy ID filter if configured
Review last error message in integration details

High Failure Count

Check LogScale service status
Verify network connectivity
Check rate limits on your account
Review error messages in integration

Next Steps

Datadog - Alternative SIEM integration
Cloudflare - Automatic IP blocking
Overview - All integrations