
Integrating CrowdStrike with NordStellar

This guide walks you through connecting NordStellar to CrowdStrike Next-Gen SIEM. Once connected, NordStellar sends alert findings such as leaked credentials, malware infections, dark web mentions, and attack surface vulnerabilities into CrowdStrike so your SOC team can query, alert on, and respond to them alongside the rest of your security telemetry.

How the Integration Works

NordStellar provides a dedicated NordStellar data connector for CrowdStrike Next-Gen SIEM. You add it from CrowdStrike's connector catalog under Data onboarding, and CrowdStrike generates an ingestion API URL and an API key for it. You then enter those two values in NordStellar, and NordStellar pushes findings to your CrowdStrike tenant as structured JSON events over HTTPS.

Because the connector is purpose-built for NordStellar, it already includes the parser needed to index NordStellar findings correctly — you don't have to configure parsing yourself.

At a high level:

  1. Add the NordStellar data connector in CrowdStrike Next-Gen SIEM.
  2. Generate and copy the connector's API URL and API key.
  3. Add the CrowdStrike integration in NordStellar and choose which projects and findings to forward.
  4. Verify that NordStellar events are arriving in CrowdStrike.

You do not need to deploy a Falcon LogScale collector or install any agent for this integration. NordStellar sends events directly to the connector's ingestion endpoint over HTTPS.

Prerequisites

Before you begin, make sure you have:

  • A CrowdStrike Falcon subscription with Next-Gen SIEM enabled.
  • Administrator or Connector Manager access in the Falcon console (required to add data connectors and generate API keys).
  • Organization Admin permissions in NordStellar.
  • Access to the NordStellar organization and projects whose findings you want to send to CrowdStrike.

Step 1: Add the NordStellar Data Connector in CrowdStrike

Add the connector in the CrowdStrike tenant where NordStellar findings should appear.

Open the connector catalog

Select the NordStellar connector

  • In the connector catalog, search for NordStellar.
  • Select the NordStellar connector tile, then click Configure.

Configure and save

  • Give the connector a descriptive name, for example NordStellar.
  • Leave the bundled NordStellar parser selected so findings are indexed correctly.
  • Acknowledge any terms and conditions if prompted, then click Save.
  • Wait for the connector setup to finish. When it's ready, a banner appears at the top of the connector page.

Step 2: Generate and Copy the Connector Credentials

Generate the API key

ℹ️

The API key is shown only once, when it is generated. Copy it immediately and store it securely — if you lose it, you'll need to generate a new one.

  • On the connector page, click Generate API Key in the banner (or on the connector's details page).
  • Copy the API URL — the ingestion endpoint that NordStellar will send events to.
  • Copy the API key — the authorization token for the connector.
  • Keep these values handy to finish the setup in NordStellar.

Step 3: Add the Integration in NordStellar

Now return to the NordStellar Platform to create the integration.

Open Security Integrations

  • On the NordStellar Platform, go to the Settings section.
  • In the menu, open Security Integrations.
  • Click Add Security Integration.
  • Select CrowdStrike from the list of providers.

Enter your connector details

In the Connect CrowdStrike dialog, provide:

  • Integration name — a descriptive label to help you identify this integration.
  • API URL — paste the API URL from the CrowdStrike connector.
  • API key — paste the API key from the CrowdStrike connector.

Choose scope and options

  • Apply to all projects: Enabled by default. Leave on to forward findings from every project in your organization (including projects added later), or turn it off and use the Projects picker to select specific projects.
  • Send existing events: Off by default. Enable to backfill historical findings. When enabled, choose a Send existing events from date — findings detected on or after that date are sent in addition to all new findings. This option is only available when first creating the integration.
  • Include consumer credentials' passwords: Off by default. Enable only if you want plaintext passwords from consumer credential findings included in the forwarded events.

Save the integration

  • Click Connect to save.
ℹ️

When you save, NordStellar sends a test alert to your CrowdStrike connector to verify the connection. If the test fails, the integration is not saved — double-check the API URL and API key and try again.

  • Once connected, NordStellar begins forwarding new findings to your CrowdStrike tenant. If you enabled backfill, historical findings are sent shortly after.

Step 4: Verify Data in CrowdStrike

After saving, look for the test alert titled "This is a test alert!" in your connector's data. It can then take several minutes for ongoing findings to appear. To confirm data is flowing:

  1. In the Falcon console, go to Next-Gen SIEM and open Advanced event search.

  2. Search for events from the NordStellar connector. You can filter by the repository or connector name you assigned, for example:

    #repo = "nordstellar"
    | tail(50)

  3. You should see structured JSON records containing the NordStellar finding details, including a type field such as COMBO_LIST, MALWARE_INFECTION, or DARK_WEB_FORUM_POST.

Once data is flowing, you can build CrowdStrike Next-Gen SIEM correlation rules, dashboards, and workflows on top of the NordStellar findings.

Troubleshooting

If findings are not appearing in CrowdStrike, review the following:

  • The connection test failed when saving:

    • Confirm the API URL and API key in NordStellar exactly match the values on the CrowdStrike connector page.
    • Verify there are no trailing spaces or truncated characters in the pasted API URL or API key.
    • Confirm the API URL is the connector's full HTTPS ingestion endpoint.
  • No data after several minutes:

    • Confirm the NordStellar data connector is Active in CrowdStrike (Next-Gen SIEM → Data onboarding → Data connectors).
    • Check that enough time has passed for the first events to be sent and indexed.
    • Confirm the integration is enabled in NordStellar.
  • Project scope is too narrow:

    • In NordStellar, confirm that the integration applies to the projects whose findings you expect to see.
    • If you enabled Send existing events, verify that the selected date range includes the findings you are checking.
  • Network/Firewall:

    • Confirm there are no restrictions preventing NordStellar from reaching the CrowdStrike ingestion endpoint over HTTPS.
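
The checks listed under "The connection test failed when saving" can be run on the copied values before they are pasted into NordStellar. The script below is an added example, not NordStellar or CrowdStrike code; the URL and key are constructed placeholders and the function names are hypothetical.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed placeholder values, not a real CrowdStrike endpoint or key.
SAMPLE_URL = "https://connector.example.invalid/ingest/v1"
SAMPLE_KEY = "constructed-key-0123456789abcdef"


def hidden_chars(value):
    """Names of separator, control and format characters inside value."""
    names = set()
    for ch in value:
        cat = unicodedata.category(ch)
        # Z* = spaces incl. NBSP, Cc = control, Cf = zero-width/BOM
        if cat[0] == "Z" or cat in ("Cc", "Cf"):
            names.add(unicodedata.name(ch, f"U+{ord(ch):04X}"))
    return sorted(names)


def check_connector_values(api_url, api_key):
    """Return a list of problems; an empty list means both values are well-formed."""
    problems = []
    for label, value in (("API URL", api_url), ("API key", api_key)):
        if not value:
            problems.append(f"{label}: empty")
        elif value != value.strip():
            problems.append(f"{label}: leading or trailing whitespace")
        hidden = hidden_chars(value.strip())
        if hidden:
            problems.append(f"{label}: hidden characters ({', '.join(hidden)})")
    parts = urlsplit(api_url.strip())
    if parts.scheme != "https":
        problems.append("API URL: scheme is not https")
    if not parts.hostname:
        problems.append("API URL: no host name")
    if parts.username or parts.password:
        problems.append("API URL: credentials embedded in the URL")
    return problems


def mask(secret):
    """Keep only the last four characters so the key stays out of logs and tickets."""
    return "*" * max(len(secret) - 4, 0) + secret[-4:]


if __name__ == "__main__":
    pasted_key = SAMPLE_KEY + "\u200b"  # zero-width space picked up while copying
    print(mask(SAMPLE_KEY), check_connector_values(SAMPLE_URL + " ", pasted_key))
```

The zero-width space case is the one a visual comparison of the two values will not catch, because the pasted key looks identical to the one on the connector page.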

If you've checked these details and the problem persists, please contact NordStellar support for assistance.
