IoT Security Integration Guide
  • IoT Security Integration Guide
  • IoT Security Documentation
  • All Documentation
>
Integrate IoT Security with CrowdStrike
Focus
Download PDF
Focus
  1. Home
  2. IoT Security
  3. Endpoint Protection
  4. Integrate IoT Security with CrowdStrike
Download PDF
IoT Security

Integrate IoT Security with CrowdStrike

Table of Contents

Integrate IoT Security with CrowdStrike

Integrate IoT Security through Cortex XSOAR with CrowdStrike.
Where Can I Use This?What Do I Need?
  • IoT Security (Managed by IoT Security)
  • IoT Security subscription for an advanced IoT Security product (Enterprise Plus, Industrial OT, or Medical)
One of the following Cortex XSOAR setups:
  • An IoT Security Third-party Integration Add-on license that includes a cohosted, limited-featured Cortex XSOAR instance
  • A full-featured Cortex XSOAR server
CrowdStrike is a detection and response app that uses endpoint sensors to detect threats and uncover the cause to accelerate investigations. A CrowdStrike cloud server collects endpoint data from sensors installed on IT devices such as laptops and desktops.
By integrating IoT Security with CrowdStrike, IoT Security can import attributes for devices in its inventory.
IoT Security can receive the following device attributes through an integration with CrowdStrike:
  • Hostname – The hostname of a device
  • OS – The operating system running on the device
  • OS version – The version of the operating system
  • OS type – The type of operating system running on a device
  • Serial number – The device serial number
  • Vendor – The device vendor
  • Endpoint Detection Response (EDR) isolation status – Whether or not a device, or endpoint, is being isolated, a condition in which all network access for the isolated device is blocked except for traffic to the CrowdStrike cloud server
  • EDR operational status – The status of the protection that a CrowdStrike sensor is providing the device hosting it: Protected, Partially Protected, or Unprotected
  • EDR group name – The name of the endpoint group to which a device is assigned
You can display columns on the Devices page for EDR isolation status, EDR operational status, and EDR group name. For example, the EDR Isolation Status column is shown below.
You can also see the three EDR attributes on the Device Details page.
Device attributes that IoT Security discovers for hostname, OS, OS version, OS type, serial number and vendor take precedence over those received from CrowdStrike. If IoT Security already has values for any of these attributes, it does not replace them with values from CrowdStrike. If you’re using both Cortex XDR and CrowdStrike for EDR and there’s a conflict in the reported data, IoT Security displays whatever was reported most recently.
Integrating with CrowdStrike requires either a full-featured Cortex XSOAR server or the purchase and activation of an IoT Security third-party integration add-on license, which comes with a free cohosted Cortex XSOAR instance. The basic plan includes a license for three integration add-ons, one of which can be used for CrowdStrike. The advanced plan includes a license for all supported third-party integrations.

Technical Documentation

Company

Legal Notices

© 2025 Palo Alto Networks, Inc. All rights reserved.