CrowdStrike integration is available to organizations with Password Management or Credential Protection.
With a CrowdStrike integration, you can track how your team members use Dashlane, as we send your Dashlane activity logs automatically to CrowdStrike.
CrowdStrike is a next-gen security information and event management (SIEM) platform designed for real-time threat detection and massive-scale data ingestion. CrowdStrike combines log management with AI-driven analytics, threat intelligence, and automated incident response.
Process overview
This guide explains how to forward Dashlane Audit Logs to CrowdStrike Next-Gen SIEM/Falcon LogScale from Windows or macOS using:
- Dashlane CLI key (Read-only activity logs)
- Dashlane audit-logs Docker image
- Fluent Bit for log forwarding
- CrowdStrike’s HEC/HTTP Event Collector with a custom parser
Prerequisites
Dashlane
- Admin in an organization with Password Management or Credential Protection
- Admin Console access
- Ability to create CLI keys
- Scope required: Read-only activity logs
CrowdStrike
- Access to Next-Gen SIEM/LogScale
- Ability to create:
- A Data Connection
- A Parser (blank template works)
Set up CrowdStrike integration
Windows
Recommended setup
- Windows 10 or later
- Docker Desktop installed and running
- PowerShell available
1. Configure CrowdStrike HEC/HTTP Event Collector
- Log in to Falcon LogScale.
-
Go to: Next-Gen SIEM, Data connections and then Add connection.
-
Search for and select:
- HEC/HTTP Event Collector
- Select Configure
- Set:
- Vendor: Generic
- Vendor Product: Generic
- Create a parser:
- Scroll to Parser
- Select Create new parser
-
Choose Blank Template
Name it:
dashlane_parser -
Select Save.
-
Copy the API Key and API URL as you'll use them in Fluent Bit.
- Save the connector.
2. Generate Dashlane CLI key
In Dashlane Admin Console:
- Log in to the Dashlane browser extension and open the Admin Console
- Select Settings and then Developer Access
- After this, select Create CLI Key
- Name: CrowdStrike SIEM Key
- Scope: Read-only activity logs
- Select the expiration date
-
Select Generate key
-
Copy the key, which starts with DASH_EDWSA_
Store the CLI key securely.
3. Install the Docker Desktop
Verify installation: docker version
4. Create a working directory in PowerShell
mkdir C:\DashlaneCrowdStrike
5. Create fluent bit configuration
Run this in PowerShell, updating the Host line before running:
@'
[INPUT]
Name stdin
Tag dashlane
[OUTPUT]
Name crowdstrike
Match *
Host CROWDSTRIKE_INGEST_HOST
Port 443
URL /services/collector
tls On
tls.verify On
format json_lines
Header Authorization Splunk CROWDSTRIKE_HEC_TOKEN
Header Content-Type application/json
'@ | Set-Content -Path .\fluent-bit.conf
Update before running:
CROWDSTRIKE_INGEST_HOST
CROWDSTRIKE_HEC_TOKEN
Change URL if your connector uses /api/v1/ingest/hec
6. Pull Dashlane activity logs Docker image
Run in PowerShell:
docker pull dashlane/audit-logs:2
7. Run the Dashlane → CrowdStrike Container
Replace the placeholders with your actual values, then run this in PowerShell:
docker run -d ` --restart unless-stopped ` --platform linux/amd64 ` --name dashlane-crowdstrike ` -eDASHLANE_ENROLLED_TEAM_DEVICE_KEYS="DASH_EDWSA_XXXXXXXXXXXXXXXX..." ` -e DASHLANE_CLI_FLUENTBIT_CONF=/fluent-bit.conf ` -v "$(pwd)/fluent-bit.conf:/fluent-bit.conf:ro" ` dashlane/audit-logs:2
8. Verify the integration
Check container:docker ps
Check runtime logs:docker logs dashlane-crowdstrike --tail 50
Verify in CrowdStrike:
- Open LogScale
- Go to the repository you attached to the connector
-
Search for:
dashlane
You should see incoming activity log events.
macOS
Recommended setup
- macOS 12 or later
- Docker Desktop installed and running
- Terminal access
1. Configure CrowdStrike HEC/HTTP Event Collector
- Log in to Falcon LogScale.
-
Go to: Next-Gen SIEM, Data connections and then Add connection.
-
Search for and select:
- HEC/HTTP Event Collector
- Select Configure
- Set:
- Vendor: Generic
- Vendor Product: Generic
- Create a parser:
- Scroll to Parser
- Select Create new parser
-
Choose Blank Template
Name it:
dashlane_parser -
Select Save.
-
Copy the API Key and API URL as you'll use them in Fluent Bit.
- Save the connector.
2. Generate Dashlane CLI key
In Dashlane Admin Console:
- Log in to the Dashlane browser extension and open the Admin Console
- Select Settings and then Developer Access
- After this, select Create CLI Key
- Name: CrowdStrike SIEM Key
- Scope: Read-only activity logs
- Select the expiration date
-
Select Generate key
-
Copy the key, which starts with DASH_EDWSA_
Store the CLI key securely.
3. Install the Docker Desktop
Verify installation: docker version
4. Create a working directory in Terminal
mkdir -p ~/DashlaneCrowdStrike
cd ~/DashlaneCrowdStrike
5. Create fluent bit configuration
Create a fluent-bit.conf file:
cat fluent-bit.conf <><'eof'>
[INPUT]
Name stdin
Tag dashlane
[OUTPUT]
Name crowdstrike
Match *
Host CROWDSTRIKE_INGEST_HOST
Port 443
URL /services/collector
tls On
tls.verify On
format json_lines
Header Authorization Splunk CROWDSTRIKE_HEC_TOKEN
Header Content-Type application/json
EOF
Update before running:
CROWDSTRIKE_INGEST_HOST
CROWDSTRIKE_HEC_TOKEN
Change URL if your connector uses /api/v1/ingest/hec
6. Pull Dashlane activity logs Docker image
Run in Terminal:
docker pull dashlane/audit-logs:2
7. Run the Dashlane → CrowdStrike Container
Replace the placeholders with your actual values, then run this in Terminal:
docker run -d \ --restart unless-stopped \ --platform linux/amd64 \ --name dashlane-crowdstrike \ -eDASHLANE_ENROLLED_TEAM_DEVICE_KEYS="DASH_EDWSA_XXXXXXXXXXXXXXXX..." \ -e DASHLANE_CLI_FLUENTBIT_CONF=/fluent-bit.conf \ -v "$(pwd)/fluent-bit.conf:/fluent-bit.conf:ro" \ dashlane/audit-logs:2
8. Verify the integration
Check container:docker ps
Check runtime logs:docker logs dashlane-crowdstrike --tail 50
Verify in CrowdStrike:
- Open LogScale
- Go to the repository you attached to the connector
-
Search for:
dashlane
You should see incoming activity log events.