CrowdStrike integration is available to organizations with Password Management or Credential Protection.
With our CrowdStrike integration, you can send your Dashlane Activity Logs to CrowdStrike automatically.
CrowdStrike is a next-gen security information and event management (SIEM) platform designed for real-time threat detection and massive-scale data ingestion. CrowdStrike combines log management with AI-driven analytics, threat intelligence, and automated incident response.
With Password Management, you can track how your team members use Dashlane. Events include new devices added, login sharing, invitations to your plan, and admin policy changes. You can set up alerts for specific events, like when someone shares a login with someone outside the organization.
With Credential Protection, you get everything listed above, plus credential risk events: weak and compromised credential usage and phishing incidents detected in the browser. This lets your security team detect credential threats as they happen and correlate them with signals from your other tools in CrowdStrike.
Prerequisites
Dashlane
- Admin in an organization with Password Management or Credential Protection
- Admin Console access
CrowdStrike
- Access to Next-Gen SIEM/LogScale
- Ability to create:
- A Data Connection
- A Parser (blank template works)
Set up CrowdStrike integration
1. Configure CrowdStrike HEC/HTTP Event Collector
- Log in to Falcon LogScale.
-
Go to: Next-Gen SIEM, Data connections and then Add connection.
-
Search for and select:
- HEC/HTTP Event Collector
- Select Configure
- Set:
- Vendor: Generic
- Vendor Product: Generic
-
Create a parser:
- Scroll to Parser
- Select Create new parser
-
Choose Blank Template
Name it:
dashlane_parser - Copy and paste one of these scripts, making sure to add your connector name. We recommend selecting the OCSF script to immediately standardize logs in CrowdStrike:
Dashlane OCSF event script
// ===================================================================== // STATIC METADATA DEFINITIONS // ===================================================================== | Vendor := "Dashlane" | Parser.version := "1.2.0" | ecs.version := "8.17.0" | Cps.version := "2.0.0" | observer.type := "other" | #connector := "put your connecter name here" // ===================================================================== // TIMESTAMP // ===================================================================== // Pulls directly from the root 'time' field automatically unpacked by the cloud | findTimestamp(field=time, as=@timestamp, timezone="UTC") // ===================================================================== // NORMALIZATION: EVENT CATEGORY & TYPE // ===================================================================== | event.kind := "event" // Category Mapping (e.g., maps "Application Activity" to event.category) | TempCategory := coalesce([category_name, "other"]) | array:append(array="event.category[]", values=[TempCategory]) // Activity Mapping (e.g., maps "Update" to event.type) | TempType := coalesce([activity_name, "other"]) | array:append(array="event.type[]", values=[TempType]) | drop([TempCategory, TempType]) // ===================================================================== // NORMALIZATION: USER IDENTITY // ===================================================================== | user.email := actor.user.email_addr | user.name := coalesce([actor.user.email_addr, "unknown_user"]) // ===================================================================== // NORMALIZATION: STATUS, SEVERITY & MESSAGE // ===================================================================== | event.outcome := status | event.severity_name := severity | event.message := message // ===================================================================== // NORMALIZATION: NETWORK, GEO & DEVICE ENRICHMENT // ===================================================================== // 1. Source Network IP | source.ip := src_endpoint.ip // 2. Geographic Location Data | source.geo.city_name := src_endpoint.location.city | source.geo.country_iso_code := src_endpoint.location.country // 3. Client Operating System | source.os.name := src_endpoint.os.name | source.os.version := src_endpoint.os.version // 4. Raw User-Agent String (Pulled from the first item in the observables list) | user_agent.original := observables[0].valueDashlane event script
// ===================================================================== // STATIC METADATA DEFINITIONS // ===================================================================== | Vendor := "Dashlane" | Parser.version := "1.0.0" | ecs.version := "8.17.0" | Cps.version := "2.0.0" | observer.type := "other" | #connector := "name of your connector" // ===================================================================== // TIMESTAMP (Native Dashlane Format) // ===================================================================== // Pulls from the 'date_time' epoch millisecond field | findTimestamp(field=date_time, as=@timestamp, timezone="UTC") // ===================================================================== // NORMALIZATION: EVENT CATEGORY & TYPE // ===================================================================== | event.kind := "event" // Category Mapping (e.g., maps "team_settings_siem" to event.category) | TempCategory := coalesce([category, "other"]) | array:append(array="event.category[]", values=[TempCategory]) // Activity Mapping (e.g., maps "nitro_siem_edited" to event.type) | TempType := coalesce([log_type, "other"]) | array:append(array="event.type[]", values=[TempType]) | drop([TempCategory, TempType]) // ===================================================================== // NORMALIZATION: USER IDENTITY // ===================================================================== // In the native schema, the user is found inside the 'properties' object | user.email := properties.author_login | user.name := coalesce([properties.author_login, "unknown_user"]) // ===================================================================== // NORMALIZATION: NETWORK, GEO & DEVICE ENRICHMENT // ===================================================================== // 1. Source Network IP (Native 'device' object) | source.ip := device.ip // 2. Geographic Location Data | source.geo.city_name := device.location.city | source.geo.country_iso_code := device.location.country // 3. Client Operating System | source.os.name := device.os.name | source.os.version := device.os.version // 4. Raw User-Agent String (Pulled from the observables array) | user_agent.original := observables[0].value-
Select Save.
-
Copy the API Key.
- You must use this API URL, but add your own Region and Connector ID:
https://ingest.{region}.crowdstrike.com/api/ingest/humio/{connector_id}/v1/humio-structured- region= eu-1, us-1, us-2
- connector_id = your unique CrowdStrike Logscale ID
-
Example:
https://ingest.eu-1.crowdstrike.com/api/ingest/humio/fd2066a935954344b04121f84e5867ad/v1/humio-structured
- Save the connector.
2. Set up events reporting in Dashlane
- Log in to your Dashlane Admin Console.
- Go to the integrations or events reporting section.
- Select CrowdStrike as your event destination.
- Enter the CrowdStrike API URL (in the format above) and bearer token in the corresponding fields.
-
Before saving, if you previously uploaded the OCSF event script, please toggle on the Enable OCSF mapping for CrowdStrike beta option to immediately standardize logs in CrowdStrike, without having to manually map fields.
-
-
Select Save to enable the connection.
3. Test the connection
Verify in CrowdStrike:
- Generate a test event in Dashlane, such as a new device login or an admin action.
- Open LogScale
- Go to the repository you attached to the connector
-
Search for:
dashlane
You should see incoming activity log events.
After setting up your integration, you can use CrowdStrike to track the events listed in the Activity Log in your Dashlane Admin Console.
Note: Your CrowdStrike integration won't log any previous events. Only new events will be tracked after the setup.
Use Activity Logs to track team activity
If you have any issues with this process, please contact our Support team.