CrowdStrike (CS): Network Requirements

Description

You must be logged into your CrowdStrike (Falcon) Management portal at the following URL to view CrowdStrike linked articles. 

 

Table of Contents

NOAM - US-2 IPs

The Falcon sensor on your hosts uses these fully qualified domain names (FQDNs) to:

  • Falcon Console - Access to CrowdStrike Falcon Management Console
  • CrowdStrike Term Servers - Communicate with the CrowdStrike cloud for everyday operation
  • CrowdStrike Cloud - Retrieve dynamic content from the cloud, includes updates to policy and configuration settings
  • OAuth2-based APIs
  • Event Streams API

Add these FQDNs or IP addresses to your allow lists if your organization blocks these network communications.

  • Communication occurs from the sensor to the CrowdStrike cloud over port 443, outbound only.

Public DNS Name:

 

Falcon Console:

https://falcon.us-2.crowdstrike.com

https://assets.falcon.us-2.crowdstrike.com

https://assets-public.falcon.us-2.crowdstrike.com

 

CrowdStrike Term Servers:

ts01-gyr-maverick.cloudsink.net

 

CrowdStrike Cloud:

lfodown01-gyr-maverick.cloudsink.net

lfoup01-gyr-maverick.cloudsink.net

 

OAuth2-based APIs:

https://api.us-2.crowdstrike.com

 

Event Streams API:

https://firehose.us-2.crowdstrike.com

IPv4 addresses:

 

Falcon Console:

34.223.189.85

44.227.83.73

44.227.251.226

 

CrowdStrike Term Servers:

35.162.224.228

35.162.239.174

50.112.129.218

50.112.130.23

50.112.131.18

52.25.223.26

52.33.193.184

52.35.11.124

52.35.162.27

54.68.92.116

54.71.43.66

100.20.76.137

 

CrowdStrike Cloud:

34.209.79.111

34.210.186.129

34.209.165.130

35.80.210.147

35.160.213.193

35.166.20.122

52.10.219.156

52.27.205.162

100.20.144.105

34.214.236.51

34.215.239.163

44.228.118.64

44.229.24.18

50.112.6.52

54.191.184.169

 

OAuth2-based APIs:

50.112.127.4

50.112.127.55

50.112.111.36

 

Event Streams API:

44.224.200.221

44.225.216.237

44.227.134.78

IPv6 addresses:

 

Falcon Console:

2600:1f14:185:8400::/56 (allow all addresses between 2600:1f14:0185:8400:0000:0000:0000:0000 and 2600:1f14:0185:84ff:ffff:ffff:ffff:ffff)

 

CrowdStrike Term Servers:

2600:1f14:2d89:8300::/56 (allow all addresses between 2600:1f14:2d89:8300:0000:0000:0000:0000 and 2600:1f14:2d89:83ff:ffff:ffff:ffff:ffff)

 

CrowdStrike Cloud:

2600:1f14:2d89:8300::/56 (allow all addresses between 2600:1f14:2d89:8300:0000:0000:0000:0000 and 2600:1f14:2d89:83ff:ffff:ffff:ffff:ffff)

2600:1f14:2d89:8300::/56 (allow all addresses between 2600:1f14:2d89:8300:0000:0000:0000:0000 and 2600:1f14:2d89:83ff:ffff:ffff:ffff:ffff)

 

OAuth2-based APIs:

2600:1f14:185:8400::/56 (allow all addresses between 2600:1f14:0185:8400:0000:0000:0000:0000 and 2600:1f14:0185:84ff:ffff:ffff:ffff:ffff)

 

Event Streams API:

None

EMEA - EU-1 IPs

The Falcon sensor on your hosts uses these fully qualified domain names (FQDNs) to:

  • Falcon Console - Access to CrowdStrike Falcon Management Console
  • CrowdStrike Term Servers - Communicate with the CrowdStrike cloud for everyday operation
  • CrowdStrike Cloud - Retrieve dynamic content from the cloud, includes updates to policy and configuration settings
  • OAuth2-based APIs
  • Event Streams API

Add these FQDNs or IP addresses to your allow lists if your organization blocks these network communications.

  • Communication occurs from the sensor to the CrowdStrike cloud over port 443, outbound only.

Public DNS Name (EMEA):

 

Falcon Console:

https://falcon.eu-1.crowdstrike.com

https://assets.falcon.eu-1.crowdstrike.com

https://assets-public.falcon.eu-1.crowdstrike.com

 

CrowdStrike Term Servers:

ts01-lanner-lion.cloudsink.net

 

CrowdStrike Cloud:

lfodown01-lanner-lion.cloudsink.net

lfoup01-lanner-lion.cloudsink.net

 

OAuth2-based APIs:

https://api.eu-1.crowdstrike.com

 

Event Streams API:

https://firehose.eu-1.crowdstrike.com

IPv4 addresses (EMEA):

 

Falcon Console:

3.121.13.180

18.184.114.155

18.194.8.224

18.197.35.253

3.122.135.178

18.194.222.197

 

CrowdStrike Term Servers:

3.121.6.180

3.121.187.176

3.121.238.86

3.125.15.130

18.158.187.80

18.198.53.88

 

CrowdStrike Cloud:

3.78.32.129

3.121.13.180

3.123.240.202

18.184.114.155

18.194.8.224

35.156.219.65

3.69.184.79

3.76.143.53

3.77.82.22

 

OAuth2-based APIs:

18.157.232.250

18.157.222.4

18.185.224.93

 

Event Streams API:

3.121.28.37

18.196.94.202

52.29.26.172

IPv6 addresses (EMEA):

 

Falcon Console:

None

 

CrowdStrike Term Servers:

2a05:d014:45e:4e00::/56 (allow all addresses between 2a05:d014:45e:4e00:0000:0000:0000:0000 and 2a05:d014:45e:4eff:ffff:ffff:ffff:ffff)

 

CrowdStrike Cloud:

2a05:d014:45e:4e00::/56 (allow all addresses between 2a05:d014:45e:4e00:0000:0000:0000:0000 and 2a05:d014:45e:4eff:ffff:ffff:ffff:ffff)

2a05:d014:45e:4e00::/56 (allow all addresses between 2a05:d014:45e:4e00:0000:0000:0000:0000 and 2a05:d014:45e:4eff:ffff:ffff:ffff:ffff)

 

OAuth2-based APIs:

2a05:d014:45e:4e00::/56 (allow all addresses between 2a05:d014:45e:4e00:0000:0000:0000:0000 and  2a05:d014:45e:4eff:ffff:ffff:ffff:ffff)

 

Event Streams API:

None

Additional IP information is available from CrowdStrike at the following link:

Related Articles

  • MSS Managed Firewall Best Practice Configuration
    Read More
  • NDR: Integration Guide
    Read More
  • NDR: Windows Server Agent
    Read More

Categories

Managed Security Services
Endpoint Managed Detection and Response
MDR for Crowdstrike
not finding your answers?
Ask the Community