Powered by

# Integrations

The Integrations page allows you to connect BAS with your other products. This empowers BAS to communicate with the third-party provider to determine if it was able to detect the actions taken when a procedure ran. BAS supports integration with the following products.

  • Carbon Black Cloud
  • CrowdStrike Falcon
  • Microsoft Security
  • SentinelOne Singularity
  • Splunk Cloud (with Splunk Enterprise Security)
  • Splunk Enterprise (with Splunk Enterprise Security)

BAS integrations fall into two categories of capabilities as outlined in the table below.

Capability Integrations that have this capability
Integrated with the Event Viewer

BAS finds events with a high-probability of relevance, and you provide the final acknowledgement and label for that event while associating it to a play		 All available integrations:

  • Carbon Black Cloud
  • CrowdStrike Falcon
  • Microsoft Security
  • SentinelOne Singularity
  • Splunk Cloud
  • Splunk Enterprise
Integrated with the Event Viewer AND includes Automatic Detection Categorization

The same capability as the category above (BAS finds events, etc.) AND BAS automatically labels/correlates those events to the play
  • CrowdStrike Falcon

# Adding an integration

To add an integration, follow the general steps below. See the sections that follow for your exact integration for any specific details.

  1. Select the Add Integration button at the top right of the page to display the Add Integration right sidebar navigation.

    Add Integrations

  2. Select the Active slider to set the integration to active (blue) or inactive (gray).

  3. Select the desired integration from the Vendor drop-down list.

  4. Enter a name of your choice in the Name and Description fields.

  5. Enter a value in the Viewing Cutoff Time field. This value, in seconds, represents the look-ahead time since the play was run that events are recorded, capturing or resulting in an event, alert, or detection time.

Each specific integration will also prompt you to select your organization's credentials for the API and its base URL.

See the Credentials page for more information.

# Carbon Black Cloud integration

Configuring the Carbon Black Cloud integration follows the general instructions above, with the following differences:

  • The API base URL field specifies that the Base URL of the Carbon Black API is required
  • The Organization Key (located within your Carbon Black Cloud instance)

Carbon Black Cloud integration
Carbon Black Cloud integration

# CrowdStrike Falcon integration

Configuring the CrowdStrike integration follows the general instructions above, with the following differences:

  • The API base URL field specifies that the Base URL of the CrowdStrike API is required

CrowdStrike Falcon integration
CrowdStrike Falcon integration

See the section directly below for a walkthrough of setting up the CrowdStrike Falcon integration.

# CrowdStrike Falcon integration walkthrough

This integration requires the Oauth Client credential type. Please refer to the CrowdStrike documentation for generating these credentials in Falcon.

Note: When creating an API Client, you will need to enable Read access for the Alerts Scope and Detections Scope.

Select Let's Get Started in the walkthrough below to see how to create a CrowdStrike integration with BAS.

BAS's CrowdStrike integration walkthrough

# SentinelOne Singularity integration

Configuring the SentinelOne Singularity integration follows the general instructions above, with the following differences:

  • The API base URL field specifies that the Base URL of the SentinelOne API is required

SentinelOne Singularity integration
SentinelOne Singularity integration

# Microsoft Security

Configuring the Microsoft Security integration follows the general instructions above, with the following differences:

  • No API base URL field is required, but a Tenant ID value is required

Microsoft Security integration
Microsoft Security integration

# Splunk Cloud integration

Configuring the Splunk Cloud integration follows the general instructions above, with the following differences:

  • You must select the API authorization scheme

  • The API base URL field specifies that the Base URL of the Splunk Cloud API is required and recommends port 8089

  • The Events search field is required and pre-populates with the following, editable search string from which to pull security-related events:

    (index=windows_events sourcetype=windows_security) OR (index=linux_logs sourcetype IN (linux_audit,linux_secure))

  • An optional Alerts search field, allowing you to enter a search string from which to pull security-related alerts

Splunk Cloud integration
Splunk Cloud integration

# Splunk Enterprise integration

Configuring the Splunk Enterprise integration follows the general instructions above, with the following differences:

  • You must select the API authorization scheme

  • The API base URL field specifies that the Base URL of the Splunk Enterprise API is required and recommends port 8089

  • The Events search field is required and pre-populates with the following, editable search string from which to pull security-related events:

    (index=windows_events sourcetype=windows_security) OR (index=linux_logs sourcetype IN (linux_audit,linux_secure))

  • An optional Alerts search field, allowing you to enter a search string from which to pull security-related alerts

Splunk Enterprise integration
Splunk Enterprise integration

# Editing an integration

To edit the active/inactive status, description, API base URL, and/or API client credentials, follow the steps below.

  1. Select the Edit button for any of your current integrations to open the Edit Integration right sidebar navigation.

    Edit Integrations

  2. Edit any field values and select the Save button to save them and return focus to the main Integration page.

© Copyright 2025. All rights reserved.