Certified: October 29, 2025
Use Case
This connector facilitates the ingestion of RSA Authentication Manager (AM) audit logs into the Falcon platform, enabling security monitoring and analysis of multi-factor authentication (MFA) events and related administrative activities.
Key Capabilities
- Centralized Management: Ingests logs from RSA Authentication Manager, the central component that manages tokens, users, applications, and authentication policies.
- Comprehensive Log Ingestion: Processes critical event types, including:
- Authentication Events
- Token Management
- User Administration
- Configuration Changes
- System Operations
Requirements
- CrowdStrike subscription: Falcon Next-Gen SIEM or Falcon Next-Gen SIEM 10GB
- CrowdStrike clouds: Available in US-1, US-2, EU-1, and US-GOV-1
- CrowdStrike access and permissions: Administrator or Connector Manager access to the Falcon console for the respective CID
- Vendor requirements: Read access to the service account running the Falcon LogScale Collector
- Parser: The default parser for this data connector requires logs in syslog-header CSV comma-delimited message format
Configuration Summary
This section contains instruction steps that show how to integrate CrowdStrike with RSA for cloud administrators using all of the integration types.
This document is not intended to suggest optimum installations or configurations. It is assumed that the reader has both working knowledge of all products involved and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products to install the required components.
All RSA and CrowdStrike components must be installed and working prior to the integration.
All the supported use cases of RSA with CrowdStrike require both server-side and client-side configuration changes. This section of the guide includes links to the appropriate sections for configuring both sides for each use case.
Integration Configuration
AM
RSA Terminology Changes
The following table describes the differences in the terminologies used in the different versions of RSA products and components.
| Previous Version | New Version | Examples/Comments |
| Cloud Authentication Service | Cloud Access Service | |
| Token | OTP Credential | SecurID OTP Credential |
| Authenticator | Hardware Authenticator | |
| Tokencode | OTP | SecurID OTP, SMS OTP, Voice OTP |
| Access Code | Emergency Access Code | |
| SecurID Authenticate app | RSA Authenticator app | RSA Authenticator app for iOS and Android, RSA Authenticator app for Windows |
| Device | Authenticator | Register an authenticator |
| Company ID | Organization ID | |
| Account | Credential | |
| Device Serial Number | Binding ID |
Certification Details
AM 8.7 SP1 or later
CrowdStrike Falcon Next-Gen SIEM
Known Issues
No known issues.
Related Articles
CrowdStrike Falcon Next-Gen SIEM - Authentication Manager - RSA Ready Implementation Guide Number of Views RSA SecurID WebExpress and ACE/Server QuickAdmin: Protecting JRun functionality from IIS Lockdown Tool Number of Views RSA ACE/Server Remote Administration functionality on Windows 2000 Number of Views Microsoft Sentinel as SIEM for RSA Admin Logs Using Logic Apps - RSA Ready Implementation Guide Number of Views How to test EFN Functionality Number of Views
Trending Articles
RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide RSA Authentication Manager 8.9 Release Notes (January 2026) RSA Release Notes: Cloud Access Service and RSA Authenticators RSA Release Notes for RSA Authentication Manager 8.8 RSA-2026-04: RSA Governance and Lifecycle Security Update for SUSE Linux Enterprise Server Vulnerabilities
