How to automate NordLayer logouts with CrowdStrike

This guide walks you through integrating NordLayer with CrowdStrike Falcon so that when CrowdStrike detects a security event, the affected NordLayer member is automatically logged out and disconnected from all gateways. The member must then re-authenticate before regaining access to private gateways and sensitive company resources.

The integration uses NordLayer's Custom Integration API, triggered by a CrowdStrike Falcon Next-Gen SIEM workflow that sends an HTTP POST request containing the affected member's email address or device name.

Prerequisites

  • NordLayer account with administrator access to the Control Panel.
  • CrowdStrike Falcon platform with access to Next-Gen SIEM.
  • CrowdStrike must be able to send webhooks with the correctly formatted JSON payload described below.
  • Knowledge of the member email addresses or device names managed in NordLayer.

Obtain custom integration API credentials from NordLayer

  1. Log in to the NordLayer Control Panel and click Integrations in the left sidebar menu.

  2. Under the Custom integrations section, click the Add custom integration button.
  3. A configuration window will appear. Enter a descriptive name for the integration (e.g., "CrowdStrike Falcon Log Out"), then click Next.

  4. You will now see your integration details: a URL and a Secret token. You will need both of these credentials in the next steps:
    1. URL — the endpoint that CrowdStrike will send requests to.
    2. Secret token — used as a Bearer token for authentication.

Note

Copy these credentials and store them in a secure location. You can only access these credentials once. If you close this window or attempt to reopen it later, new credentials will be generated, invalidating the previous ones.

Configure CrowdStrike Falcon workflow

In this part, you will create a workflow in CrowdStrike Falcon's Next-Gen SIEM that checks for detection events and sends an HTTP request to NordLayer to log out the affected member.

  1. Log in to the CrowdStrike Falcon console and navigate to Next-Gen SIEM, then select Workflows.

  2. Click Create workflow.

  3. Select the Customer IDs (CIDs) that this workflow should apply to, then click Next.

  4. Choose the option to create the workflow from scratch (rather than using a template).

  5. Select a trigger that will start the workflow and confirm your selection by choosing the appropriate trigger type.

  6. After adding the trigger, you need to ensure the webhook only activates for relevant severity levels. Click Condition to add a filtering rule.

  7. Configure the condition so that the workflow only proceeds for medium or higher severity detections. Confirm the condition by clicking Next.

  8. Once the condition is in place, add an action by selecting Create HTTP request, then choose Create cloud HTTP request.

  9. Select the option to create new authentication and configure it as follows:

    • Authentication type: API key
    • API secret prefix: Bearer
    • API secret key: Paste the Secret token copied from NordLayer
    • API key location: Header
    • Header name: Authorization
    • Method: POST
    • Endpoint URL: Paste the URL copied from NordLayer

Note

The request body must be a JSON payload that NordLayer can parse. The JSON must include the member's email address (userEmailAddress) or the Device ID field called agentComputerName.

  10. Use CrowdStrike's trigger payload placeholders (visible on the right-side panel in the workflow editor) to dynamically populate these fields from the detection event data.

Example JSON payload with CrowdStrike placeholders:

{
  "userDetails": {
    "userEmailAddress":
      "${data['Trigger.FalconAudit.Detection.XDR.EntityValues.EmailAddresses'][0]}"
  },
  "agentRealtimeInfo": {
    "agentComputerName":
      "${data['Trigger.FalconAudit.Detection.XDR.EntityValues.HostNames'][0]}"
  }
}

Note

Some CrowdStrike trigger fields return an array rather than a single string. In those cases, you must append [0] to the end of the placeholder path to extract the first element. The example above already includes this notation.

The resulting payload received by NordLayer will look like this:

{
  "userDetails": {
    "userEmailAddress": "member@example.com"
  },
  "agentRealtimeInfo": {
    "agentComputerName": "DEVICE-NAME"
  }
}

agentComputerName corresponds to the device's hostname, automatically detected by the NordLayer App on the machine.

Note
  • If a member email address is provided, NordLayer will log out the member from all devices.
  • If a device name is provided, NordLayer will log out all members from all devices with the specified device name.

To successfully trigger the integration, the agentComputerName field must exactly match the device name (hostname) detected by NordLayer.

Testing & verification

NordLayer does not display integration or webhook statuses within the Control Panel. It is essential that you perform your own tests to confirm that your integration works:

  1. Generate or simulate a detection event in CrowdStrike Falcon that meets the severity condition you configured (medium or higher). This will cause the workflow to activate.
  2. Verify that the specified NordLayer member's application logs out and disconnects immediately.
  3. Go to the NordLayer Control Panel, click on the Activity tab in the main left menu, and select the Actions subpage. Check if it contains a confirmation record about the logged-out member.
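
The script below is an added example, not NordLayer or CrowdStrike code. It checks a rendered payload for the failure modes described above (an unsubstituted placeholder, an array where `[0]` was omitted, no usable target) and builds the same Bearer-authenticated POST the workflow is configured to send. The function names, the `NORDLAYER_URL` and `NORDLAYER_TOKEN` environment variables, and the `Content-Type` header are assumptions.

```python
import json
import os
import re
import urllib.request

# A workflow placeholder that reached the payload without being substituted.
UNRESOLVED = re.compile(r"\$\{data\[.*?\]\}")
FIELDS = (("userDetails", "userEmailAddress"),
          ("agentRealtimeInfo", "agentComputerName"))

def check_payload(payload):
    """Return (targets, problems) for a payload as rendered by the workflow."""
    targets, problems = {}, []
    for section, field in FIELDS:
        block = payload.get(section)
        value = block.get(field) if isinstance(block, dict) else None
        if value is None or value == "":
            continue  # not supplied; the other field may still identify a target
        if not isinstance(value, str):
            problems.append(f"{field}: got {type(value).__name__}, expected a string (missing [0]?)")
        elif UNRESOLVED.search(value):
            problems.append(f"{field}: placeholder was not substituted")
        elif value != value.strip():
            problems.append(f"{field}: surrounding whitespace")
        else:
            targets[field] = value
    if not targets:
        problems.append("no usable userEmailAddress or agentComputerName")
    return targets, problems

def build_request(url, token, payload):
    """Build the POST the workflow is configured to send; refuse bad payloads."""
    _, problems = check_payload(payload)
    if problems:
        raise ValueError("; ".join(problems))
    return urllib.request.Request(
        url, data=json.dumps(payload).encode("utf-8"), method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})  # Content-Type is assumed

# Constructed sample, using the example values shown on this page.
SAMPLE = {"userDetails": {"userEmailAddress": "member@example.com"},
          "agentRealtimeInfo": {"agentComputerName": "DEVICE-NAME"}}

if __name__ == "__main__":
    # NORDLAYER_URL and NORDLAYER_TOKEN are hypothetical variable names that keep
    # the one-time credentials out of the script. Sending logs out SAMPLE's member.
    req = build_request(os.environ["NORDLAYER_URL"], os.environ["NORDLAYER_TOKEN"], SAMPLE)
    with urllib.request.urlopen(req, timeout=10) as resp:
        print(resp.status)
```

Replace the values in `SAMPLE` with a test member or test device before running it, then confirm the result in the Activity tab as described in step 3.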

Note: In case you have any questions or are experiencing any issues, please feel free to contact our 24/7 customer support team.