CrowdStrike Falcon Endpoint Protection API

TL;DR

To integrate CrowdStrike Falcon EDR with Query:

  • Create a Falcon API client and gather the connection parameters listed in the 'Prerequisites' section below.
  • Add a CrowdStrike connection source in Query with the connection parameters.
  • Test the integration with Test connection link.
  • Perform searches for alerts, users, devices, and file hashes.

Overview

CrowdStrike Falcon is one of the leaders in the Endpoint Protection Platform (EPP) market. By integrating with Query, you can:

  • Search detections by user name, email address, device, and file hash.
  • Get context on devices from CrowdStrike Falcon.

Prerequisites

To add CrowdStrike as a connection source in Query, make sure you have the following connection parameters:

  • CrowdStrike API URL
  • Falcon API Client ID
  • Falcon Secret Access Key

Gathering CrowdStrike Falcon API Keys

  • Log in to the Falcon UI with an account that has permission to create API clients.
  • In the menu in the upper left, click Support and Resources -> API clients and keys.
  • Click Create API client in the upper right corner.
  • Enter a Client name and a Description (for example, the team that owns the Query integration).
  • Query only requires Read access to a few scopes; do not grant Write on any scope, since Query never modifies Falcon data. Below are the recommended Read scopes:
    • Alerts
    • Detections
    • Incidents
    • Hosts
    • Host Groups
    • Indicators (IOC)
    • Scheduled Reports
    • Users
  • Click Create. Falcon displays the Client ID and the Secret once; copy the Secret now and store it in your secrets manager, because it cannot be retrieved later (you would have to reset it). The Secret is what Query labels the Falcon Secret Access Key.

Adding a connection source in Query

  • Go to the Connections page, click Add Connections, and select CrowdStrike from the Endpoint category.
  • In the General tab, add the following details:
    • Name - This is the display name in the UI. For example, you can use:
      • CrowdStrike
      • CrowdStrike followed by a business unit, such as CrowdStrike Corporate or CrowdStrike Division
    • CrowdStrike API URL - The Falcon API base URL for the cloud your customer ID (CID) lives in (for example, https://api.crowdstrike.com for US-1; US-2, EU-1 and US-GOV-1 tenants use their own regional base URLs, which you can find in the Falcon console's API documentation). A URL for the wrong cloud fails authentication even when the credentials are correct.
    • Falcon API Client ID
    • Falcon Secret Access Key
  • Click the Save button in the top right corner of the screen to save the connection source.
  • To test the connection credentials, click 'Test Connection'. A success message confirms that Query could authenticate with the Client ID and Secret against the API URL. If the test fails, check the API URL (right cloud, no typos), the Client ID, and the Secret, then correct them and retest. A connection that authenticates but returns no results for a search usually means the API client is missing a Read scope; compare its scopes against the list in the 'Prerequisites' section.
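Before adding the connection in Query, you can confirm the Client ID, Secret and cloud URL work on their own. The following Python script is an added example written for this page; it is not Query or CrowdStrike code. It performs the same two steps Query's Test Connection logically depends on: it obtains an OAuth2 bearer token from Falcon's public token endpoint (POST /oauth2/token, which answers a successful request with HTTP 201) and then calls one read-only endpoint for the Hosts and Alerts scopes, so a 403 tells you which scope the API client is missing. The environment variable names (FALCON_API_URL, FALCON_CLIENT_ID, FALCON_CLIENT_SECRET) and the list of probe endpoints are assumptions made for this example; the regional base URLs are CrowdStrike's published ones.

```python
"""Sanity-check a Falcon API client before adding it to Query.

Added example (not Query or CrowdStrike code). It uses the public Falcon
OAuth2 endpoint (POST /oauth2/token) and read-only query endpoints, and
reads the secret from the environment so it never lands in shell history
or in a config file. The FALCON_* variable names are this script's own.
"""
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

# Falcon API base URL per cloud. Query's "CrowdStrike API URL" must match
# the cloud your CID lives in, or authentication fails with HTTP 401.
CLOUD_API_URLS = {
    "us-1": "https://api.crowdstrike.com",
    "us-2": "https://api.us-2.crowdstrike.com",
    "eu-1": "https://api.eu-1.crowdstrike.com",
    "us-gov-1": "https://api.laggar.gcw.crowdstrike.com",
}

# One read-only endpoint per scope to probe (assumed list for this example).
SCOPE_PROBES = {
    "Hosts": "/devices/queries/devices/v1?limit=1",
    "Alerts": "/alerts/queries/alerts/v1?limit=1",
}


def build_token_request(api_url, client_id, client_secret):
    """Return (url, headers, form_body) for the OAuth2 client-credentials call."""
    url = api_url.rstrip("/") + "/oauth2/token"
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/json"}
    body = urllib.parse.urlencode(
        {"client_id": client_id, "client_secret": client_secret}).encode()
    return url, headers, body


def parse_token_response(body_text):
    """Extract the bearer token and its lifetime in seconds from the JSON reply."""
    data = json.loads(body_text)
    if "access_token" not in data:
        # Falcon reports failures as {"errors": [{"code": ..., "message": ...}]}
        raise ValueError("no access_token in response: %s" % data.get("errors"))
    return data["access_token"], int(data.get("expires_in", 0))


def classify_probe(status):
    """Map the HTTP status of a scoped read call to an operator-facing verdict."""
    if status == 200:
        return "ok"
    if status == 401:
        return "token rejected: wrong cloud URL or expired token"
    if status == 403:
        return "scope missing: grant Read on this scope to the API client"
    if status == 429:
        return "rate limited: retry later"
    return "unexpected HTTP %d" % status


def _http(url, headers, body=None, method="GET"):
    """Small urllib wrapper that returns (status, body) instead of raising on 4xx."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode()


def main():
    api_url = os.environ.get("FALCON_API_URL", CLOUD_API_URLS["us-1"])
    client_id = os.environ["FALCON_CLIENT_ID"]
    client_secret = os.environ["FALCON_CLIENT_SECRET"]  # never hardcode this

    url, headers, body = build_token_request(api_url, client_id, client_secret)
    status, text = _http(url, headers, body, method="POST")
    if status != 201:  # a successful token request returns 201 Created
        print("token request failed (HTTP %d): %s" % (status, text))
        return 1
    token, ttl = parse_token_response(text)
    print("token issued, valid for %d seconds" % ttl)

    auth = {"Authorization": "Bearer " + token, "Accept": "application/json"}
    failures = 0
    for scope, path in SCOPE_PROBES.items():
        status, _ = _http(api_url.rstrip("/") + path, auth)
        verdict = classify_probe(status)
        print("%-8s %s" % (scope, verdict))
        failures += verdict != "ok"
    return 1 if failures else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as `FALCON_CLIENT_ID=... FALCON_CLIENT_SECRET=... python3 falcon_check.py` (optionally with FALCON_API_URL set to your regional base URL). A 201 on the token request followed by "ok" for each probe means the same values will pass Query's Test Connection; a 401 on the token request points at the URL or credentials, and a 403 on a probe points at a scope that was not granted when the API client was created.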

Resources