Falcon CrowdStrike Forensics

Connection Requirements

1

Domain

The domain of the CrowdStrike API.


Default: https://api.crowdstrike.com

2

Client ID

Generated Client ID for a user that has the permissions to fetch asset details.

3

Client Secret

Generated Client Secret Key for a user that has the permissions to fetch asset details.

You must be assigned the Falcon Administrator role to view, create, or modify CrowdStrike API clients or keys. Secrets are shown only when a new API client is created or reset.

You can follow the steps below:

  • When logged into the Falcon UI, navigate to Support > API Clients and Keys.

  • From there you can view existing clients, add new API clients, or view the audit log.

  • When you click “Add new API Client” you will be prompted to give a descriptive name and select the appropriate API scopes. The vulnerabilities:read scope should suffice.

  • After you click save, you will be presented with the Client ID and Client Secret.

Note: The secret is shown only once, so save it at that point.

4

Timeout

Timeout for API calls in seconds (default: 30).

5

Thread Count

Number of parallel threads for collector enrichment (optional, default: 32, min: 1, max: 32). This is an advanced setting that controls concurrent API requests.

Required Permissions

Required Falcon Subscriptions:

  • Falcon Insight XDR (required)

  • Falcon Forensics (required)

To use the Falcon Forensics APIs, your API client must be assigned the Falcon Forensics scope. The following permission is required:

  • Falcon Forensics: Read
