# Falcon CrowdStrike Forensics

## Connection Requirements

{% stepper %}
{% step %}

### Domain

The domain (base URL) of the CrowdStrike Falcon API.

{% hint style="info" %}
Default:\
<https://api.crowdstrike.com>
{% endhint %}

{% hint style="warning" %}
The domain may change depending on the region where the server is located. You can find the domain on the page where you created the **Client ID** and **Client Secret**.
{% endhint %}
{% endstep %}

{% step %}

### Client ID

Generated Client ID for a user that has the permissions to fetch asset details.
{% endstep %}

{% step %}

### Client Secret

Generated Client Secret Key for a user that has the permissions to fetch asset details.

{% hint style="info" %}
You can view, create, or modify CrowdStrike API clients or keys only if you are assigned the Falcon Administrator role. Secrets are shown only when a new API client is created or reset.
{% endhint %}

You can follow the steps below:

* When logged into the Falcon UI, navigate to Support > API Clients and Keys.
* From there you can view existing clients, add new API clients, or view the audit log.
* When you click “Add new API Client”, you will be prompted to give a descriptive name and select the appropriate API scopes. The `vulnerabilities:read` scope should suffice.
* After you click save, you will be presented with the Client ID and Client Secret.

{% hint style="info" %}
Note: The secret is shown only once and must be saved somewhere secure.
{% endhint %}
{% endstep %}

{% step %}

### Timeout

Timeout for API calls in seconds (default: 30).
{% endstep %}

{% step %}

### Thread Count

Number of parallel threads for collector enrichment (optional, default: 32, min: 1, max: 32).\
This is an advanced setting that controls concurrent API requests.
{% endstep %}
{% endstepper %}

## Required Permissions

**Required Falcon Subscriptions:**

* Falcon Insight XDR (required)
* Falcon Forensics (required)

To use the Falcon Forensics APIs, your API client must be assigned the **Falcon Forensics** scope. The following permission is required:

* **Falcon Forensics: Read**

{% hint style="warning" %}
Please perform a connection test to ensure there is a valid connection to the host. When the discovery operation is finalized, you will be able to see the details on the **Assets** page.
{% endhint %}
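
A pre-flight check for the connection fields above, as an added example (not Octoxlabs or CrowdStrike code): it validates the documented limits and requests an OAuth2 token from the Falcon API's `/oauth2/token` endpoint using the Client ID and Client Secret. The function names and the `FALCON_*` environment variable names are assumptions made for this sketch.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request

DEFAULT_DOMAIN = "https://api.crowdstrike.com"  # default from this page

def validate_settings(domain=DEFAULT_DOMAIN, timeout=30, thread_count=32):
    """Check the connection fields against the limits documented above."""
    url = urllib.parse.urlsplit(domain)
    if url.scheme != "https" or not url.hostname:
        raise ValueError("domain must be an https:// URL")
    if url.username or url.password or url.query or url.fragment:
        raise ValueError("domain must not carry credentials, query or fragment")
    if not isinstance(timeout, int) or timeout <= 0:
        raise ValueError("timeout must be a positive number of seconds")
    if not isinstance(thread_count, int) or not 1 <= thread_count <= 32:
        raise ValueError("thread count must be between 1 and 32")
    return {"domain": f"https://{url.netloc}", "timeout": timeout,
            "thread_count": thread_count}

def build_token_request(domain, client_id, client_secret):
    """Build (without sending) the OAuth2 client-credentials token request."""
    body = urllib.parse.urlencode(
        {"client_id": client_id, "client_secret": client_secret}).encode()
    return urllib.request.Request(
        f"{domain}/oauth2/token", data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"})

def connection_test(settings, client_id, client_secret):
    """True if a token is issued; False if the API rejects the client.
    Network failures (URLError) propagate, so they are not read as bad keys."""
    req = build_token_request(settings["domain"], client_id, client_secret)
    try:
        with urllib.request.urlopen(req, timeout=settings["timeout"]) as resp:
            return "access_token" in json.load(resp)
    except urllib.error.HTTPError:
        return False

if __name__ == "__main__":
    # Environment variable names are assumptions; the secret stays out of argv.
    cfg = validate_settings(os.environ.get("FALCON_DOMAIN", DEFAULT_DOMAIN))
    ok = connection_test(cfg, os.environ["FALCON_CLIENT_ID"],
                         os.environ["FALCON_CLIENT_SECRET"])
    print("token issued" if ok else "client rejected")
```

An issued token confirms the domain and credentials only; it does not confirm that the client carries the **Falcon Forensics: Read** permission.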

