
Prerequisites

  • User must download and install the Falcon sensor on each endpoint and will need the Customer ID Checksum (CID) to activate the sensor.
  • Ensure that the endpoints can reach CrowdStrike’s cloud through specific URLs and ports, including:
    • HTTPS (TCP Port 443) to:
      • api.crowdstrike.com
      • sensorapi.crowdstrike.com
      • Other regional subdomains depending on your tenant (e.g., us-2.crowdstrike.com, eu-1.crowdstrike.com)

Generate CrowdStrike API Client ID & Secret

1

Log in to the Falcon Console

  1. Log in to the Falcon Console.
  2. Sign in using your CrowdStrike Falcon credentials (an admin, or a user whose role includes API client management permissions).
2

Navigate to API Clients

  1. On the left-hand navigation panel, click “Support and resources”.
  2. Select the Resources and tools dropdown.
  3. Click API clients and keys.
3

Create a New API Client

  1. Select the toggle tab “OAuth2 API clients”.
  2. Click the “Create API client” button.
  3. Fill out the form:
    • Client name: Choose something descriptive (e.g., “AirMDR Integration”).
    • Description: Optional, but helpful for team context.
4

Assign API Scopes (Permissions)

  1. Grant only the scopes required for the AirMDR use case, as listed below:
    Assign scopes based on the specific Skills you plan to use in AirMDR. Each Skill requires a defined set of actions, and only the scopes covering those actions should be granted (least privilege for the API client).
    • Alerts: Read (fetch CrowdStrike alerts)
    • Alerts: Write (update CrowdStrike alerts)
    • Detections: Read (fetch CrowdStrike detections)
    • Incidents: Read (fetch CrowdStrike incidents)
    • Incidents: Write (update CrowdStrike incidents)
    • Hosts: Read (get CrowdStrike device details)
    • Hosts: Write (perform actions on a host and perform device actions)
    • NGSIEM: Read and Write (create a CrowdStrike query job)
    • On-demand Scans (ODS): Read and Write (create an ODS scan)
    You can assign multiple scopes depending on your needs.
  2. Managing an existing API client from the same page:
  • Edit API client
    • Use this option to update the assigned scopes.
  • Delete API client
    • The Client ID and Secret are permanently revoked.
    • All integrations, scripts, or tools using that API client stop working.
    • This action cannot be undone.
  • Reset secret (reset the client secret immediately if you suspect the credential has been compromised)
    • The old secret becomes invalid immediately after the reset.
    • Every application or script using the API client must be updated with the new secret.
    • The Client ID and the assigned scopes are not changed by a reset; to change scopes, use Edit API client.
  • Open details panel
    • View the Client ID and the scopes assigned to the client.
5

Save and Copy Credentials

  1. Click “Create”.
  2. The system generates:
    • Client ID
    • Client Secret
    Copy and save these credentials immediately; the Client Secret is shown only once.
  3. To view the Base URL
    You can always view your CrowdStrike Base URL on the API clients and keys page.
    Your API base URL depends on your Falcon tenant region. The region-specific endpoint for all API calls is listed below:
    Region            Base URL
    US-1              https://api.crowdstrike.com
    US-2              https://api.us-2.crowdstrike.com
    EU-1 (Germany)    https://api.eu-1.crowdstrike.com
    EU-2 (Ireland)    https://api.eu-2.crowdstrike.com
    US GovCloud       https://api.laggar.gcw.crowdstrike.com
6

Configure Crowdstrike API in AirMDR

Done! You now have the required credentials:
  • Client ID → Identifies the API client when requesting a token
  • Client Secret → Sent only to the token endpoint, together with the Client ID, to obtain a short-lived access token; every other API call carries the bearer token, never the secret
  • Base URL → Region-specific endpoint for all API calls
    Share the Client ID, Client Secret and Base URL securely with AirMDR.
    (or)
    Self-configure the CrowdStrike API in the AirMDR Integrations Dashboard.

Skills Provided by this Integration

Skill ID                            Purpose
Fetch CrowdStrike Alerts            Fetch alerts from CrowdStrike, including detailed summaries for analysis or monitoring.
Fetch CrowdStrike Detections        Fetch detections from CrowdStrike, including detailed summaries for analysis or monitoring.
Fetch CrowdStrike IOM Detections    Fetch Indicator of Misconfiguration (IOM) detections from CrowdStrike, including detailed summaries for analysis or monitoring.
Get CrowdStrike Device Details      Given an IP address, fetch device details including host name and user logon details; given a hostname, fetch device details including IP address and user logon details.
Fetch CrowdStrike Incidents         Fetch incidents from CrowdStrike, including detailed information for analysis or monitoring.
Fetch CrowdStrike IOA Detections    Fetch Indicator of Attack (IOA) detections from CrowdStrike, including detailed summaries for analysis or monitoring.
To view the input parameters and output of each skill:
  • Go to AirMDR → CrowdStrike Integration page.
  • Select the Skills tab and click the required skill in the list.

Configure Crowdstrike API in AirMDR Integrations Dashboard

  1. Navigate to AirMDR, provide your credentials and click Login.
  2. Open the AirMDR Integrations Dashboard from the left navigation pane and select Integrations.
  3. Use the search option, enter the keyword “Crowdstrike”, select the Connections tab, and click Add New Connection.
  4. Enter a unique name for the instance (e.g., your org name-Crowdstrike) and a brief description so the connection is easy to identify in AirMDR.
  5. Enter the generated client_id, client_secret, base_url and Expiry (optional) in the Authentication Details parameters, and click Save.

Evaluate Crowdstrike API

Run the following cURL command to check that the API client works. A successful request returns HTTP 201 with a JSON body containing the bearer token; a wrong Client ID or Secret, or a Base URL for the wrong region, returns an error instead. Request

curl --location '<base_url>/oauth2/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=<client_id>' \
--data-urlencode 'client_secret=<client_secret>' \
--data-urlencode 'grant_type=client_credentials'
Response
{
    "access_token": "<Bearer Token>",
    "expires_in": 1799,
    "token_type": "bearer"
}
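As an added example (not AirMDR's or CrowdStrike's own code), the same exchange as the cURL check above carried out from Python, with the token cached and refreshed shortly before the expires_in window closes so that long-running integrations do not fail mid-run. It assumes only what this page states about the token endpoint (path /oauth2/token, form-encoded client_credentials grant, JSON reply with access_token and expires_in) and the region table. The credentials, the fake_falcon_transport and its reply bodies are constructed stand-ins so the script runs offline; /devices/queries/devices/v1 is a Hosts: Read endpoint used here only to show an authenticated call with the bearer token.

```python
"""OAuth2 client-credentials flow against the Falcon token endpoint, with token
caching, refresh before expiry, and a constructed offline stand-in for the API.
Added example; not AirMDR's or CrowdStrike's own code."""
import json
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Optional, Tuple

# Region -> base URL, as listed in the table on this page.
BASE_URLS = {
    "US-1": "https://api.crowdstrike.com",
    "US-2": "https://api.us-2.crowdstrike.com",
    "EU-1": "https://api.eu-1.crowdstrike.com",
    "EU-2": "https://api.eu-2.crowdstrike.com",
    "US-GOVCLOUD": "https://api.laggar.gcw.crowdstrike.com",
}

# A transport sends one request and returns (HTTP status, raw body). Injecting it
# lets the same client talk to the live API or to the offline fake below.
Transport = Callable[[str, dict, Optional[bytes]], Tuple[int, bytes]]


def urllib_transport(url: str, headers: dict, body: Optional[bytes]) -> Tuple[int, bytes]:
    """Real HTTP transport: POST when a body is given, otherwise GET."""
    req = urllib.request.Request(url, data=body, headers=headers,
                                 method="POST" if body is not None else "GET")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


class FalconAuth:
    """Caches a bearer token and re-authenticates before expires_in runs out."""
    REFRESH_MARGIN = 60  # seconds of remaining lifetime below which we fetch a new token

    def __init__(self, base_url: str, client_id: str, client_secret: str,
                 transport: Transport = urllib_transport, clock=time.time):
        self.base_url = base_url.rstrip("/")
        self.client_id = client_id
        self._client_secret = client_secret   # only ever sent to /oauth2/token
        self._transport = transport
        self._clock = clock                   # injectable so expiry can be simulated
        self._token: Optional[str] = None
        self._expires_at = 0.0
        self.token_requests = 0               # how many times /oauth2/token was called

    def token(self) -> str:
        if self._token is None or self._clock() >= self._expires_at - self.REFRESH_MARGIN:
            self._fetch_token()
        return self._token

    def _fetch_token(self) -> None:
        # Same request as the cURL check: form-encoded client_credentials grant.
        form = urllib.parse.urlencode({
            "client_id": self.client_id,
            "client_secret": self._client_secret,
            "grant_type": "client_credentials",
        }).encode()
        headers = {"Content-Type": "application/x-www-form-urlencoded",
                   "Accept": "application/json"}
        status, raw = self._transport(self.base_url + "/oauth2/token", headers, form)
        if status not in (200, 201):
            raise PermissionError(f"token request failed: HTTP {status}: {raw[:200]!r}")
        data = json.loads(raw)
        self._token = data["access_token"]
        self._expires_at = self._clock() + int(data["expires_in"])  # 1799 in the page's example
        self.token_requests += 1

    def get(self, path: str) -> Tuple[int, dict]:
        """Authenticated GET: only the bearer token travels, never the client secret."""
        headers = {"Authorization": "Bearer " + self.token(), "Accept": "application/json"}
        status, raw = self._transport(self.base_url + path, headers, None)
        return status, (json.loads(raw) if raw else {})


def fake_falcon_transport(valid_id: str, valid_secret: str) -> Transport:
    """Constructed stand-in for the API so the example runs offline: mints a fresh
    token per valid credential check and rejects calls without a bearer token."""
    issued = {"count": 0}

    def transport(url, headers, body):
        if url.endswith("/oauth2/token"):
            form = dict(urllib.parse.parse_qsl((body or b"").decode()))
            if (form.get("grant_type") != "client_credentials"
                    or form.get("client_id") != valid_id
                    or form.get("client_secret") != valid_secret):
                return 403, b'{"errors":[{"code":403,"message":"access denied"}]}'
            issued["count"] += 1
            reply = {"access_token": f"tok-{issued['count']}", "expires_in": 1799, "token_type": "bearer"}
            return 201, json.dumps(reply).encode()
        if not headers.get("Authorization", "").startswith("Bearer tok-"):
            return 401, b'{"errors":[{"code":401,"message":"invalid bearer token"}]}'
        return 200, b'{"resources": [], "meta": {"pagination": {"total": 0}}}'

    return transport


if __name__ == "__main__":
    # Constructed credentials; substitute real ones and drop transport= to use the live API.
    auth = FalconAuth(BASE_URLS["US-1"], "example-id", "example-secret",
                      transport=fake_falcon_transport("example-id", "example-secret"))
    print("token:", auth.token())
    # /devices/queries/devices/v1 requires the Hosts: Read scope listed above.
    print("hosts query:", auth.get("/devices/queries/devices/v1?limit=1"))
```

Two things worth copying into a real integration: the client secret is referenced in exactly one place (the token request), and the refresh margin means a token is never presented in the last minute of its life, which avoids sporadic 401s when a batch of calls straddles the expiry.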