CrowdStrike Falcon Insight Integration Setup
This guide walks you through integrating CrowdStrike Falcon Insight EDR with RAD Security for advanced endpoint detection and response capabilities, enabling you to correlate endpoint security events with container and cloud runtime activity. CrowdStrike Falcon Insight provides real-time endpoint detection and response (EDR), threat intelligence, and automated response actions for comprehensive endpoint security.Prerequisites
Before you begin, ensure you have:- Access to CrowdStrike Falcon Console
- Administrator privileges in CrowdStrike Console
- Access to RAD Security workspace with integration permissions
Administrative Privileges Required: You must have administrative privileges in CrowdStrike Console to create API clients and manage scopes in the API Clients and Keys section.
Understanding CrowdStrike API Scopes
This integration requires specific API scopes to access endpoint data, detections, incidents, and threat intelligence:Read Scopes (11 required)
Read Scopes (11 required)
The following scopes require Read permissions:
- Alerts - Access to security alerts
- Apps - Application inventory data
- Custom IOA rules - Indicator of Attack rules
- Detections - Threat detections
- Device control policy - Device control configurations
- Hosts - Endpoint inventory and status
- Assets - Asset management data
- Indicators - Threat indicators
- Incidents - Security incidents
- IOC Management - Indicator of Compromise management
- IOCs (Indicators of Compromise) - IOC data
- Zero Trust Assessment - Zero trust posture data
Write Scopes (1 required)
Write Scopes (1 required)
The following scope requires Write permissions:
- Hosts - Required to perform response actions on endpoints
Both Read and Write permissions on Hosts: The Hosts scope requires both Read (included in the 11 read scopes above) and Write permissions for full integration functionality.
Step 1: Access CrowdStrike Falcon Console
1
Log in to CrowdStrike Console
Log in to your CrowdStrike Falcon Console with administrative privileges
2
Navigate to API Clients
Open the main menu and go to:Support and resources > Resources and tools > API clients and keys
Step 2: Create API Client
1
Create New Client
Click the Create API client button
2
Configure Client Name
In the modal dialog:
- Client name: Enter a descriptive name (e.g., “RAD Security EDR Integration”)
- Description: (Optional) Add details about this integration
3
Assign Read Scopes
Select Read permissions for the following scopes:
- ☑️ Alerts
- ☑️ Apps
- ☑️ Custom IOA rules
- ☑️ Detections
- ☑️ Device control policy
- ☑️ Hosts
- ☑️ Assets
- ☑️ Indicators
- ☑️ Incidents
- ☑️ IOC Management
- ☑️ IOCs (Indicators of Compromise)
- ☑️ Zero Trust Assessment
All 11 read scopes are required. Missing any scope will result in incomplete data synchronization or integration errors.
4
Assign Write Scope
Select Write permissions for:
- ☑️ Hosts
Write permission on Hosts enables RAD Security to perform response actions on endpoints when needed, such as containment or isolation.
5
Create Client
Click the Create button to generate the API client
6
Copy Credentials
The modal will display your new credentials. Copy these immediately:
- Client ID
- Client Secret
- Base URL
Save these values now! You will not be able to view the Client Secret again. Store them securely in a password manager or secrets vault.
Adjusting Scopes Later: If you need to modify scopes after creation, click the three dots (⋮) to the right of the client listing on the API clients and keys page and select Edit.
Step 3: Determine Regional Base URL
CrowdStrike Falcon uses different base URLs depending on your data center region. The Base URL is provided when you create the API client.Common Regional URLs
| Region | Base URL |
|---|---|
| US-1 | https://api.crowdstrike.com |
| US-2 | https://api.us-2.crowdstrike.com |
| EU-1 | https://api.eu-1.crowdstrike.com |
| US-GOV-1 | https://api.laggar.gcw.crowdstrike.com |
The Base URL is automatically displayed when you create the API client in Step 2. Use the exact URL provided by CrowdStrike.
Step 4: Configure in RAD Security
Navigate to your RAD Security workspace and configure the CrowdStrike Falcon Insight integration with the following parameters:Required Parameters
| Parameter | Description | Example |
|---|---|---|
| Base URL | Base URL from Step 2 | https://api.us-2.crowdstrike.com |
| Client ID | Client ID from Step 2 | abc123def456... |
| Client Secret | Client Secret from Step 2 | xyz789abc123... |
Do NOT configure token_url: The integration automatically handles OAuth2.0 token management. You do not need to set or configure the token_url parameter.
Verify Integration
After completing the setup, verify your integration is working:- Navigate to Data Sources > Integrations > EDR in RAD Security
- Locate your CrowdStrike Falcon Insight integration
- Check the connection status shows as Connected
- Verify endpoint data and detections are being synced
Your CrowdStrike Falcon Insight integration is now configured! RAD Security can now correlate endpoint detections with container and cloud runtime events.
What Data is Synced
Once configured, RAD Security will sync the following data from CrowdStrike Falcon Insight:Endpoint Information
Endpoint Information
- Endpoint inventory and status
- Operating system details
- CrowdStrike agent version
- Host configuration
- Last seen timestamps
- Asset information
Detections & Alerts
Detections & Alerts
- Real-time threat detections
- Security alerts
- Detection severity and classification
- Malware and exploit detections
- Behavioral indicators
- Detection timelines
Incidents
Incidents
- Security incidents
- Incident severity and status
- Related detections
- Incident timelines
- Investigation data
- Remediation actions
Indicators & IOCs
Indicators & IOCs
- Indicators of Compromise (IOCs)
- Indicators of Attack (IOAs)
- Custom IOA rules
- Threat indicators
- File hashes, IPs, domains
- Indicator metadata
Applications & Policies
Applications & Policies
- Application inventory
- Device control policies
- Policy compliance status
- Application execution data
- Blocked applications
Zero Trust Assessment
Zero Trust Assessment
- Zero trust posture scores
- Security assessments
- Compliance status
- Risk indicators
- Security recommendations
Use Cases
Endpoint-Container Correlation
Correlate CrowdStrike endpoint detections with RAD Security’s container runtime activity to detect cross-platform attacks.
Threat Intelligence Integration
Leverage CrowdStrike’s threat intelligence with RAD Security’s runtime context for enhanced detection accuracy.
Coordinated Response
Execute coordinated response actions across endpoints and containerized infrastructure from a single platform.
Zero Trust Enforcement
Integrate CrowdStrike’s Zero Trust Assessment with RAD Security for comprehensive security posture management.
Troubleshooting
Authentication Failed
Authentication Failed
Possible causes:
- Client ID or Client Secret incorrect
- API client was deleted or disabled
- Wrong regional Base URL
- OAuth token issues
- Verify Client ID and Secret are copied correctly (no extra spaces)
- Check the API client still exists in CrowdStrike Console
- Ensure you’re using the correct regional Base URL
- Do NOT set token_url parameter
- Create a new API client if needed
Missing Scopes
Missing Scopes
Possible causes:
- Not all 11 read scopes selected
- Hosts write scope not selected
- Scopes were modified after creation
- Verify all required read scopes are enabled
- Ensure Hosts has both Read and Write permissions
- Edit the API client to add missing scopes
- Review the complete list of required scopes in Step 2
Partial Data Syncing
Partial Data Syncing
Possible causes:
- Missing specific scopes for data types
- Insufficient permissions
- API rate limits
- Check which scopes correspond to missing data types
- Verify all 12 scopes (11 read + 1 write) are enabled
- Review integration logs for specific API errors
- Monitor API usage to ensure you’re within rate limits
Cannot Perform Response Actions
Cannot Perform Response Actions
Possible causes:
- Missing Hosts write scope
- Write permission removed after creation
- Endpoint isolation policy restrictions
- Verify Hosts scope has Write permission enabled
- Check API client permissions in CrowdStrike Console
- Ensure endpoint policies allow remote actions
- Review CrowdStrike response action settings
Wrong Regional Base URL
Wrong Regional Base URL
Possible causes:
- Using incorrect regional endpoint
- Typo in Base URL
- Using old URL format
- Use the exact Base URL provided during API client creation
- Verify your CrowdStrike region (US-1, US-2, EU-1, etc.)
- Check CrowdStrike’s regional endpoints documentation
- Ensure URL includes
https://and correct format
Token URL Configuration Error
Token URL Configuration Error
Possible causes:
- token_url parameter was manually configured
- Incorrect OAuth configuration
- Do NOT set the token_url parameter
- Remove any token_url configuration if present
- The integration automatically handles OAuth2.0 token management
- Use only URL, ClientId, and ClientSecret parameters
Security Best Practices
Rotate Credentials Regularly
Periodically create new API clients and delete old ones to maintain security hygiene.
Least Privilege Scopes
Only grant the required scopes. Avoid adding unnecessary additional scopes to the API client.
Secure Credential Storage
Store Client ID and Secret in a secure password manager or secrets vault. Never commit to version control.
Monitor API Usage
Regularly review API client activity in CrowdStrike Console to detect anomalous behavior.
Audit Client Access
Periodically review all API clients and ensure unused clients are removed.
Response Action Controls
Monitor and audit response actions performed through the integration for compliance.
API Client Management
To manage your CrowdStrike API clients:1
View Existing Clients
Navigate to Support and resources > Resources and tools > API clients and keys to view all active API clients
2
Edit Client Scopes
Click the three dots (⋮) next to a client and select Edit to modify scopes
3
Rotate Credentials
- Create a new API client with the same scopes
- Update RAD Security with the new Client ID and Secret
- Verify the integration works
- Delete the old API client
4
Revoke Compromised Credentials
If credentials are compromised, immediately delete the API client in CrowdStrike Console and create a new one
Additional Resources
CrowdStrike OAuth2 APIs
Official CrowdStrike OAuth2-based APIs documentation
CrowdStrike Base URLs
Complete list of regional base URLs
CrowdStrike Falcon Spotlight
Configure CrowdStrike for vulnerability management
CrowdStrike NextGen SIEM
Integrate CrowdStrike NextGen SIEM for unified threat analysis