# CrowdStrike Falcon Insight

> Configure CrowdStrike Falcon Insight EDR integration with RAD Security for advanced endpoint detection and response.

# CrowdStrike Falcon Insight Integration Setup

This guide walks you through integrating CrowdStrike Falcon Insight EDR with RAD Security for advanced endpoint detection and response capabilities, enabling you to correlate endpoint security events with container and cloud runtime activity.

CrowdStrike Falcon Insight provides real-time endpoint detection and response (EDR), threat intelligence, and automated response actions for comprehensive endpoint security.

## Prerequisites

Before you begin, ensure you have:

<Check>
  * Access to CrowdStrike Falcon Console
  * **Administrator privileges** in CrowdStrike Console
  * Access to RAD Security workspace with integration permissions
</Check>

<Warning>
  **Administrative Privileges Required:** You must have administrative privileges in CrowdStrike Console to create API clients and manage scopes in the API Clients and Keys section.
</Warning>

***

## Understanding CrowdStrike API Scopes

This integration requires specific API scopes to access endpoint data, detections, incidents, and threat intelligence:

<AccordionGroup>
  <Accordion title="Read Scopes (11 required)" icon="book-open">
    The following scopes require **Read** permissions:

    * **Alerts** - Access to security alerts
    * **Apps** - Application inventory data
    * **Custom IOA rules** - Indicator of Attack rules
    * **Detections** - Threat detections
    * **Device control policy** - Device control configurations
    * **Hosts** - Endpoint inventory and status
    * **Assets** - Asset management data
    * **Indicators** - Threat indicators
    * **Incidents** - Security incidents
    * **IOC Management** - Indicator of Compromise management
    * **IOCs (Indicators of Compromise)** - IOC data
    * **Zero Trust Assessment** - Zero trust posture data
  </Accordion>

  <Accordion title="Write Scopes (1 required)" icon="pen-to-square">
    The following scope requires **Write** permissions:

    * **Hosts** - Required to perform response actions on endpoints
  </Accordion>
</AccordionGroup>

<Note>
  **Both Read and Write permissions on Hosts:** The Hosts scope requires both Read (included in the 11 read scopes above) and Write permissions for full integration functionality.
</Note>

***

## Step 1: Access CrowdStrike Falcon Console

<Steps>
  <Step title="Log in to CrowdStrike Console">
    Log in to your CrowdStrike Falcon Console with administrative privileges
  </Step>

  <Step title="Navigate to API Clients">
    Open the main menu and go to:

    **Support and resources > Resources and tools > API clients and keys**
  </Step>
</Steps>

***

## Step 2: Create API Client

<Steps>
  <Step title="Create New Client">
    Click the **Create API client** button
  </Step>

  <Step title="Configure Client Name">
    In the modal dialog:

    1. **Client name:** Enter a descriptive name (e.g., "RAD Security EDR Integration")
    2. **Description:** (Optional) Add details about this integration
  </Step>

  <Step title="Assign Read Scopes">
    Select **Read** permissions for the following scopes:

    * ☑️ **Alerts**
    * ☑️ **Apps**
    * ☑️ **Custom IOA rules**
    * ☑️ **Detections**
    * ☑️ **Device control policy**
    * ☑️ **Hosts**
    * ☑️ **Assets**
    * ☑️ **Indicators**
    * ☑️ **Incidents**
    * ☑️ **IOC Management**
    * ☑️ **IOCs (Indicators of Compromise)**
    * ☑️ **Zero Trust Assessment**

    <Warning>
      All 11 read scopes are required. Missing any scope will result in incomplete data synchronization or integration errors.
    </Warning>
  </Step>

  <Step title="Assign Write Scope">
    Select **Write** permissions for:

    * ☑️ **Hosts**

    <Info>
      Write permission on Hosts enables RAD Security to perform response actions on endpoints when needed, such as containment or isolation.
    </Info>
  </Step>

  <Step title="Create Client">
    Click the **Create** button to generate the API client
  </Step>

  <Step title="Copy Credentials">
    The modal will display your new credentials. **Copy these immediately:**

    * **Client ID**
    * **Client Secret**
    * **Base URL**

    <Warning>
      **Save these values now!** You will not be able to view the Client Secret again. Store them securely in a password manager or secrets vault.
    </Warning>
  </Step>
</Steps>

<Note>
  **Adjusting Scopes Later:** If you need to modify scopes after creation, click the three dots (⋮) to the right of the client listing on the API clients and keys page and select Edit.
</Note>

***

## Step 3: Determine Regional Base URL

CrowdStrike Falcon uses different base URLs depending on your data center region. The Base URL is provided when you create the API client.

### Common Regional URLs

| Region   | Base URL                                 |
| -------- | ---------------------------------------- |
| US-1     | `https://api.crowdstrike.com`            |
| US-2     | `https://api.us-2.crowdstrike.com`       |
| EU-1     | `https://api.eu-1.crowdstrike.com`       |
| US-GOV-1 | `https://api.laggar.gcw.crowdstrike.com` |

<Info>
  The Base URL is automatically displayed when you create the API client in Step 2. Use the exact URL provided by CrowdStrike.
</Info>

For a complete list of regional endpoints, see [CrowdStrike's Base URLs documentation](https://falcon.us-2.crowdstrike.com/documentation/page/a2a7fc0e/crowdstrike-oauth2-based-apis#k9578c40).

***

## Step 4: Configure in RAD Security

Navigate to your RAD Security workspace and configure the CrowdStrike Falcon Insight integration with the following parameters:

### Required Parameters

| Parameter         | Description               | Example                            |
| ----------------- | ------------------------- | ---------------------------------- |
| **Base URL**      | Base URL from Step 2      | `https://api.us-2.crowdstrike.com` |
| **Client ID**     | Client ID from Step 2     | `abc123def456...`                  |
| **Client Secret** | Client Secret from Step 2 | `xyz789abc123...`                  |

<Warning>
  **Do NOT configure token\_url:** The integration automatically handles OAuth2.0 token management. You do not need to set or configure the token\_url parameter.
</Warning>

***

## Verify Integration

After completing the setup, verify your integration is working:

1. Navigate to **Data Sources > Integrations > EDR** in RAD Security
2. Locate your CrowdStrike Falcon Insight integration
3. Check the connection status shows as **Connected**
4. Verify endpoint data and detections are being synced

<Check>
  Your CrowdStrike Falcon Insight integration is now configured! RAD Security can now correlate endpoint detections with container and cloud runtime events.
</Check>

## What Data is Synced

Once configured, RAD Security will sync the following data from CrowdStrike Falcon Insight:

<AccordionGroup>
  <Accordion title="Endpoint Information" icon="computer">
    * Endpoint inventory and status
    * Operating system details
    * CrowdStrike agent version
    * Host configuration
    * Last seen timestamps
    * Asset information
  </Accordion>

  <Accordion title="Detections & Alerts" icon="shield-virus">
    * Real-time threat detections
    * Security alerts
    * Detection severity and classification
    * Malware and exploit detections
    * Behavioral indicators
    * Detection timelines
  </Accordion>

  <Accordion title="Incidents" icon="siren">
    * Security incidents
    * Incident severity and status
    * Related detections
    * Incident timelines
    * Investigation data
    * Remediation actions
  </Accordion>

  <Accordion title="Indicators & IOCs" icon="magnifying-glass-chart">
    * Indicators of Compromise (IOCs)
    * Indicators of Attack (IOAs)
    * Custom IOA rules
    * Threat indicators
    * File hashes, IPs, domains
    * Indicator metadata
  </Accordion>

  <Accordion title="Applications & Policies" icon="shield-check">
    * Application inventory
    * Device control policies
    * Policy compliance status
    * Application execution data
    * Blocked applications
  </Accordion>

  <Accordion title="Zero Trust Assessment" icon="user-shield">
    * Zero trust posture scores
    * Security assessments
    * Compliance status
    * Risk indicators
    * Security recommendations
  </Accordion>
</AccordionGroup>

## Use Cases

<CardGroup cols={2}>
  <Card title="Endpoint-Container Correlation" icon="diagram-venn">
    Correlate CrowdStrike endpoint detections with RAD Security's container runtime activity to detect cross-platform attacks.
  </Card>

  <Card title="Threat Intelligence Integration" icon="brain">
    Leverage CrowdStrike's threat intelligence with RAD Security's runtime context for enhanced detection accuracy.
  </Card>

  <Card title="Coordinated Response" icon="bolt">
    Execute coordinated response actions across endpoints and containerized infrastructure from a single platform.
  </Card>

  <Card title="Zero Trust Enforcement" icon="shield-halved">
    Integrate CrowdStrike's Zero Trust Assessment with RAD Security for comprehensive security posture management.
  </Card>
</CardGroup>

## Troubleshooting

<AccordionGroup>
  <Accordion title="Authentication Failed" icon="triangle-exclamation">
    **Possible causes:**

    * Client ID or Client Secret incorrect
    * API client was deleted or disabled
    * Wrong regional Base URL
    * OAuth token issues

    **Solution:**

    * Verify Client ID and Secret are copied correctly (no extra spaces)
    * Check the API client still exists in CrowdStrike Console
    * Ensure you're using the correct regional Base URL
    * Do NOT set token\_url parameter
    * Create a new API client if needed
  </Accordion>

  <Accordion title="Missing Scopes" icon="shield-exclamation">
    **Possible causes:**

    * Not all 11 read scopes selected
    * Hosts write scope not selected
    * Scopes were modified after creation

    **Solution:**

    * Verify all required read scopes are enabled
    * Ensure Hosts has both Read and Write permissions
    * Edit the API client to add missing scopes
    * Review the complete list of required scopes in Step 2
  </Accordion>

  <Accordion title="Partial Data Syncing" icon="database">
    **Possible causes:**

    * Missing specific scopes for data types
    * Insufficient permissions
    * API rate limits

    **Solution:**

    * Check which scopes correspond to missing data types
    * Verify all 12 scopes (11 read + 1 write) are enabled
    * Review integration logs for specific API errors
    * Monitor API usage to ensure you're within rate limits
  </Accordion>

  <Accordion title="Cannot Perform Response Actions" icon="hand">
    **Possible causes:**

    * Missing Hosts write scope
    * Write permission removed after creation
    * Endpoint isolation policy restrictions

    **Solution:**

    * Verify Hosts scope has Write permission enabled
    * Check API client permissions in CrowdStrike Console
    * Ensure endpoint policies allow remote actions
    * Review CrowdStrike response action settings
  </Accordion>

  <Accordion title="Wrong Regional Base URL" icon="globe">
    **Possible causes:**

    * Using incorrect regional endpoint
    * Typo in Base URL
    * Using old URL format

    **Solution:**

    * Use the exact Base URL provided during API client creation
    * Verify your CrowdStrike region (US-1, US-2, EU-1, etc.)
    * Check [CrowdStrike's regional endpoints documentation](https://falcon.us-2.crowdstrike.com/documentation/page/a2a7fc0e/crowdstrike-oauth2-based-apis#k9578c40)
    * Ensure the URL starts with `https://` and matches the format shown in Step 3 (no trailing path)
  </Accordion>

  <Accordion title="Token URL Configuration Error" icon="key-skeleton">
    **Possible causes:**

    * token\_url parameter was manually configured
    * Incorrect OAuth configuration

    **Solution:**

    * Do NOT set the token\_url parameter
    * Remove any token\_url configuration if present
    * The integration automatically handles OAuth2.0 token management
    * Use only the Base URL, Client ID, and Client Secret parameters from Step 4
  </Accordion>
</AccordionGroup>
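The checks in Steps 2 to 4 and the troubleshooting entries above can be run as a preflight before entering the values into RAD Security. The script below is an added example, not part of this page or of RAD Security's integration code; the scope names and regional base URLs are taken from this page, the `/oauth2/token` path is CrowdStrike's documented token endpoint, and the sample configuration is constructed.

```python
"""Preflight checks for a CrowdStrike API client before configuring it in RAD Security."""
from urllib.parse import urlparse

# Scope names exactly as they appear on the API clients and keys page (Step 2).
REQUIRED_READ = {
    "Alerts", "Apps", "Custom IOA rules", "Detections", "Device control policy",
    "Hosts", "Assets", "Indicators", "Incidents", "IOC Management",
    "IOCs (Indicators of Compromise)", "Zero Trust Assessment",
}
REQUIRED_WRITE = {"Hosts"}

# Regional base URLs listed in Step 3; other regions exist, so an unknown URL is a warning.
KNOWN_BASE_URLS = {
    "https://api.crowdstrike.com", "https://api.us-2.crowdstrike.com",
    "https://api.eu-1.crowdstrike.com", "https://api.laggar.gcw.crowdstrike.com",
}


def check_scopes(read_scopes, write_scopes):
    """Return the read and write scopes still missing from the API client."""
    return {
        "missing_read": sorted(REQUIRED_READ - set(read_scopes)),
        "missing_write": sorted(REQUIRED_WRITE - set(write_scopes)),
    }


def check_config(cfg):
    """Return a list of problems with the Base URL / Client ID / Client Secret settings."""
    problems = []
    base = cfg.get("base_url", "").strip()
    if urlparse(base).scheme != "https":
        problems.append("base_url must start with https://")
    elif base.rstrip("/") not in KNOWN_BASE_URLS:
        problems.append("warning: base_url is not one of the regional endpoints listed in Step 3")
    if cfg.get("token_url"):  # the integration manages OAuth2 tokens itself
        problems.append("token_url must not be set")
    for key in ("client_id", "client_secret"):
        val = cfg.get(key, "")
        if not val or val != val.strip():  # empty value or copy-paste whitespace
            problems.append(f"{key} is empty or has surrounding whitespace")
    return problems


def token_endpoint(base_url):
    """Token URL derived from the regional base URL, for a manual credential test with curl."""
    return base_url.strip().rstrip("/") + "/oauth2/token"


if __name__ == "__main__":
    # Constructed sample: two scopes missing and a trailing slash on the base URL.
    sample = {"base_url": "https://api.us-2.crowdstrike.com/", "client_id": "abc123def456",
              "client_secret": "xyz789abc123"}
    print(check_config(sample), check_scopes(REQUIRED_READ - {"Apps", "Assets"}, ["Hosts"]))
```

A `warning:` entry means the URL is not in the short table above but may still be a valid region; every other entry maps to one of the troubleshooting causes listed above.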

## Security Best Practices

<CardGroup cols={2}>
  <Card title="Rotate Credentials Regularly" icon="rotate">
    Periodically create new API clients and delete old ones to maintain security hygiene.
  </Card>

  <Card title="Least Privilege Scopes" icon="shield-halved">
    Only grant the required scopes. Avoid adding unnecessary additional scopes to the API client.
  </Card>

  <Card title="Secure Credential Storage" icon="lock">
    Store Client ID and Secret in a secure password manager or secrets vault. Never commit to version control.
  </Card>

  <Card title="Monitor API Usage" icon="chart-line">
    Regularly review API client activity in CrowdStrike Console to detect anomalous behavior.
  </Card>

  <Card title="Audit Client Access" icon="clipboard-list">
    Periodically review all API clients and ensure unused clients are removed.
  </Card>

  <Card title="Response Action Controls" icon="shield-check">
    Monitor and audit response actions performed through the integration for compliance.
  </Card>
</CardGroup>

## API Client Management

To manage your CrowdStrike API clients:

<Steps>
  <Step title="View Existing Clients">
    Navigate to **Support and resources > Resources and tools > API clients and keys** to view all active API clients
  </Step>

  <Step title="Edit Client Scopes">
    Click the three dots (⋮) next to a client and select **Edit** to modify scopes
  </Step>

  <Step title="Rotate Credentials">
    1. Create a new API client with the same scopes
    2. Update RAD Security with the new Client ID and Secret
    3. Verify the integration works
    4. Delete the old API client
  </Step>

  <Step title="Revoke Compromised Credentials">
    If credentials are compromised, immediately delete the API client in CrowdStrike Console and create a new one
  </Step>
</Steps>

## Additional Resources

<CardGroup cols={2}>
  <Card title="CrowdStrike OAuth2 APIs" icon="book" href="https://falcon.us-2.crowdstrike.com/documentation/page/a2a7fc0e/crowdstrike-oauth2-based-apis">
    Official CrowdStrike OAuth2-based APIs documentation
  </Card>

  <Card title="CrowdStrike Base URLs" icon="globe" href="https://falcon.us-2.crowdstrike.com/documentation/page/a2a7fc0e/crowdstrike-oauth2-based-apis#k9578c40">
    Complete list of regional base URLs
  </Card>

  <Card title="CrowdStrike Falcon Spotlight" icon="magnifying-glass" href="/rad-security/integrations/vulnerabilities/crowdstrike-falcon-spotlight-setup">
    Configure CrowdStrike for vulnerability management
  </Card>

  <Card title="CrowdStrike NextGen SIEM" icon="chart-line" href="/rad-security/integrations/siem/crowdstrike-falcon-nextgen-siem-setup">
    Integrate CrowdStrike NextGen SIEM for unified threat analysis
  </Card>
</CardGroup>

## Next Steps

<CardGroup cols={2}>
  <Card title="EDR Integrations Overview" icon="shield-check" href="/rad-security/integrations/edr/overview">
    Explore other EDR integration options
  </Card>

  <Card title="Runtime Security" icon="shield" href="/rad-security/integrations/runtime-security">
    Learn about RAD's container runtime security
  </Card>

  <Card title="Alerts & Incidents" icon="bell" href="/rad-security/platform/workspace">
    Configure correlated alerts and incident management
  </Card>

  <Card title="Threat Models" icon="crosshairs" href="/rad-security/security-and-compliance/overview">
    Understand how threats are detected across platforms
  </Card>
</CardGroup>
