> ## Documentation Index
> Fetch the complete documentation index at: https://docs.livingsecurity.com/llms.txt
> Use this file to discover all available pages before exploring further.

# CrowdStrike Falcon

> Connect CrowdStrike Falcon to import endpoint detection and threat data.

export const ConnectInPlatform = ({tile, children}) => <Step title="Enter the credentials in the Living Security Platform">
    <p>
      Completed by whoever holds Living Security access — the program owner, or the system
      admin if they've been invited (delegated setup).
    </p>
    <ol>
      <li>
        Go to <strong>Settings → Integrations → Catalog</strong>, find the{' '}
        <strong>{tile}</strong> tile, click <strong>Connect</strong>.
      </li>
      <li>
        Fill in the fields below, then click <strong>Connect</strong>.
      </li>
    </ol>
    {children}
  </Step>;

export const SystemAdminBanner = ({system, recommendDelegated}) => <Note>
    <p>
      <strong>This guide is for your {system} administrator.</strong> It covers creating API
      credentials inside {system}, which requires admin access to {system} — not to the
      Living Security Platform.
    </p>
    <p>
      If you're the Living Security <strong>program owner</strong> and don't administer {system},
      send this page to whoever does. They complete Part A and hand the credentials back to you
      (or enter them directly if you've invited them into the platform).
      {recommendDelegated && <>
          {' '}Because setup produces sensitive key material, we recommend the{' '}
          <strong>delegated setup</strong> path so the secret is never sent back to you.
        </>}
    </p>
  </Note>;

<SystemAdminBanner system="CrowdStrike Falcon" recommendDelegated={true} />

## What Living Security needs

| Credential        | Description                                              |
| ----------------- | -------------------------------------------------------- |
| **Client ID**     | The unique identifier for your API client                |
| **Client Secret** | The confidential key used to authenticate the API client |
| **Base URL**      | The API base URL for your CrowdStrike cloud environment  |

**Scopes:** **Alerts: Read** and **Hosts: Read** — Alerts backs the alerts sync (`/alerts/queries/alerts/v2`) and Hosts backs the device sync (`/devices/queries/devices-scroll/v1`).

**Required role:** **Falcon Administrator** or equivalent with API client management permissions

### Prerequisites

* You must have **Falcon Administrator** access or equivalent permissions to create API clients in the CrowdStrike Falcon console.

***

## Part A — In CrowdStrike Falcon

*Your CrowdStrike administrator completes these steps.*

<Steps>
  <Step title="Navigate to API Clients and Keys">
    1. Log in to your [CrowdStrike Falcon console](https://falcon.crowdstrike.com/).
    2. From the search toolbar, search for **API Clients and Keys** and select it.

    <img src="https://mintcdn.com/livingsecurity/HhONVgmsi9Vt7YJR/integrations/images/crowdstrike/search.png?fit=max&auto=format&n=HhONVgmsi9Vt7YJR&q=85&s=fd1a179180c97bb6e4251a370d4323c2" alt="CrowdStrike search bar with API Clients and Keys" width="1918" height="586" data-path="integrations/images/crowdstrike/search.png" />
  </Step>

  <Step title="Create an API client">
    1. Click **Create API Client**.

    <img src="https://mintcdn.com/livingsecurity/HhONVgmsi9Vt7YJR/integrations/images/crowdstrike/create_api_client.png?fit=max&auto=format&n=HhONVgmsi9Vt7YJR&q=85&s=aa1ed84a051ec79c2487eea96aefa445" alt="Create API Client button" width="1918" height="586" data-path="integrations/images/crowdstrike/create_api_client.png" />

    2. Enter a **Name** (e.g., `Living Security Platform`).
    3. Enter a **Description** (e.g., `Read access for Living Security HRM platform`).
    4. Under **API Scopes**, enable **Read** for **Alerts** and **Hosts**.
    5. Click **Create**.
  </Step>

  <Step title="Copy the credentials">
    After creation, CrowdStrike displays your **Client ID**, **Client Secret**, and **Base URL**.

    <img src="https://mintcdn.com/livingsecurity/HhONVgmsi9Vt7YJR/integrations/images/crowdstrike/credentials.png?fit=max&auto=format&n=HhONVgmsi9Vt7YJR&q=85&s=004622c1f5f95b5cc209edab25414130" alt="CrowdStrike API credentials display" width="1918" height="490" data-path="integrations/images/crowdstrike/credentials.png" />

    **Copy all three values immediately** and store them securely.

    <Warning>
      The **Client Secret** is displayed only once. If you navigate away without copying it, you must delete the API client and create a new one.
    </Warning>

    <Note>
      The **Base URL** is the domain portion (e.g., `api.crowdstrike.com`) without the `https://` prefix. Common base URLs include:

      * US-1: `api.crowdstrike.com`
      * US-2: `api.us-2.crowdstrike.com`
      * EU-1: `api.eu-1.crowdstrike.com`
      * US-GOV-1: `api.laggar.gcw.crowdstrike.com`
    </Note>
  </Step>
</Steps>

***

## Part B — In the Living Security Platform

*The program owner completes this step, or the system admin if using delegated setup.*

<Steps>
  <ConnectInPlatform tile="CrowdStrike Falcon">
    | Field             | Value                                                          |
    | ----------------- | -------------------------------------------------------------- |
    | **Base URL**      | The Base URL from Part A, Step 3 (e.g., `api.crowdstrike.com`) |
    | **Client ID**     | The Client ID from Part A, Step 3                              |
    | **Client Secret** | The Client Secret from Part A, Step 3                          |

    <img src="https://mintcdn.com/livingsecurity/oVkrOMkYmNevekTI/integrations/images/crowdstrike/connect-dialog.png?fit=max&auto=format&n=oVkrOMkYmNevekTI&q=85&s=672bd99630a10a73b2a88c0554077588" alt="Living Security connect dialog for CrowdStrike" style={{maxWidth: "450px"}} width="576" height="752" data-path="integrations/images/crowdstrike/connect-dialog.png" />
  </ConnectInPlatform>
</Steps>

You are now connected to CrowdStrike Falcon.

***

## Troubleshooting

<AccordionGroup>
  <Accordion title="401 Unauthorized">
    The credentials are invalid. Check:

    1. Client ID and Client Secret are correct
    2. Client Secret has not been rotated or revoked
    3. Base URL matches your CrowdStrike cloud environment
  </Accordion>

  <Accordion title="403 Forbidden">
    The API client is missing required scopes. Verify that **Alerts: Read** and **Hosts: Read** are enabled on the API client in the CrowdStrike console.
  </Accordion>

  <Accordion title="Wrong Base URL">
    Each CrowdStrike cloud environment has a different API base URL. Verify you're using the correct URL for your tenant:

    * US-1: `api.crowdstrike.com`
    * US-2: `api.us-2.crowdstrike.com`
    * EU-1: `api.eu-1.crowdstrike.com`
  </Accordion>
</AccordionGroup>

***

<Note>Portions of this documentation are adapted from [Nango](https://nango.dev/docs/), used under the [Elastic License 2.0](https://github.com/NangoHQ/nango?tab=License-1-ov-file#readme).</Note>
