Source: https://manu-tests-all-orgs.docs-staging.pageloop.ai/integrations/security/crowdstrike

# Crowdstrike

# Crowdstrike

## Crowdstrike: Overview and setup

Connect CrowdStrike Falcon to Atomicwork to query, investigate, and manage security alerts as part of your IT and security workflows.

#### Usecases

By connecting CrowdStrike Falcon, your teams can:

- **Triage security alerts:** Query alerts using filters to surface high-severity or new alerts for investigation. For example, a workflow can automatically pull all new critical-severity alerts every morning and post a summary to your security team's Slack channel.
- **Investigate alert details:** Pull detailed alert information — including host details, detection context, and severity — directly from Atom or within a workflow. An agent handling a ticket about suspicious activity can ask Atom to pull the latest CrowdStrike alerts for that user's device without switching to the Falcon Console.
- **Automate alert response:** Update alert status, assign alerts to analysts, and add comments or tags as part of automated incident response workflows. For example, when a critical alert is detected, a workflow can automatically assign it to the on-call security analyst, set the status to in-progress, and create an incident in Atomicwork for tracking.
- **Enable self-service security queries:** Employees can ask Atom about security alerts affecting their devices without waiting for the security team — for example, "Are there any security alerts on my laptop?"

#### Permissions

To connect CrowdStrike Falcon to Atomicwork, you need:

- **Org admin access** in Atomicwork
- **Admin access to the CrowdStrike Falcon Console** with permission to create API clients

The integration authenticates using an API client configured in the Falcon Console. The API client requires the following scopes:

| **Permission**    | **Purpose**                                                                                                                    |
| ----------------- | ------------------------------------------------------------------------------------------------------------------------------ |
| **Alerts: Read**  | Query and retrieve alert details. Required for listing alerts and pulling alert information into workflows.                    |
| **Alerts: Write** | Update alert status, add comments, manage tags, and assign or unassign alerts. Required for any action that modifies an alert. |

To create the API client:

1. In the Falcon Console, navigate to **Support and Resources > API Clients and Keys**.
2. Click **Create API Client**.
3. Assign the **Alerts: Read** and **Alerts: Write** scopes.
4. Note the **Client ID** and **Client Secret** — you'll need these to complete the setup in Atomicwork.

#### Setup

Before connecting, identify your CrowdStrike cloud region. The base URL must match your Falcon environment:

| **Region** | **Base URL**                                                           |
| ---------- | ---------------------------------------------------------------------- |
| US-1       | [`https://api.crowdstrike.com`](https://api.crowdstrike.com)           |
| US-2       | [`https://api.us-2.crowdstrike.com`](https://api.us-2.crowdstrike.com) |
| EU-1       | [`https://api.eu-1.crowdstrike.com`](https://api.eu-1.crowdstrike.com) |

> \[!NOTE]
> **Using the wrong regional URL will cause authentication failures.** If you're unsure which region your Falcon tenant is on, check with your CrowdStrike administrator or refer to your Falcon Console URL.

To connect:

- Navigate to **Settings > App Store > CrowdStrike Falcon**.
- Enter your credentials:
  - **Client ID -** Your CrowdStrike API Client ID from the Falcon Console.
  - **Client secret -** Your CrowdStrike API Client Secret from the Falcon Console.
  - **Base URL** - The regional base URL for your CrowdStrike cloud instance (see table above).
- Click **Connect** to authorize the integration.

Atomicwork validates the connection by checking that the API client has the required Alerts: Read scope. If validation fails, you'll see a specific error message indicating what needs to be fixed.

#### Supported workflow actions

Once connected, you can automate the following CrowdStrike Falcon actions within your Atomicwork workflows:

| **Action**       | **Description**                                                                                                                      |
| ---------------- | ------------------------------------------------------------------------------------------------------------------------------------ |
| **List alerts**  | Query alert IDs using filters, with optional sorting and pagination. Use this to find alerts by severity, status, or other criteria. |
| **Get alerts**   | Retrieve detailed alert information by alert ID, including severity, status, description, host information, and detection details.   |
| **Update alert** | Perform actions on one or more alerts — update status, add a comment, add or remove tags, or assign/unassign to a team member.       |
| **Call API**     | Make a generic API call to any CrowdStrike Falcon endpoint for operations beyond the standard actions.                               |

#### Troubleshoot common issues

| **Error**                                        | **Cause**                                                                                                                       | **Resolution**                                                                                                                                                |
| ------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Invalid credentials (401)**                    | The Client ID or Client Secret is incorrect or has been revoked.                                                                | Generate a new API client in **Falcon Console > Support and Resources > API Clients and Keys** and update the credentials in Atomicwork.                      |
| **Insufficient permissions (403)**               | The API client is missing required scopes.                                                                                      | Verify that both **Alerts: Read** and **Alerts: Write** are assigned to the API client in the Falcon Console.                                                 |
| **Alerts read permission missing**               | The integration specifically checks for the Alerts: Read scope during connection. This scope is not assigned to the API client. | Edit the API client in the Falcon Console and add the **Alerts: Read** scope.                                                                                 |
| **Invalid base URL**                             | The base URL is malformed or missing the protocol.                                                                              | Ensure the URL includes `https://` and matches your CrowdStrike region (for example, [`https://api.crowdstrike.com`](https://api.crowdstrike.com) for US-1).  |
| **Authentication failure after initial success** | The regional base URL doesn't match your Falcon tenant's cloud instance.                                                        | Verify your cloud region and update the base URL in **Settings > App Store > CrowdStrike Falcon**.                                                            |
| **Token acquisition failure**                    | The CrowdStrike API is unreachable or experiencing issues.                                                                      | Verify network connectivity and check the [CrowdStrike status page](https://status.crowdstrike.com/) for any ongoing incidents.                               |
| **Action failure (403)**                         | The API client lacks the specific scope required for the action being performed.                                                | Check which action failed — list/get alerts requires **Alerts: Read**, update alerts requires **Alerts: Write**. Add the missing scope in the Falcon Console. |

---
