CrowdStrike Falcon
Introduction

This guide explains how to authenticate the CrowdStrike Falcon connector in Swimlane using OAuth 2.0 client credentials. You will identify your cloud base URL, gather CrowdStrike OAuth credentials, and configure the connector inside Swimlane Turbine.

CrowdStrike Access Requirements

You must have CrowdStrike console permissions to:

- Create / view API clients and keys
- Assign required OAuth scopes
- Identify your Falcon cloud region (if applicable)
- Access your member CID for MSSP environments

Required Credentials

During setup, you will collect:

- Client ID
- Client secret
- Base URL (depends on your Falcon cloud)
- Member CID (optional; only for MSSP)

CrowdStrike Cloud Base URLs

Use the base URL specific to your Falcon region (cloud: base URL):

- US-1: https://api.crowdstrike.com/
- US-2: https://api.us-2.crowdstrike.com/
- EU-1: https://api.eu-1.crowdstrike.com/
- US-GOV-1: https://api.laggar.gcw.crowdstrike.com/
- US-GOV-2: https://api.us-gov-2.crowdstrike.mil/

Ask your admin or check your CrowdStrike portal URL to confirm your region.

CrowdStrike Setup

Take the following steps to create an API client:

1. Log into the CrowdStrike Falcon console.
2. Navigate to Support > API Clients and Keys.
3. Click Create API Client.
4. Enter a name and description.
5. Assign required OAuth scopes as per the following list.

   Core Falcon permissions:
   - Detections: Read
   - Detections: Write
   - Hosts: Read
   - Incidents: Read
   - Incidents: Write
   - Real Time Response: Read
   - Real Time Response: Write
   - IOCs: Read
   - IOCs: Write
   - Sensor Download: Read
   - Spotlight Vulnerabilities: Read

   Optional (based on actions):
   - RTR admin commands
   - Quarantine / scan management
   - Sandbox file submission

6. Click Create and copy:
   - Client ID
   - Client secret

   These values will not be shown again. Store them securely.

Take the following steps to collect the member CID. This is an optional step and is only required if your environment is MSSP (Managed Security Service Provider).

1. Go to User > My Profile in CrowdStrike.
2. Locate Customer ID (CID).
3. If multiple tenants exist, use the member CID assigned to your sub-org.
Connector Configuration in Swimlane

1. Log in to Turbine.
2. From the left-hand navigation pane, click Orchestration and click Assets. The Asset homepage opens.
3. Click the plus icon to open the Configure your connector asset window.
4. Select CrowdStrike Falcon from the asset type list.
5. Fill in the asset settings and asset input as shown (field: description, required or optional):
   - URL: Base URL for your Falcon cloud (Required)
   - Client ID: Client ID from CrowdStrike (Required)
   - Client Secret: Client secret from CrowdStrike (Required)
   - Member CID: Required only for MSSP (Optional)
   - Verify SSL: Enable/disable SSL validation (Optional)
   - HTTP Proxy: Proxy settings, if applicable (Optional)

   Fields with marks are required.
6. Click Create.

Troubleshooting

Invalid credentials error:
- Ensure the client ID / client secret were copied correctly.
- Confirm the API client still exists and wasn't regenerated.

403 Forbidden:
- Missing OAuth scopes. Add the required permissions and re-authenticate.

Wrong region:
- Make sure your base URL matches your CrowdStrike cloud.

You have successfully authenticated the CrowdStrike Falcon connector in Swimlane.
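
To narrow down the troubleshooting cases above before changing the asset, the same inputs can be checked outside Swimlane. This is an added example, not Swimlane or CrowdStrike code. It assumes CrowdStrike's OAuth2 token endpoint at /oauth2/token with form fields client_id, client_secret and member_cid, none of which are named on this page; the function names are hypothetical.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Base URLs from the table in this guide, keyed by Falcon cloud.
FALCON_CLOUDS = {
    "US-1": "https://api.crowdstrike.com/",
    "US-2": "https://api.us-2.crowdstrike.com/",
    "EU-1": "https://api.eu-1.crowdstrike.com/",
    "US-GOV-1": "https://api.laggar.gcw.crowdstrike.com/",
    "US-GOV-2": "https://api.us-gov-2.crowdstrike.mil/",
}

def cloud_for(base_url):
    """Return the Falcon cloud name for base_url, or raise ValueError."""
    parts = urllib.parse.urlsplit(base_url.strip())
    if parts.scheme != "https":
        raise ValueError("base URL must use https")
    for cloud, url in FALCON_CLOUDS.items():
        if parts.hostname == urllib.parse.urlsplit(url).hostname:
            return cloud
    raise ValueError(f"{parts.hostname!r} is not a Falcon cloud listed in this guide")

def build_token_request(base_url, client_id, client_secret, member_cid=None):
    """Build the client-credentials POST; secrets go in the body, never the URL."""
    # Assumption: token path and form field names follow CrowdStrike's OAuth2 API.
    token_url = FALCON_CLOUDS[cloud_for(base_url)] + "oauth2/token"
    form = {"client_id": client_id.strip(), "client_secret": client_secret.strip()}
    if member_cid:  # only for MSSP environments
        form["member_cid"] = member_cid.strip()
    return urllib.request.Request(
        token_url,
        data=urllib.parse.urlencode(form).encode(),
        headers={"Accept": "application/json"},
        method="POST",
    )

def check_credentials(base_url, client_id, client_secret, member_cid=None):
    """Return (ok, detail) without printing the secret or the issued token."""
    req = build_token_request(base_url, client_id, client_secret, member_cid)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:  # TLS verified by default
            body = json.load(resp)
    except urllib.error.HTTPError as err:
        return False, f"HTTP {err.code}: recheck client ID/secret, scopes and region"
    except urllib.error.URLError as err:
        return False, f"connection failed: {err.reason}"
    if "access_token" not in body:
        return False, "no access_token in response"
    return True, f"token issued, expires in {body.get('expires_in')} s"
```

Read the client secret from a secrets store or an environment variable when calling check_credentials, so it does not end up in shell history or in a script file.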