AiStrike integrates directly with CrowdStrike Falcon APIs to enrich investigations, automate responses, and provide contextual security insights.
Prerequisites
-
Administrator access to the CrowdStrike Falcon Console (to create API clients and assign permissions).
-
Permission to create an API client and generate a Client ID and Client Secret.
Step 1: Create API credentials in CrowdStrike
-
Log in to your Falcon console at
https://falcon.us-<region>.crowdstrike.com/(region = us-1, us-2, eu-1, or us-gov-1). -
Go to Support and Resources > API Clients and Keys and select Create API Client.
-
Set Client Name
AiStrikeand a description (e.g. "AiStrike Integration Key"). -
Enable the read scopes below, then click Create.
-
Copy the Client ID and Client Secret and share them securely with AiStrike.
Required scopes (read)
|
Scope |
Access |
Purpose |
|---|---|---|
|
Alerts |
Read |
View detection information |
|
Detections |
Read |
Detection behavior, severity, host, timestamps |
|
Hosts |
Read |
Search hosts and get host details |
|
NGSIEM |
Read + Create Search |
Run Next-Gen SIEM queries and get results |
|
Incidents |
Read |
Retrieve incident data |
|
Quarantined Files |
Read |
Quarantine info and actions |
|
On-demand scans (ODS) |
Read |
View scan data and results |
|
Real Time Response |
Read |
RTR read-only analyst commands |
|
Event Streams |
Read |
Find and connect to event streams |
|
Threatgraph |
Read |
Entity relationships and metadata |
|
Identity Protection Entities / Timeline |
Read |
Search entity and timeline data |
|
Other features |
Read |
IOC, Intelligence Monitoring, and other licensed modules |
Step 2: Configure the AiStrike integration
|
Field |
Value |
|---|---|
|
Configuration Name |
e.g. |
|
Client ID |
From CrowdStrike |
|
Client Secret |
From CrowdStrike |
|
Base URL |
e.g. |
In AiStrike, go to Integrations > CrowdStrike, enter the details, and save.
API base URL mapping: us-1 → api.crowdstrike.com; us-2 → api.us-2.crowdstrike.com; eu-1 → api.eu-1.crowdstrike.com; us-gov-1 → api.laggar.gcw.crowdstrike.com.
Optional: response scopes
If AiStrike will perform automated response (host isolation, network containment, on-demand scans, file quarantine), also enable Write/Response on: Hosts, On-demand scans, Quarantined Files, Real Time Response, and Incidents.
Optional: a read-only Falcon console user (Viewer role) lets AiStrike analysts validate ingested data in the Falcon UI. Not required for the API integration to function.