AiStrike Documentation

CrowdStrike

AiStrike integrates directly with CrowdStrike Falcon APIs to enrich investigations, automate responses, and provide contextual security insights.

Prerequisites

  • Administrator access to the CrowdStrike Falcon Console (to create API clients and assign permissions).

  • Permission to create an API client and generate a Client ID and Client Secret.

Step 1: Create API credentials in CrowdStrike

  1. Log in to your Falcon console at https://falcon.us-<region>.crowdstrike.com/ (region = us-1, us-2, eu-1, or us-gov-1).

  2. Go to Support and Resources > API Clients and Keys and select Create API Client.

  3. Set Client Name AiStrike and a description (e.g. "AiStrike Integration Key").

  4. Enable the read scopes below, then click Create.

  5. Copy the Client ID and Client Secret and share them securely with AiStrike.

Required scopes (read)

Scope

Access

Purpose

Alerts

Read

View detection information

Detections

Read

Detection behavior, severity, host, timestamps

Hosts

Read

Search hosts and get host details

NGSIEM

Read + Create Search

Run Next-Gen SIEM queries and get results

Incidents

Read

Retrieve incident data

Quarantined Files

Read

Quarantine info and actions

On-demand scans (ODS)

Read

View scan data and results

Real Time Response

Read

RTR read-only analyst commands

Event Streams

Read

Find and connect to event streams

Threatgraph

Read

Entity relationships and metadata

Identity Protection Entities / Timeline

Read

Search entity and timeline data

Other features

Read

IOC, Intelligence Monitoring, and other licensed modules

Step 2: Configure the AiStrike integration

Field

Value

Configuration Name

e.g. Crowdstrike-API-Connector

Client ID

From CrowdStrike

Client Secret

From CrowdStrike

Base URL

e.g. https://falcon.us-<region>.crowdstrike.com/

In AiStrike, go to Integrations > CrowdStrike, enter the details, and save.

API base URL mapping: us-1 → api.crowdstrike.com; us-2 → api.us-2.crowdstrike.com; eu-1 → api.eu-1.crowdstrike.com; us-gov-1 → api.laggar.gcw.crowdstrike.com.

Optional: response scopes

If AiStrike will perform automated response (host isolation, network containment, on-demand scans, file quarantine), also enable Write/Response on: Hosts, On-demand scans, Quarantined Files, Real Time Response, and Incidents.

Optional: a read-only Falcon console user (Viewer role) lets AiStrike analysts validate ingested data in the Falcon UI. Not required for the API integration to function.