CrowdStrike Falcon Integration
Prerequisites
| Requirement | Details |
|---|---|
| CrowdStrike Falcon | Falcon Prevent, Insight, or Discover (depends on features needed) |
| CrowdStrike role | Falcon Administrator (required to create API clients) |
| StackFlow role | super_admin |
Step 1: Create OAuth2 API Client
1. Log into the Falcon Console and go to Support & Resources → API Clients and Keys → Add new API Client.
2. Name it StackFlow Integration.
3. Grant the following scopes:

| Scope | Access | Purpose |
|---|---|---|
| Detections | Read | Read detections for incident creation |
| Hosts | Read | Enrich incidents with host details |
| Incidents | Read + Write | Read and update CrowdStrike incidents |
| IOC Management | Read + Write | Ingest IOCs from StackFlow intelligence |
| Real Time Response | Read | Check host containment status |

4. Copy the Client ID and Client Secret — the secret is shown only once.
5. Note your Falcon Cloud region: us-1, us-2, eu-1, or us-gov-1.
Step 2: Detection-to-Incident Mapping
Map CrowdStrike detection severities and tactics to StackFlow incident priorities. Rules are evaluated in order and the first matching rule wins, so the P1 rule is listed before the P2 rule:

```json
{
  "detection_rules": [
    {
      "condition": "severity >= 80 OR tactic IN ('Execution', 'Exfiltration', 'Impact')",
      "action": "create_incident",
      "priority": "P1",
      "assignment_group": "Security Operations",
      "category": "security",
      "auto_contain_host": false
    },
    {
      "condition": "severity >= 50",
      "action": "create_incident",
      "priority": "P2",
      "assignment_group": "Security Operations",
      "category": "security"
    },
    {
      "condition": "severity < 50",
      "action": "log_only"
    }
  ]
}
```
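To check how a rule set like the one above routes real detections before enabling it, here is an added, stand-alone evaluator (example code, not part of StackFlow or the Falcon SDK). It assumes the condition grammar shown on this page, severity comparisons and `tactic IN (...)` lists joined by OR/AND, and feeds it constructed sample detections; note that a low-severity detection with an Exfiltration tactic still lands at P1.

```python
import json
import operator
import re

# Routing rules copied from the mapping above (first match wins).
RULES = json.loads("""
{"detection_rules": [
  {"condition": "severity >= 80 OR tactic IN ('Execution', 'Exfiltration', 'Impact')",
   "action": "create_incident", "priority": "P1"},
  {"condition": "severity >= 50", "action": "create_incident", "priority": "P2"},
  {"condition": "severity < 50", "action": "log_only"}
]}
""")["detection_rules"]

_CMP = re.compile(r"severity\s*(>=|<=|==|>|<)\s*(\d+)")
_IN = re.compile(r"tactic\s+IN\s*\(([^)]*)\)")
_OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq,
        ">": operator.gt, "<": operator.lt}

def _clause(clause, detection):
    """Evaluate one clause: a severity comparison or a tactic IN (...) list."""
    clause = clause.strip()
    if m := _CMP.fullmatch(clause):
        return _OPS[m.group(1)](detection["severity"], int(m.group(2)))
    if m := _IN.fullmatch(clause):
        tactics = {t.strip().strip("'") for t in m.group(1).split(",")}
        return detection.get("tactic") in tactics
    raise ValueError(f"unsupported clause: {clause!r}")

def evaluate(condition, detection):
    """AND binds tighter than OR; clauses are flat (no parentheses around groups)."""
    return any(all(_clause(c, detection) for c in re.split(r"\s+AND\s+", part))
               for part in re.split(r"\s+OR\s+", condition))

def route(detection, rules=RULES):
    """Return (action, priority) of the first matching rule; log_only if none match."""
    for rule in rules:
        if evaluate(rule["condition"], detection):
            return rule["action"], rule.get("priority")
    return "log_only", None

# Constructed sample detections (not real Falcon data); severity uses Falcon's 0-100 scale.
SAMPLES = [
    {"detection_id": "ldt:sample:1", "severity": 30, "tactic": "Exfiltration"},
    {"detection_id": "ldt:sample:2", "severity": 65, "tactic": "Discovery"},
    {"detection_id": "ldt:sample:3", "severity": 20, "tactic": "Persistence"},
]

if __name__ == "__main__":
    for d in SAMPLES:
        print(d["detection_id"], route(d))
```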
Step 3: Host Enrichment
When a detection triggers an incident, StackFlow automatically enriches it with host details from the CrowdStrike Hosts API and links the host CI in the CMDB. Each incident field on the left is populated from the Falcon device attribute on the right:

```json
{
  "enrichment_fields": {
    "hostname": "device.hostname",
    "platform": "device.platform_name",
    "os_version": "device.os_version",
    "local_ip": "device.local_ip",
    "external_ip": "device.external_ip",
    "last_seen": "device.last_seen",
    "containment_status": "device.status",
    "tags": "device.tags",
    "groups": "device.groups"
  }
}
```
Step 4: IOC Ingestion
StackFlow can push Indicators of Compromise (IOCs) from resolved security incidents back to CrowdStrike for blocking:

```bash
# Push an IOC to CrowdStrike via StackFlow
curl -X POST https://your-instance.stackflow-tech.com/prod/api/integrations/crowdstrike/iocs \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "type": "ipv4",
    "value": "192.168.1.100",
    "action": "prevent",
    "severity": "critical",
    "description": "C2 server identified in INC0001234",
    "source_incident": "INC0001234",
    "platforms": ["windows", "linux", "mac"],
    "expiration_days": 30
  }'
```
Step 5: Connect in StackFlow
1. Navigate to Admin → Integration Hub → CrowdStrike → Configure.
2. Enter the Client ID, Client Secret, and Falcon Cloud region.
3. Configure detection-to-incident mapping rules.
4. Enable host enrichment and CMDB sync.
5. Configure IOC ingestion settings.
6. Click Save & Test.
Field Reference
| Field | Required | Description |
|---|---|---|
| Client ID | Yes | Falcon OAuth2 API client ID |
| Client Secret | Yes | Falcon OAuth2 API client secret |
| Cloud Region | Yes | us-1, us-2, eu-1, us-gov-1 |
| Detection Rules | No | Severity/tactic-based routing rules |
| Host Enrichment | No | Auto-enrich incidents with host metadata (default: true) |
| IOC Push | No | Push IOCs to Falcon on incident resolution (default: false) |
| Polling Interval | No | Detection poll interval in minutes (default: 5) |
Testing the Integration
1. Click Test OAuth Token to verify credentials.
2. Click Pull Recent Detections to see the last 10 detections without creating incidents.
3. Temporarily set a low severity threshold and verify that incidents are created.
4. Test IOC push with a known-benign IP address (remove the IOC after testing).
Troubleshooting
| Issue | Cause | Fix |
|---|---|---|
| 401 on OAuth token request | Invalid client credentials | Re-copy the Client ID and Secret from the Falcon API Clients page |
| Detections not creating incidents | Severity threshold too high | Lower the minimum severity in the detection rules |
| Host enrichment failing | Hosts scope not granted | Add the Hosts:Read scope to the Falcon API client |
| IOC push returns 403 | IOC Management scope missing | Add the IOC Management:Write scope to the Falcon API client |