CrowdStrike Falcon Connection

Connects your agent to CrowdStrike Falcon for endpoint detection and response. The agent can query detections, inspect host details, manage IOCs, and pull vulnerability data. Write operations (contain host, update detection status) require confirmation.

Authentication

OAuth2 client credentials flow. Requires:

• client_id — API client ID from Falcon console > API Clients
• client_secret — API client secret
• base_url — Your CrowdStrike cloud (us-1, us-2, eu-1, us-gov-1)

Scopes required: detections:read, hosts:read, iocs:read, incidents:read, vulnerabilities:read. Add hosts:write and detections:write for containment actions.

Endpoints

Detections

• GET /detects/queries/detects/v1 — Search detections by filter (severity, hostname, tactic)
• GET /detects/entities/summaries/GET/v1 — Get detection details by ID
• PATCH /detects/entities/detects/v2 — Update detection status (requires confirmation)

Hosts

• GET /devices/queries/devices/v1 — Search hosts by hostname, OS, platform
• GET /devices/entities/devices/v2 — Get full host detail (OS, policies, last seen)
• POST /devices/entities/devices-actions/v2 — Contain / lift containment (requires confirmation)

Incidents

• GET /incidents/queries/incidents/v1 — Search incidents by state, time range
• GET /incidents/entities/incidents/GET/v1 — Get incident details with associated detections

IOCs

• GET /iocs/queries/indicators/v1 — Search custom IOCs
• GET /iocs/entities/indicators/v1 — Get IOC details

Vulnerabilities

• GET /spotlight/queries/vulnerabilities/v1 — Search vulnerabilities by CVE, severity, host
• GET /spotlight/entities/vulnerabilities/v2 — Get vulnerability detail with remediation

Rules

• Rate limit: 100 requests/minute for detection queries, 500/minute for host lookups
• Host containment actions always require user confirmation — no auto-contain
• Detection status updates are logged to audit trail
• Bulk operations (>5 hosts) require itemized confirmation