Overview

The CrowdStrike connector provides comprehensive access to CrowdStrike's endpoint protection platform. This enables device management, user administration, incident response, detection analysis, and alert management capabilities.

Setup

Prerequisites

Before setting up the CrowdStrike Falcon connector, ensure you have:

Access to CrowdStrike Falcon console with appropriate permissions.
CrowdStrike API client credentials (Client ID and Client Secret).
Ability to create API clients in CrowdStrike Falcon.
Access to your Leena AI workspace with connector management permissions.
Knowledge of your CrowdStrike cloud region (US-1, US-2, EU-1, etc.).

Get Credentials

Step 1: Create API Client in CrowdStrike Falcon

Login to CrowdStrike Falcon Console.
Navigate to API Clients by going to Support and resources > API Clients and Keys.
Click on Add new API client.
Provide a descriptive client name.
Select appropriate API scopes (see Required Scopes section below).
Click Add to create the client.
Note the Client ID and Client Secret that are displayed.

Add Connection

Step 1: Access the Integrations Page

Log in to your Leena AI workspace.
Navigate to Settings > Integrations.
Click on Add Connector.
Search for "CrowdStrike" and select it from the list.

Step 2: Configure Connection in Leena AI

The CrowdStrike Falcon connector uses OAuth 2.0 client credentials authentication.

Parameter	Description	Example
Client ID	API client ID from CrowdStrike	From Step 1
Client Secret	API client secret from CrowdStrike	From Step 1
Base URL	CrowdStrike API endpoint	`https://api.us-2.crowdstrike.com`
Region	CrowdStrike cloud region	`$US-1, $US-2, $EU-1`, etc.

Step 3: Required Scopes

Configure your API client in CrowdStrike with the following scopes based on your intended use case:

Category	Scope	Description	Actions Enabled
Hosts	`Hosts: READ`	Read host information	Query devices, get device details, online status
Hosts	`Hosts: WRITE`	Perform actions on hosts	Contain hosts, suppress detections, hide hosts
User Management	`User-management: READ`	Read user information	List users, get user details, get roles
User Management	`User-management: WRITE`	Manage users	Create, update, delete users
Incidents	`Incidents:READ`	Read incident data	Get incidents, behaviours, incident details
Incidents	`Incidents:WRITE`	Manage incidents	Perform incident actions, update status
Detections	`Detects: READ`	Read detection data	Get detects, summaries, aggregations
Detections	`Detects: WRITE`	Manage detections	Update detection status, assign detections
Alerts	`Alerts: READ`	Read alert data	Get alerts, alert details, aggregations
Alerts	`Alerts: WRITE`	Manage alerts	Update alert status, assign alerts

Step 4: Test Connection and Save

After entering all required credentials, click Test Connection.
If successful, click Save.
If the test fails, verify your API client configuration and credentials.

Actions

The CrowdStrike connector supports actions related to device management, user management, and security monitoring.

Devices: Perform Action on Device

Executes specified actions on one or more devices.

Input Parameters

Parameter	Requirement	Description
Device IDs	Mandatory	An array of device IDs (comma-separated strings).
Action Name	Mandatory	The action to perform on the selected devices (selected from a dropdown).

Supported Actions:

contain: Restrict network access except to CrowdStrike cloud.
lift_containment: Remove containment restrictions.
detection_suppress: Suppress future detections.
detection_unsuppress: Re-enable detections.
hide host: Hide device from standard view.
unhide_host: Make device visible again.

Devices: Get Device Details

Retrieves full metadata for specified device IDs.

Input Parameters

Parameter	Requirement	Description
Device IDs	Mandatory	An array of device IDs for which detailed information is returned.

Devices: Get Online Status

This action returns the online/offline status for specified device IDs.

Input Parameters

Parameter	Requirement	Description
Device IDs	Mandatory	An array of device IDs (comma-separated strings).

JSON Input

[NO JSON INPUT FOUND IN PROVIDED DOCUMENTATION - Content is blank]

Response

[NO RESPONSE DETAILS FOUND IN PROVIDED DOCUMENTATION - Content is blank]

Devices: Get Combined Devices by Filter

Retrieves a list of device IDs and corresponding details matching specified filters.

Input Parameters

Parameter	Requirement	Description
filter	Optional	FQL filter expression.
limit	Optional	Maximum number of results (default: 100).
offset	Optional	Starting index for pagination.
sort	Optional	Sort field and direction.
fields	Optional	Device attributes that are to be returned.

Devices: Get Hidden Devices by Filter

Retrieves information about devices that have been hidden from standard view for agents/admins.

Input Parameters

Parameter	Requirement	Description
Fields	Optional	Specific fields to return.
Filter	Optional	FQL filter expression.
Limit	Optional	Maximum number of results.
Offset	Optional	Starting index for pagination.
Sort	Optional	Sort field and direction.

Users: List Users

Retrieves a list of users with filtering and pagination.

Input Parameters

Parameter	Description	Type	Default
Filter	FQL filter expression	String	[NO DEFAULT PROVIDED - Content is blank]
Limit	Maximum results	Integer	10 (max: 500)
Offset	Starting index	Integer	0
Sort	Sort field and direction	String	[NO DEFAULT PROVIDED - Content is blank]

Filterable Fields: assigned_cids, cid, first_name, last_name, name, status, uid (unique identifier).

Sortable Fields: first_name, has_temporary_roles (true/false), last_name, name, uid (unique identifier).

Users: Delete User

Deletes a user from the CrowdStrike system.

Input Parameters

Parameter	Requirement	Description
User UUID	Mandatory	The unique identifier of the user (UUID) which is maintained in CrowdStrike.

Note: To fetch the User UUID, a supporting action like 'List users' can be used.

Alerts: Get Aggregate Alerts

Retrieves aggregated alert data for analytics.

Input Parameters

Parameter	Description	Type	Default
include_hidden	Include hidden alerts in aggregations	Boolean	`false`
date_ranges	Date ranges for aggregation	Array of Objects	[NO DEFAULT PROVIDED - Content is blank]
field	Field to aggregate on	String	[NO DEFAULT PROVIDED - Content is blank]
filter	FQL filter expression	String	[NO DEFAULT PROVIDED - Content is blank]
type	Aggregation type	String	[NO DEFAULT PROVIDED - Content is blank]
interval	Time interval for `date_histogram`	String	[NO DEFAULT PROVIDED - Content is blank]
ranges	Value ranges for range aggregations	Array of Objects	[NO DEFAULT PROVIDED - Content is blank]
size	Maximum number of buckets	Integer	[NO DEFAULT PROVIDED - Content is blank]
sort	Sort bucket results	String	[NO DEFAULT PROVIDED - Content is blank]
time_zone	Time zone for results	String	[NO DEFAULT PROVIDED - Content is blank]
exclude	Elements to exclude	String	[NO DEFAULT PROVIDED - Content is blank]
include	Elements to include	String	[NO DEFAULT PROVIDED - Content is blank]
max_doc_count	Only return buckets with values $\leq$ this	Integer	[NO DEFAULT PROVIDED - Content is blank]
min_doc_count	Only return buckets with values $\geq$ this	Integer	[NO DEFAULT PROVIDED - Content is blank]
missing	Value for missing aggregation fields	String	[NO DEFAULT PROVIDED - Content is blank]
name	Name of aggregate query	String	[NO DEFAULT PROVIDED - Content is blank]
[BLANK]	Full text search across metadata	String	[NO DEFAULT PROVIDED - Content is blank]
sub_aggregates	Nested aggregations (max 3)	Array of Objects	[NO DEFAULT PROVIDED - Content is blank]

Aggregation Types: date_histogram, date_range, terms, range, cardinality, max, min, Avg, sum, percentiles.

Interval Values: year, month, week, day, hour, minute.