Skip to content

Get Crowdstrike API Credentials

Jump to bottom
stanfrbd edited this page Mar 25, 2025 · 5 revisions

Important

Requirements: Crowdstrike is a paid service, you must have an account to get API keys.
You will need an account with administrative permissions to create API credentials.

Falcon Insight XDR is required to access the API (Device Count).
Falcon Intelligence or Falcon Intelligence Premium is required to access the API (CTI Data).

Note

You can use Cyberbro with Falcon Insight XDR only but the CTI data won't be displayed,
you will just have Device Count (on how many devices the observable was seen).

To interact with the Crowdstrike API, you need to obtain the following credentials:

  • Client ID ("crowdstrike_client_id" in secrets.json or CROWDSTRIKE_CLIENT_ID environment variable).
  • Client Secret ("crowdstrike_client_secret" in secrets.json or CROWDSTRIKE_CLIENT_SECRET environment variable).

Additionally, you need to assign the appropriate API permissions to your application to interact with Indicators of Compromise (IOC) and Intel.

Steps to Obtain API Credentials

1. Log in to the Crowdstrike Falcon Console

  1. Go to the Crowdstrike Falcon Console.
  2. Log in with your credentials.

2. Navigate to API Clients and Keys

  1. In the left-hand menu, navigate to Support and resources > API Clients and Keys
  2. Click Create API client.

3. Create a New API Client

  1. Enter a name and description for your API client.

  2. Under Scope, select the following permissions:

    • IOC Management - Read
    • IOCs (Indicators of Compromise) - Read
    • Indicators (Falcon Intelligence) - Read
    • Actors (Falcon Intelligence) - Read
    • Malware Families (Falcon Intelligence) - Read
    • Reports (Falcon Intelligence) - Read

  3. Click Create.

4. Obtain Client ID and Client Secret

  1. After creating the API client, you will be shown the Client ID and Client Secret.
  2. Copy these values and store them securely.

Warning

Make sure to copy the Client Secret now as it will not be shown again.

Summary

You now have the Client ID and Client Secret required to authenticate with the Crowdstrike API.
Additionally, you have assigned the necessary permissions to interact with Indicators of Compromise (IOC) and Intel.

For more information, consult the official documentation: https://falcon.crowdstrike.com/documentation/page/a2a7fc0e/crowdstrike-oauth2-based-apis

Note

To configure the Falcon link (clickable in the GUI), users may utilize the optional "crowdstrike_falcon_base_url": "https://falcon.crowdstrike.com" setting in secrets.json or the CROWDSTRIKE_FALCON_BASE_URL environment variable. By default, this variable is set to "https://falcon.crowdstrike.com". For instance, those operating within the US2 region should specify the prefix as "https://falcon.us-2.crowdstrike.com".

Screenshots

image

image

Any questions? Raise an issue or contact @cyberbro_cti on X / @cyberbro on Mastodon (infosec.exchange).

Clone this wiki locally