# CrowdStrike {% hint style="info" %} Note that this is separate from the "CrowdStrike Falcon Intelligence" Threat intelligence data source. {% endhint %} The Dropzone AI platform integrates with the CrowdStrike APIs. This document describes how to set up API credentials and install them into the Dropzone platform. ## Integration Overview To enable these integrations you will perform the following actions: * Create API credentials in the CrowdStrike dashboard * Install the credentials into your Dropzone tenant (Data Source and Alert Source) * Select integration parameters, such as which alert types to sync ## Create an API Key * As an Admin, go to your CrowdStrike dashboard, e.g. https\://*falcon.us-#*.crowdstrike.com/ * From the menu in the upper left, navigate to Support and Resources > API clients and keys

* On the right, click "Create API Client"

* On the "Create API Client" page, input "Dropzone AI" in the client name field. Under "Description," write "Dropzone AI Integration Key"

* Enable the following scopes: | Scope | Read | Write | Used By | | ----------------------------- | ---- | ----- | ------------------------------ | | Alerts | ✓ | | Alert Source, Data Source | | API Integrations | ✓ | | Alert Source, Data Source | | Cases | ✓ | ✓ | Alert Source, Data Source | | Detections | ✓ | | Alert Source, Data Source | | Hosts | ✓ | ✓ | Data Source, Remediator Source | | NGSIEM | ✓ | ✓ | Data Source | | Incidents | ✓ | | Alert Source, Data Source | | Quarantined Files | ✓ | | Data Source | | Real Time Response | ✓ | ✓ | Data Source | | Event Streams | ✓ | | Data Source | | Threatgraph | ✓ | | Data Source | | Identity Protection Entities | ✓ | | Data Source | | Identity Protection Timeline | ✓ | | Data Source | | Identity Protection GraphQL | | ✓ | Data Source | | Sandbox (Falcon Intelligence) | ✓ | ✓ | Data Source | | Indicators of Compromise | ✓ | ✓ | Remediator Source | {% hint style="info" %} Some of these scopes are only necessary for the Data Source or Remediator integration. If you don't intend to perform those integrations, you may ignore them. {% endhint %} * Write permission details * `Cases`: Write permissions are only required when used in Response Actions * `Hosts`: Write permissions are only required when used in Remediator Containment Actions * `NGSIEM`: Write permissions are required when NextGen SIEM is enabled in order to execute NGSIEM queries ([docs](https://www.falconpy.io/Service-Collections/NGSIEM.html#startsearchv1)) * `Real Time Response`: Write permissions are required when File Retrieval is enabled ([docs](https://www.falconpy.io/Service-Collections/Real-Time-Response.html#rtr_executeactiverespondercommand)) * Dropzone *only* uses Real Time Response to perform `get ` commands * `Identity Protection GraphQL`: Write permissions are required when Identity Protection is enabled in order to execute queries for user directory information ([docs](https://www.falconpy.io/Service-Collections/Identity-Protection.html#api_preempt_proxy_post_graphql)) * `Sandbox (Falcon Intelligence`: Write permissions are only required when File Detonation is enabled in order to upload collected or attached files in the Falcon Sandbox * `Indicators of Compromise`: Write permissions are only required when used in Remediator Containment Actions * When done, click "Create" * Copy the Client ID and Secret for use later in the Dropzone UI where they are called "Client ID" and "Client Secret" respectively

## Enable Crowdstrike The Alert source integration allows Dropzone AI to pull alerts from CrowdStrike for investigation. You'll need the following information: | Dropzone Field | Source | | -------------- | ---------------------------------------- | | Client ID | The "Client ID" value you copied earlier | | Client Secret | The "Secret" value you copied earlier | To enable the Alert Source integration, do the following: * Navigate to your Dropzone AI tenant home page e.g. https\://*mycompany*.dropzone.app * In the bottom left hand corner, navigate to Settings > Integrations

* Click "Available"

* In the Search bar, search CrowdStrike, then click "Configure"

{% hint style="success" %} Make sure you're using the EDR CrowdStrike tile, not the "CrowdStrike Falcon Intelligence" Threat Intelligence tile. {% endhint %} * Under the Alert Source header, input the Client ID and Client Secret. If you use a non-default URL for the CrowdStrike API, configure the API Base URL as well

The CrowdStrike Alert Source Configuration (pt 1)

* If you wish to enable endpoint detection, check the box labeled "Enable Endpoint Detection." Then select the severity levels you want Dropzone to investigate alerts for * Under Exlusions, you may choose to exclude alerts by display name. To do so, click "Add Item," then input a list of [Python regexes](https://docs.python.org/3/library/re.html) of the alerts you wish to exclude

The CrowdStrike Alert Source Configuration (pt 2)

* If you wish to enable Dropzone to investigate specific endpoint incidents, check the box labeled "Enable Endpoint Incidents." Then select the incident statuses you want Dropzone to investigate alerts for * Enter the minimum incident score you want Dropzone to investigate alerts for Crowdstrike utilizes an incident scoring system to indicate the severity and potential impact of an incident. The numbers range from 0 (no risk) to 100 (critical risk). If you wish for Dropzone to be able to investigate all alerts, choose 0 as the minimum incident score.

The CrowdStrike Alert Source Configuration (pt 3)

* If you wish to enable CloudStrike's [Next-Gen SIEM](https://developer.crowdstrike.com/docs/ng-siem/), check the box labeled "Enable Next-gen SIEM." Then select the severity levels you want Dropzone to investigate alerts for * Under "Next-Gen SIEM Alert Exlusions," you may choose to exclude alerts by display name. To do so, click "Add Item," then input a list of regexes to exclude alerts

The CrowdStrike Alert Source Configuration (pt 4)

* If you wish to enable Dropzone to investigate [identity protection alerts](https://www.crowdstrike.com/wp-content/uploads/2021/06/CrowdStrike-Falcon-Identity-Protection-Modules_DataSheet.pdf), check the box labeled "Enable Identity Protection Alerts." Then select the severity levels you want Dropzone to investigate alerts for

The CrowdStrike Alert Source Configuration (pt 5)

* Input your desired poll interval and lookback

The CrowdStrike Alert Source Configuration (pt 6)

* Click "Test & Save" to finish You should begin ingesting alerts immediately. If you have any errors engage your Dropzone AI support representative. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.dropzone.ai/integrations/alert/crowdstrike_alert.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.