Create API credentials to integrate your existing CrowdStrike Falcon Complete environment with Red Canary
    • 30 Aug 2024

    To integrate your CrowdStrike Falcon Complete environment with Red Canary, you'll need to generate specific API credentials. These credentials give Red Canary authorized access to your CrowdStrike data, enabling advanced threat detection and response capabilities. To create the API credentials, follow the procedure below from beginning to end.

    Note: This process is only for customers with a CrowdStrike Falcon Complete environment. If your Customer Success Manager (CSM) or Technical Implementation Manager (TIM) has not instructed you to complete this process, it likely does not apply to your environment. If you are unsure, please check with your CSM or TIM.

    Prerequisites

    • CrowdStrike Support has granted you the Falcon Administrator role for your Customer Identification (CID)

    • CrowdStrike Support has granted Red Canary access to your CID and enabled the following features:

      • Falcon Data Replicator

      • Threat Graph scope

    Step 1: Workstation–Create a text file

    Red Canary needs your API credentials to finish integrating your environments. In addition, a text file containing the API credentials must be saved and shared with Red Canary’s Support team.

    1. On your workstation, create a new text file.

    2. Insert the following template into the text file:

      CrowdStrike Falcon Complete Integration Credentials

      Name:

      Organization Name:

      Falcon CID: 

      Threat Graph Username:

      Threat Graph API Password:

      Falcon Data Replicator SQS URL:

      Falcon Data Replicator AWS Access Key ID:

      Falcon Data Replicator AWS Secret Access Key/Secret:

      Falcon Oauth2 Client ID:

      Falcon Oauth2 Secret:

    3. We recommend leaving the text file open to easily copy and then paste the created API credentials into the text file.

    Step 2: CrowdStrike–Create FDR (Falcon Data Replicator) SQS credentials

    Red Canary requires the use of FDR SQS Credentials to integrate properly. Create and then save these credentials.

    1. From your CrowdStrike CID homepage, click Open menu.

    2. Click Support and resources.

    3. Click Falcon Data Replicator.

    4. From the FDR feeds section, click Create feed.

    5. Enter the feed name.

    6. Toggle the Feed Status to On.

    7. Select Create your FDR feed with default settings.

    8. Copy and then save the new Falcon Data Replicator (FDR) URL, Client ID (Access Key ID), and Secret.

    9. Click Next.

    10. Click Create Feed.

      Note: Do not lose the Secret as this is the only time you can view it.

    11. Paste the FDR credentials into the correct fields of the text file from Step 1.2.

    12. Close the FDR credential window.

    Step 3: CrowdStrike–Create OAuth 2.0 Credentials

    Create the CrowdStrike OAuth2 Client ID and Secret from the CrowdStrike platform. At the end of this step, your text file should have all the credentials required to integrate properly with Red Canary.

    1. From your CrowdStrike CID homepage, click Open menu.

    2. Click Support and resources.

    3. Click API clients and keys.

    4. Ensure the OAuth2 API clients tab is selected, then click Create API client.

    5. For the Client Name Field, enter Red Canary.

    6. From the API SCOPES section, select the following permissions:

      1. Detections (Read and Write)

      2. Hosts (Read and Write)

      3. Host Groups (Read)

      4. Real time response (admin) (Write)

      5. Real time response (Read and Write)

      6. Threatgraph (Read)

    7. Click Create.

    8. Copy and then save the API Client ID and Secret that appears.

    9. Paste the Falcon Oauth2 Client ID and Secret into the correct fields of the text file from Step 1.2.

    10. Close the credential window.

    Step 4: Red Canary–Share the credential text file with Red Canary

    Red Canary requires the API credentials you created above to complete the integration process. You’ll upload the newly created text file to our Support team. 

    Note: Your Technical Implementation Manager or Sales Engineer should have already invited you to your Red Canary portal via email.

    1. Locate the text file containing the needed API credentials.

    2. To share the text file with Red Canary Support, follow the steps in Share Files Securely with Red Canary.

    3. Red Canary will confirm they have received the file and finish integrating your environments.

    4. Permanently delete the text file.
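
A pre-share check for Step 4, added here as an example (not Red Canary or CrowdStrike code): it parses the Step 1.2 template, lists any fields still empty, and flags a file that other local users can access. The function names are hypothetical, the sample values are constructed placeholders, and the permission check assumes a POSIX workstation.

```python
import os
import stat
import tempfile

# Field labels copied from the template in Step 1.2 of this page.
REQUIRED_FIELDS = [
    "Name", "Organization Name", "Falcon CID", "Threat Graph Username",
    "Threat Graph API Password", "Falcon Data Replicator SQS URL",
    "Falcon Data Replicator AWS Access Key ID",
    "Falcon Data Replicator AWS Secret Access Key/Secret",
    "Falcon Oauth2 Client ID", "Falcon Oauth2 Secret",
]

def parse_template(text):
    """Map each 'Label: value' line to its value, splitting on the first colon only."""
    fields = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if sep and label.strip() in REQUIRED_FIELDS:
            fields[label.strip()] = value.strip()
    return fields

def check_credentials_file(path):
    """Return a list of problems; an empty list means the file is ready to share."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):  # POSIX only: group/other access bits
        problems.append(f"file mode {mode:o} lets other users access it; use 600")
    with open(path, encoding="utf-8") as fh:
        fields = parse_template(fh.read())
    for label in REQUIRED_FIELDS:
        if not fields.get(label):
            problems.append(f"missing value for: {label}")
    return problems

def demo():
    """Run the check on a constructed, partly filled file with placeholder values."""
    sample = ("Name: Example Admin\nFalcon CID: PLACEHOLDER-CID\n"
              "Falcon Data Replicator SQS URL: https://example.invalid/queue\n")
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(sample)
    try:
        os.chmod(fh.name, 0o644)  # deliberately too permissive for the demo
        return check_credentials_file(fh.name)
    finally:
        os.remove(fh.name)

if __name__ == "__main__":
    print("\n".join(demo()))
```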

