Create API credentials to integrate your existing CrowdStrike Falcon environment with Red Canary
    • 09 Jul 2025

    Article summary

    To integrate CrowdStrike Falcon with Red Canary, your Technical Implementation Manager (TIM) will generate API credentials in your CrowdStrike Falcon environment. If you are a CrowdStrike Falcon Complete customer or a customer who uses CrowdStrike Falcon on a GovCloud environment, your TIM will instruct you to follow this process to generate and then share the API credentials with Red Canary. These credentials provide Red Canary authorized access to your CrowdStrike data, enabling advanced threat detection and response capabilities.

    Prerequisites

    Please make sure the following requirements are met:

    • CrowdStrike Support has granted you the Falcon Administrator role in your CrowdStrike Falcon console

    • CrowdStrike Support has enabled the following features:

      • Falcon Data Replicator

      • Threat Graph scope

    • If you are a CrowdStrike Falcon Complete customer, your TIM has confirmed that your CrowdStrike Customer Identification (CID) is now a child CID under Red Canary’s parent CID

    • If you are a customer who uses CrowdStrike Falcon on a GovCloud environment, you have granted Red Canary access to your CrowdStrike instance

    1 Workstation | Create a text file

    You will need to share your API credentials with Red Canary using our secure file sharing process. Prior to creating the FDR feed and OAuth 2.0 API client, it is recommended that you prepare the text file that you’ll share with Red Canary.

    1. Create a new text file on your workstation.

    2. Copy and paste the following content into your text file:

      CrowdStrike Falcon Integration Credentials
      Name:
      Organization Name:
      Falcon CID: 
      Falcon Data Replicator SQS URL:
      Falcon Data Replicator AWS Access Key ID:
      Falcon Data Replicator AWS Secret Access Key/Secret:
      Falcon Oauth2 Client ID:
      Falcon Oauth2 Secret:
    3. Save the file. Red Canary recommends you leave the file open to easily copy and paste the necessary credentials into it.

    2 CrowdStrike Falcon | Create an FDR Feed

    Create an FDR feed and add the FDR SQS credentials to the text file. The FDR feed sends your CrowdStrike Falcon telemetry to an AWS S3 bucket; Red Canary then connects to the AWS S3 bucket using the credentials you provide. When you create the FDR feed, create it with the default recommended settings. Changing the default settings could result in Red Canary not having the data necessary to perform proper threat analysis, limiting our ability to protect your environment.

    You will need the following information to fill out the text file:

    • Client ID

    • Secret

    • Notifications URL

    Note

    Refer to the CrowdStrike documentation (US-1, US-2, EU-1) for step-by-step instructions on how to create an FDR feed and for more information on what FDR feeds do in your system. The Create an FDR feed steps are found in the Falcon Documentation > Tools and Reference > Falcon Data Replicator topic. To view these instructions you'll need to log in with your CrowdStrike account information for the appropriate region.

    1. Navigate to the FDR feed page in your CrowdStrike Falcon console and click Create feed.

      [Screenshot: Create feed action highlighted in CrowdStrike Falcon.]

    2. Type Red Canary in the Feed name field.

    3. Click the Feed toggle to On.

    4. Click Create your FDR Feed with default settings, then click Next.

    5. Review the FDR feed details as needed, then click Create Feed.

    6. Copy and then paste the Client ID, Secret, and Notifications URL into the text file you will share. Red Canary also recommends saving these values to a secure password manager.

    7. Save the text file.

    8. Click Close.

      [Screenshot: Close action highlighted in CrowdStrike Falcon.]

    3 CrowdStrike Falcon | Create an API Client

    Create an API client and add the OAuth 2.0 API credentials to the text file. The API client has several required scopes and permissions necessary for Red Canary to ingest CrowdStrike telemetry, and the justification for each is provided in the table below.

    You will need the following information to fill out the text file:

    • Client ID

    • Secret

    Note

    Refer to the CrowdStrike documentation (US-1, US-2, EU-1) for step-by-step instructions on how to create API clients and for more information on what API clients can do in your system. The Create an API client steps are found in the Falcon Documentation > CrowdStrike APIs > CrowdStrike APIs - General Info > CrowdStrike OAuth2-Based APIs topic. To view these instructions you'll need to log in with your CrowdStrike account information for the appropriate region.

    1. Navigate to the API clients and keys page in your CrowdStrike Falcon console and click Create API client.

    2. Type Red Canary in the Client name field, then type an appropriate description in the Description field.

    3. Enable the following scopes to allow Red Canary to ingest and enrich detection data, perform real-time response and remediation actions, enable investigations and analysis, and support automation and workflow capabilities:

      Scope | Permission | Purpose | Justification

      Detections | Read and Write
        Purpose: Allows Red Canary to ingest and update detection data.
        Justification: Red Canary uses this scope to update detection status, add comments, and provide context back into CrowdStrike, and it is critical for SOAR/Automation capabilities that require updating detections as part of automated workflows.

      Hosts | Read and Write
        Purpose: Allows Red Canary to view host information and take action against hosts.
        Justification: Red Canary uses this scope to perform investigations and take actions to protect your environment, such as isolating hosts during an investigation or response scenario.

      Host Groups | Read
        Purpose: Allows Red Canary to read host group information.
        Justification: Red Canary uses this scope to understand endpoint groupings and contexts within CrowdStrike, such as mapping and correlating endpoints during analysis and investigation.

      NGSIEM | Read and Write
        Purpose: Allows Red Canary to query process data.
        Justification: Red Canary uses this scope to investigate threats within your CrowdStrike environment using the internal Surveyor on Rails tool. This critical tool allows Threat Response Engineering (TRE) to hunt for threats more quickly and efficiently.
        Note: Refer to the CrowdStrike documentation (US-1, US-2, EU-1) for more information regarding Next-Gen SIEM Search APIs. To view these instructions you'll need to log in with your CrowdStrike account information for the appropriate region.

      Real Time Response (admin) | Write
        Purpose: Allows Red Canary to issue real-time commands on endpoints.
        Justification: Red Canary uses this scope to provide Active Remediation services, such as executing commands equivalent to the Real Time Responder - Admin role that remove malicious files or run custom scripts.
        Note: This scope is only required if you have purchased Active Remediation services through Red Canary.

      Real Time Response | Read and Write
        Purpose: Allows Red Canary to perform reconnaissance.
        Justification: Red Canary uses this scope to provide Active Remediation services, such as executing commands equivalent to the Real Time Responder - Read Only Analyst or the Real Time Responder - Active Responder roles.
        Note: This scope is only required if you have purchased Active Remediation services through Red Canary.

      Threatgraph | Read
        Purpose: Allows Red Canary to query CrowdStrike’s ThreatGraph API.
        Justification: Red Canary uses this scope to retrieve relational telemetry and graph data to be used as context for our investigations.

    4. Click Create.
      [Screenshot: Create action highlighted in the Create API Client pop-up.]

    5. Copy and then paste the Client ID and Secret into the text file you will share. Red Canary also recommends saving these values to a secure password manager.

    6. Save the text file.

    7. Click Done.
      [Screenshot: Done action highlighted on the API client created pop-up.]
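    The following script is an added example for this article, not code from Red Canary or CrowdStrike. It runs two checks a practitioner would want before handing the text file over in the next section: that the API client carries exactly the scopes and permissions listed in the table above (flagging anything missing, anything with a different permission, and anything extra, so the client stays least-privilege, with the Real Time Response scopes expected only when Active Remediation has been purchased), and that every field of the credential text file has been filled in. The scope table and the field names are transcribed from this article; the sample file contents, the sample scope set and the assumption that a Falcon CID and an OAuth2 client ID are 32 hexadecimal characters (a CID optionally followed by a "-xx" checksum suffix) are the example's own.

```python
"""Pre-share checks for the credential hand-off described in this article.

Added example, not Red Canary or CrowdStrike code. The scope table and the
text-file field names are transcribed from the article; the sample values and
the ID format checks are assumptions made for illustration.
"""
import re

# Scope -> permission, transcribed from the article's table (always required).
REQUIRED_SCOPES = {
    "Detections": "Read and Write",
    "Hosts": "Read and Write",
    "Host Groups": "Read",
    "NGSIEM": "Read and Write",
    "Threatgraph": "Read",
}

# Only required when Active Remediation has been purchased (per the article's notes).
ACTIVE_REMEDIATION_SCOPES = {
    "Real Time Response (admin)": "Write",
    "Real Time Response": "Read and Write",
}

# Field names exactly as they appear in the article's text-file template.
TEMPLATE_FIELDS = [
    "Name",
    "Organization Name",
    "Falcon CID",
    "Falcon Data Replicator SQS URL",
    "Falcon Data Replicator AWS Access Key ID",
    "Falcon Data Replicator AWS Secret Access Key/Secret",
    "Falcon Oauth2 Client ID",
    "Falcon Oauth2 Secret",
]

# Assumption: a Falcon CID and an OAuth2 client ID are 32 hex characters; a CID
# may additionally carry a "-xx" checksum suffix, which is ignored here.
HEX32 = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)


def audit_scopes(granted, active_remediation=False):
    """Compare an API client's scopes with the article's table.

    `granted` maps scope name -> permission as configured on the client.
    Returns the scopes that are missing, that carry a permission other than
    the one in the table, and that the integration does not need at all
    (the least-privilege part of the check).
    """
    expected = dict(REQUIRED_SCOPES)
    if active_remediation:
        expected.update(ACTIVE_REMEDIATION_SCOPES)
    missing = sorted(s for s in expected if s not in granted)
    wrong = sorted(s for s in expected if s in granted and granted[s] != expected[s])
    excess = sorted(s for s in granted if s not in expected)
    return {"missing": missing, "wrong_permission": wrong, "excess": excess}


def parse_credentials_file(text):
    """Read 'Field: value' lines from the template; lines without ':' are skipped."""
    values = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        values[key.strip()] = value.strip()
    return values


def empty_fields(values):
    """Template fields that are missing or still blank."""
    return [f for f in TEMPLATE_FIELDS if not values.get(f)]


def malformed_ids(values):
    """Fields whose value does not match the assumed 32-hex-character format."""
    bad = []
    cid = values.get("Falcon CID", "").split("-")[0]  # drop optional checksum suffix
    if not HEX32.match(cid):
        bad.append("Falcon CID")
    if not HEX32.match(values.get("Falcon Oauth2 Client ID", "")):
        bad.append("Falcon Oauth2 Client ID")
    return bad


# Constructed sample file: two secrets have not been pasted in yet.
SAMPLE_FILE = """CrowdStrike Falcon Integration Credentials
Name: Example Analyst
Organization Name: Example Corp
Falcon CID: 0123456789abcdef0123456789abcdef-12
Falcon Data Replicator SQS URL: https://sqs.us-west-1.amazonaws.com/000000000000/example-queue
Falcon Data Replicator AWS Access Key ID: EXAMPLEACCESSKEYID
Falcon Data Replicator AWS Secret Access Key/Secret:
Falcon Oauth2 Client ID: 0123456789abcdef0123456789abcdef
Falcon Oauth2 Secret:
"""

# Constructed example of the scopes configured on a client: everything from the
# table plus the Active Remediation scopes and one unrelated scope.
SAMPLE_GRANTED = {**REQUIRED_SCOPES, **ACTIVE_REMEDIATION_SCOPES, "Users": "Read"}

if __name__ == "__main__":
    values = parse_credentials_file(SAMPLE_FILE)
    print("blank fields:", empty_fields(values))
    print("malformed IDs:", malformed_ids(values))
    print("scope audit (no Active Remediation):", audit_scopes(SAMPLE_GRANTED))
    print("scope audit (Active Remediation):", audit_scopes(SAMPLE_GRANTED, active_remediation=True))
```

    Run against the constructed sample, the file check reports the two secret fields still blank, and the scope audit reports the Real Time Response scopes and the unrelated Users scope as excess unless Active Remediation has been purchased, in which case only Users is flagged. Read the scope set off the client's configuration page and pass it as `granted`; the script never contacts any API and the secrets themselves are only checked for presence, not copied anywhere.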

    4 Red Canary | Share the credentials

    Share the API credentials with Red Canary to continue the integration process. Red Canary recommends that you save the secrets to a secure password manager.

    Note: Your TIM or Sales Engineer should have already invited you to your Red Canary portal via email.

    1. Share the text file with Red Canary.

    2. When Red Canary confirms they have received the file, permanently delete it.

