Overview
The CrowdStrike Falcon integration enables you to automate endpoint security, threat detection, and incident response workflows. Connect Serval to CrowdStrike to streamline security operations, automate threat hunting, and manage your endpoint protection programmatically.
Key Features
- Manage hosts and endpoint security
- Monitor and respond to detections
- Automate threat response workflows
- Manage users and permissions
Common Use Cases
- Automated incident investigation
- Host isolation and containment
- Detection triage and analysis
- Security policy enforcement
Prerequisites
Before setting up the CrowdStrike integration, ensure you have:
- CrowdStrike Account
- API Client Permissions
- Cloud Region (identified by your Falcon console URL):
  - falcon.crowdstrike.com = US-1
  - falcon.us-2.crowdstrike.com = US-2
  - falcon.eu-1.crowdstrike.com = EU-1
  - falcon.laggar.gcw.crowdstrike.com = US-GOV-1
Setup Instructions
Step 1: Create API Client in CrowdStrike
Access API Settings
- Sign in to the Falcon console for your cloud region:
  - US-1
  - US-2
  - EU-1
  - US-GOV-1
- Navigate to Support and resources → API Clients and Keys
- Click Add new API client
Configure Client Details
- Provide a descriptive name: Serval Integration
- Add a description: API client for Serval automation platform
Assign API Scopes (see the API Scopes Reference section below for the scopes each Serval workflow needs)
Generate Credentials
- Click Add to create the API client
- Copy the Client ID — you’ll need this for Serval
- Copy the Client Secret — you’ll need this for Serval
Step 2: Configure Integration in Serval
- Navigate to the Integrations page in Serval
- Find CrowdStrike in the available integrations
- Click Connect to begin configuration
- Enter your configuration details, using the API domain for your cloud region:
  - US-1: api.crowdstrike.com
  - US-2: api.us-2.crowdstrike.com
  - EU-1: api.eu-1.crowdstrike.com
  - US-GOV-1: api.laggar.gcw.crowdstrike.com
- Click Save to establish the integration
API Scopes Reference
CrowdStrike uses granular API scopes to control access. Below are the most relevant scopes for IT operations and security automation with Serval:
Host Management
Scopes: hosts:read, hosts:write, sensor-update-policies:read, sensor-update-policies:write
Read permissions enable:
- View and search endpoint hosts
- Retrieve detailed host information and metadata
- Monitor host sensor status and version
Write permissions enable:
- Contain or release hosts from network isolation
- Modify host groups or tags
- Initiate sensor updates and manage deployment policies
Detections and Incidents
Scopes: detections:read, detections:write, incidents:read, incidents:write
Read permissions enable:
- Access lists of detections and incidents
- View threat indicators, behaviors, and status details
Write permissions enable:
- Update detection or incident status
- Assign ownership or add investigation notes
- Automate triage and escalation workflows
Prevention and Response Policies
Scopes: prevention-policies:read, prevention-policies:write, response-policies:read, response-policies:write
Read permissions enable:
- View current policy configurations and applied host groups
- Monitor enforcement across the environment
Write permissions enable:
- Create or modify security policies
- Assign policies to specific host groups for enforcement
Real Time Response (RTR)
Scopes: real-time-response:read, real-time-response:write, real-time-response-admin:read, real-time-response-admin:write
Standard RTR scopes enable:
- Start interactive response sessions on endpoints
- Execute read-only diagnostic commands
- Gather system information remotely
Admin RTR scopes enable:
- Run elevated or administrative commands
- Upload and execute remediation scripts
- Transfer files for deeper forensics
User and Role Management
Scopes: users:read, users:write, roles:read
Read permissions enable:
- List users and their assigned roles
- Audit user access levels and permissions
Write permissions enable:
- Create or modify users
- Assign or remove administrative privileges
Custom Indicators of Compromise (IOCs)
Scopes: custom-ioc:read, custom-ioc:write
Read permissions enable:
- Review all configured custom IOCs
Write permissions enable:
- Create new IOCs to block or monitor malicious artifacts
- Automate IOC creation based on Serval detection workflows
Sensor Health and Updates
Scopes: sensor-versions:read, sensor-update-policies:read, sensor-update-policies:write
Read permissions enable:
- Monitor sensor versions and deployment status
- Track endpoints in reduced functionality mode
Write permissions enable:
- Manage sensor rollout policies and update schedules
Example Workflows
Build automated workflows that connect CrowdStrike with your IT operations:
Employee Onboarding
When a new hire joins, automatically verify their device has the CrowdStrike sensor installed, assign it to the appropriate host group, apply security policies, and log the setup in your ITSM. If the sensor is missing, create a help desk ticket for IT to follow up.
Employee Offboarding
When an employee leaves, trigger a workflow that contains their endpoint, removes it from active host groups, archives device information to your documentation system, and sends a summary report to the security team.
Security Incident Response
When CrowdStrike detects a high-severity threat, automatically create a help desk ticket, send alerts to Slack, isolate the affected host, and compile a threat summary with host details and detection timeline for the security team to review.
Weekly Security Reports
Schedule a workflow that queries all detections, host health status, and policy compliance data from the past week. Compile the information into a formatted report and distribute it via email or Slack to stakeholders.
Help Desk Ticket Resolution
When users submit tickets about endpoint issues, automatically query CrowdStrike for the device’s sensor status, recent detections, and policy assignments. Attach this context to the ticket to help support teams troubleshoot faster.
Access Audit Workflows
Run monthly workflows that list all CrowdStrike users, identify inactive accounts or permission changes, compile an audit report, and send it to your compliance team with recommendations for access review.
Best Practices
Troubleshooting
Common Issues
Authentication Failed
Symptoms: 401 or 403 errors when making API requests
Solutions:
- Verify your Client ID and Client Secret are correct
- Confirm you’re using the correct API domain for your cloud region
- Check if the API client has been disabled in CrowdStrike
- Ensure the API client has the required scopes
Insufficient Scope Errors
Symptoms: 403 errors with “insufficient scope” messages
Solutions:
- Review the API endpoint documentation for required scopes
- Add the necessary scopes to your API client in CrowdStrike
- Wait a few minutes after scope changes for them to take effect
- Reconnect the integration in Serval after updating scopes
Wrong Cloud Region
Symptoms: Connection timeouts or “customer not found” errors
Solutions:
- Verify your cloud region by checking your CrowdStrike Falcon Console URL, and use the matching API domain:
  - US-1: falcon.crowdstrike.com → use api.crowdstrike.com
  - US-2: falcon.us-2.crowdstrike.com → use api.us-2.crowdstrike.com
  - EU-1: falcon.eu-1.crowdstrike.com → use api.eu-1.crowdstrike.com
  - US-GOV-1: falcon.laggar.gcw.crowdstrike.com → use api.laggar.gcw.crowdstrike.com
Rate Limiting
Symptoms: 429 errors or slow response times
Solutions:
- Implement exponential backoff in workflows
- Reduce the frequency of polling workflows
- Use batch endpoints to reduce the number of API calls
- Contact CrowdStrike support if you need higher rate limits
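As an added example (not Serval's or CrowdStrike's own code), the Python below implements the two checks from the Wrong Cloud Region and Rate Limiting items above: deriving the API domain from the Falcon console URL, and retrying 429 responses with exponential backoff while treating 401/403 as non-retryable authentication problems. The `Response` class, the `send` callable and the `sleep` hook are constructed stand-ins for a real HTTP client.

```python
import random
import time
from dataclasses import dataclass, field

# Falcon console hostname -> API domain, as listed in this page's cloud region tables.
CONSOLE_TO_API = {
    "falcon.crowdstrike.com": "api.crowdstrike.com",                        # US-1
    "falcon.us-2.crowdstrike.com": "api.us-2.crowdstrike.com",              # US-2
    "falcon.eu-1.crowdstrike.com": "api.eu-1.crowdstrike.com",              # EU-1
    "falcon.laggar.gcw.crowdstrike.com": "api.laggar.gcw.crowdstrike.com",  # US-GOV-1
}

def api_base_for_console(console_url: str) -> str:
    """Map a Falcon console URL to its API base URL; refuse to guess for unknown hosts."""
    host = console_url.strip().lower().removeprefix("https://").split("/", 1)[0]
    if host not in CONSOLE_TO_API:
        raise ValueError(f"unrecognised Falcon console host {host!r}: check your cloud region")
    return "https://" + CONSOLE_TO_API[host]

@dataclass
class Response:
    """Minimal stand-in for an HTTP response (constructed for this example)."""
    status: int
    headers: dict = field(default_factory=dict)

class AuthError(Exception):
    """401/403: retrying cannot help; fix the credentials, API domain, or scopes instead."""

def call_with_backoff(send, max_attempts=5, base_delay=1.0, max_delay=30.0, sleep=time.sleep):
    """Invoke send() until it returns a non-429 response, backing off exponentially with jitter.

    A numeric Retry-After header from the API takes precedence over the computed delay.
    Returns (response, attempts) so a workflow can log how much throttling it absorbed.
    """
    for attempt in range(1, max_attempts + 1):
        resp = send()
        if resp.status in (401, 403):
            raise AuthError(f"HTTP {resp.status}: verify client ID/secret, API domain and scopes")
        if resp.status != 429:
            return resp, attempt
        if attempt == max_attempts:
            break
        retry_after = resp.headers.get("Retry-After", "")
        delay = float(retry_after) if retry_after.isdigit() else min(max_delay, base_delay * 2 ** (attempt - 1))
        sleep(delay + random.uniform(0, 0.25 * delay))  # jitter keeps parallel workflows from retrying in lockstep
    raise RuntimeError(f"still rate limited after {max_attempts} attempts; reduce polling or batch calls")
```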
Health Check Failures
Symptoms: Integration health checks fail during setup
Solutions:
- Test Connection fails: Verify Client ID and Secret
- List Hosts fails: Ensure the hosts:read scope is granted
- List Detections fails: Ensure the detections:read scope is granted
- List Users fails: Ensure the users:read scope is granted
- Wait 5–10 minutes after creating the API client for it to propagate
Security Considerations
Additional Resources
CrowdStrike API Documentation
Falcon Query Language (FQL)
Real Time Response
API Scopes Reference
Support
Need help with the CrowdStrike integration?
- Review the CrowdStrike API documentation: https://falcon.crowdstrike.com/documentation
- Contact Serval support for integration-specific issues
- Reach out to CrowdStrike support for API client or scope questions