CrowdStrike’s Falcon Platform is developed as an “API First Platform”, so as new features are released, corresponding API functionality is added to help automate and control any newly added functionality. With this “API First” approach, customers and partners can quickly implement new functionality into their existing workflows. Visit our Falcon Connect page to learn more about integration and customization options.
Understanding the CrowdStrike API
The CrowdStrike API is managed from the CrowdStrike Falcon UI by the Falcon Administrator. From there, multiple API clients can be defined along with their required scope. The scopes below define the access options.
- Detections – Provides access to Falcon detections, including behavior, severity, host, timestamps, and more.
- Hosts – Provides host details including OS, version, sensor specific data, and more.
- Host groups – Provides access to host groups used to enumerate and assign policies.
- Prevention policies – Provides access to sensor policies for external management.
- Sensor update policies – Provides access to update settings for the sensor.
- User management – Allows for the management of users who access the CrowdStrike Falcon UI.
Once an API client is defined and a scope is set, any number of customer tools can query the CrowdStrike API using the given credentials. OAuth2 is used for authentication of the incoming API requests. OAuth2 access tokens have a validity period of 30 minutes. The diagram below illustrates the typical application calls made to the API. First, the Access Token must be requested first, and then subsequent requests include the Access Token in the Authorization header.
Defining your first API Client
To define a CrowdStrike API client, you must be designated as Falcon Administrator role to view, create, or modify API clients or keys. Secrets are only shown when a new API Client is created or when it is reset.
When logged into the Falcon UI, navigate to Support > API Clients and Keys. From there you can view existing clients, add new API clients, or view the audit log. When you click “Add new API Client” you will be prompted to give a descriptive name and select the appropriate API scopes. After you click save, you will be presented with the Client ID and Client Secret. The secret will only be shown once and should be stored in a secure place. If the Client Secret is lost, a reset must be performed and any applications relying on the Client Secret will need to be updated with the new credentials.
Testing the API
CrowdStrike provides access to Swagger for API documentation purposes and to simplify the development process.
For this example we will use our newly generated credentials to query the “Devices” API to get a list of host IDs which can be used to gather further information about specific hosts.
To test with Swagger, we must first authorize the tool. To do so, click the “Authorize” button at the top of the page and add your client credentials to the OAuth2 form, and again click “Authorize”. Once your credentials are included, testing can be performed with the tool.
Now we will query the “Devices” API to get a list of Host IDs. Under the “Devices” section, find the “/devices/queries/devices-scroll/v1” API endpoint, click it to expand, then click “Try it Out”, and finally “Execute”. This will send an API query to the Devices API endpoint and return a list of device IDs which can be enumerated over to get further details on each host.
This overview of the CrowdStrike API gives you just one example of how to use the available tools to integrate the Falcon Platform into any existing business processes. For more information about using the CrowdStrike API’s, please reference the official Support Documentation listed below.
- API Reference Documentation
- API Introduction for Developers
- Query API Reference
- Streaming API Reference
- Threat Graph API Reference
- Actors API Reference
- Indicator API Reference
- Reports API Reference
- Rules API Reference
- Tailored Intel API Reference
- MalQuery API Reference
- How to Setup the CrowdStrike Falcon SIEM Connector
- How to Import IOCs into the CrowdStrike Falcon Platform via API