This article leads you through the process of creating API credentials to integrate your existing CrowdStrike Falcon Complete environment with Red Canary. Follow the procedure from beginning to end.

PLEASE NOTE: This process is only for customers with a CrowdStrike Falcon Complete environment. If your Customer Success Manager (CSM) has not instructed you to complete this process, it likely does not apply to your environment. If you are unsure, please check with your CSM.

Prerequisites

CrowdStrike Support has granted you the Falcon Administrator role to your Customer Identification (CID)
CrowdStrike Support has granted Red Canary access to your CID and enabled the following features:
- Falcon data replicator
- Legacy ThreatGraph API

Step 1: Workstation–Create a text file

Red Canary needs your API credentials to finish integrating your environments. In addition, a text file containing the API credentials must be saved and shared with Red Canary’s Support team.

On your workstation, create a new text file.

Insert the following template into the text file:

CrowdStrike Falcon Complete Integration Credentials

Name:

Organization Name:

Falcon CID:

ThreatGraph Username:

ThreatGraph API Key/Password:

Falcon Data Replicator SQS URL:

Falcon Data Replicator AWS Access Key ID:

Falcon Data Replicator AWS Secret Access Key/Secret:

Falcon Oauth2 Client ID:

Falcon Oauth2 Secret:

We recommend leaving the text file open to easily copy and then paste the created API credentials into the text file.

Step 2: CrowdStrike–Create ThreatGraph API credentials

Red Canary requires the use of ThreatGraph API to integrate. Create and then save these credentials.

Log into your CrowdStrike CID at (https://falcon.crowdstrike.com/ or https://falcon.us-2.crowdstrike.com/).
Click Open menu.
Click Support and resources.
Click API clients and keys.
Note: If the API clients and keys option is not available, contact CrowdStrike Support as you do not have the required Falcon Administrator role.
From the Legacy Falcon API credentials section, click Create new credentials.
Copy and then save the new ThreatGraph Username and Password that appears.
Note: Do not lose the Password as this is the only time you can view it.
Paste the ThreatGraph Username and Password into the correct field of the text file from Step 1.2.
Click DONE.

Step 3: CrowdStrike–Create FDR (Falcon Data Replicator) SQS credentials

Red Canary requires the use of FDR SQS Credentials to integrate properly. Create and then save these credentials.

From your CrowdStrike CID homepage, click Open menu.
Click Support and resources.
Click API clients and keys.
From the FDR AWS S3 Credentials and SQS Queue section, click Create new credentials. Note: If a window opens asking you to CHOOSE FEED, select default.

Copy and then save the new Falcon Data Replicator (FDR) URL, Client ID (Access Key ID), and Secret.
Note: Do not lose the Secret as this is the only time you can view it.
Paste the FDR credentials into the correct fields of the text file from Step 1.2.
Close the FDR credential window.

Step 4: CrowdStrike–Create OAuth 2.0 Credentials

Create the CrowdStrike Oauth2 Client ID and Secret from the CrowdStrike platform. At the end of this step, your text file should have all the credentials required to integrate properly with Red Canary.

From your CrowdStrike CID homepage, click Open menu.
Click Support and resources.
From the Legacy Falcon API credentials section, click Create new credentials.
Click Add a new API client.
For the Client Name Field, enter Red Canary.
From the API SCOPES section, select the following permissions:
1. Detections (Read and Write)
2. Hosts (Read and Write)
3. Real time response (admin) (Write)
4. Real time response (Read and Write)
Click Add.
Copy and then save the Falcon Oauth2 Client ID and Secret that appears.
Paste the Falcon Oauth2 Client ID and Secret into the correct field of the text file from Step 1.2.
Close the credential window.

Step 5: Red Canary–Share the credential text file with Red Canary

Red Canary requires the API credentials you created above to complete the integration process. You’ll upload the newly created text file to our Support team.

Note: Your Customer Success Manager or Sales Engineer should have already invited you to your Red Canary portal via email.

Locate the text file containing the needed API credentials.
Use the process in this Help article to share the text file with Red Canary Support.
Red Canary will confirm they have received the file and finish integrating your environments.
Permanently delete the text file.

Create API credentials to integrate your existing CrowdStrike Falcon Complete environment with Red Canary