Who is this for? Workspace Admins or Security Engineers who manage a workspace that uses CrowdStrike Falcon. This guide walks you through creating the CrowdStrike API clients, configuring both modules in ContraForce, and verifying that alerts flow end-to-end.

Before You Begin

What These Modules Do

CrowdStrike integrates with ContraForce through two separate modules:

Detection Module

Alert ingestion and investigation
  • Pulls alerts from the CrowdStrike Alerts API
  • Classifies them as ContraForce Incidents or Detections
  • Round-trips status changes, comments, and assignments back to Falcon

Response Module

Gamebook response actions
  • Powers Contain and Lift Containment Gamebooks
  • Powers On-Demand Scan Gamebooks
  • Required for any Gamebook that acts on a CrowdStrike-managed device
The two modules use separate CrowdStrike API clients so each client has only the scopes it needs.

Prerequisites

  1. CrowdStrike Falcon subscription
     An active CrowdStrike Falcon subscription with at least one product line in scope (EPP, IDP, or any of the product lines listed in Select Alert Types below).
  2. Falcon admin access
     Access to API Clients and Keys under Support and resources → Resources and tools in the Falcon console. This typically requires the Falcon Administrator role.
  3. ContraForce workspace
     A ContraForce workspace created for the tenant, with your account assigned the Workspace Admin role.
  4. Your CrowdStrike cloud region
     Identify which CrowdStrike cloud your tenant is deployed in. You need this for the Base URL field when configuring each module.

CrowdStrike Cloud Base URLs

CrowdStrike has multiple regional clouds. Use the Base URL that matches your tenant:
| Cloud | Base URL |
| --- | --- |
| US-1 (Commercial) | https://api.crowdstrike.com |
| US-2 | https://api.us-2.crowdstrike.com |
| EU-1 | https://api.eu-1.crowdstrike.com |

ContraForce does not currently support CrowdStrike’s US-GOV-1 cloud. Contact support@contraforce.com if you have a GovCloud tenant.
You can confirm which cloud your tenant is in by looking at the URL of your Falcon console. A console URL of https://falcon.us-2.crowdstrike.com means you’re on US-2.

Step 1 — Create the Detection API Client in Falcon

  1. Navigate to Support and resources → Resources and tools → API Clients and Keys in the Falcon console
  2. Click Create API client
  3. Set Client name to ContraForce Detection
  4. Set Description to ContraForce alert ingestion and status writeback
  5. Under API scopes, grant the scopes listed below, then click Create:
| Resource | Permission |
| --- | --- |
| Alerts | Read + Write |
| User Management | Read |

Copy the Client ID and Client Secret to a secure location — the secret is only shown once.
The Client Secret is shown once at creation time and cannot be retrieved later. If you lose it, you must reset the secret from the same API client in Falcon.

Step 2 — Create the Response API Client in Falcon

Repeat the process for a second API client that ContraForce will use for Gamebook response actions.
  1. In the same API Clients and Keys menu, click Create API client
  2. Set Client name to ContraForce Response
  3. Set Description to ContraForce Gamebook response actions
  4. Under API scopes, grant the scopes listed below, then click Create:
| Resource | Permission |
| --- | --- |
| Hosts | Read + Write |
| On-Demand Scans (ODS) | Read + Write |

Copy the Client ID and Client Secret for the Response client.
Creating two separate API clients — one for Detection, one for Response — follows the principle of least privilege. The Detection client never needs to contain a device or run a scan, and the Response client never needs to read an alert.

Step 3 — Configure the CrowdStrike Detection Module in ContraForce

  1. In the ContraForce portal, navigate to Workspaces → your workspace → Modules
  2. Locate the CrowdStrike Detection card and click Configure
  3. Fill in the following fields:
| Field | Value |
| --- | --- |
| Base URL | The Base URL for your CrowdStrike cloud (see table above) |
| Client ID | The Client ID from the Detection API client you created in Step 1 |
| Client Secret | The Client Secret from the Detection API client |

  4. Click Test Connection to verify the credentials reach CrowdStrike and have the required scopes
  5. Click Save
If Test Connection fails with a scope-missing error, return to the Falcon console and verify the scopes listed in Step 1 before saving.

Select Alert Types

After saving, an Alert Types card appears on the module page. Use the toggles to choose which CrowdStrike product lines generate ContraForce incidents.
| Alert Type | What it covers |
| --- | --- |
| Automated Lead | AI-correlated composite alerts (the replacement for CrowdScore Incidents) |
| EPP | Endpoint detections (Falcon Insight, Falcon Prevent) |
| IDP | Identity Protection detections |
| Mobile | Falcon for Mobile detections |
| Data Protection | Falcon Data Protection detections |
| 3rd-Party | Alerts from integrated 3rd-party tools |
| Automated Intelligence | CrowdStrike Automated Intelligence matches |

All alert types are enabled by default. Toggling one off removes it from future polls — it does not delete incidents already ingested.
If you’re not sure which product lines your CrowdStrike subscription covers, leave all alert types enabled. ContraForce only ingests alert types that CrowdStrike actually produces in your tenant.

Step 4 — Configure the CrowdStrike Response Module

  1. On the same Modules page, locate the CrowdStrike Response card and click Configure
  2. Fill in the following fields:
| Field | Value |
| --- | --- |
| Base URL | Same Base URL as the Detection module |
| Client ID | The Client ID from the Response API client you created in Step 2 |
| Client Secret | The Client Secret from the Response API client |

  3. Click Test Connection to verify the credentials reach CrowdStrike and have the required scopes
  4. Click Save
A successful test means Gamebook response actions are ready for CrowdStrike-managed devices.

Step 5 — Verify End-to-End

  1. Wait for the first poll cycle
     The Detection module polls CrowdStrike on a short interval. New alerts appear in ContraForce within a few minutes of being generated in Falcon.
  2. Check the Command Dashboard
     Navigate to the Command Dashboard. CrowdStrike incidents should appear alongside incidents from other sources.
  3. Open an incident
     Click into a CrowdStrike incident and verify that the Entities and Timeline tabs are populated with alert data.
  4. Try a Gamebook (optional)
     If the Response module is configured, open a CrowdStrike incident where the affected entity is a device and confirm that Contain, Lift Containment, and On-Demand Scan Gamebook actions are available.

What Each Module Unlocks

Capability | Requires Detection | Requires Response
Ingest CrowdStrike alerts as incidents or detections
Round-trip status, assignment, and comments to Falcon
Receive real-time incident updates in the portal
Run Contain and Lift Containment Gamebooks
Run On-Demand Scan Gamebooks
Trigger Security Delivery Agents on new incidents
You can configure the Detection module without the Response module if you don’t need Gamebook response actions for CrowdStrike devices. Configuring only the Response module without Detection is not a supported configuration — you’d have no incidents for the Gamebooks to run on.

Troubleshooting

| Issue | Likely cause | Fix |
| --- | --- | --- |
| Test Connection fails with missing the 'Alerts: Read' scope | The Detection API client does not have Alerts: Read granted | Return to API Clients and Keys in Falcon, edit the Detection client, enable Alerts: Read, and save |
| Test Connection fails with missing the 'Hosts: Write' scope | The Response API client does not have Hosts: Write granted | Edit the Response client and enable Hosts: Write |
| Test Connection fails with a generic OAuth error | The Base URL does not match the tenant’s actual CrowdStrike cloud | Verify the Base URL against the cloud table above; cross-check against the Falcon console URL |
| No incidents appear after 15 minutes | All alert types are disabled | Open the Alert Types card and enable at least one alert type |
| No incidents appear and alert types are enabled | No alerts exist in CrowdStrike for the configured product lines | Verify alerts exist in the Falcon console for the product lines you have enabled |
| Gamebook response actions are greyed out | The Response module is not configured | Complete Step 4 to configure the Response module |
| Agent comments do not appear in Falcon | The Detection API client does not have Alerts: Write | Add Alerts: Write to the Detection client |
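
A pre-flight check for the two API clients, added here as an example (not ContraForce or CrowdStrike code): it requests an OAuth2 token from the chosen Base URL, then sends one read-only query per Read scope, which separates a wrong Base URL or bad credentials from a missing scope. The Falcon API paths and the FALCON_* environment variable names are assumptions of this example; Write scopes are not probed because that would change state in Falcon.

```python
import json, os, urllib.error, urllib.parse, urllib.request

# Base URLs from the table on this page.
BASE_URLS = {"US-1": "https://api.crowdstrike.com",
             "US-2": "https://api.us-2.crowdstrike.com",
             "EU-1": "https://api.eu-1.crowdstrike.com"}

# One read-only query per Read scope, grouped by API client. Paths are this
# example's assumption of the Falcon API routes; verify them in your API docs.
PROBES = {
    "detection": {"Alerts: Read": "/alerts/queries/alerts/v2?limit=1",
                  "User Management: Read": "/user-management/queries/users/v1"},
    "response": {"Hosts: Read": "/devices/queries/devices/v1?limit=1",
                 "On-Demand Scans (ODS): Read": "/ods/queries/scans/v1?limit=1"},
}

def http(method, url, headers=None, data=None):
    """Default transport: returns (HTTP status, parsed JSON body)."""
    req = urllib.request.Request(url, data=data, headers=headers or {}, method=method)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, {}

def preflight(base_url, client_id, client_secret, module, send=http):
    """Return {check: "ok" | "failed (HTTP nnn)"} for one API client."""
    form = urllib.parse.urlencode(
        {"client_id": client_id, "client_secret": client_secret}).encode()
    status, body = send("POST", base_url + "/oauth2/token",
                        {"Content-Type": "application/x-www-form-urlencoded"}, form)
    if status not in (200, 201) or "access_token" not in body:
        # Wrong Base URL for the tenant's cloud, or a bad ID/secret pair.
        return {"oauth2 token": f"failed (HTTP {status})"}
    auth = {"Authorization": "Bearer " + body["access_token"]}
    results = {"oauth2 token": "ok"}
    for scope, path in PROBES[module].items():
        status, _ = send("GET", base_url + path, auth)
        # 403 here means the token is valid but the scope was not granted.
        results[scope] = "ok" if status == 200 else f"failed (HTTP {status})"
    return results

if __name__ == "__main__":
    # Hypothetical variable names; the secret is read from the environment
    # and never printed. FALCON_MODULE is "detection" or "response".
    env = os.environ
    for check, result in preflight(env["FALCON_BASE_URL"], env["FALCON_CLIENT_ID"],
                                   env["FALCON_CLIENT_SECRET"], env["FALCON_MODULE"]).items():
        print(f"{check}: {result}")
```

Run it once per client before pasting the credentials into ContraForce; a token failure points at the Base URL or credentials rows of the table above, a per-scope failure at the scope rows.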

Rotating an API Secret

CrowdStrike secrets do not expire automatically, but some organizations rotate them on a schedule.
  1. In Falcon, open the affected API client and click Reset secret
  2. Copy the new secret
  3. In ContraForce, reopen the affected module (Detection or Response)
  4. Paste the new secret into Client Secret and click Save
  5. Click Test Connection to verify


Questions about connecting CrowdStrike Falcon to ContraForce? Contact us at support@contraforce.com.