
Who is this for? Workspace Admins or Security Engineers who manage a workspace that uses CrowdStrike Falcon. This guide walks you through creating the CrowdStrike API clients, configuring both modules in ContraForce, and verifying that alerts flow end-to-end.

Before You Begin

What These Modules Do

CrowdStrike integrates with ContraForce through two separate modules:

Detection Module

Detection ingestion and investigation
  • Pulls Falcon detections from the CrowdStrike Alerts API
  • Surfaces every detection as its own ContraForce incident
  • Round-trips status changes and comments back to Falcon

Response Module

Gamebook response actions
  • Powers Contain and Lift Containment Gamebooks
  • Powers On-Demand Scan Gamebooks
  • Required for any Gamebook that acts on a CrowdStrike-managed device

The two modules use separate CrowdStrike API clients so each client has only the scopes it needs.

Prerequisites

  1. CrowdStrike Falcon subscription: An active CrowdStrike Falcon subscription with at least one product line in scope (EPP, IDP, or any of the product lines listed under Tune Which Products Are Ingested below).
  2. Falcon admin access: Access to API Clients and Keys under Support and resources → Resources and tools in the Falcon console. This typically requires the Falcon Administrator role.
  3. ContraForce workspace: A ContraForce workspace created for the tenant, with your account assigned the Workspace Admin role.
  4. Your CrowdStrike cloud region: Identify which CrowdStrike cloud your tenant is deployed in. You need this for the Base URL field when configuring each module.

CrowdStrike Cloud Base URLs

CrowdStrike has multiple regional clouds. Use the Base URL that matches your tenant:

Cloud               Base URL
US-1 (Commercial)   https://api.crowdstrike.com
US-2                https://api.us-2.crowdstrike.com
EU-1                https://api.eu-1.crowdstrike.com

ContraForce does not currently support CrowdStrike’s US-GOV-1 cloud. Contact support@contraforce.com if you have a GovCloud tenant.

You can confirm which cloud your tenant is in by looking at the URL of your Falcon console. A console URL of https://falcon.us-2.crowdstrike.com means you’re on US-2.

Step 1 — Create the Detection API Client in Falcon

The scopes you grant on the Detection API client depend on which Falcon tier the customer is licensed for. Grant the scopes for the matching tier; the tier you choose here must match what you select on the ContraForce configuration page in Step 3.
  1. Navigate to Support and resources → Resources and tools → API Clients and Keys in the Falcon console
  2. Click Create API client
  3. Set Client name to ContraForce Detection
  4. Set Description to ContraForce alert ingestion and status writeback
  5. Under API scopes, grant the scopes for the customer’s tier, then click Create:
For tenants on Falcon Insight (EDR) only. Cases workbench is not available on this tier.

Resource                           Permission     Why
Alerts                             Read + Write   Ingest detections and update their status
User Management                    Read           Resolve assignee names on detections
Hosts                              Read           Resolve device metadata on detections
IOCs (Indicators of Compromise)    Read           Resolve IOC context on alert entities

Copy the Client ID and Client Secret to a secure location. The Client Secret is shown once at creation time and cannot be retrieved later; if you lose it, you must reset the secret from the same API client in Falcon.

Step 2 — Create the Response API Client in Falcon

Repeat the process for a second API client that ContraForce will use for Gamebook response actions.
  1. In the same API Clients and Keys menu, click Create API client
  2. Set Client name to ContraForce Response
  3. Set Description to ContraForce Gamebook response actions
  4. Under API scopes, grant the scopes listed below, then click Create:
Resource                  Permission
Hosts                     Read + Write
On-Demand Scans (ODS)     Read + Write

Copy the Client ID and Client Secret for the Response client.
Creating two separate API clients — one for Detection, one for Response — follows the principle of least privilege. The Detection client never needs to contain a device or run a scan, and the Response client never needs to read an alert.

Step 3 — Configure the CrowdStrike Falcon Module in ContraForce

  1. In the ContraForce portal, navigate to Workspaces → your workspace → Modules
  2. Locate the CrowdStrike Falcon card and click Configure
  3. Pick the Falcon licensing tier that matches the customer’s CrowdStrike SKU. The required-scopes list, the incidents-table preview copy, and the verification panel all update based on this selection:
Falcon Insight (EDR)
  When to pick it: Customer is on Falcon Insight (EDR) only (no Cases workbench, no NG-SIEM SKU)
  Effect on the platform: Each Falcon detection becomes its own incident in the table
Falcon Insight XDR
  When to pick it: Customer is licensed for XDR with Cases workbench but no NG-SIEM SKU
  Effect on the platform: Each Falcon detection becomes its own incident; case context is resolvable on detections that reference a case
Falcon NG-SIEM
  When to pick it: Customer is licensed for NG-SIEM
  Effect on the platform: Same detection-as-incident shape, plus LogScale-backed Process Tree ancestor walk and Events Timeline are unlocked
The tier you pick must match the customer’s actual Falcon SKU. The required scopes and which advanced features (Process Tree ancestor walk, Events Timeline) unlock depend on the tier — see CrowdStrike Falcon Integration → Tier Selection for the full breakdown.
  4. Fill in the following fields:

Field           Value
Base URL        The Base URL for your CrowdStrike cloud (see table above)
Client ID       The Client ID from the Detection API client you created in Step 1
Client Secret   The Client Secret from the Detection API client
  5. Click Test Connection to verify the credentials reach CrowdStrike and have the scopes the selected tier requires
  6. Review the Verification panel that appears below the form:
    • ✓ on a row means the API client has that scope and the tenant exposes the corresponding capability
    • ✗ on a row means the scope or capability is missing for the tier you picked — fix it in the Falcon console before saving
    • ℹ︎ on a row means the API client has more capability than the tier you picked uses (e.g. NG-SIEM is reachable but you picked Falcon Insight XDR) — pick a higher tier to unlock the advanced features
  7. Click Save
If Test Connection fails with a scope-missing error, return to the Falcon console and verify the scopes listed in Step 1 for the tier you picked.
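To make the ✓ / ✗ / ℹ︎ logic concrete, here is an added Python model of the Verification panel (example code, not ContraForce's or CrowdStrike's implementation). The EDR scope set is the Step 1 table; the Cases and NGSIEM scopes for the XDR and NG-SIEM tiers are assumptions taken from the Troubleshooting rows below, and the "!" row flagging Response-only scopes on the Detection client is this example's own least-privilege check, not a panel symbol.

```python
"""Offline model of the Detection-module Verification panel (added example,
not ContraForce or CrowdStrike code). Scope labels follow the Falcon console
strings quoted on this page; the XDR and NG-SIEM requirement lists are
assumed from the Troubleshooting table rather than an official list."""
from typing import List, Set, Tuple

# Detection-client scopes per tier. EDR is the Step 1 table; XDR adds Cases
# and NG-SIEM adds NGSIEM (assumption taken from the Troubleshooting rows).
EDR: Set[str] = {"Alerts: Read", "Alerts: Write", "User Management: Read",
                 "Hosts: Read", "IOCs: Read"}
TIER_SCOPES = {
    "Falcon Insight (EDR)": EDR,
    "Falcon Insight XDR": EDR | {"Cases: Read", "Cases: Write"},
    "Falcon NG-SIEM": EDR | {"Cases: Read", "Cases: Write",
                            "NGSIEM: Read", "NGSIEM: Write"},
}
TIER_ORDER = list(TIER_SCOPES)  # lowest to highest tier
# Scopes only the Response client (Step 2) should hold: least privilege.
RESPONSE_ONLY: Set[str] = {"Hosts: Write", "On-Demand Scans: Read",
                           "On-Demand Scans: Write"}
Row = Tuple[str, str, str]  # (mark, scope, note)


def verify(tier: str, granted: Set[str]) -> List[Row]:
    """Build the panel rows for a Detection client holding `granted` scopes.

    ✓ required scope present, ✗ required scope missing, ℹ scope reachable but
    only used by a higher tier, ! Response-only scope on the Detection client
    (this example's own least-privilege check, not a panel symbol)."""
    required = TIER_SCOPES[tier]
    rows: List[Row] = [
        ("✓" if s in granted else "✗", s,
         "granted" if s in granted else "missing: add in Falcon before saving")
        for s in sorted(required)
    ]
    higher = TIER_ORDER[TIER_ORDER.index(tier) + 1:]
    beyond = set().union(*(TIER_SCOPES[t] for t in higher)) - required
    rows += [("ℹ", s, "reachable but unused; pick a higher tier to use it")
             for s in sorted(beyond & granted)]
    rows += [("!", s, "Response-only scope; remove from the Detection client")
             for s in sorted(granted & RESPONSE_ONLY)]
    return rows


def ready_to_save(rows: List[Row]) -> bool:
    """Save only when nothing is missing and no scope is over-provisioned."""
    return not any(mark in ("✗", "!") for mark, _, _ in rows)
```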

What You’ll See After Saving

The configuration page surfaces a “What you’ll see in the incidents table” preview directly under the tier dropdown, so you can confirm the choice before saving. After Save, the incidents table reflects that preview the next time the poller runs (typically within a few minutes).

Tune Which Products Are Ingested (Optional)

After the credentials are saved, an Alert Types card appears as a sibling to the Configuration Information card. Use it to narrow which CrowdStrike products ContraForce ingests into the analyst queue — useful when you’re contracted to triage only a subset of the products the customer’s Falcon tenant emits.
Product                  Wire form     Surfaces
Endpoint (EPP)           epp           Falcon Insight endpoint-protection detections
Identity (IDP)           idp           Falcon Identity Protection alerts
Mobile                   mobile        Falcon for Mobile alerts
Data Protection          dp            Falcon Data Protection alerts
NG-SIEM                  ngsiem        NG-SIEM correlation alerts
XDR                      xdr           Cross-platform correlated detections
Cloud Workload (CWPP)    cwpp          Falcon Cloud Security workload-protection alerts
OverWatch                overwatch     Falcon OverWatch managed-threat-hunting alerts
Third-Party              thirdparty    Alerts ingested from integrated third-party tools

The card is tier-aware by default to cut UI noise:

Tier                     Default checkbox shortlist
Falcon Insight (EDR)     EPP
Falcon Insight XDR       EPP, IDP, XDR
Falcon NG-SIEM           All products
Click Show all products above the checkbox list (visible on EDR / XDR tiers) to reveal the full catalog when the customer has non-standard add-ons (e.g. EDR with the Mobile add-on). The toggle auto-defaults to “show all” when the persisted selection already includes products outside the tier shortlist.
Saving the Alert Types card is independent of Test Connection. Changing the product selection does not require re-validating credentials or re-saving the Detection module — the card has its own Save button.
Leaving every product checked and unchecking every product both fall through to “ingest all products.” This preserves backwards compatibility for workspaces created before the per-product filter shipped, and acts as a safe fallback if you accidentally clear every box.
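The selection rules of the Alert Types card, as an added Python example (not ContraForce code): the wire forms and tier shortlists come from the two tables above, while the function names and the ValueError on unknown wire forms are this example's own.

```python
"""Selection rules of the Alert Types card (added example, not ContraForce
code). Wire forms and tier shortlists are the page's tables; the function
names are this example's own."""
from typing import Iterable, Set

CATALOG: Set[str] = {"epp", "idp", "mobile", "dp", "ngsiem", "xdr",
                     "cwpp", "overwatch", "thirdparty"}
TIER_SHORTLIST = {
    "Falcon Insight (EDR)": {"epp"},
    "Falcon Insight XDR": {"epp", "idp", "xdr"},
    "Falcon NG-SIEM": set(CATALOG),
}


def effective_products(selected: Iterable[str]) -> Set[str]:
    """Wire forms the poller will ingest for a saved selection.

    Every box checked and no box checked both fall through to "ingest all
    products", so pre-filter workspaces and an accidentally cleared card
    behave the same way."""
    chosen = set(selected)
    unknown = chosen - CATALOG
    if unknown:
        raise ValueError(f"unknown wire form(s): {sorted(unknown)}")
    if not chosen or chosen == CATALOG:
        return set(CATALOG)
    return chosen


def show_all_default(tier: str, persisted: Iterable[str]) -> bool:
    """Whether the "Show all products" toggle starts on: true when the saved
    selection already includes a product outside the tier shortlist (the
    NG-SIEM shortlist is already the whole catalog)."""
    shortlist = TIER_SHORTLIST[tier]
    return bool(set(persisted) - shortlist) or shortlist == CATALOG
```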

Step 4 — Configure the CrowdStrike Falcon Response Module

  1. On the same Modules page, locate the CrowdStrike Falcon Response card and click Configure
  2. Fill in the following fields:

Field           Value
Base URL        Same Base URL as the Detection module
Client ID       The Client ID from the Response API client you created in Step 2
Client Secret   The Client Secret from the Response API client

  3. Click Test Connection to verify the credentials reach CrowdStrike and have the required scopes
  4. Click Save
A successful test means Gamebook response actions are ready for CrowdStrike-managed devices.

Step 5 — Verify End-to-End

  1. Wait for the first poll cycle: The Detection module polls CrowdStrike on a short interval. New alerts appear in ContraForce within a few minutes of being generated in Falcon.
  2. Check the Command Dashboard: Navigate to the Command Dashboard. CrowdStrike incidents should appear alongside incidents from other sources.
  3. Open an incident: Click into a CrowdStrike incident and verify that the Entities and Timeline tabs are populated with alert data.
  4. Try a Gamebook (optional): If the Response module is configured, open a CrowdStrike incident where the affected entity is a device and confirm that Contain, Lift Containment, and On-Demand Scan Gamebook actions are available.

What Each Module Unlocks

Capability                                                Requires Detection    Requires Response
Ingest CrowdStrike Falcon detections as incidents
Round-trip status, assignment, and comments to Falcon
Receive real-time incident updates in the portal
Run Contain and Lift Containment Gamebooks
Run On-Demand Scan Gamebooks
Trigger Security Delivery Agents on new incidents
You can configure the Detection module without the Response module if you don’t need Gamebook response actions for CrowdStrike devices. Configuring only the Response module without Detection is not a supported configuration — you’d have no incidents for the Gamebooks to run on.

Troubleshooting

Issue: Test Connection fails with “missing the 'Alerts: Read' scope”
  Likely cause: The Detection API client does not have Alerts: Read granted
  Fix: Return to API Clients and Keys in Falcon, edit the Detection client, enable Alerts: Read, and save

Issue: Test Connection fails with “missing the 'Hosts: Write' scope”
  Likely cause: The Response API client does not have Hosts: Write granted
  Fix: Edit the Response client and enable Hosts: Write

Issue: Test Connection fails with a generic OAuth error
  Likely cause: The Base URL does not match the tenant’s actual CrowdStrike cloud
  Fix: Verify the Base URL against the cloud table above; cross-check against the Falcon console URL

Issue: Verification panel shows ✗ on Cases workbench for the XDR / NG-SIEM tier
  Likely cause: The Detection API client does not have Cases: Read + Write granted
  Fix: Edit the Detection client and add Cases: Read + Write, then re-run Test Connection. Without it, ContraForce can ingest detections normally but won’t be able to resolve case context on detections that reference a case

Issue: Verification panel shows ✗ on NG-SIEM for the NG-SIEM tier
  Likely cause: The Detection API client does not have NGSIEM: Read + Write granted, or the tenant does not have the NG-SIEM SKU
  Fix: Edit the Detection client and add NGSIEM: Read + Write; if the scope still doesn’t appear in the Falcon console, the tenant isn’t licensed for NG-SIEM and you should pick the XDR tier instead

Issue: Process Tree shows only the triggering process (no ancestors)
  Likely cause: Tenant tier was set to EDR or XDR, or the NG-SIEM scope is missing
  Fix: Confirm the customer is licensed for NG-SIEM and the tier dropdown reflects that; verify the NGSIEM scope on the Detection client

Issue: Detection Events Timeline is empty on the NG-SIEM tier
  Likely cause: NG-SIEM scope missing, or the alert’s process lifetime predates the base_sensor retention horizon
  Fix: Check the verification panel for ✗ on NG-SIEM; if the scope is fine, the older detection’s events have aged out (see the retention disclosure)

Issue: Incidents table is empty even though detections are firing in Falcon
  Likely cause: Time filter or product filter on the queue is excluding everything, or the API client lost its Alerts: Read scope
  Fix: Widen the date filter to a known-detection window, confirm Alerts: Read is still granted, and re-test the connection

Issue: Gamebook response actions are greyed out
  Likely cause: The Response module is not configured
  Fix: Complete Step 4 to configure the Response module

Issue: Agent comments do not appear in Falcon
  Likely cause: The Detection API client does not have Alerts: Write
  Fix: Add Alerts: Write to the Detection client

Issue: Incident owner you assigned in ContraForce isn’t reflected in Falcon
  Likely cause: This is by design; owner assignments record to the ContraForce audit log only and are not pushed to Falcon
  Fix: See CrowdStrike Falcon Integration → What the Integration Does for the rationale

Rotating an API Secret

CrowdStrike secrets do not expire automatically, but some organizations rotate them on a schedule.
  1. In Falcon, open the affected API client and click Reset secret
  2. Copy the new secret
  3. In ContraForce, reopen the affected module (Detection or Response)
  4. Paste the new secret into Client Secret and click Save
  5. Click Test Connection to verify

Related pages

  • CrowdStrike Falcon Integration: What the integration does, what each tier unlocks, and how Falcon’s retention shapes the data shown in the platform
  • What are Gamebooks?: Learn how Gamebook response actions work
  • Incident Management: Triage and resolve incidents in ContraForce
  • Entity Insights: Explore investigation context for an incident’s entities
  • Roles and Permissions: Detailed role reference for ContraForce users

Questions about connecting CrowdStrike Falcon to ContraForce? Contact us at support@contraforce.com.