Attach a Crowdstrike Falcon control to Detect

To attach a Crowdstrike account to Detect, you will need:

  • The Prelude CLI
  • A limited API client/user that can report new detections

The API client must have permissions to the /iocs/entities/indicators/v1 route.

Attach the control

Run the following command to attach the control

prelude iam attach-control crowdstrike --api <HOST> --user <CLIENT_ID> --secret <SECRET>

The host should look like

Your account credentials are stored, encrypted at REST, behind the Prelude Service API. Prelude manages the OAUTH refresh automatically, refreshing your token with Crowdstrike every 30 minutes.

After attachment, the Prelude Service will send your Crowdstrike account a new IOC every time a probe reports a test in the UNPROTECTED state. Following this report, Falcon should start catching the test.

Detach the control

To detach the control from your account, run:

prelude iam detach-control crowdstrike