Configure CrowdStrike Falcon Endpoint for Arctic Wolf Active Response

With the Active Response service, Arctic Wolf® can perform host-based response actions in your network using CrowdStrike Falcon® endpoint.

CrowdStrike Falcon supports these response actions:
  • Contain a host/Remove from containment

For more information, see Response action descriptions.

These resources are required:

  • A Falcon Administrator role for the CrowdStrike Falcon environment that you want Arctic Wolf to monitor.
  • A CrowdStrike Falcon Enterprise license.

    For more information about pricing, see CrowdStrike pricing.

These actions are required:

  • If you are using Falcon Complete, read the terms of your CrowdStrike Falcon agreements to make sure that third-party containment actions are permitted.
  • Define your containment policy with your CST.
  • Contact your CST to validate the Active Response integration. Have a device or environment ready that Arctic Wolf can use to validate the desired response actions without causing interruptions.

Create the API client

Note: Do not reuse the API credentials from the CrowdStrike Falcon EDR configuration. The two integrations require different API scopes, so create a separate client with only the scope listed below.
  1. Sign in to the CrowdStrike Falcon platform.
  2. Navigate to Support and resources > API clients and keys.
  3. Click Create API client.
  4. In the Create API client dialog, configure these settings:
    • Client name — Enter a name for the API client. For example, Arctic Wolf Active Response.
    • Description — (Optional) Enter a description.
  5. In the Hosts scope, select the Read and Write checkboxes.
  6. Click Create.
  7. Copy the API Client ID and API Client Secret values, and then save them in a safe, encrypted location.

    You will provide these values to Arctic Wolf later.

    Note: The API client secret is only available during API client creation. If this information is lost before you provide it to Arctic Wolf, you must create a new client to get a new API client secret.
  8. Click Done.

Provide CrowdStrike Falcon Active Response credentials to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Organization Profile > Integrations.
  3. On the Active Response tab, click New Active Response Integration +.
  4. Click CrowdStrike Falcon.
  5. On the New Active Response Integration page, configure these settings:
    • Integration Name — Enter a unique and descriptive name for the integration, including the tenant name. For example, <tenant_name> CrowdStrike Active Response Integration.
    • API Base URL — Enter the base URL for your region:
      • US-1 (Default) — https://api.crowdstrike.com
      • US-2 — https://api.us-2.crowdstrike.com
      • EU-1 — https://api.eu-1.crowdstrike.com
    • Client ID — Enter the client ID from Create the API client.
    • Client Secret — Enter the client secret from Create the API client.
    • Query Results Limit — Enter the maximum number of objects for a query to return. We recommend 100.
    • Endpoint Offline Timeout (Hours) — Enter the number of hours Arctic Wolf should continue checking for a command response from CrowdStrike Falcon. We recommend 1.
    • User-Defined Mapping — (Optional) Keep this field blank.
    • Webhook Key — (Optional) Keep this field blank.
  6. Click Save Integration.
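Before providing the client ID and secret to Arctic Wolf, it is worth confirming that the new API client authenticates against the correct regional API Base URL and that its Hosts scope actually works. The script below is an added example, not Arctic Wolf's or CrowdStrike's own code; it assumes the public CrowdStrike OAuth2 token endpoint (POST {base}/oauth2/token with form fields client_id and client_secret) and the read-only Hosts query endpoint GET {base}/devices/queries/devices/v1, neither of which is named on this page, and it performs no containment action.

```python
import json
import os
import urllib.parse
import urllib.request

# Region names and base URLs exactly as listed in the integration settings above.
REGION_BASE_URLS = {
    "US-1": "https://api.crowdstrike.com",
    "US-2": "https://api.us-2.crowdstrike.com",
    "EU-1": "https://api.eu-1.crowdstrike.com",
}


def base_url_for_region(region: str) -> str:
    """Return the API Base URL for a region; reject anything not on the list."""
    try:
        return REGION_BASE_URLS[region.upper()]
    except KeyError:
        raise ValueError(f"unknown region {region!r}; expected one of {sorted(REGION_BASE_URLS)}")


def token_request(base_url: str, client_id: str, client_secret: str) -> urllib.request.Request:
    """Build the client-credentials request (assumed CrowdStrike endpoint /oauth2/token).
    The secret is sent in the POST body, never in the URL, so it stays out of proxy logs."""
    body = urllib.parse.urlencode({"client_id": client_id, "client_secret": client_secret}).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"}
    return urllib.request.Request(base_url + "/oauth2/token", data=body, method="POST", headers=headers)


def hosts_query_request(base_url: str, token: str, limit: int = 1) -> urllib.request.Request:
    """Build a read-only Hosts query (assumed endpoint) that exercises the Hosts Read scope."""
    url = f"{base_url}/devices/queries/devices/v1?{urllib.parse.urlencode({'limit': limit})}"
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    return urllib.request.Request(url, headers=headers)


def check_client(region: str, client_id: str, client_secret: str) -> int:
    """Authenticate, run one Hosts read, and return how many host IDs came back (0..limit).
    A wrong region or a client without the Hosts scope raises an HTTPError here."""
    base = base_url_for_region(region)
    with urllib.request.urlopen(token_request(base, client_id, client_secret), timeout=15) as resp:
        token = json.load(resp)["access_token"]
    with urllib.request.urlopen(hosts_query_request(base, token, limit=1), timeout=15) as resp:
        return len(json.load(resp).get("resources", []))


if __name__ == "__main__":
    # Credentials are read from the environment so they never land in shell history or this file.
    count = check_client(os.environ.get("FALCON_REGION", "US-1"),
                         os.environ["FALCON_CLIENT_ID"], os.environ["FALCON_CLIENT_SECRET"])
    print(f"API client authenticated; Hosts read returned {count} host ID(s)")
```

Run it once with the new client's credentials exported as FALCON_CLIENT_ID and FALCON_CLIENT_SECRET (and FALCON_REGION for US-2 or EU-1); an HTTP 401 or 403 at the token step usually means the wrong region URL or a mistyped secret, while a 403 at the Hosts step means the Hosts Read scope was not granted.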