# CrowdStrike Falcon Protect

This document provides instructions for configuring CrowdStrike in order for the Netography Context Integration to have the correct access to pull label contexts.

## Prerequisites <a href="#prerequisites" id="prerequisites"></a>

Before configuring the CrowdStrike Falcon Protect Context Integration in Netography, you will need to have an API user created in CrowdStrike.

### Configure an API Client <a href="#configure-an-api-client" id="configure-an-api-client"></a>

* On the left hand menu expand the "Support and resources" submenu.
* Then click on API clients and keys.\
  ![](/files/Jvomt67lFU5dd4mrpjMC)
* Click on the "Create API client" button in the top right\
  ![](/files/h7YFaeXeryUuwYOuz1hl)
* Fill out the client name.
* Give the key a description.
* In the API Scopes table select Read permission for "Hosts".
* Click add at the bottom to create this api client.

**📘The CrowdStrike Falcon Protect setup uses the same steps as Discover but only the Read permission is required for Hosts, as exampled below in the Add new API client window:**

![](/files/madPictvfS7TUko2nEWX)

* After clicking "Create" you will be presented with a screen that shows the credentials like below. Make note of the `CLIENT ID`, `SECRET` and subdomain from the `BASE URL`.
  * Note: The Subdomain of the base URL is what to select for Cloud abbreviation.

    <mark style="color:$info;">**📘 If the BASE URL is api.crowdstrike.com then your cloud is US-1.**</mark><br>

    ![](/files/Wmttu1fGs07x3aSfWlnj)

## Netography Portal Steps <a href="#netography-portal-steps" id="netography-portal-steps"></a>

Navigate to Integrations (make sure you are on the Context tab) and click "Add Integration", then select `CrowdStrike Falcon Protect`

![](/files/3krW5op7axujYtUptAs7)

### Configuration

The following fields are specific to the CrowdStrike Falcon Protect integration.

| Field                | Required | Description                                                                      | Example                                                |
| -------------------- | -------- | -------------------------------------------------------------------------------- | ------------------------------------------------------ |
| `Cloud Abbreviation` | yes      | The falcon cloud to query. Found as the subdomain from the CrowdStrike`BASE URL` | US 2                                                   |
| `Filter`             |          | An optional FQL string to be used when filtering results.                        | entity\_type:'managed'+last\_seen\_timestamp:<'now-3d' |
| `Sort`               |          | An optional FQL sort string.                                                     | last\_seen\_timestamp.desc                             |

### Authentication

The following fields are necessary for the integration to authenticate with CrowdStrike.

| Field           | Required | Description                 |
| --------------- | -------- | --------------------------- |
| `Client ID`     | yes      | The CrowdStrike `CLIENT ID` |
| `Client Secret` | yes      | The CrowdStrike `SECRET`    |

<br>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.fusion.vectra.ai/enrich-traffic-with-context/configure-context-integrations/crowdstrike-falcon-protect.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.