CrowdStrike Falcon
Connects to CrowdStrike Falcon to pull endpoint devices, vulnerability findings, and detection events into Clariti. This gives you a unified view of your endpoint security posture — which machines are protected, what vulnerabilities exist, and what threats have been detected.
What You'll Need
- Falcon console admin access (or a role with API client management permissions)
- CrowdStrike Falcon Go, Pro, or Enterprise license
- About 5 minutes
- A Clariti account with adapter setup permissions
Configure in CrowdStrike Falcon
Log Into the Falcon Console
Navigate to: falcon.crowdstrike.com
Go to falcon.crowdstrike.com and sign in with your admin account.
Why: All API client management happens in the Falcon console. You'll need admin-level access to create API credentials.
Navigate to API Clients
Navigate to: Support and resources → API clients and keys
In the left sidebar, navigate to Support and resources → API clients and keys.
Depending on your console version, this may appear as Support and resources → API clients and keys or Support → API Clients & Keys. The location varies slightly between Falcon console versions, but it's always under the Support section.
Why: CrowdStrike manages API access through dedicated API clients, separate from user accounts. This is where you create credentials for integrations like Clariti.
Create a New API Client
Navigate to: API Clients & Keys page
Click Create API client (or Add new API client depending on your console version).
Why: Each integration should have its own API client with scoped permissions. This follows the principle of least privilege and makes it easy to revoke access later without affecting other integrations.
Configure Client Permissions
Navigate to: Create API Client dialog
Fill in the client details:
- Client Name: Clariti AI
- Description: Asset inventory integration
Under API scopes, grant Read access to:
- Hosts — endpoint device inventory
- Vulnerabilities — vulnerability assessment findings
- Detections — threat detection events
Leave all other scopes unchecked.
Only grant the scopes Clariti actually needs. If you don't use CrowdStrike's vulnerability scanning, you can skip the Vulnerabilities scope — Clariti will simply not pull that data type.
Why: Clariti only needs read access to pull asset data. Granting only Read scope follows least-privilege principles — Clariti never modifies your CrowdStrike data.
Copy Client ID and Secret
Navigate to: API Client Created confirmation dialog
Click Create. A confirmation dialog appears with your Client ID and Client Secret.
Copy both values immediately.
The Client Secret is only displayed once in this dialog. If you close it without copying the secret, you'll need to delete this API client and create a new one. There's no way to retrieve the secret after closing.
After creating the API client, the Client ID and Secret appear in a modal dialog. Copy both values before closing the dialog.
Why: These are your authentication credentials. Like most security platforms, CrowdStrike only shows the secret once at creation time.
📋 Copy the Client ID and Client Secret — you'll need them in Clariti.
Enter Credentials in Clariti
Navigate to Adapters → Add Adapter → CrowdStrike Falcon and enter your credentials:
| Value from vendor console | Paste into Clariti field |
|---|---|
| Client ID | Client ID |
| Client Secret | Client Secret |
Note: No Tenant ID is needed — CrowdStrike uses a different authentication model than Microsoft. Clariti auto-detects your CrowdStrike cloud region.
CrowdStrike operates multiple regional cloud instances (US-1, US-2, EU-1, US-GOV-1). Clariti auto-detects your region, but if you get persistent 403 errors after setup, confirm your CrowdStrike cloud region in the Falcon console and verify it matches what Clariti detected. Your region is visible in the Falcon console URL or under Support → Sensor downloads.
Verify Connection
Click Test Connection. CrowdStrike connections are fast — you should see a green checkmark within seconds. The first sync pulls your device inventory, and if scoped, vulnerability and detection data shortly after.
Troubleshooting
401 Unauthorized
Invalid credentials or an expired client secret. Verify you copied the Client ID and Secret correctly. If the secret was created long ago, it may have expired — create a new API client.
403 Forbidden
Two common causes: the API client doesn't have the required scopes (Hosts, Vulnerabilities, Detections), or you're hitting the wrong regional cloud URL. Verify your API client scopes in the Falcon console and check that Clariti is pointed at your correct CrowdStrike region.
429 Too Many Requests
Rate limiting from the CrowdStrike API. Clariti handles retry automatically with exponential backoff — no action needed on your part. If you see this persistently, it may indicate another integration is consuming your API rate limit.
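To check the new API client independently of Clariti, the following added example (not Clariti or CrowdStrike code) requests an OAuth2 token and issues one read per scope, reporting any of the status codes covered above. The base URLs, endpoint paths, the function names and the FALCON_* environment variable names are assumptions, the first two drawn from CrowdStrike's public API reference rather than from this page; confirm the paths against the API documentation in your Falcon console.

```python
import json
import os
from urllib import error, parse, request

# Assumptions taken from CrowdStrike's public API reference, not from this page:
# regional base URLs, the OAuth2 token path, and one cheap read query per scope.
BASE_URLS = {"US-1": "https://api.crowdstrike.com",
             "US-2": "https://api.us-2.crowdstrike.com",
             "EU-1": "https://api.eu-1.crowdstrike.com",
             "US-GOV-1": "https://api.laggar.gcw.crowdstrike.com"}
PROBES = {"Hosts": "/devices/queries/devices/v1?limit=1",
          "Vulnerabilities": "/spotlight/queries/vulnerabilities/v1"
                             "?limit=1&filter=status%3A%27open%27",
          "Detections": "/detects/queries/detects/v1?limit=1"}
HINTS = {401: "invalid or expired credentials",  # causes per Troubleshooting
         403: "missing scope or wrong regional cloud",
         429: "rate limited; another integration may be using the quota"}

def http(method, url, headers, body=None):
    """Default transport: return (status, parsed JSON body or {})."""
    req = request.Request(url, data=body, headers=headers, method=method)
    try:
        with request.urlopen(req, timeout=15) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except error.HTTPError as err:
        return err.code, {}

def describe(status):
    return "ok" if status in (200, 201) else f"{status}: {HINTS.get(status, 'unexpected response')}"

def preflight(client_id, client_secret, region="US-1", send=http):
    """Request a token, then try one read per scope; return {step: result}."""
    base = BASE_URLS[region]
    form = parse.urlencode(
        {"client_id": client_id, "client_secret": client_secret}).encode()
    status, data = send("POST", base + "/oauth2/token",
                        {"Content-Type": "application/x-www-form-urlencoded"}, form)
    report = {"token": describe(status)}
    if report["token"] != "ok":
        return report  # no token, so the scope probes cannot run
    auth = {"Authorization": "Bearer " + data["access_token"]}
    for scope, path in PROBES.items():
        report[scope] = describe(send("GET", base + path, auth)[0])
    return report

if __name__ == "__main__":  # credentials come from the environment, not argv
    env = os.environ
    print(json.dumps(preflight(env["FALCON_CLIENT_ID"], env["FALCON_CLIENT_SECRET"],
                               env.get("FALCON_REGION", "US-1")), indent=2))
```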