CrowdStrike Setup
Connect PocketSOC to your CrowdStrike Falcon environment to view endpoint detections on your iPhone.
Prerequisites
- A CrowdStrike Falcon subscription
- Access to the Falcon console with permissions to create API clients
- Your Falcon cloud environment URL
Step 1: Create an API client in Falcon
- Log into the Falcon console.
- Go to Support and resources > API Clients and Keys.
- Click Create API Client.
- Give it a name like PocketSOC.
- Set the following API scopes (Detections and Hosts need Write; the rest are read-only):
| Scope | Permission | Used for |
|---|---|---|
| Detections | Read, Write | View detections; update status, assign, close, add comments |
| Hosts | Read, Write | View host details; contain and lift containment |
| Incidents | Read | View related incidents |
| IOCs | Read | View indicators of compromise |
| User Management | Read | List assignable users |
- Click Create.
- Copy the Client ID and Client Secret — the secret is only shown once.
WARNING
Store the Client Secret securely. If you lose it, you will need to create a new API client.
Step 2: Determine your base URL
CrowdStrike has multiple cloud environments. Select the one that matches your Falcon instance:
| Cloud | Base URL |
|---|---|
| US-1 | https://api.crowdstrike.com |
| US-2 | https://api.us-2.crowdstrike.com |
| EU-1 | https://api.eu-1.crowdstrike.com |
| US-GOV-1 | https://api.laggar.gcw.crowdstrike.com |
TIP
Not sure which cloud you're on? Check the URL in your browser when logged into the Falcon console. If it contains falcon.us-2.crowdstrike.com, you're on US-2.
Step 3: Add the configuration in PocketSOC
- Go to portal.pocketsoc.com > Settings.
- Under Vendor Configurations, click Add Configuration.
- Fill in the fields:
| Field | Value |
|---|---|
| Vendor | CrowdStrike |
| Display Name | A friendly name (e.g., "CrowdStrike Production"). This is shown on each detection in the iOS app to identify which vendor source it came from. |
| Base URL | Your cloud URL from Step 2 |
| Auth Type | OAuth |
| Client ID | From Step 1 |
| Client Secret | From Step 1 |
- Click Save.
Step 4: Verify on the iOS app
- Open PocketSOC on your iPhone.
- If you're already signed in, the app automatically refreshes configurations.
- You should see detections from your CrowdStrike environment in the Detections feed.
Troubleshooting
| Issue | Solution |
|---|---|
| No detections appear | Verify the API client has the correct scopes. Check that the base URL matches your cloud. |
| "Unauthorized" error | The Client Secret may be incorrect. Create a new API client and update the config. |
| Wrong cloud URL | Update the base URL in the portal Settings. The app picks up changes on next refresh. |
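To tell a bad secret from a wrong cloud URL before saving the configuration, you can request a token yourself. The script below is an added example, not PocketSOC or CrowdStrike code. It assumes the Falcon OAuth2 token endpoint `/oauth2/token` (not named on this page), the environment variable names shown, and that each console host maps to its API host the way the Step 2 tip shows for US-2.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request

# API base URLs copied from the Step 2 table.
BASE_URLS = {
    "US-1": "https://api.crowdstrike.com",
    "US-2": "https://api.us-2.crowdstrike.com",
    "EU-1": "https://api.eu-1.crowdstrike.com",
    "US-GOV-1": "https://api.laggar.gcw.crowdstrike.com",
}

def base_url_from_console(console_url):
    """Console URL -> API base URL. Assumption: the API host is the console
    host with 'falcon.' replaced by 'api.' (the page shows this only for US-2)."""
    host = urllib.parse.urlsplit(console_url).hostname or ""
    candidate = "https://api." + host.removeprefix("falcon.")
    if not host.startswith("falcon.") or candidate not in BASE_URLS.values():
        raise ValueError(f"unrecognised Falcon console host: {host!r}")
    return candidate

def http_post_form(url, fields):
    """POST form-encoded fields over HTTPS; return (status, JSON body or {})."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(fields).encode())
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, {}

def check_credentials(base_url, client_id, client_secret, post=http_post_form):
    """Request an OAuth2 token and return (ok, message) without printing secrets."""
    base_url = base_url.rstrip("/")
    if base_url not in BASE_URLS.values():
        return False, "base URL is not one of the Step 2 cloud URLs"
    status, body = post(base_url + "/oauth2/token",
                        {"client_id": client_id, "client_secret": client_secret})
    if status in (200, 201) and body.get("access_token"):
        return True, "token issued: Client ID, Secret and cloud match"
    if status in (400, 401, 403):  # exact rejection code not stated on the page
        return False, "rejected: check Client ID, Client Secret and base URL"
    return False, f"unexpected HTTP {status}: recheck the base URL"

if __name__ == "__main__":
    # Hypothetical variable names; the environment keeps the secret out of shell history.
    env = os.environ
    print(check_credentials(env["FALCON_BASE_URL"], env["FALCON_CLIENT_ID"],
                            env["FALCON_CLIENT_SECRET"]))
```

A successful token request only proves the credentials and cloud; it does not confirm that the client has the scopes from Step 1.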
Rotating credentials
To rotate your CrowdStrike API credentials:
- Create a new API client in the Falcon console.
- Update the Client ID and Secret in the portal Settings.
- The iOS app picks up the new credentials on next sync.
- Delete the old API client in the Falcon console.
