Skip to main content

Getting Started

  1. Login to https://falcon.crowdstrike.com/login/
    1. You may have a different portal URL depending on geolocation
  2. Expand the navigation in the top left > Support and resources > API Clients and keys
  3. Select Create API Client
  4. Select the following scopes
    1. Alerts - Read / Write
    2. Hosts - Read
    3. Cases - Read / Write
  5. Create and save Client ID, Client Secret, and Base URL
  6. Login to Wirespeed > Integrations > Add Integration > Crowdstrike Falcon and provide the information from step 5.

Detection Refresh

Wirespeed automatically syncs detection state from CrowdStrike Falcon so your detections stay up to date without manual intervention.

When Does It Run?

Detection refresh runs every 15 minutes for all escalated detections that are actively being worked. Specifically, detections must meet all of the following criteria to be refreshed:
  • The detection was escalated at some point
  • The current status is one of: Chat Ops, Hunting, Monitoring, or Escalated
  • The detection was created within the last 14 days
Refresh also runs during case creation to pull in the latest notes and logs from CrowdStrike before a case is opened.

What Gets Updated?

Each refresh pulls the current alert state from the CrowdStrike API and checks for changes:
  • Status & Verdict — If CrowdStrike marks a detection as a false positive (via tags, resolution, or automated triage), Wirespeed automatically closes the detection as benign. True positive confirmations are logged.
  • Falcon Complete — If the detection is assigned to CrowdStrike Falcon Complete, a note and log are added indicating Falcon Complete is managing the detection.
  • Notes — Comments from CrowdStrike are synced as notes on the detection. Notes flagged for the case are merged into any associated case.
  • Assignee — If the alert has an assignee in CrowdStrike, it is recorded on the detection.