# CrowdStrike

> Integrate with CrowdStrike products including Falcon, NG-SIEM, and their identity platform

## Getting Started

1. Log in to [https://falcon.crowdstrike.com/login/](https://falcon.crowdstrike.com/login/)
   1. You may have a different portal URL depending on geolocation.
2. Expand the navigation menu in the top left and go to Support and resources > **API Clients and keys**
3. Select **Create API Client**
4. Select the following scopes:
   1. Alerts - Read / Write
   2. Hosts - Read
   3. Cases - Read / Write
   4. Threat Graph - Read
   5. Custom IOA Rules - Read
   6. Correlation Rules - Read
   7. Real Time Response (Active Responder) - Write *(required for file deletion)*
5. Create the client and save the **Client ID**, **Client Secret**, and **Base URL**
6. Log in to Wirespeed, navigate to Integrations > [Add Integration](https://app.wirespeed.co/settings/integrations?tab=browse) > CrowdStrike, and provide the information from step 5.
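
Because this client holds write access to alerts, cases, and Real Time Response, it is worth confirming that it carries exactly the scopes from step 4 and nothing more. The script below is an added example, not Wirespeed or CrowdStrike code: it compares a scope list written in this page's `Name - Access` notation against step 4. `SAMPLE_GRANTED` is constructed, and transcribing the client's scopes into that notation by hand is an assumption.

```python
# Scopes from step 4 of this page, in the page's own "Name - Access" notation.
REQUIRED = """\
Alerts - Read / Write
Hosts - Read
Cases - Read / Write
Threat Graph - Read
Custom IOA Rules - Read
Correlation Rules - Read
Real Time Response (Active Responder) - Write
"""

# Constructed sample: scopes transcribed from a hypothetical API client.
SAMPLE_GRANTED = """\
Alerts - Read / Write
Hosts - Read / Write
Cases - Read
Threat Graph - Read
Custom IOA Rules - Read
Correlation Rules - Read
Real Time Response (Active Responder) - Write
Real Time Response (Admin) - Write
"""

def parse_scopes(text):
    """Parse 'Name - Read / Write' lines into {name: {'read', 'write'}}."""
    scopes = {}
    for line in filter(None, (l.strip() for l in text.splitlines())):
        # Split on the last " - " so names containing hyphens survive.
        name, sep, access = line.rpartition(" - ")
        levels = {a.strip().lower() for a in access.split("/")}
        if not sep or not levels <= {"read", "write"}:
            raise ValueError(f"unparseable scope line: {line!r}")
        scopes.setdefault(name.strip().lower(), set()).update(levels)
    return scopes

def audit(granted_text, required_text=REQUIRED):
    """Return (missing, excess) as sorted lists of 'scope:level' strings."""
    def flat(d):
        return {f"{n}:{lvl}" for n, lvls in d.items() for lvl in lvls}
    req, got = flat(parse_scopes(required_text)), flat(parse_scopes(granted_text))
    return sorted(req - got), sorted(got - req)

if __name__ == "__main__":
    missing, excess = audit(SAMPLE_GRANTED)
    print("missing (add, or the integration lacks access):", missing)
    print("excess (remove for least privilege):", excess)
```

An empty `missing` list and an empty `excess` list mean the client matches step 4 exactly.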

## Detection Refresh

Wirespeed automatically syncs detection state from CrowdStrike Falcon so your detections stay up to date without manual intervention.

### When Does It Run?

Detection refresh runs **every 15 minutes** for all escalated detections that are actively being worked. Specifically, detections must meet all of the following criteria to be refreshed:

* The detection was **escalated** at some point
* The current status is one of: **Chat Ops**, **Hunting**, **Monitoring**, or **Escalated**
* The detection was created within the **last 14 days**

Refresh also runs during **case creation** to pull in the latest notes and logs from CrowdStrike before a case is opened.

### What Gets Updated?

Each refresh pulls the current alert state from the CrowdStrike API and checks for changes:

* **Status & Verdict** — If CrowdStrike marks a detection as a false positive (via tags, resolution, or automated triage), Wirespeed automatically closes the detection as benign. True positive confirmations are logged.
* **Falcon Complete** — If the detection is assigned to CrowdStrike Falcon Complete, a note and log are added indicating Falcon Complete is managing the detection.
* **Notes** — Comments from CrowdStrike are synced as notes on the detection. Notes flagged for the case are merged into any associated case.
* **Assignee** — If the alert has an assignee in CrowdStrike, it is recorded on the detection.

<Info>On first sync, Wirespeed fetches detections from up to the last **90 days**, capped at the newest **5,000** detections.</Info>
