This guide walks you through connecting a CrowdStrike Falcon tenant to Clarion via the Falcon OAuth2 API. Once connected, Clarion polls Falcon every minute for new detections and cases, and uses them to drive alerts and agent triage.
Estimated time: 5 minutes. You will need a CrowdStrike Falcon account with permission to create API clients.

Prerequisites

  • A CrowdStrike Falcon tenant and access to Support and resources → API clients and keys
  • A Clarion workspace where you can add a monitor
  • A secure place to store the Client ID and Client Secret generated in Falcon

Step 1 — Pick your Falcon cloud region

In Clarion, open Integrations → CrowdStrike, then Add Monitor. On the configuration screen, choose the cloud region that matches your Falcon Console URL:
| Region | Console URL |
| --- | --- |
| US-1 | https://falcon.crowdstrike.com |
| US-2 | https://falcon.us-2.crowdstrike.com |
| EU-1 | https://falcon.eu-1.crowdstrike.com |
| US-GOV-1 | https://falcon.laggar.gcw.crowdstrike.com |
| US-GOV-2 | https://falcon.us-gov-2.crowdstrike.com |
The “Sign in to your Falcon Console” link in the form updates to point at the region you select.

Step 2 — Create an API client in Falcon

  1. Sign in to the Falcon Console for your region.
  2. Go to Support and resources → API clients and keys.
  3. Click Create API client and grant the scopes listed in the Clarion setup instructions.

Scopes

Grant Read access to the following scopes so Clarion can poll detections, cases, and supporting context: Alerts, App Logs, Apps, Cases, Correlation Rules, Custom IOA rules, Detections, Device Content, Device control policies, Hosts, Firewall management, IOC Management, IOCs (Indicators of Compromise), Prevention policies, Quarantined Files, Real time response (admin), Real time response app, Real time response audit, Real time response, Response policies, Event streams.
If you want Clarion to interact with Cases, Real-Time Response, and similar surfaces and take remediation or containment actions, also grant Write access to the relevant scopes. Most write actions require human approval in Clarion before the agent executes them.
  4. Copy the generated Client ID and Client Secret.
Copy the Client Secret immediately — Falcon only shows it once. Store it securely.

Step 3 — Enter the credentials in Clarion

  1. Back in the Clarion monitor form, paste the Client ID and Client Secret.
  2. Click Save.
Clarion validates the credentials and begins polling Falcon every minute for new detections and cases.

What happens next

Once connected, Clarion will:
  • Poll Falcon every minute for new detections (surfaced as signals) and cases (surfaced as alerts)
  • Run your configured signal rules against incoming detections to promote matching events into alerts
  • Hand alerts to any connected triage agents
You can manage the monitor — pause polling, rotate credentials, or view sync status — from the Monitors section on the CrowdStrike integration page.

Agent tools

Once connected, your triage agents can use CrowdStrike tools to investigate and respond to alerts directly in Falcon:
  • Endpoint Detection & Response — Investigate Falcon alerts, inspect hosts, contain compromised endpoints, manage IOCs, and run Real-Time Response sessions.
Attach these tools to a skill in the skill editor. Destructive actions (host containment, IOC creation, Real-Time Response commands) require human approval by default and can be reviewed before the agent executes them.

Monitoring multiple Falcon tenants

CrowdStrike is configured per monitor: each Falcon tenant (each Client ID / Client Secret pair) is its own monitor in Clarion, with its own cursors and sync health. To monitor a second tenant, click Add Monitor again on the integration page and enter that tenant’s credentials.

Sync historical cases

The monitor only polls forward from the moment it’s connected. To pull in cases and detections from before that point:
  1. Open the monitor from the Monitors section on the Integrations → CrowdStrike page.
  2. Click Sync historical cases.
  3. Confirm the action.
Clarion rewinds the monitor’s cursors to 7 days ago and replays everything Falcon has created since. Items already imported are deduplicated by Falcon id, so this is safe to re-run.

Update or rotate credentials

To replace a Client Secret (for example, after rotating it in Falcon):
  1. Generate a new Client Secret in Falcon under Support and resources → API clients and keys.
  2. In Clarion, open the monitor.
  3. Paste the new secret into Update Client Secret and click Save. Leave the field blank to keep the existing secret when you only want to change the cloud region or Client ID.

Troubleshooting

The connection fails or events stop arriving

  • Confirm the cloud region matches your Falcon Console URL exactly (e.g. a US-2 tenant paired with a US-1 selection will not authenticate).
  • Verify the API client in Falcon has the scopes listed in the Clarion setup instructions and has not been revoked.
  • Use Sync now on the monitor to trigger an immediate poll and surface the underlying Falcon error in the toast.
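
A preflight check for the first two troubleshooting items, written as an added example (not Clarion or CrowdStrike code): it derives the region from the Falcon Console URL by exact host match and requests an OAuth2 token from that region's API. The API hostnames and the `/oauth2/token` path are assumptions taken from CrowdStrike's public API documentation rather than from this page, and the function names are hypothetical.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Console hosts come from the region table on this page; the API hosts are
# assumed from CrowdStrike's published base URLs (not listed on this page).
REGIONS = {
    "US-1": ("falcon.crowdstrike.com", "api.crowdstrike.com"),
    "US-2": ("falcon.us-2.crowdstrike.com", "api.us-2.crowdstrike.com"),
    "EU-1": ("falcon.eu-1.crowdstrike.com", "api.eu-1.crowdstrike.com"),
    "US-GOV-1": ("falcon.laggar.gcw.crowdstrike.com", "api.laggar.gcw.crowdstrike.com"),
    "US-GOV-2": ("falcon.us-gov-2.crowdstrike.com", "api.us-gov-2.crowdstrike.com"),
}


def region_for_console_url(console_url):
    """Return the region whose console host exactly matches the URL's host."""
    host = (urllib.parse.urlsplit(console_url).hostname or "").lower()
    for region, (console_host, _api_host) in REGIONS.items():
        if host == console_host:  # exact match, so lookalike hosts are rejected
            return region
    raise ValueError(f"not a known Falcon Console host: {host!r}")


def build_token_request(region, client_id, client_secret):
    """Build (but do not send) the client-credentials token request."""
    body = urllib.parse.urlencode(
        {"client_id": client_id, "client_secret": client_secret}
    ).encode()
    return urllib.request.Request(
        f"https://{REGIONS[region][1]}/oauth2/token",
        data=body,
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def check_credentials(console_url, client_id, client_secret, timeout=10):
    """Send the request; return (region, ok, detail) and never the token."""
    region = region_for_console_url(console_url)
    req = build_token_request(region, client_id, client_secret)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            ok = "access_token" in json.load(resp)
            return region, ok, f"HTTP {resp.status}"
    except urllib.error.HTTPError as err:
        return region, False, f"HTTP {err.code}: {err.reason}"
```

Call `check_credentials` with the Console URL you sign in to and the Client ID and Client Secret read from your secret store, not hard-coded; a failure here points at the region choice or the API client rather than at Clarion.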