# Crowdstrike FDR

In this guide, you will create new credentials for Crowdstrike FDR in order to pull endpoint events, alerts, incidents, and host details. This endpoint data is used to identify impacted identities who have clicked on malicious links and impacted devices in which malicious files were downloaded, as well as collect rich details about the impacted devices.&#x20;

At the end of this configuration, you will provide Radiant Security with the following values:

* **AWS Client ID**
* **AWS Secret Key**
* **SQS URL**

### **Prerequisites**

To complete the configuration, you will need the following:

* [ ] Admin access to CrowdStrike Falcon
* [ ] License: `Falcon Insight and Falcon Data Replicator`
* [ ] An active subscription to Falcon Data Replicator—must be enabled in Crowdstrike

{% hint style="warning" %}
**Important note**: If you are a customer that's already using FDR, please note that Crowdstrike will create two AWS S3 buckets and up to two AWS SQS queues per bucket for a maximum of four feeds. One of the S3 buckets must be reserved for Radiant Security.
{% endhint %}

### Create credentials for Crowdstrike FDR

1. Sign in to [CrowdStrike Falcon](https://falcon.us-2.crowdstrike.com/login/) with an admin account.
2. From the upper left corner, click the **Menu** icon.
3. Click **Support and resources**, then click **Falcon data replicator**.\
   ![image (15)](https://20705827.fs1.hubspotusercontent-na1.net/hubfs/20705827/Knowledge%20Base%20Articles/Crowdstrike%20FDR/image%20\(15\).png)
4. In the top right, click on the **Create feed** button.
5. On the **Create** **feed** page, enter a **Feed name**, set the feed status to **On**. Keep the default settings selected.\
   ![image (16)](https://20705827.fs1.hubspotusercontent-na1.net/hubfs/20705827/Knowledge%20Base%20Articles/Crowdstrike%20FDR/image%20\(16\).png)
6. Click **Next** to proceed.
7. On the next page, keep the default settings unchanged and click **Next**.\
   ![image (17)](https://20705827.fs1.hubspotusercontent-na1.net/hubfs/20705827/Knowledge%20Base%20Articles/Crowdstrike%20FDR/image%20\(17\).png)
8. Click the **Create feed** button.
9. Copy the **Client ID**, **Secret**, and **Notifications URL** for the next steps.\
   ![image (18)](https://20705827.fs1.hubspotusercontent-na1.net/hubfs/20705827/Knowledge%20Base%20Articles/Crowdstrike%20FDR/image%20\(18\).png)

{% hint style="warning" %}
**Important note**: Be sure to document and store the **Secret Key** carefully as it cannot be retrieved later.
{% endhint %}

### Add the credentials in Radiant Security

1. Log in to [Radiant Security](https://app.radiantsecurity.ai/).
2. From the navigation menu, select **Settings** > **Credentials** and click **+ Add Credential**.
3. Select the correct vendor from the list and click **Configure** **Credential**.
4. Under **Credential** **Name**, give the credential an identifiable name like `Crowdstrike_FDR_Credentials` and fill in the **Required Credentials** fields with the values you copied from the previous step:
   * **AWS Client ID**
   * **AWS Secret Key**
   * The **SQS URL** should have a format like: `https://sqs.us-east-2.amazonaws.com/`
5. Click **Add** **Credential** to save the changes.

### Add the data connector in Radiant Security

1. From the navigation menu, select **Settings** > **Data Connectors** and click **+ Add Connector** to create a new data connector.
2. Select the correct vendor from the list and click **Data Feeds**.
3. Select the applicable data feed and click **Credentials**.
4. From the drop-down, select the credential, or click **+ Add New Credential** to add a new credential if it doesn’t already exist.
5. Click **Add Connector** to finish creating the new data connector.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://help.radiantsecurity.ai/radiant-connectors/data-connectors/crowdstrike-fdr.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.