CrowdStrike: Overview and setup

Written by Riya Sebastian

Connect CrowdStrike Falcon to Atomicwork to query, investigate, and manage security alerts as part of your IT and security workflows.

Use cases

By connecting CrowdStrike Falcon, your teams can:

  • Triage security alerts: Query alerts using filters to surface high-severity or new alerts for investigation. For example, a workflow can automatically pull all new critical-severity alerts every morning and post a summary to your security team's Slack channel.

  • Investigate alert details: Pull detailed alert information — including host details, detection context, and severity — directly from Atom or within a workflow. An agent handling a ticket about suspicious activity can ask Atom to pull the latest CrowdStrike alerts for that user's device without switching to the Falcon Console.

  • Automate alert response: Update alert status, assign alerts to analysts, and add comments or tags as part of automated incident response workflows. For example, when a critical alert is detected, a workflow can automatically assign it to the on-call security analyst, set the status to in-progress, and create an incident in Atomicwork for tracking.

  • Enable self-service security queries: Employees can ask Atom about security alerts affecting their devices without waiting for the security team — for example, "Are there any security alerts on my laptop?"

Permissions

To connect CrowdStrike Falcon to Atomicwork, you need:

  • Org admin access in Atomicwork

  • Admin access to the CrowdStrike Falcon Console with permission to create API clients

The integration authenticates using an API client configured in the Falcon Console. The API client requires the following scopes:

| Permission | Purpose |
|---|---|
| Alerts: Read | Query and retrieve alert details. Required for listing alerts and pulling alert information into workflows. |
| Alerts: Write | Update alert status, add comments, manage tags, and assign or unassign alerts. Required for any action that modifies an alert. |

To create the API client:

  1. In the Falcon Console, navigate to Support and Resources > API Clients and Keys.

  2. Click Create API Client.

  3. Assign the Alerts: Read and Alerts: Write scopes.

  4. Note the Client ID and Client Secret — you'll need these to complete the setup in Atomicwork.

Setup

Before connecting, identify your CrowdStrike cloud region. The base URL must match your Falcon environment:

Using the wrong regional URL will cause authentication failures. If you're unsure which region your Falcon tenant is on, check with your CrowdStrike administrator or refer to your Falcon Console URL.

To connect:

  1. Navigate to Settings > App Store > CrowdStrike Falcon.

  2. Enter your credentials:

    • Client ID - Your CrowdStrike API Client ID from the Falcon Console.

    • Client secret - Your CrowdStrike API Client Secret from the Falcon Console.

    • Base URL - The regional base URL for your CrowdStrike cloud instance (see table above).

  3. Click Connect to authorize the integration.

Atomicwork validates the connection by checking that the API client has the required Alerts: Read scope. If validation fails, you'll see a specific error message indicating what needs to be fixed.

Supported workflow actions

Once connected, you can automate the following CrowdStrike Falcon actions within your Atomicwork workflows:

| Action | Description |
|---|---|
| List alerts | Query alert IDs using filters, with optional sorting and pagination. Use this to find alerts by severity, status, or other criteria. |
| Get alerts | Retrieve detailed alert information by alert ID, including severity, status, description, host information, and detection details. |
| Update alert | Perform actions on one or more alerts: update status, add a comment, add or remove tags, or assign/unassign to a team member. |
| Call API | Make a generic API call to any CrowdStrike Falcon endpoint for operations beyond the standard actions. |

Troubleshoot common issues

| Error | Cause | Resolution |
|---|---|---|
| Invalid credentials (401) | The Client ID or Client Secret is incorrect or has been revoked. | Generate a new API client in Falcon Console > Support and Resources > API Clients and Keys and update the credentials in Atomicwork. |
| Insufficient permissions (403) | The API client is missing required scopes. | Verify that both Alerts: Read and Alerts: Write are assigned to the API client in the Falcon Console. |
| Alerts read permission missing | The integration specifically checks for the Alerts: Read scope during connection. This scope is not assigned to the API client. | Edit the API client in the Falcon Console and add the Alerts: Read scope. |
| Invalid base URL | The base URL is malformed or missing the protocol. | Ensure the URL includes https:// and matches your CrowdStrike region (for example, https://api.crowdstrike.com for US-1). |
| Authentication failure after initial success | The regional base URL doesn't match your Falcon tenant's cloud instance. | Verify your cloud region and update the base URL in Settings > App Store > CrowdStrike Falcon. |
| Token acquisition failure | The CrowdStrike API is unreachable or experiencing issues. | Verify network connectivity and check the CrowdStrike status page for any ongoing incidents. |
| Action failure (403) | The API client lacks the specific scope required for the action being performed. | Check which action failed: list/get alerts requires Alerts: Read, update alerts requires Alerts: Write. Add the missing scope in the Falcon Console. |
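The setup section above says the connection is validated by confirming the Alerts: Read scope, and the table above maps failures to causes. The following added example (not Atomicwork's code, and not part of the original article) is a standalone preflight script you can run before entering credentials: it validates the base URL, requests an OAuth2 token from the Falcon API, issues the smallest possible alert query to prove the Alerts: Read scope, and translates each HTTP failure into the wording of the troubleshooting table. The endpoint paths `/oauth2/token` and `/alerts/queries/alerts/v2` are the public Falcon API paths; the function names, the injectable `transport` callable, and the fake responses are assumptions made for this example.

```python
"""Preflight check for a CrowdStrike Falcon API client (example, not Atomicwork code).

Steps mirror the setup and troubleshooting sections: base URL -> token -> Alerts: Read.
Network I/O goes through an injectable `transport` so the logic can be exercised
offline against fake responses.
"""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# transport(method, url, headers, body) -> (http_status, response_text)
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, str]]


def validate_base_url(url: str) -> str:
    """Return a normalised 'https://host' or raise ValueError in the table's wording."""
    parsed = urllib.parse.urlsplit(url.strip())
    if parsed.scheme != "https":
        raise ValueError("Invalid base URL: must start with https://")
    if not parsed.netloc.endswith(".crowdstrike.com") or parsed.path not in ("", "/"):
        raise ValueError("Invalid base URL: expected a regional *.crowdstrike.com API host with no path")
    return f"https://{parsed.netloc}"


def diagnose(stage: str, status: int) -> str:
    """Map an HTTP status seen at a given stage onto the troubleshooting table."""
    if stage == "token":
        if status == 401:
            return "Invalid credentials (401): Client ID or Client Secret is wrong or revoked"
        if status >= 500:
            return "Token acquisition failure: CrowdStrike API unreachable or degraded"
        return f"Authentication failure ({status}): check that the base URL matches your tenant's region"
    if stage == "alerts_read":
        if status == 403:
            return "Alerts read permission missing: add the Alerts: Read scope to the API client"
        if status == 401:
            return "Token rejected (401): base URL region may not match the tenant that issued the token"
        return f"Unexpected status {status} while querying alerts"
    return f"Action failure ({status}): API client lacks the scope for this action"


def urllib_transport(method: str, url: str, headers: Dict[str, str], body: Optional[bytes]) -> Tuple[int, str]:
    """Real HTTP transport using only the standard library; never logs the request body."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def acquire_token(base_url: str, client_id: str, client_secret: str,
                  transport: Transport = urllib_transport) -> Tuple[Optional[str], str]:
    """Client-credentials grant: POST form-encoded id/secret to /oauth2/token."""
    body = urllib.parse.urlencode({"client_id": client_id, "client_secret": client_secret}).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"}
    status, text = transport("POST", f"{base_url}/oauth2/token", headers, body)
    if status not in (200, 201):  # Falcon answers 201 Created on success
        return None, diagnose("token", status)
    return json.loads(text)["access_token"], "ok"


def check_alerts_read(base_url: str, token: str,
                      transport: Transport = urllib_transport) -> Tuple[bool, str]:
    """Smallest call that exercises Alerts: Read: ask for a single alert ID."""
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    status, _ = transport("GET", f"{base_url}/alerts/queries/alerts/v2?limit=1", headers, None)
    return (True, "ok") if status == 200 else (False, diagnose("alerts_read", status))


def preflight(base_url: str, client_id: str, client_secret: str,
              transport: Transport = urllib_transport) -> List[Tuple[str, bool, str]]:
    """Run the checks in order and stop at the first failure; returns (step, ok, message) rows."""
    try:
        base = validate_base_url(base_url)
    except ValueError as err:
        return [("base_url", False, str(err))]
    results = [("base_url", True, base)]
    token, msg = acquire_token(base, client_id, client_secret, transport)
    results.append(("token", token is not None, msg))
    if token is None:
        return results
    ok, msg = check_alerts_read(base, token, transport)
    results.append(("alerts_read", ok, msg))
    return results


if __name__ == "__main__":
    import os
    # Credentials come from the environment so they never land in shell history or logs.
    for step, ok, message in preflight(os.environ.get("FALCON_BASE_URL", "https://api.crowdstrike.com"),
                                       os.environ["FALCON_CLIENT_ID"], os.environ["FALCON_CLIENT_SECRET"]):
        print(f"{'PASS' if ok else 'FAIL'}  {step}: {message}")
```

The script stops at the first failing step, which is the order the table implies: a malformed base URL can never reach the token endpoint, a 401 at the token endpoint is a credential problem, and a 403 on the alert query with a freshly issued token is the missing Alerts: Read scope rather than a credential problem. Extending it to probe Alerts: Write is deliberately left out, because any genuine write call would modify an alert.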
