Endpoint Detection and Response (EDR) Integration
CrowdStrike Falcon on your phone — triage detections and isolate hosts from anywhere.
PocketSOC connects to CrowdStrike Falcon through a customer-created OAuth2 API client. SOC analysts can view Falcon detections, assign or close alerts, and isolate or lift isolation on hosts — all from iOS or Android. Authentication uses scoped API credentials that you manage in the Falcon console, so access can be rotated or revoked at any time.
Supported actions for CrowdStrike
- View Falcon detections with severity, host, and process context
- Assign and close detections from the mobile app
- Isolate compromised hosts through Falcon's containment APIs
- Lift host isolation once an investigation is complete
- Filter alerts by severity threshold and host tag
- Receive push notifications for new high-severity detections
Authentication and credentials
CrowdStrike Falcon uses an OAuth2 API client that you create in the Falcon console under API Clients & Keys. PocketSOC requires the following scopes: Alerts (read, write), Hosts (read, write), and User Management (read). PocketSOC does not use Personal Access Tokens — CrowdStrike does not issue PATs for the Falcon API. Credentials are stored in the iOS Keychain or Android Keystore on each device and are never written to logs.
Quick setup for CrowdStrike
- In Falcon Console, go to API Clients & Keys → Create OAuth2 API Client
- Grant scopes: Alerts (R/W), Hosts (R/W), User Management (R)
- Copy Client ID and Client Secret
- In PocketSOC, choose your Falcon region (US-1, US-2, EU-1, or US-GOV-1)
- Paste credentials and connect
See the full Quick Start guide for Organization-mode setup with the PocketSOC Portal.
CrowdStrike integration FAQ
Which Falcon regions does PocketSOC support?
PocketSOC supports the four Falcon commercial and government regions: US-1, US-2, EU-1, and US-GOV-1. You select your region during setup; PocketSOC uses the matching Falcon API base URL for all requests.
Does PocketSOC support Real-Time Response (RTR)?
Not in the current version. PocketSOC supports host isolation and lift isolation through Falcon's containment APIs, but it does not start RTR sessions or run commands on endpoints. See the RTR FAQ entry for the future roadmap.
Can I rotate or revoke CrowdStrike credentials?
Yes. Because PocketSOC uses a customer-created OAuth2 API client, you can rotate the client secret or revoke the client entirely from the Falcon console at any time. PocketSOC will prompt for new credentials on the next request. See how PocketSOC authenticates.
Is PocketSOC affiliated with CrowdStrike?
No. PocketSOC is an independent third-party application developed by WeaveHub Technologies LLC. CrowdStrike does not endorse or operate PocketSOC. CrowdStrike® and Falcon® are trademarks of CrowdStrike Holdings, Inc. See the affiliation FAQ entry.
See the full PocketSOC FAQ covering all vendors and security topics.