Skip to main content

This guide is specific to the CrowdStrike Falcon Complete service. For CrowdStrike Falcon, use the CrowdStrike Falcon article instead.


This article was accurate at the time of writing, but changes happen. If you find the instructions are outdated, leave a description in the comment field below and let us know!

  • If you plan to enroll in the Expel Hunting service, a Falcon Data Replicator subscription is required.

Step 1: Enable console access

Expel is a CrowdStrike Certified Managed Security Provider partner. To allow the Expel partner console access to your console, do the following:

  1. Print, complete, and sign the CrowdStrike MSP Authorization Form. This form can be provided by the Expel customer success engineer.

  2. Attach the completed form in an email to CrowdStrike Falcon Complete Support. An Expel customer success engineer can help and can provide a template to send to CrowdStrike Falcon Complete Support.

To integrate the technology with Expel, we need to create secure credentials to the API.

Step 2: Enabling the OAuth2 API

To enable the OAuth2 API, follow the steps below:

  1. After you log into the Falcon UI, navigate to Support > API Clients and Keys.

  2. If API Clients and Keys doesn't appear in your CrowdStrike Falcon Complete UI, we need to reach out to CrowdStrike Falcon Complete Support to get it enabled for the integration. An Expel customer success engineer can help you with this.

  3. Select Add new API Client.

  4. Type Expel as the Client Name.

  5. Type Expel API Access as the Description.

  6. Select the following permissions:

    • Read for Detections.

    • Read for Hosts.

    • Read for Incidents.

    • Read for IOCs (Indicators of Compromise).

    • Read for Real Time Response.

  7. Make a record of your Client, Client Secret and Base URL for the API.

  8. Go to Step 3 to enter these credentials into Workbench.

Step 3: Configure the technology in Workbench

  1. Login to

  2. For Name type the host name of the device.

  3. For Location type the geographic location of the appliance.

  4. After typing the name and location, complete the remaining fields using the credentials and information you collected in Step 2 above.

    • API Username and API Key can be left blank.

    • Type OAuth2 Client ID from Step 2 in Client ID.

    • Type OAuth2 Secret from Step 2 in Client secret.

    • Leave Mark in console blank because the API access is read-only.

    • Type the Base URL from Step 2 in CrowdStrike API access.

    • Enable CrowdScore ingest, type y.


      Requires the incidents:read permission to work.