Migrate from CrowdStrike Detects API to Alerts API

This section describes how to migrate your configuration to use the Alerts API and prevent disruption to your data ingestion.

Who is affected?

This change affects you if you meet both of the following conditions:

  • You have active data feeds using the CrowdStrike Detection Cloud Monitoring API connector, which maps to the CS_DETECTS log type.
  • Your configured CrowdStrike API client for this feed does not have read privileges for alerts.

To prevent service disruption, complete one of the following procedures before September 30, 2025.

Option 1: Update permissions for your existing CrowdStrike API client (Recommended)

This approach requires configuration changes only in your CrowdStrike Falcon console and has the lowest impact on existing detection rules that reference the CS_DETECTS log type.

Before you begin, identify the API clients that still use the Detects API. CrowdStrike provides a dashboard that lists API clients calling deprecated endpoints. API clients used by the Google SecOps detection monitoring feed send a user agent string that starts with Google-Chronicle-Security.

To set up and use the dashboard, perform the following steps:

  1. Navigate to the CrowdStrike support article and download the YAML file titled PlannedDecommissionofthedetectsAPI(September30,2025), which is attached at the bottom of the page.
  2. In the Falcon console, navigate to Next-Gen SIEM > Log management > Dashboards.
  3. From the Create dashboard list, select Create new.
  4. Click Import dashboards.
  5. Import the YAML file you downloaded.
  6. On the dashboard, navigate to the Calls to the deprecated "/detects" API endpoints table. This table lists the client IDs of all API clients calling the deprecated endpoint.
  7. For each API client ID identified in the previous step, grant the read permission for alerts as described in the following steps.
  8. In the Falcon console, navigate to the OAuth2 API clients tab. You might need to page through multiple pages to find a specific client ID.
  9. Select the API client you want to modify, and click Edit API client.
  10. In the table on the Edit API client form, select the Read checkbox for alerts.
  11. Click Update client details.
  12. Verify the changes to ensure that the migration is successful.

    • Confirm that your CrowdStrike feeds in Google SecOps continue to receive data.
    • Check the dashboard in the Falcon console again after 30 minutes. The dashboard should no longer register any calls to the Detects API from the updated client IDs.

Option 2: Create and use a new CrowdStrike API client

Use this option if you have trouble identifying your existing API client IDs. The Google SecOps connector for the CS_DETECTS log type automatically attempts to use the Alerts API first. If the required permissions are missing, it uses the Detects API. By creating a new client with the correct permissions, you can ensure that the connector uses the modern Alerts API.

  1. In the CrowdStrike Falcon console, navigate to the OAuth2 API clients section.
  2. Click Create API client.
  3. In the table on the Create API client form, select the Read checkbox for alerts.
  4. From the API client created form, copy the information in the Client ID, Secret, and Base URL fields.
  5. In Google SecOps, navigate to SIEM Settings > Feeds.
  6. Locate your CrowdStrike Detection Monitoring (CS_DETECTS) feed and click Edit Feed.
  7. Replace the existing credentials with the client ID and client secret you copied from the Falcon console.
  8. Review your feed configuration and click Submit.
  9. Repeat these steps for each CS_DETECTS feed across all your Google SecOps instances.

Verify the changes

After updating the feed, verify that the migration was successful:

  • Confirm that your CrowdStrike feed in Google SecOps continues to receive data.
  • Check the dashboard in the Falcon console as described in the recommended method. The dashboard should no longer register any calls to the Detects API.
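As an added check that is not part of the Google SecOps or CrowdStrike documentation, the following script probes an API client the way the connector's fallback logic implies: it requests one alert and one detect with the client's credentials and reports whether the client will land on the Alerts API, on the deprecated Detects API, or on neither. The endpoint paths and the FALCON_* environment variable names are assumptions; the Base URL, Client ID and Secret are the values copied from the API client form.

```python
# Added example, not from the Google SecOps or CrowdStrike docs: probe whether a
# Falcon API client can read alerts, i.e. whether the CS_DETECTS connector will
# use the Alerts API or fall back to the deprecated Detects API.
import json
import os
import urllib.error
import urllib.parse
import urllib.request

# Assumed endpoint paths and env-var names; check against the current API reference.
TOKEN_PATH = "/oauth2/token"
ALERTS_PATH = "/alerts/queries/alerts/v2?limit=1"
DETECTS_PATH = "/detects/queries/detects/v1?limit=1"


def get_token(base_url, client_id, client_secret):
    """OAuth2 client-credentials exchange; returns the bearer token."""
    body = urllib.parse.urlencode(
        {"client_id": client_id, "client_secret": client_secret}).encode()
    req = urllib.request.Request(base_url + TOKEN_PATH, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def probe(base_url, token, path):
    """HTTP status of an authenticated GET; 403 means the scope is not granted."""
    req = urllib.request.Request(base_url + path, headers={"Authorization": "Bearer " + token})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def classify(alerts_status, detects_status):
    """Which API the connector ends up on: it tries Alerts first, Detects only as fallback."""
    if alerts_status == 200:
        return "alerts"  # migration complete for this client
    if alerts_status == 403 and detects_status == 200:
        return "detects-fallback"  # still on the deprecated API: grant Read on alerts
    if alerts_status == 403 and detects_status == 403:
        return "no-access"  # neither scope granted; the feed will stop after the cutoff
    return "error"  # token or network problem; inspect both status codes


if __name__ == "__main__":
    base = os.environ["FALCON_BASE_URL"]  # the Base URL shown on the API client form
    tok = get_token(base, os.environ["FALCON_CLIENT_ID"], os.environ["FALCON_CLIENT_SECRET"])
    print(classify(probe(base, tok, ALERTS_PATH), probe(base, tok, DETECTS_PATH)))
```

Run it once per CS_DETECTS feed credential; a "detects-fallback" result means that client still needs the Read permission for alerts before the cutoff date.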

For more details, see the official CrowdStrike decommissioning notice.
