Migrate from CrowdStrike Detects API to Alerts API

Caution: CrowdStrike is decommissioning its Detects API on September 30, 2025. This API is replaced by the CrowdStrike Alerts API.

This section describes how to migrate your configuration to use the Alerts API and prevent disruption to your data ingestion.

Who is affected?

This change affects you if you meet both of the following conditions:

  • You have active data feeds using the CrowdStrike Detection Cloud Monitoring API connector, which maps to the CS_DETECTS log type.
  • Your configured CrowdStrike API client for this feed doesn't have read privileges for alerts.

To prevent service disruption, complete one of the following procedures before September 30, 2025.

Option 1: Update permissions for your existing CrowdStrike API client (Recommended)

This approach requires configuration changes only in your CrowdStrike Falcon console and has the lowest impact on existing detection rules that reference the CS_DETECTS log type.

Before you begin, identify API clients using the Detects API. CrowdStrike provides a dashboard to help you identify API clients that use deprecated endpoints. API clients used by the Google SecOps detection monitoring feed have a user agent string that starts with Google-Chronicle-Security.

To set up and use the dashboard, perform the following steps:

  1. Navigate to the CrowdStrike support article and download the YAML file, titled Planned Decommission of the detects API (September 30, 2025), attached at the bottom of the page.
  2. In the Falcon console, navigate to Next-Gen SIEM > Log management > Dashboards.
  3. From the Create dashboard list, select Create new.
  4. Click Import dashboards.
  5. Import the YAML file you downloaded.
  6. On the dashboard, navigate to the Calls to the deprecated "/detects" API endpoints table. This table lists the client IDs of all API clients calling the deprecated endpoint.
  7. For each API client ID identified in the previous step, grant the read permission for alerts as shown in the image.
  8. In the Falcon console, navigate to the OAuth2 API clients tab. You might need to go through multiple pages to find a specific client ID.
  9. Select the API client you want to modify, and click Edit API client.
  10. In the table on the Edit API client form, select the Read checkbox for alerts.
  11. Click Update client details.
  12. Verify the changes to ensure that the migration is successful.

    • Confirm that your CrowdStrike feeds in Google SecOps continue to receive data.
    • Check the dashboard in the Falcon console again after 30 minutes. The dashboard should no longer register any calls to the Detects API from the updated client IDs.

Option 2: Create and use a new CrowdStrike API client

Use this option if you have trouble identifying your existing API client IDs. The Google SecOps connector for the CS_DETECTS log type automatically attempts to use the Alerts API first. If the required permissions are missing, it uses the Detects API. By creating a new client with the correct permissions, you can ensure that the connector uses the modern Alerts API.

  1. In the CrowdStrike Falcon console, navigate to the OAuth2 API clients section.
  2. Click Create API client.
  3. In the table on the Create API client form, select the Read checkbox for alerts.
  4. From the API client created form, copy the information in the Client ID, Secret, and Base URL fields.
  5. In Google SecOps, navigate to SIEM Settings > Feeds.
  6. Locate your CrowdStrike Detection Monitoring (CS_DETECTS) feed and click Edit Feed.
  7. Replace the existing credentials with the client ID and client secret you copied from the Falcon console.
  8. Review your feed configuration and click Submit.
  9. Repeat these steps for each CS_DETECTS feed across all your Google SecOps instances.

Verify the changes

After updating the feed, verify that the migration was successful:

  • Confirm that your CrowdStrike feed in Google SecOps continues to receive data.
  • Check the dashboard in the Falcon console as described in the recommended method. The dashboard should no longer register any calls to the Detects API.
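
The dashboard re-check in the verification steps of both options can be scripted against exported rows. The following is an added example, not code from Google or CrowdStrike; the CSV column names, client IDs, endpoint paths, and timestamps are constructed assumptions, and only the user agent prefix and the 30-minute wait come from this page.

```python
import csv
import io
from datetime import datetime, timedelta

UA_PREFIX = "Google-Chronicle-Security"  # user agent prefix named on this page
SETTLE = timedelta(minutes=30)           # wait before re-checking the dashboard

# Constructed sample export; column names and values are assumptions,
# not the dashboard's real schema.
SAMPLE_EXPORT = """\
timestamp,client_id,user_agent,endpoint
2025-09-01T09:00:00+00:00,client-aaa,Google-Chronicle-Security/1.0,/detects/queries/detects/v1
2025-09-01T10:10:00+00:00,client-aaa,Google-Chronicle-Security/1.0,/detects/queries/detects/v1
2025-09-01T11:00:00+00:00,client-aaa,Google-Chronicle-Security/1.0,/alerts/queries/alerts/v2
2025-09-01T11:05:00+00:00,client-bbb,Google-Chronicle-Security/1.0,/detects/queries/detects/v1
2025-09-01T11:10:00+00:00,client-ccc,Google-Chronicle-Security/1.0,/detects/queries/detects/v1
2025-09-01T11:15:00+00:00,client-ddd,other-tool/2.3,/detects/queries/detects/v1
"""

# Constructed: when the alerts read permission was granted to each client.
SAMPLE_GRANTED = {
    "client-aaa": datetime.fromisoformat("2025-09-01T10:00:00+00:00"),
    "client-bbb": datetime.fromisoformat("2025-09-01T10:00:00+00:00"),
}

def check_migration(export_text, granted_at, settle=SETTLE):
    """Return {client_id: finding} for SecOps feed clients needing attention.

    A client is flagged if it calls /detects without having been updated,
    or if it still calls /detects more than `settle` after the update.
    """
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        if not row["user_agent"].startswith(UA_PREFIX):
            continue  # not a Google SecOps feed client
        if not row["endpoint"].startswith("/detects"):
            continue  # call already goes to the Alerts API
        client = row["client_id"]
        seen = datetime.fromisoformat(row["timestamp"])
        granted = granted_at.get(client)
        if granted is None:
            findings[client] = "alerts read permission not granted yet"
        elif seen > granted + settle:
            findings[client] = "still calling /detects after update"
    return findings

if __name__ == "__main__":
    for client, finding in check_migration(SAMPLE_EXPORT, SAMPLE_GRANTED).items():
        print(client, "->", finding)
```
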

For more details, see the official CrowdStrike decommissioning notice.

CrowdStrike Detections API deprecation in SOAR integration

The CrowdStrike Falcon SOAR integration used the Detections API within its actions and connectors. CrowdStrike's deprecation of this API affects the following actions and connectors:

  • Add Comment to Detection
  • Close Detection
  • Update Detection
  • CrowdStrike - Detections Connector

The SOAR CrowdStrike integration already supports the Alerts API, which replaces the Detections API. To use the new Alerts API, you must do the following:

  1. Install the CrowdStrike - Alerts Connector.
  2. Update playbooks to use the Update Alert and Add Alert Comment actions.


Last updated 2026-02-19 UTC.