10-minute setup

Quick Start: Connect PocketSOC securely

One guided flow for CrowdStrike Falcon, Microsoft Defender for Endpoint, Microsoft Defender for Cloud, or AWS GuardDuty. PocketSOC stays independent; you stay in control of scopes and revocation.

Step 1: Create credentials

Prefer per-user clients so actions stay attributable and easy to revoke.

CrowdStrike Falcon

  • Falcon Console → API Clients & Keys → Create OAuth2 API Client
  • Scopes: Alerts (read/write), Hosts (read/write), User Mgmt (read)
  • Copy Client ID and Client Secret

Microsoft Defender for Endpoint

  • Azure Portal → App registrations → New registration
  • Select Application or Delegated permissions
  • Assign Alert.ReadWrite.All and Machine.ReadWrite.All; grant admin consent
  • Create client secret; capture Tenant ID, Client ID, Client Secret

Microsoft Defender for Cloud

  • Azure Portal → App registrations → New registration
  • Add user_impersonation (Delegated) or assign Security Reader/Admin RBAC role
  • Capture Tenant ID, Client ID, Subscription ID
  • Create client secret if using App permissions

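The same registration done from the Azure CLI, as an added example that is not part of PocketSOC's documentation. It takes the RBAC route from the list above (Security Reader scoped to one subscription) rather than the user_impersonation delegated permission, and assumes the Azure CLI is signed in with rights to create app registrations and role assignments; the display name `PocketSOC` and the subscription id placeholder are choices made for this example.

```shell
#!/bin/sh
# Added example (not PocketSOC's own tooling): Azure CLI equivalent of the
# Defender for Cloud console steps, using the Security Reader RBAC route.
# Assumes `az login` has been done by someone who can create app registrations
# and role assignments on the target subscription.
set -eu

APP_NAME="${APP_NAME:-PocketSOC}"                                           # display name chosen here
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder

# Registers the app, creates its service principal, grants Security Reader on
# the subscription only, and mints a client secret. Prints the four values the
# portal asks for in Step 2: tenant id, subscription id, application id, secret.
register_pocketsoc_app() {
    tenant_id=$(az account show --query tenantId -o tsv)
    app_id=$(az ad app create --display-name "$APP_NAME" --query appId -o tsv)
    sp_id=$(az ad sp create --id "$app_id" --query id -o tsv)
    # Scope is one subscription, not the tenant root or a management group,
    # so the app cannot read findings from other subscriptions.
    az role assignment create \
        --assignee-object-id "$sp_id" --assignee-principal-type ServicePrincipal \
        --role "Security Reader" \
        --scope "/subscriptions/$SUBSCRIPTION_ID" >/dev/null
    # One-year secret. Without --append, a later reset replaces all existing
    # credentials, which is the simplest rotation path.
    secret=$(az ad app credential reset --id "$app_id" --years 1 --query password -o tsv)
    printf 'TENANT_ID=%s\nSUBSCRIPTION_ID=%s\nAPPLICATION_ID=%s\nCLIENT_SECRET=%s\n' \
        "$tenant_id" "$SUBSCRIPTION_ID" "$app_id" "$secret"
}

# Least-privilege check: the service principal (object id in $1) must hold
# exactly one role on this subscription, and it must be Security Reader.
verify_role_scope() {
    roles=$(az role assignment list --assignee "$1" \
        --scope "/subscriptions/$SUBSCRIPTION_ID" \
        --query '[].roleDefinitionName' -o tsv)
    [ "$roles" = "Security Reader" ]
}

# Revocation: drop the role assignment ($1 = sp object id), then delete the
# app registration ($2 = application id). Either step alone already blocks access.
revoke_pocketsoc_app() {
    az role assignment delete --assignee "$1" --scope "/subscriptions/$SUBSCRIPTION_ID"
    az ad app delete --id "$2"
}

if [ "${1:-}" = "apply" ]; then
    register_pocketsoc_app
fi
```

Run with `sh register.sh apply` after setting `SUBSCRIPTION_ID`; the printed `CLIENT_SECRET` goes straight into the portal and nowhere else.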
AWS GuardDuty

  • AWS Console → IAM → Users → Create user (PocketSOC)
  • Attach AmazonGuardDutyReadOnlyAccess policy
  • Create access key; copy Access Key ID and Secret Access Key
  • Note the AWS region where GuardDuty is enabled
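The AWS CLI equivalent of the GuardDuty console steps above, added here as an example rather than taken from PocketSOC's own tooling. It assumes AWS CLI v2 run by an identity allowed to create IAM users, attach policies and create access keys; the user name `PocketSOC` and the managed policy come from the list above, and the extra least-privilege check and region discovery are additions.

```shell
#!/bin/sh
# Added example (not PocketSOC's own tooling): AWS CLI version of Step 1 for
# GuardDuty. Assumes AWS CLI v2 and an identity that may manage IAM users.
set -eu

POCKETSOC_USER="PocketSOC"
GUARDDUTY_RO_POLICY="arn:aws:iam::aws:policy/AmazonGuardDutyReadOnlyAccess"

# Create a dedicated IAM user and attach only the GuardDuty read-only policy.
# A separate user keeps actions attributable and makes revocation one call.
create_pocketsoc_user() {
    aws iam create-user --user-name "$POCKETSOC_USER"
    aws iam attach-user-policy \
        --user-name "$POCKETSOC_USER" \
        --policy-arn "$GUARDDUTY_RO_POLICY"
    # The secret is shown once; paste it into the portal, do not write it to disk.
    aws iam create-access-key --user-name "$POCKETSOC_USER" \
        --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output text
}

# Least-privilege check: returns 0 only when the single attached managed
# policy is AmazonGuardDutyReadOnlyAccess.
verify_least_privilege() {
    attached=$(aws iam list-attached-user-policies --user-name "$POCKETSOC_USER" \
        --query 'AttachedPolicies[].PolicyArn' --output text)
    [ "$attached" = "$GUARDDUTY_RO_POLICY" ]
}

# Step 1 asks you to note the region where GuardDuty is enabled; this prints
# "region detector-id" for every region that has a detector.
find_guardduty_regions() {
    for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
        detector=$(aws guardduty list-detectors --region "$region" \
            --query 'DetectorIds[0]' --output text)
        if [ "$detector" != "None" ]; then
            echo "$region $detector"
        fi
    done
}

# Revocation: deleting the access key ($1) is enough; keep the user for rotation.
revoke_pocketsoc_key() {
    aws iam delete-access-key --user-name "$POCKETSOC_USER" --access-key-id "$1"
}

if [ "${1:-}" = "apply" ]; then
    create_pocketsoc_user
    verify_least_privilege && echo "least-privilege check passed"
    find_guardduty_regions
fi
```

`verify_least_privilege` is worth re-running after any later policy change, since a second attached policy silently widens what the stored key can do.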

Step 2: Add vendor configuration in the portal

Go to portal.pocketsoc.com → Settings → Vendor Configurations → Add Configuration. Select your vendor and enter the credentials from Step 1.

  • CrowdStrike: Base URL (cloud region), Client ID, Client Secret
  • Defender for Endpoint: Tenant ID, Client ID, Client Secret (if App permissions)
  • Defender for Cloud: Tenant ID, Subscription ID, Application ID, Client Secret (if App permissions)
  • AWS GuardDuty: AWS Region, Access Key ID, Secret Access Key

The app automatically pulls configurations assigned to your user.

  • Revoke credentials in your vendor console at any time
  • No personal access tokens

Step 3: Enable push notifications

Optional but recommended for fast triage.

  • CrowdStrike: copy your PocketSOC webhook URL from Portal Settings; configure Falcon notification forwarding
  • Defender for Endpoint: forward alerts via Sentinel Analytics rule or a Logic App to your PocketSOC webhook URL
  • Defender for Cloud: set up an Azure Logic App + Workflow Automation to forward alerts. See setup guide
  • AWS GuardDuty: create an EventBridge rule to forward findings. See setup guide
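For the GuardDuty item above, an added example (not PocketSOC's setup guide) of the EventBridge plumbing: a rule that matches GuardDuty findings, an API destination pointing at the webhook URL, and a role allowed to invoke only that destination. It assumes AWS CLI v2; `WEBHOOK_URL` stands for the URL copied from Portal Settings, and the header name and value on the API-key connection are placeholders, since the page does not say how the webhook authenticates.

```shell
#!/bin/sh
# Added example (not PocketSOC's own setup guide): forward GuardDuty findings
# to a webhook with an EventBridge rule + API destination. Assumes AWS CLI v2
# run by an identity that may create IAM roles and EventBridge resources.
set -eu

WEBHOOK_URL="${WEBHOOK_URL:-https://example.invalid/pocketsoc-webhook}"  # placeholder
WEBHOOK_HEADER_NAME="${WEBHOOK_HEADER_NAME:-X-Api-Key}"                  # assumed
WEBHOOK_HEADER_VALUE="${WEBHOOK_HEADER_VALUE:-REPLACE_ME}"               # placeholder
PREFIX="pocketsoc-guardduty"

# Event pattern: GuardDuty findings only, with a numeric severity floor ($1,
# default 4, i.e. Medium and above on GuardDuty's 0-10 scale).
guardduty_event_pattern() {
    min_severity="${1:-4}"
    printf '{"source":["aws.guardduty"],"detail-type":["GuardDuty Finding"],"detail":{"severity":[{"numeric":[">=",%s]}]}}' "$min_severity"
}

# Trust policy letting EventBridge assume the invocation role.
trust_policy() {
    printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"events.amazonaws.com"},"Action":"sts:AssumeRole"}]}'
}

# Inline policy scoped to one API destination ARN ($1), nothing else.
invoke_role_policy() {
    printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"events:InvokeApiDestination","Resource":"%s"}]}' "$1"
}

setup_forwarding() {
    # 1. Connection: EventBridge keeps the header value in Secrets Manager,
    #    so the webhook credential never sits in the rule definition.
    conn_arn=$(aws events create-connection --name "$PREFIX-conn" \
        --authorization-type API_KEY \
        --auth-parameters "{\"ApiKeyAuthParameters\":{\"ApiKeyName\":\"$WEBHOOK_HEADER_NAME\",\"ApiKeyValue\":\"$WEBHOOK_HEADER_VALUE\"}}" \
        --query ConnectionArn --output text)
    # 2. API destination: the webhook URL, POST.
    dest_arn=$(aws events create-api-destination --name "$PREFIX-dest" \
        --connection-arn "$conn_arn" --invocation-endpoint "$WEBHOOK_URL" \
        --http-method POST --query ApiDestinationArn --output text)
    # 3. Role limited to invoking this one destination.
    role_arn=$(aws iam create-role --role-name "$PREFIX-role" \
        --assume-role-policy-document "$(trust_policy)" --query Role.Arn --output text)
    aws iam put-role-policy --role-name "$PREFIX-role" --policy-name invoke-dest \
        --policy-document "$(invoke_role_policy "$dest_arn")"
    # 4. Rule and target.
    aws events put-rule --name "$PREFIX-rule" \
        --event-pattern "$(guardduty_event_pattern 4)" >/dev/null
    aws events put-targets --rule "$PREFIX-rule" \
        --targets "Id=pocketsoc,Arn=$dest_arn,RoleArn=$role_arn"
}

if [ "${1:-}" = "apply" ]; then
    setup_forwarding
fi
```

Repeat the steps in every region where GuardDuty has a detector; EventBridge rules are regional, and the connection must live in the same region as the rule.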

Step 4: Use Demo Mode anytime

Evaluate without touching a real tenant.

  • Toggle Demo Mode on the Sign In screen
  • Uses mock data only; no external calls
  • Turn off anytime from Settings

Expect 5–10 minutes to first alert, assuming credentials are ready and scopes are granted.

Security guardrails

  • Customer-owned API clients; rotate or revoke anytime
  • Credentials encrypted at rest (AES-256-GCM) on the server and held in platform-native secure storage (iOS Keychain / Android Keystore) on the device; never logged
  • Alert payloads processed transiently for delivery
  • Regional endpoints supported (US/EU/Gov/custom)