CrowdStrike Falcon
About this document

This document gives you the step-by-step procedure to configure CrowdStrike Falcon in SAFE.


You need the following connection details to establish the SAFE - CrowdStrike Falcon connection.

  • CrowdStrike URL
  • Client ID
  • Client Secret
To create API clients and secrets, you must have a Falcon Administrator role in CrowdStrike. The API client secret value is only shown when a new API client is created or while resetting it.

Follow the below step-by-step procedure to get the connector details:

  1. Log in to your CrowdStrike instance.
  2. Navigate to the Support > API Clients and Keys menu.
  3. Click Add new API Client. The API scope view opens.
  4. Enter the Client Name and Description.
  5. Under the API Scopes section, select the Read checkbox for Detections and Hosts.
  6. Click the Add button.
  7. The system displays the connection details (URL, Client ID, and Client Secret).
  8. Copy the connection details.

Configure CrowdStrike

To configure CrowdStrike Falcon in SAFE:

  1. Navigate to SAFE Hooks.
  2. Click the CrowdStrike Falcon card.
  3. On the CrowdStrike Falcon configuration page, enter the connection details (CrowdStrike URL, Client ID, and Client Secret).
  4. (Optional) Enter the Tag Filters (Tag Names) to pull only selected data from CrowdStrike into SAFE.
    Example: ['Tag1', admin...]
    Tag Filter: SAFE fetches only the data of CrowdStrike assets that carry the listed tags. If no Tag Name is entered in this field, the system fetches the data of every asset the user has access to.
  5. If needed, clear the Onboard Assets checkbox.
    Onboard Assets: By default, any CrowdStrike asset that is not found in SAFE is onboarded. To limit the integration to pulling findings only for assets already present in SAFE, clear this option.
  6. Enter the Auto Sync frequency in number of days.
  7. Click the Test Connection button.
  8. Once the connection is validated, click the Save button.
  9. Once the configuration is saved, click the Sync Now button to trigger an on-demand sync outside the scheduled auto sync. The auto sync runs at 01:15 UTC.
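The Tag Filters field and the Onboard Assets checkbox together decide which CrowdStrike hosts the connector pulls and which it creates in SAFE. The following added example (not SAFE's or CrowdStrike's own code) models that selection on constructed host records; it assumes a host matches the filter when it carries any one of the listed tag names, which the page does not state.

```python
# Added example, not code from SAFE or CrowdStrike. Host records below are
# constructed sample data; the any-tag-matches rule is an assumption.
from dataclasses import dataclass

@dataclass(frozen=True)
class Host:
    hostname: str
    tags: frozenset

def select_hosts(hosts, tag_filter=(), safe_assets=(), onboard_assets=True):
    """Apply the Tag Filters field and the Onboard Assets checkbox.

    Returns the hosts whose EDR data is pulled and the subset of those that
    are new to SAFE and therefore get onboarded.
    """
    wanted = set(tag_filter)
    known = set(safe_assets)
    # An empty filter means every host the API client can see is in scope.
    in_scope = [h for h in hosts if not wanted or wanted & h.tags]
    if not onboard_assets:
        # Checkbox cleared: keep only hosts that already exist in SAFE.
        in_scope = [h for h in in_scope if h.hostname in known]
    onboarded = [h for h in in_scope if h.hostname not in known]
    return {
        "pulled": sorted(h.hostname for h in in_scope),
        "onboarded": sorted(h.hostname for h in onboarded),
    }

# Constructed sample: three hosts, two of which already exist in SAFE.
SAMPLE_HOSTS = [
    Host("web-01", frozenset({"Tag1", "prod"})),
    Host("db-01", frozenset({"prod"})),
    Host("admin-laptop", frozenset({"admin"})),
]
SAFE_ASSETS = ["web-01", "db-01"]

if __name__ == "__main__":
    print(select_hosts(SAMPLE_HOSTS, ["Tag1", "admin"], SAFE_ASSETS))
    print(select_hosts(SAMPLE_HOSTS, ["Tag1", "admin"], SAFE_ASSETS, onboard_assets=False))
```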


View Result

After a successful sync, the CrowdStrike assets, along with their EDR data, are automatically imported into SAFE.

To view the assets pulled from CrowdStrike:

  1. Navigate to Technology > Assets.
  2. Filter the asset list with source equals CrowdStrike.


To view the results for an asset:

  1. Navigate to Technology > Inside-out.
  2. Go to the asset details page for which you need to see the assessment result.
  3. Filter the control list for Assessment Tool as CrowdStrike.
  4. The system displays all the EDR findings and their status for CrowdStrike.


1. How is the CrowdStrike to SAFE asset type mapping done?

The CrowdStrike asset's Operating System (the os_version field returned by the CrowdStrike APIs) is used to map it to a SAFE asset type. The mapping can be viewed or updated using the GET and POST /settings/os-to-safe-asset-type-mapping APIs.

2. What assessment data does SAFE pull from CrowdStrike, and for which types of assets?

SAFE does not perform any native assessment of the CrowdStrike assets. SAFE pulls the detections from CrowdStrike and adds/updates them as EDR findings in SAFE.

3. Which CrowdStrike detections are used for scoring of an asset in SAFE?

Only the detections which are in New, In Progress, True Positive, Ignored, or Re-Opened state in CrowdStrike will be used as EDR findings for scoring assets in SAFE.

4. How can I view the list of all EDR Findings of an asset in SAFE?

A list of all EDR Findings of an asset can be viewed by going to the asset details page and clicking on the number in the EDR Findings Count row. 

If there is no EDR Findings Count row displayed for that asset, the asset type is not supported for EDR assessments in SAFE.

5. Why is there a difference between the total count of EDR Controls and the EDR Findings count of an asset in SAFE?

The EDR Findings count includes every individual failing instance of the EDR controls, so it can exceed the number of EDR controls when a single EDR control has multiple failing instances.

6. How do I know if an EDR detection has multiple failing instances on an asset?

One way to identify whether an EDR finding has multiple failing instances is to check the observation section of the assessed control. Observation contains the different detection instances as returned by CrowdStrike. Another way is to go to that failed control’s details page and check if it has multiple instances.

7. How can I check the Sync status for CrowdStrike Integration?

To view the information related to any saved configuration, use GET /integrations/:instance_id. It returns all config fields except those listed in the sensitiveFields array, which are stored encrypted. It also returns the config state and the current sync status. In the sample response below, the contents of the two arrays are omitted:

{
  "id": 1,
  "type": "edrplugin",
  "subtype": "crowdstrike",
  "config": {
    "url": "",
    "clientId": "username",
    "sensitiveFields": [
      ...
    ],
    "autoSyncFrequency": 1,
    "shouldImportAssets": true,
    "assetMatchingCriteria": [
      ...
    ]
  },
  "state": {
    "error": null,
    "stage": "COMPLETED",
    "status": 0,
    "totalAssets": 43,
    "failedAssets": 0,
    "lastScanTriggerTs": "2022-08-30T12:30:29.502Z",
    "completionPercentage": 100,
    "lastScanCompletionTs": "2022-08-30T12:34:17.173Z"
  },
  "isEnabled": true
}

8. What are the possible values of the state of CrowdStrike sync?

The following are the possible values for the sync stage:

  • QUEUED - Sync request has been received and will begin soon
  • TRANSFORMING - Sync is in progress
  • COMPLETED - Finished sync
  • ERROR - Error occurred during sync

Each stage reports its own completion percentage for reference.

The following are the possible values for sync status:

  • 1 - In Progress
  • 3 - Partial Success

9. What should be the type and subType of integration while adding a new CrowdStrike integration via POST /integration API?

The type of integration should be "edrplugin" and the subType should be "crowdstrike" when adding a new CrowdStrike integration using the API.
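Putting FAQs 7, 8 and 9 together, the following added example (not SAFE's own code) builds the body for POST /integration and turns a GET /integrations/:instance_id response into a short health verdict. The key name clientSecret is an assumption, and the meaning of status code 0 is not documented here; every other key, stage name and status code comes from the page.

```python
# Added example, not SAFE's own code; "clientSecret" is an assumed key name.
STAGES = {
    "QUEUED": "Sync request has been received and will begin soon",
    "TRANSFORMING": "Sync is in progress",
    "COMPLETED": "Finished sync",
    "ERROR": "Error occurred during sync",
}
STATUSES = {1: "In Progress", 3: "Partial Success"}  # codes documented on the page

def build_integration_payload(url, client_id, client_secret,
                              auto_sync_days=1, onboard_assets=True):
    """Body for POST /integration; type and subtype values come from FAQ 9."""
    return {
        "type": "edrplugin",
        "subtype": "crowdstrike",  # FAQ 9 spells this subType; the GET sample shows subtype
        "config": {
            "url": url,
            "clientId": client_id,
            "clientSecret": client_secret,  # assumed key name; SAFE stores it encrypted
            "autoSyncFrequency": auto_sync_days,
            "shouldImportAssets": onboard_assets,
        },
    }

def summarize_sync(integration, sensitive=("clientSecret",)):
    """Read the state block of a GET /integrations/:instance_id response."""
    state = integration["state"]
    stage = state["stage"]
    # Healthy only when the sync finished with no error and no failed assets.
    healthy = (stage == "COMPLETED" and state.get("error") is None
               and state.get("failedAssets", 0) == 0)
    # Secrets must never come back in the config block; flag it if they do.
    exposed = [k for k in sensitive if k in integration.get("config", {})]
    return {
        "stage": STAGES.get(stage, f"unknown stage {stage}"),
        "status": STATUSES.get(state["status"], f"code {state['status']}"),
        "progress": state.get("completionPercentage", 0),
        "failed_assets": state.get("failedAssets", 0),
        "healthy": healthy,
        "secrets_exposed": exposed,
    }

# Constructed sample shaped like the FAQ 7 response (array fields left out).
SAMPLE = {
    "id": 1, "type": "edrplugin", "subtype": "crowdstrike", "isEnabled": True,
    "config": {"url": "", "clientId": "username", "autoSyncFrequency": 1},
    "state": {"error": None, "stage": "COMPLETED", "status": 0,
              "totalAssets": 43, "failedAssets": 0, "completionPercentage": 100},
}
```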

10. Is it mandatory to provide tags in CrowdStrike Configuration?

No, it is not mandatory to provide tags in the CrowdStrike configuration. Tags let a user configure a filter for the assets whose EDR data SAFE pulls. This is useful when the EDR findings of only a subset of assets need to be pulled into SAFE.
