# Crowdstrike Falcon

## Overview

The Veza integration for Crowdstrike Falcon enables the discovery of Users, Roles, and permissions from the Crowdstrike Falcon platform. Veza uses Crowdstrike APIs to populate the Access Graph with entities and metadata.

**Optional:** For customers with access to Crowdstrike Identity Protection, the integration supports bidirectional risk score synchronization between Veza and Falcon. See [Risk Score Integration](#risk-score-integration) for configuration details.

This document explains how to enable and configure a Crowdstrike Falcon integration.

## Configuring Crowdstrike

Before adding the integration to Veza, create an API client on the Crowdstrike platform for the connection.

1. Browse to your Crowdstrike Falcon instance (e.g., `https://falcon.us-2.crowdstrike.com/`) and log in
2. Click the hamburger icon in the upper-left corner to open the navigation bar
3. Click **Support and resources** in the left navigation bar, then click **API clients and keys** in the **Resources and tools** section of the navigation submenu
4. Click **Create API client** in the upper-right corner of the screen
5. Enter the following details in the **Create API client modal** window:
   * **Client name**: a distinct name for the API client
   * **Description**: an optional description of the API client's purpose
   * **Scope**:
     * Locate **User management** and click the **Read** checkbox
     * If Risk Score import/export will be enabled, the following permissions are required:

       | Scope                                     | Permission |
       | ----------------------------------------- | ---------- |
       | Identity Protection Entities              | READ/WRITE |
       | User Management                           | Read       |
       | Identity Protection Assessment            | Read       |
       | Identity Protection Detections            | Read       |
       | Identity Protection Enforcement           | Read       |
       | Identity Protection Entities              | Read       |
       | Identity Protection GraphQL               | Write      |
       | Identity Protection Health                | Read       |
       | Identity Protection on-premise enablement | Read       |
       | Identity Protection Timeline              | Read       |
6. Click **Create** at the bottom of the modal
7. From the **API client created** window, record the **Client ID**, **Secret**, and **Base URL** output values
8. Click **Done** to close the modal

## Configuring Crowdstrike on the Veza Platform

To enable Veza to gather data from the Crowdstrike Falcon platform:

1. In Veza, open the **Integrations** page.
2. Click *Add New* and pick Crowdstrike as the type of integration to add
3. Enter the required information and *Save* the configuration

| Field                         | Notes                                                                                   |
| ----------------------------- | --------------------------------------------------------------------------------------- |
| **Name**                      | A unique display name for the Crowdstrike Falcon connection                             |
| **Crowdstrike Url**           | The **Base URL** value recorded earlier                                                 |
| **Crowdstrike Client Id**     | The **Client ID** value recorded earlier                                                |
| **Crowdstrike Client Secret** | The **Secret** value recorded earlier                                                   |
| **Import Risk Scores**        | Check this to import risk scores from Falcon Identity to Veza                           |
| **Export Risk Scores**        | Check this to mark identities with a Veza Risk Score of 50 or higher in Falcon Identity |
| **Veza API Key**              | Required only if risk score import/export is enabled                                    |
| **Veza Tenant URL**           | Required only if Risk Score import/export is enabled                                    |

## Supported Entities

The Veza integration for Crowdstrike Falcon discovers the following entities and attributes from the Crowdstrike API:

{% hint style="info" %}
Many entities include additional attributes populated by Veza's enrichment system (such as owners, identity classifications, and risk scores). See [Enrichment Configuration](/4yItIzMvkpAvMVFAamTf/integrations/configuration/enrichment.md) for details on configuring these attributes.
{% endhint %}

### Identity Entities

#### Crowdstrike User

User account on the Crowdstrike Falcon platform. Users can be assigned to roles that grant permissions to perform actions within Falcon.

**Attributes:**

* `id`
* `name` *(constructed from `first_name` and `last_name`)*
* `first_name`
* `last_name`
* `email`
* `is_active` *(derived from `status`)*
* `created_at`
* `last_login_at`
* `cid`

**Identity Mapping:**

* Users are mapped to identity providers via their email address

#### Crowdstrike Role

Role defining a set of permissions within the Crowdstrike Falcon platform. Roles are assigned to users to grant them specific capabilities.

**Attributes:**

* `id`
* `name` *(derived from `display_name`)*
* `description`

**Notes:**

* Each role is associated with a permission entity that shares the same ID as the role

### Assignment Entities

#### Crowdstrike Role Assignment

Association linking a user to a role within the Crowdstrike Falcon platform. Role assignments determine the permissions available to each user.

**Attributes:**

* `user_uuid`
* `role_id`
* `role_name`
* `cid` - Customer ID
* `grant_type`

**Notes:**

* Each role automatically includes a permission with the same ID, representing the capabilities granted by that role assignment

## Risk Score Integration

### Risk Score Import

When Risk Score import is enabled, Veza imports identity risk scores from Crowdstrike Falcon Identity Protection and applies them as custom tags on identities in Veza.

**Supported Identity Sources:**

* Okta users
* Azure Active Directory / Entra users

**Custom Tags Applied:**

| Tag Name                          | Description                                                                                                          |
| --------------------------------- | -------------------------------------------------------------------------------------------------------------------- |
| `crowdstrike_risk_score`          | The numeric risk score (0-100) generated by the Falcon Identity Protection platform, formatted to two decimal places |
| `crowdstrike_risk_score_severity` | The risk severity level (HIGH/MEDIUM/LOW) associated with the risk score                                             |

When Risk Score import is enabled:

* Veza queries for Okta and Azure AD identities.
* Risk scores are retrieved from CrowdStrike Identity Protection's GraphQL API.
* Identities are matched by email address.
* The risk score and severity are applied as custom tags to matched identities in Veza.
* The integration automatically handles GraphQL API rate limits during the retrieval process.
* Risk scores are only imported for identities that exist in both systems.
* If multiple identities share the same email address, all will receive the same risk score tags.

### Risk Score Export

When Risk Score export is enabled, Veza performs the following steps:

* Queries for all identities with risk scores of 50 or higher.
* Groups the identities by email address.
* Marks the corresponding users in Crowdstrike Falcon for administrative investigation.

This enables security teams to take action in Falcon based on risk signals detected by Veza's access analytics.
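
The import and export matching rules described above, worked through on constructed data as an added example (not Veza's or Crowdstrike's code). The record shapes, the `veza_risk_score` field name, and the case-insensitive email comparison are assumptions made for illustration.

```python
from collections import defaultdict

EXPORT_THRESHOLD = 50  # from the page: Veza Risk Score of 50 or higher


def norm(email):
    # Assumption: addresses compare case-insensitively after trimming.
    return email.strip().lower()


def plan_import(identities, falcon_scores):
    """Predict which identities get Falcon risk tags, and what stays unmatched."""
    ids_by_email = defaultdict(list)
    for ident in identities:
        ids_by_email[norm(ident["email"])].append(ident["id"])
    tags, unmatched_falcon = {}, []
    for rec in falcon_scores:
        matched = ids_by_email.get(norm(rec["email"]), [])
        if not matched:  # the identity exists in Falcon only: nothing is imported
            unmatched_falcon.append(rec["email"])
        for ident_id in matched:  # identities sharing an email get the same tags
            tags[ident_id] = {
                "crowdstrike_risk_score": f"{rec['score']:.2f}",
                "crowdstrike_risk_score_severity": rec["severity"],
            }
    untagged = [i["id"] for i in identities if i["id"] not in tags]
    return tags, untagged, unmatched_falcon


def plan_export(identities):
    """Group identities at or above the threshold by email, as the export does."""
    flagged = defaultdict(list)
    for ident in identities:
        if ident["veza_risk_score"] >= EXPORT_THRESHOLD:
            flagged[norm(ident["email"])].append(ident["id"])
    return dict(flagged)


# Constructed sample data (hypothetical identities and scores).
IDENTITIES = [
    {"id": "okta:1", "email": "Ana@example.com", "veza_risk_score": 72},
    {"id": "entra:7", "email": "ana@example.com", "veza_risk_score": 35},
    {"id": "okta:2", "email": "bo@example.com", "veza_risk_score": 50},
    {"id": "okta:3", "email": "cy@example.com", "veza_risk_score": 10},
]
FALCON_SCORES = [
    {"email": "ana@example.com", "score": 81.456, "severity": "HIGH"},
    {"email": "dee@example.com", "score": 12.0, "severity": "LOW"},
]
```

The second and third return values of `plan_import` are the coverage gaps: accounts whose email address differs between the two systems receive no risk tags.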

