Skip to main content

Part 1: Crowdstrike Data Ingestion

Set up a CrowdStrike Falcon API client so ConfigView can pull your endpoint security and Falcon Cloud Security (Azure) data into the dashboard.

Step 1: Create an API Client

  1. Log in to your CrowdStrike Falcon Console.
  2. Navigate to Support and resources > API Clients and Keys.
  3. Click Add new API client.
  4. Give it a name (e.g. ConfigView) and grant the Read scopes below for the data sets you want to ingest:
    ScopeAccessPowers
    HostsReadDevice IDs, Host Details
    AlertsReadAlerts (Detections)
    IncidentsReadIncidents
    Host GroupsReadHost Groups
    Prevention PoliciesReadPrevention Policies
    Sensor Update PoliciesReadSensor Update Policies
    Falcon Cloud Security (CSPM registration)ReadAzure Accounts, Misconfigurations (IOM), Policies
  5. Click Add and copy the Client ID and Client Secret — the secret is shown only once.
Cloud region: these scripts default to the US-1 cloud (https://api.crowdstrike.com). If your tenant is on US-2, EU-1, or GovCloud, update the BASE_URL constant at the top of each crowdstrike_get_*.py and the health check to the matching API host.

Step 2: Add the Credentials to ConfigView

  1. Go to your ConfigView dashboard: https://{companyname}.configview.com/admin/secret/
  2. Click Add Secret
  3. Create the following secrets:
    • CROWDSTRIKE_CLIENT_ID
    • CROWDSTRIKE_CLIENT_SECRET
  4. Click Save

Step 3: Enable the Crowdstrike App in ConfigView

  1. Go to: https://{companyname}.configview.com/admin/cron/
  2. You should see Crowdstrike in the list of available apps
  3. Select the scripts you want to run.
  4. Click Save

Step 4: Verify

  1. Go to: https://{companyname}.configview.com/admin/status/
  2. Run the Crowdstrike health check.
  3. All checks should pass. The health check probes each read scope individually, so a failed check names the exact scope to grant on the API client.
If a check fails, verify that your secrets are saved correctly and the API client has the required Read scopes from Step 1.

Available Scripts

ScriptTableDescription
Device IDscrowdstrike_idsManaged device IDs (run first)
Host Detailscrowdstrike_ids_detailsSensor, OS, and host metadata per device
Alerts (Detections)crowdstrike_alertsEDR detections — severity, tactic/technique, host, status (last 90 days)
Incidentscrowdstrike_incidentsCorrelated incidents — score, state, affected hosts
Host Groupscrowdstrike_host_groupsStatic / dynamic host groups and assignment rules
Prevention Policiescrowdstrike_prevention_policiesPrevention policy config, enabled state, assigned groups
Sensor Update Policiescrowdstrike_sensor_update_policiesSensor build targets and uninstall protection
Cloud Security — Azure Accountscrowdstrike_cspm_azure_accountsRegistered Azure subscriptions and CSPM status
Cloud Security — Azure Misconfigurations (IOM)crowdstrike_cspm_iomIndicators of Misconfiguration across Azure services
Cloud Security — Azure Policiescrowdstrike_cspm_policiesCSPM policy catalog for Azure with severity and state
Note: The Alerts script ingests the last 90 days of detections by default. Adjust the LOOKBACK_DAYS constant in crowdstrike_get_alerts.py to widen or narrow the window.

Data Tables

Once the scripts run, the corresponding Crowdstrike tables will be created in your database. All tables include a run_at column for historical tracking and a raw JSON column with the full CrowdStrike object for each record.