Part 1: Crowdstrike Data Ingestion
Set up a CrowdStrike Falcon API client so ConfigView can pull your endpoint security and Falcon Cloud Security (Azure) data into the dashboard.Step 1: Create an API Client
- Log in to your CrowdStrike Falcon Console.
- Navigate to Support and resources > API Clients and Keys.
- Click Add new API client.
-
Give it a name (e.g.
ConfigView) and grant the Read scopes below for the data sets you want to ingest:Scope Access Powers Hosts Read Device IDs, Host Details Alerts Read Alerts (Detections) Incidents Read Incidents Host Groups Read Host Groups Prevention Policies Read Prevention Policies Sensor Update Policies Read Sensor Update Policies Falcon Cloud Security (CSPM registration) Read Azure Accounts, Misconfigurations (IOM), Policies - Click Add and copy the Client ID and Client Secret — the secret is shown only once.
Cloud region: these scripts default to the US-1 cloud (https://api.crowdstrike.com). If your tenant is on US-2, EU-1, or GovCloud, update theBASE_URLconstant at the top of eachcrowdstrike_get_*.pyand the health check to the matching API host.
Step 2: Add the Credentials to ConfigView
- Go to your ConfigView dashboard:
https://{companyname}.configview.com/admin/secret/ - Click Add Secret
- Create the following secrets:
CROWDSTRIKE_CLIENT_IDCROWDSTRIKE_CLIENT_SECRET
- Click Save
Step 3: Enable the Crowdstrike App in ConfigView
- Go to:
https://{companyname}.configview.com/admin/cron/ - You should see Crowdstrike in the list of available apps
- Select the scripts you want to run.
- Click Save
Step 4: Verify
- Go to:
https://{companyname}.configview.com/admin/status/ - Run the Crowdstrike health check.
- All checks should pass. The health check probes each read scope individually, so a failed check names the exact scope to grant on the API client.
Available Scripts
| Script | Table | Description |
|---|---|---|
| Device IDs | crowdstrike_ids | Managed device IDs (run first) |
| Host Details | crowdstrike_ids_details | Sensor, OS, and host metadata per device |
| Alerts (Detections) | crowdstrike_alerts | EDR detections — severity, tactic/technique, host, status (last 90 days) |
| Incidents | crowdstrike_incidents | Correlated incidents — score, state, affected hosts |
| Host Groups | crowdstrike_host_groups | Static / dynamic host groups and assignment rules |
| Prevention Policies | crowdstrike_prevention_policies | Prevention policy config, enabled state, assigned groups |
| Sensor Update Policies | crowdstrike_sensor_update_policies | Sensor build targets and uninstall protection |
| Cloud Security — Azure Accounts | crowdstrike_cspm_azure_accounts | Registered Azure subscriptions and CSPM status |
| Cloud Security — Azure Misconfigurations (IOM) | crowdstrike_cspm_iom | Indicators of Misconfiguration across Azure services |
| Cloud Security — Azure Policies | crowdstrike_cspm_policies | CSPM policy catalog for Azure with severity and state |
Note: The Alerts script ingests the last 90 days of detections by default. Adjust theLOOKBACK_DAYSconstant incrowdstrike_get_alerts.pyto widen or narrow the window.
Data Tables
Once the scripts run, the corresponding Crowdstrike tables will be created in your database. All tables include arun_at column for historical tracking and a raw
JSON column with the full CrowdStrike object for each record.