> ## Documentation Index
> Fetch the complete documentation index at: https://support.configview.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Crowdstrike setup

## Part 1: Crowdstrike Data Ingestion

Set up a CrowdStrike Falcon API client so ConfigView can pull your endpoint
security and Falcon Cloud Security (Azure) data into the dashboard.

***

### Step 1: Create an API Client

1. Log in to your CrowdStrike Falcon Console.

2. Navigate to **Support and resources > API Clients and Keys**.

3. Click **Add new API client**.

4. Give it a name (e.g. `ConfigView`) and grant the **Read** scopes below for the
   data sets you want to ingest:

   | Scope                                     | Access | Powers                                            |
   | ----------------------------------------- | ------ | ------------------------------------------------- |
   | Hosts                                     | Read   | Device IDs, Host Details                          |
   | Alerts                                    | Read   | Alerts (Detections)                               |
   | Incidents                                 | Read   | Incidents                                         |
   | Host Groups                               | Read   | Host Groups                                       |
   | Prevention Policies                       | Read   | Prevention Policies                               |
   | Sensor Update Policies                    | Read   | Sensor Update Policies                            |
   | Falcon Cloud Security (CSPM registration) | Read   | Azure Accounts, Misconfigurations (IOM), Policies |

5. Click **Add** and copy the **Client ID** and **Client Secret** — the secret is
   shown only once.

> **Cloud region:** these scripts default to the US-1 cloud
> (`https://api.crowdstrike.com`). If your tenant is on US-2, EU-1, or GovCloud,
> update the `BASE_URL` constant at the top of each `crowdstrike_get_*.py` and the
> health check to the matching API host.

***

### Step 2: Add the Credentials to ConfigView

1. Go to your ConfigView dashboard: `https://{companyname}.configview.com/admin/secret/`
2. Click **Add Secret**
3. Create the following secrets:
   * `CROWDSTRIKE_CLIENT_ID`
   * `CROWDSTRIKE_CLIENT_SECRET`
4. Click **Save**

***

### Step 3: Enable the Crowdstrike App in ConfigView

1. Go to: `https://{companyname}.configview.com/admin/cron/`
2. You should see **Crowdstrike** in the list of available apps
3. Select the scripts you want to run.
4. Click **Save**

***

### Step 4: Verify

1. Go to: `https://{companyname}.configview.com/admin/status/`
2. Run the **Crowdstrike** health check.
3. All checks should pass. The health check probes each read scope individually, so
   a failed check names the exact scope to grant on the API client.

If a check fails, verify that your secrets are saved correctly and the API client
has the required Read scopes from Step 1.

***

### Available Scripts

| Script                                         | Table                                | Description                                                              |
| ---------------------------------------------- | ------------------------------------ | ------------------------------------------------------------------------ |
| Device IDs                                     | `crowdstrike_ids`                    | Managed device IDs (run first)                                           |
| Host Details                                   | `crowdstrike_ids_details`            | Sensor, OS, and host metadata per device                                 |
| Alerts (Detections)                            | `crowdstrike_alerts`                 | EDR detections — severity, tactic/technique, host, status (last 90 days) |
| Incidents                                      | `crowdstrike_incidents`              | Correlated incidents — score, state, affected hosts                      |
| Host Groups                                    | `crowdstrike_host_groups`            | Static / dynamic host groups and assignment rules                        |
| Prevention Policies                            | `crowdstrike_prevention_policies`    | Prevention policy config, enabled state, assigned groups                 |
| Sensor Update Policies                         | `crowdstrike_sensor_update_policies` | Sensor build targets and uninstall protection                            |
| Cloud Security — Azure Accounts                | `crowdstrike_cspm_azure_accounts`    | Registered Azure subscriptions and CSPM status                           |
| Cloud Security — Azure Misconfigurations (IOM) | `crowdstrike_cspm_iom`               | Indicators of Misconfiguration across Azure services                     |
| Cloud Security — Azure Policies                | `crowdstrike_cspm_policies`          | CSPM policy catalog for Azure with severity and state                    |

> **Note:** The **Alerts** script ingests the last 90 days of detections by default.
> Adjust the `LOOKBACK_DAYS` constant in `crowdstrike_get_alerts.py` to widen or
> narrow the window.

***

### Data Tables

Once the scripts run, the corresponding Crowdstrike tables will be created in your
database. All tables include a `run_at` column for historical tracking and a `raw`
JSON column with the full CrowdStrike object for each record.
