CrowdStrike Falcon Permissions

Permissions to Fetch Assets

The following permissions are required to fetch specific asset types:

Permissions:

API Permissions

Scope	Permission	Notes
Hosts	Read
Host groups	Read
IOC Management	Read
Prevention policies	Read
Detections	Read
User Management	Read
Sensor Update Policies	Read
Indicators	Read	Requires CrowdStrike Falcon Intelligence Add-on. Used to discover shadow SaaS applications.
Vulnerabilities	Read	Requires an active CrowdStrike Falcon Vulnerability subscription. May assist in discovering shadow SaaS applications.

The following permissions are required to use specific Advanced Settings:

Advanced Setting Name	API Scope	Permission
Fetch users	User Management	Read
Enable vulnerability fetch (and all the settings listed in this section)	vulnerabilities:read	Read
Get Configuration Assessments for device Enrich Configuration Assessments with Rule Name	Falcon Configuration Assessment:read	Read
Fetch installed patches from the following report	Scheduled Reports API	Read Additional requirement: a Spotlight subscription

In Spotlight, follow these steps:

Navigate to Scheduled Reporting > Vulnerability Management.
Select Installed Patches.
Include at least the Hostname in the report; add more filters as needed.
Name the report (to use in the adapter's Advanced Configuration) and click Next.
Schedule the report to run daily 2 hours before the start of the global fetch or custom adapter discovery time, then click Next.
Ensure that the scheduled report can be read by the credentials used in the adapter configuration. Then, click Next.
Skip the Sharing part and click Save.
In Axonius, enable the Fetch installed patches from the following report advanced setting, and enter the name of the Installed Patches report to fetch.

The following permissions are required to run CrowdStrike Falcon Related Enforcement Actions:

Scope	Permission
Hosts	Write

Updated about 3 hours ago