CrowdStrike Falcon Permissions

Permissions to Fetch Assets

The following permissions are required to fetch specific asset types:

Permissions:

  • Assets:Read

API Permissions

  <td></td>
</tr>

<tr>
  <td>Host groups</td>
  <td>Read</td>

  <td></td>
</tr>

<tr>
  <td>IOC Management</td>
  <td>Read</td>

  <td></td>
</tr>

<tr>
  <td>Prevention policies</td>
  <td>Read</td>

  <td></td>
</tr>

<tr>
  <td>Detections</td>
  <td>Read</td>

  <td></td>
</tr>

<tr>
  <td>User Management</td>
  <td>Read</td>

  <td></td>
</tr>

<tr>
  <td>Sensor Update Policies</td>
  <td>Read</td>

  <td></td>
</tr>

<tr>
  <td>Indicators</td>
  <td>Read</td>

  <td>
    Requires CrowdStrike Falcon Intelligence Add-on.
    Used to discover shadow SaaS applications.
  </td>
</tr>

<tr>
  <td>Vulnerabilities</td>
  <td>Read</td>

  <td>
    Requires an active CrowdStrike Falcon Vulnerability subscription.
    May assist in discovering shadow SaaS applications.
  </td>
</tr>

Permissions for Advanced Settings

The following permissions are required to use specific Advanced Settings:

Advanced Setting NameAPI ScopePermission
Fetch usersUser ManagementRead
Enable vulnerability fetch (and all the settings listed in this section)vulnerabilities:readRead
Get Configuration Assessments for device
Enrich Configuration Assessments with Rule Name
Falcon Configuration Assessment:readRead
Get number of agent versions behind latest sensor installer for device' OSSensor DownloadRead
Fetch installed patches from the following reportScheduled Reports APIRead
Additional requirement: a Spotlight subscription
Fetch CasesCasesRead

Setting Up Installed Patches Permissions

In Spotlight, follow these steps:

  1. Navigate to Scheduled Reporting > Vulnerability Management.

  2. Select Installed Patches.

  3. Include at least the Hostname in the report; add more filters as needed.

  4. Name the report (to use in the adapter's Advanced Configuration) and click Next.

  5. Schedule the report to run daily 2 hours before the start of the global fetch or custom adapter discovery time, then click Next.

  6. Ensure that the scheduled report can be read by the credentials used in the adapter configuration. Then, click Next.

  7. Skip the Sharing part and click Save.

  8. In Axonius, enable the Fetch installed patches from the following report advanced setting, and enter the name of the Installed Patches report to fetch.

Permissions for Enforcement Actions

The following permissions are required to run CrowdStrike Falcon Related Enforcement Actions:

ScopePermission
HostsWrite

Did this page help you?