CrowdStrike Falcon Permissions
Permissions to Fetch Assets
The following permissions are required to fetch specific asset types:
Permissions:
Assets:Read
API Permissions
<td></td>
</tr>
<tr>
<td>Host groups</td>
<td>Read</td>
<td></td>
</tr>
<tr>
<td>IOC Management</td>
<td>Read</td>
<td></td>
</tr>
<tr>
<td>Prevention policies</td>
<td>Read</td>
<td></td>
</tr>
<tr>
<td>Detections</td>
<td>Read</td>
<td></td>
</tr>
<tr>
<td>User Management</td>
<td>Read</td>
<td></td>
</tr>
<tr>
<td>Sensor Update Policies</td>
<td>Read</td>
<td></td>
</tr>
<tr>
<td>Indicators</td>
<td>Read</td>
<td>
Requires CrowdStrike Falcon Intelligence Add-on.
Used to discover shadow SaaS applications.
</td>
</tr>
<tr>
<td>Vulnerabilities</td>
<td>Read</td>
<td>
Requires an active CrowdStrike Falcon Vulnerability subscription.
May assist in discovering shadow SaaS applications.
</td>
</tr>
To fetch SaaS Applications data the following user permissions are required:
- View Quarantine File settings
- View Response policies
- And the following scopes:
| Scope | Permission |
|---|---|
| Hosts | Read |
| Host groups | Read |
| IOC Management | Read |
| Prevention policies | Read |
| Sensor update policies | Write |
| Device Control Policies | Read |
Permissions for Advanced Settings
The following permissions are required to use specific Advanced Settings:
| Advanced Setting Name | API Scope | Permission |
|---|---|---|
| Fetch users | User Management | Read |
| Enable vulnerability fetch (and all the settings listed in this section) | vulnerabilities:read | Read |
| Get Configuration Assessments for device Enrich Configuration Assessments with Rule Name | Falcon Configuration Assessment:read | Read |
| Get number of agent versions behind latest sensor installer for device' OS | Sensor Download | Read |
| Fetch installed patches from the following report | Scheduled Reports API | Read Additional requirement: a Spotlight subscription |
| Fetch Cases | Cases | Read |
Setting Up Installed Patches Permissions
In Spotlight, follow these steps:
-
Navigate to Scheduled Reporting > Vulnerability Management.
-
Select Installed Patches.
-
Include at least the Hostname in the report; add more filters as needed.
-
Name the report (to use in the adapter's Advanced Configuration) and click Next.
-
Schedule the report to run daily 2 hours before the start of the global fetch or custom adapter discovery time, then click Next.
-
Ensure that the scheduled report can be read by the credentials used in the adapter configuration. Then, click Next.
-
Skip the Sharing part and click Save.
-
In Axonius, enable the Fetch installed patches from the following report advanced setting, and enter the name of the Installed Patches report to fetch.
Permissions for Enforcement Actions
The following permissions are required to run CrowdStrike Falcon Related Enforcement Actions:
| Scope | Permission |
|---|---|
| Hosts | Write |
Updated 20 days ago
