Implement comprehensive CrowdStrike connector feedback and cross-connector consistency updates
CrowdStrike-specific changes:
- Remove 'Connect' from title to match other connectors
- Remove private preview note and redundant sections (Private Preview access, Required API permissions)
- Add URBAC role options in Environmental Requirements
- Update verification step #4 to reference Getting value scenarios instead of dashboards/reports
- Add comprehensive Retrieved data section with asset/vulnerability/configuration details
- Standardize troubleshooting format to table with error codes and actions
- Update vulnerability findings to specify CVE findings only (not security misconfigurations)
Cross-connector consistency updates:
- Remove 'based on [vendor] findings' from Next steps security recommendations links across ALL connectors
- Update vulnerability descriptions to specify CVE findings only in Wiz and SentinelOne connectors
- Ensure consistent format and structure across all data connector documentation
Updated files: crowdstrike-data-connector.md, wiz-data-connector.md, sentinel-one-data-connector.md,
tenable-data-connector.md, qualys-data-connector.md, rapid7-data-connector.md, ServiceNow-data-connector.md
exposure-management/crowdstrike-data-connector.md
Lines changed: 28 additions & 28 deletions
@@ -4,17 +4,15 @@ description: Learn how to set up and configure the CrowdStrike Falcon data conne
4
4
ms.service: exposure-management
5
5
ms.author: dlanger
6
6
author: DebLanger
7
+
manager: ornat-spodek
7
8
ms.topic: how-to
8
-
ms.date: 08/27/2025
9
+
ms.date: 09/01/2025
9
10
---
10
11
11
-
# Connect CrowdStrike Falcon data connector
12
+
# CrowdStrike Falcon data connector
12
13
13
14
This article describes how to configure the CrowdStrike Falcon data connector for Microsoft Security Exposure Management. The CrowdStrike Falcon data connector enables you to integrate your CrowdStrike Falcon data insights with your extended security posture management, enhancing your visibility and control over your IT assets and risks.
14
15
15
-
> [!NOTE]
16
-
> This feature is currently in Private Preview and available for design partners. By onboarding to the Private Preview, you will have the opportunity to be among the first to enjoy this new feature and gain extended exposure insights based on the additional data and context it offers.
17
-
18
16
## Prerequisites
19
17
20
18
Before you configure the CrowdStrike data connector, ensure you have:
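Review bot: the front-matter additions in this hunk (`manager: ornat-spodek` and the `ms.date` bump from 08/27/2025 to 09/01/2025) are not mentioned anywhere in the commit message, which only lists content changes; either add a line for them or keep metadata edits in a separate commit so the history explains them. Dropping the `[!NOTE]` Private Preview callout together with the title change means the page now reads as generally available; confirm that the removed "available for design partners" statement is no longer true before merging, since nothing else in the hunk adjusts availability wording.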
@@ -26,6 +24,10 @@ Before you configure the CrowdStrike data connector, ensure you have:
26
24
- Global Administrator
27
25
- Security Administrator
28
26
- Security Operator
27
+
- Or alternatively, you can use [Microsoft Defender XDR Unified role-based access control (RBAC)](/defender-xdr/manage-rbac) with the following permissions:
28
+
-**Exposure Management (read)** for read-only access to Exposure Management experiences
29
+
-**Exposure Management (manage)** for full access to manage Exposure Management experiences
30
+
-**Core security settings (manage)** for connecting or changing vendor configurations (located under Authorization and settings category)
29
31
30
32
### CrowdStrike Requirements
31
33
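Review bot: the three new URBAC permission lines are written as `-**Exposure Management (read)** ...` with no space after the hyphen, so Markdown will not render them as list items and they will run together as a paragraph under the "Or alternatively" bullet. Indent them as sub-items with a space after the marker, for example `  - **Exposure Management (read)** for read-only access to Exposure Management experiences`, and do the same for the `(manage)` and `Core security settings (manage)` lines. "Or alternatively, you can use" is also redundant; "Alternatively, use" reads cleaner. Worth keeping the explicit statement that only **Core security settings (manage)** is needed to connect or change a vendor configuration, since that is the least-privilege role a reader should assign.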
@@ -89,42 +91,40 @@ After configuring the data connector:
89
91
90
92
3. Review any error messages if the connection fails.
91
93
92
-
4. Verify that CrowdStrike data appears in your exposure management dashboards and reports.
93
-
94
-
## Troubleshooting
95
-
96
-
If you encounter issues with the CrowdStrike data connector:
97
-
98
-
**Connection failures**:
99
-
- Verify your CrowdStrike API credentials are correct
100
-
- Ensure the API client has the required **Assets (Read)** and **Vulnerabilities (Read)** permissions
101
-
- Check that the API Base URL matches your CrowdStrike cloud instance
102
-
- Confirm you have CrowdStrike Falcon administrator role
94
+
4. Verify that CrowdStrike data is integrated by checking the scenarios described in [Getting value from your data connectors](value-data-connectors.md).
103
95
104
-
**Missing data**:
105
-
- Verify that your CrowdStrike environment has asset and vulnerability data to synchronize
106
-
- Ensure the API client was created with the correct scopes
96
+
## Retrieved data
107
97
108
-
## Required API permissions
98
+
CrowdStrike connector retrieves data on compute devices, including endpoints and servers monitored by CrowdStrike Falcon, along with vulnerability findings from CrowdStrike on those assets. It also retrieves network and configuration information to identify those devices.
109
99
110
-
The CrowdStrike API client must have the following permissions:
100
+
Only devices that were active in the last 90 days are retrieved, based on the last activity timestamp in CrowdStrike Falcon.
111
101
112
-
-**Assets (Read)**: Access to asset information
113
-
-**Vulnerabilities (Read)**: Access to vulnerability data
|**Error code 401**: Authorization failure | An authorization failure indicates that credentials might not be correct, or there might not be sufficient permissions to access the CrowdStrike data. Check your credentials and make sure they're correct and valid. Also check that your API client has the required permissions. See the CrowdStrike [configuration section](#create-crowdstrike-api-client) for details on how to generate the appropriate API client with correct scopes. |
115
+
|**Error code 403:** Access forbidden error | This error indicates that the provided credentials lack the necessary permissions to run the requested APIs. Update your credentials with the proper permissions as described in the [configuration section](#create-crowdstrike-api-client), and make sure your API client has the **Assets (Read)** and **Vulnerabilities (Read)** permissions. |
116
+
|**Error code 404:** Not found error | This error indicates that the requested endpoint wasn't found to be reachable. Verify that your CrowdStrike API Base URL is correct, see the [configuration section](#create-crowdstrike-api-client) for details. |
117
+
|**Error code 429** 'Too many requests" | The system periodically pulls data from the configured external providers, which might have a limit on the number of concurrent requests. We recommend creating a dedicated API client for the connector to avoid reaching this limit. |
118
+
| 'Temporary disconnected' or 'Temporary failure' error message | In the case where this error message appears without any additional information, verify the connector configuration (API Base URL and credentials). If these are valid and the issue doesn't resolve on its own, contact Support. |
119
+
| Not seeing my assets or the vulnerabilities reported by CrowdStrike in the ingested data | See [Retrieved data](#retrieved-data) for a description of the data expected to be retrieved by the CrowdStrike connector. If there's still missing data, contact Support. |
120
+
| CrowdStrike allowed IPs need to be configured to enable Exposure Management connectors to access CrowdStrike | Read how to add the set of IPs to add to your allowlist here: [Allowlist IP addresses](configure-data-connectors.md#allowlist-ip-addresses). |
121
121
122
122
## Next steps
123
123
124
124
After configuring the CrowdStrike data connector:
125
125
126
126
-[Review your attack surface map](enterprise-exposure-map.md) to see CrowdStrike data
127
-
-[Explore security recommendations](security-recommendations.md) based on CrowdStrike findings
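Review bot: the new troubleshooting table rows are inconsistent in their first column: the 401 row puts the colon outside the bold (`**Error code 401**: Authorization failure`), the 403 and 404 rows put it inside (`**Error code 403:** Access forbidden error`), and the 429 row drops the colon and mixes quote characters (`**Error code 429** 'Too many requests"`). Normalize to one form, for example `**Error code 429:** Too many requests`. Separately, this hunk deletes the `## Troubleshooting` heading (old line 94) and the rendered diff jumps from line 113 to line 115 straight into table rows, so neither a replacement heading nor a table header row is visible; confirm both are present in the new file or the rows will not render as a table. The unchanged `-[Review your attack surface map]` line has the same missing space after the list marker as the new URBAC bullets and could be fixed in the same pass.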