CrowdStrike Identity Protection Integration Guide
Overview
The CrowdStrike Identity Protection integration allows your NINA workflows to connect to the CrowdStrike Falcon platform for identity security and zero trust assessment. This integration enables automated security operations, threat detection, and incident response directly from your automation platform.
Capabilities
This integration provides access to 3 resources with 11 operations covering:
- Identity Entities: Operations for Identity Entities
- Identity Protection: Operations for Identity Protection
- Zero Trust Assessment: Operations for Zero Trust Assessment
Credential Configuration
Before using the CrowdStrike Identity Protection integration in your workflows, you need to configure credentials for authentication.
Authentication Method
CrowdStrike Falcon uses OAuth2 Client Credentials authentication. This is a server-to-server authentication flow where you provide a Client ID and Client Secret, and the integration automatically handles token acquisition and refresh.
| Field | Description | Required |
|---|---|---|
| Client ID | Your CrowdStrike API Client ID | Yes |
| Client Secret | Your CrowdStrike API Client Secret | Yes |
| Base URL | CrowdStrike API endpoint for your cloud region | Yes |
How It Works
- You provide the Client ID and Client Secret when creating a credential
- The integration exchanges these for an OAuth2 access token automatically
- Tokens are refreshed automatically when they expire
- No redirect URLs or user interaction required
CrowdStrike Cloud Regions
Select the Base URL that matches your CrowdStrike Falcon cloud region:
| Cloud Region | Base URL | Description |
|---|---|---|
| US-1 | https://api.crowdstrike.com | United States (default) |
| US-2 | https://api.us-2.crowdstrike.com | United States (secondary) |
| EU-1 | https://api.eu-1.crowdstrike.com | European Union |
| US-GOV-1 | https://api.laggar.gcw.crowdstrike.com | US Government Cloud |
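As an added illustration (not code from NINA or CrowdStrike), the following Python sketch shows what the automatic token handling and region selection above amount to: a client-credentials request to the region's `/oauth2/token` endpoint, a cached token, and a refresh shortly before expiry. The HTTP transport is injected so it runs offline; the class name `FalconTokenManager`, the `refresh_margin` setting and the constructed stand-in endpoint are assumptions of this example.

```python
import time
from typing import Callable, Optional

# Cloud regions from the guide: the Base URL must match the tenant's region.
REGION_BASE_URLS = {
    "US-1": "https://api.crowdstrike.com",
    "US-2": "https://api.us-2.crowdstrike.com",
    "EU-1": "https://api.eu-1.crowdstrike.com",
    "US-GOV-1": "https://api.laggar.gcw.crowdstrike.com",
}

# Transport is injected so this runs offline: post(url, form_fields) -> JSON dict.
PostFn = Callable[[str, dict], dict]


class FalconTokenManager:
    """Caches a client-credentials token and refreshes it before it expires."""

    def __init__(self, base_url: str, client_id: str, client_secret: str,
                 post: PostFn, now: Callable[[], float] = time.time,
                 refresh_margin: float = 60.0):
        if base_url not in REGION_BASE_URLS.values():
            raise ValueError(f"{base_url!r} is not a listed Falcon cloud region")
        self._token_url = base_url + "/oauth2/token"
        self._creds = {"client_id": client_id, "client_secret": client_secret}
        self._post, self._now, self._margin = post, now, refresh_margin
        self._token: Optional[str] = None
        self._expires_at = 0.0
        self.fetch_count = 0  # number of round trips to the token endpoint

    def get_token(self) -> str:
        # Reuse the cached token while more than `refresh_margin` seconds remain.
        if self._token and self._now() < self._expires_at - self._margin:
            return self._token
        resp = self._post(self._token_url, dict(self._creds))
        self.fetch_count += 1
        self._token = resp["access_token"]
        # expires_in is the token lifetime in seconds; Falcon tokens are short-lived.
        self._expires_at = self._now() + float(resp["expires_in"])
        return self._token

    def auth_header(self) -> dict:
        return {"Authorization": f"Bearer {self.get_token()}"}


def constructed_token_endpoint(url: str, form: dict) -> dict:
    """Constructed stand-in for the real endpoint (no network): issues an opaque
    token per call and never echoes the client secret back."""
    assert url.endswith("/oauth2/token") and "client_secret" in form
    return {"access_token": f"tok-{int(time.time() * 1000)}", "token_type": "bearer", "expires_in": 1799}
```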
How to Obtain API Credentials
- Log in to the CrowdStrike Falcon Console
- Navigate to Support and resources > API Clients and Keys
- Click Add new API client
- Configure the API client:
  - Client Name: A descriptive name (e.g., "NINA Integration")
  - Description: Purpose of this API client
  - API Scopes: Select the permissions required for your use case (see Required Scopes below)
- Click Add to create the client
- Copy and securely store the Client ID and Client Secret immediately
Important: The Client Secret is only displayed once at creation time. If you lose it, you must create a new API client.
Required API Scopes
The API scopes required depend on which operations you plan to use. Common scopes include:
| Scope | Permission | Use Case |
|---|---|---|
| Detections | Read/Write | View and manage detections |
| Hosts | Read/Write | Query and manage endpoints |
| Incidents | Read/Write | View and manage incidents |
| IOCs | Read/Write | Manage indicators of compromise |
| Prevention Policies | Read/Write | Manage prevention policies |
| Real Time Response | Read/Write | Execute RTR commands |
| Sensor Update Policies | Read/Write | Manage sensor updates |
Refer to the CrowdStrike API documentation for a complete list of available scopes.
Creating a CrowdStrike Credential in NINA
- Navigate to the Credentials section in NINA
- Click Add New Credential
- Fill in the credential details:
  - Integration Service: Select "CrowdStrike Identity Protection"
  - Client ID: Paste your CrowdStrike API Client ID
  - Client Secret: Paste your CrowdStrike API Client Secret
  - Base URL: Select your CrowdStrike cloud region URL
- Click Test Connection to verify the credentials work
- Click Save to store the credential securely
Note: All CrowdStrike integrations (EDR, Intel, Platform, etc.) share the same credential. You only need to create one credential to use across all CrowdStrike modules.
Supported Resources
| Resource | Description | Operations |
|---|---|---|
| Identity Entities | Operations for Identity Entities | 3 |
| Identity Protection | Operations for Identity Protection | 5 |
| Zero Trust Assessment | Operations for Zero Trust Assessment | 3 |
Resource Details
Identity Entities
Operations for Identity Entities
Operations
| Operation | Name | Description |
|---|---|---|
| get_sensor_aggregates | Get Sensor Aggregates | SDK: identity_entities.GetSensorAggregates |
| get_sensor_details | Get Sensor Details | SDK: identity_entities.GetSensorDetails |
| list_sensors_by_filter | List Sensors By Filter | SDK: identity_entities.QuerySensorsByFilter |
Get Sensor Aggregates
SDK: identity_entities.GetSensorAggregates
Parameters:
| Name | Type | Required | Description |
|---|---|---|---|
| date_ranges | object | Yes | date ranges. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/ |
| exclude | string | Yes | exclude. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/ |
| extended_bounds | object | No | extended bounds. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/ |
| field | string | Yes | field. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/ |
| filter | string | Yes | filter. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/ |
| from | number | Yes | from. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/ |
| include | string | Yes | include. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/ |
| interval | string | Yes | interval. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/ |
| max_doc_count | number | No | max doc count. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/ |
| min_doc_count | number | No | min doc count. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/ |
| missing | string | Yes | missing. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/ |
| name | string | Yes | name. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/ |
| q | string | Yes | |
| ranges | object | Yes | ranges. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/ |
| size | number | Yes | size. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/ |
| sort | string | Yes | sort. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/ |
| sub_aggregates | object | Yes | sub aggregates. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/ |
| time_zone | string | Yes | time zone. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/ |
| type | string | Yes | type. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/ |
Example:
{
"date_ranges": {},
"exclude": "<exclude>",
"extended_bounds": {},
"field": "<field>",
"filter": "<filter>",
"from": 10,
"include": "<include>",
"interval": "<interval>",
"max_doc_count": 10,
"min_doc_count": 10,
"missing": "<missing>",
"name": "<name>",
"q": "<q>",
"ranges": {},
"size": 10,
"sort": "<sort>",
"sub_aggregates": {},
"time_zone": "<time_zone>",
"type": "<type>"
}
Get Sensor Details
SDK: identity_entities.GetSensorDetails
Parameters:
| Name | Type | Required | Description |
|---|---|---|---|
| ids | array | Yes | ids. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/ |
Example:
{
"ids": ["<ids>"]
}
List Sensors By Filter
SDK: identity_entities.QuerySensorsByFilter
Parameters:
| Name | Type | Required | Description |
|---|---|---|---|
| filter | string | No | The filter expression that should be used to limit the results |
| limit | number | No | The maximum records to return. [1-200] |
| offset | number | No | The offset to start retrieving records from |
| sort | string | No | The property to sort by (e.g. status.desc or hostname.asc) |
Example:
{
"filter": "<filter>",
"limit": 10,
"offset": 10,
"sort": "<sort>"
}
Identity Protection
Operations for Identity Protection
Operations
| Operation | Name | Description |
|---|---|---|
| apipreempt_proxy_delete_policy_rules | Apipreempt Proxy Delete Policy Rules | SDK: identity_protection.APIPreemptProxyDeletePolicyRules |
| apipreempt_proxy_get_policy_rules | Apipreempt Proxy Get Policy Rules | SDK: identity_protection.APIPreemptProxyGetPolicyRules |
| apipreempt_proxy_post_graphql | Apipreempt Proxy Post Graphql | SDK: identity_protection.APIPreemptProxyPostGraphql |
| apipreempt_proxy_post_policy_rules | Apipreempt Proxy Post Policy Rules | SDK: identity_protection.APIPreemptProxyPostPolicyRules |
| list_apipreempt_proxy_policy_rules | List Apipreempt Proxy Policy Rules | SDK: identity_protection.APIPreemptProxyGetPolicyRulesQuery |
Apipreempt Proxy Delete Policy Rules
SDK: identity_protection.APIPreemptProxyDeletePolicyRules
Parameters:
| Name | Type | Required | Description |
|---|---|---|---|
| ids | array | No | Rule IDs |
Example:
{
"ids": ["<ids>"]
}
Apipreempt Proxy Get Policy Rules
SDK: identity_protection.APIPreemptProxyGetPolicyRules
Parameters:
| Name | Type | Required | Description |
|---|---|---|---|
| ids | array | No | Rule IDs |
Example:
{
"ids": ["<ids>"]
}
Apipreempt Proxy Post Graphql
SDK: identity_protection.APIPreemptProxyPostGraphql
Parameters:
| Name | Type | Required | Description |
|---|---|---|---|
| query | string | Yes | query. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/ |
Example:
{
"query": "<query>"
}
Apipreempt Proxy Post Policy Rules
SDK: identity_protection.APIPreemptProxyPostPolicyRules
Parameters:
| Name | Type | Required | Description |
|---|---|---|---|
| action | string | Yes | action. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/ |
| activity | object | No | activity. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/ |
| destination | object | No | destination. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/ |
| enabled | boolean | Yes | enabled. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/ |
| name | string | Yes | name. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/ |
| simulationMode | boolean | Yes | simulation mode |
| sourceEndpoint | object | No | source endpoint |
| sourceUser | object | No | source user |
| trigger | string | Yes | trigger. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/ |
Example:
{
"action": "<action>",
"activity": {},
"destination": {},
"enabled": true,
"name": "<name>",
"simulationMode": true,
"sourceEndpoint": {},
"sourceUser": {},
"trigger": "<trigger>"
}
List Apipreempt Proxy Policy Rules
SDK: identity_protection.APIPreemptProxyGetPolicyRulesQuery
Parameters:
| Name | Type | Required | Description |
|---|---|---|---|
| enabled | boolean | No | Whether the rule is enabled |
| name | string | No | Rule name |
| simulation_mode | boolean | No | Whether the rule is in simulation mode |
Example:
{
"enabled": true,
"name": "<name>",
"simulation_mode": true
}
Zero Trust Assessment
Operations for Zero Trust Assessment
Operations
| Operation | Name | Description |
|---|---|---|
| get_assessment_ | Get Assessment | SDK: zero_trust_assessment.GetAssessmentV1 |
| get_assessments_by_score_ | Get Assessments By Score | SDK: zero_trust_assessment.GetAssessmentsByScoreV1 |
| get_audit_ | Get Audit | SDK: zero_trust_assessment.GetAuditV1 |
Get Assessment
SDK: zero_trust_assessment.GetAssessmentV1
Parameters:
| Name | Type | Required | Description |
|---|---|---|---|
| ids | array | No | One or more agent IDs, which you can find in the data.zta file, or the Falcon console. |
Example:
{
"ids": ["<ids>"]
}
Get Assessments By Score
SDK: zero_trust_assessment.GetAssessmentsByScoreV1
Parameters:
| Name | Type | Required | Description |
|---|---|---|---|
| after | string | No | A pagination token used with the limit parameter to manage pagination of results. On your first... |
| filter | string | No | FQL query specifying the filter score. |
| limit | number | No | The number of scores to return in this response (min: 1, max: 1000, default: 100). Use with the `... |
| sort | string | No | Sort accounts by their properties. A single sort field is allowed. Defaults to ascending. Support... |
Example:
{
"after": "<after>",
"filter": "<filter>",
"limit": 10,
"sort": "<sort>"
}
Get Audit
SDK: zero_trust_assessment.GetAuditV1
This operation has no parameters.
Example:
{
}
Best Practices
- Use Appropriate Filters: Leverage FQL (Falcon Query Language) filters to narrow down results and improve performance.
- Implement Pagination: For operations returning large datasets, use the `limit` and `offset` parameters to paginate results.
- Handle Rate Limits: CrowdStrike APIs have rate limits. Implement appropriate delays and retry logic in your workflows.
- Secure Credentials: Never log or expose API credentials. Use NINA's credential management for secure storage.
- Use Specific Scopes: When creating API clients, only request the minimum required API scopes.
- Monitor API Usage: Track your API usage to avoid hitting rate limits during critical operations.
- Validate IDs: Always validate resource IDs before using them in update or delete operations.
- Error Handling: Implement comprehensive error handling for API failures and unexpected responses.
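The pagination and rate-limit practices above, together with the `limit`/`offset` parameters of List Sensors By Filter, as an added Python example (not NINA's or CrowdStrike's own code): it clamps `limit` to the documented 1-200 range, walks offsets until a short page, and retries HTTP 429 with a `Retry-After` delay or exponential backoff. The injected transport, the `SENSORS_PATH` placeholder, the `Retry-After` header name and unit, the constructed FQL filter and the in-memory stand-in API are all assumptions of this example.

```python
import time
from typing import Callable, Iterator, Tuple

# Injected transport so this runs offline: get(path, params, headers) -> (status, headers, json)
GetFn = Callable[[str, dict, dict], Tuple[int, dict, dict]]

MAX_LIMIT = 200  # QuerySensorsByFilter accepts limit in [1-200]
# Placeholder: take the real path for QuerySensorsByFilter from the OpenAPI reference.
SENSORS_PATH = "<QuerySensorsByFilter-path>"


def get_with_backoff(get: GetFn, path: str, params: dict, headers: dict,
                     max_attempts: int = 5, sleep=time.sleep) -> dict:
    """GET with retry on HTTP 429: wait Retry-After seconds (assumed header
    name and unit) when present, else back off exponentially (1s, 2s, 4s, ...)."""
    for attempt in range(max_attempts):
        status, resp_headers, body = get(path, params, headers)
        if status != 429:
            return body
        sleep(float(resp_headers.get("Retry-After", 2 ** attempt)))
    raise RuntimeError(f"{path}: still rate limited after {max_attempts} attempts")


def iter_sensor_ids(get: GetFn, headers: dict, fql_filter: str, sort: str = "hostname.asc",
                    page_size: int = MAX_LIMIT, sleep=time.sleep) -> Iterator[str]:
    """Walk QuerySensorsByFilter with limit/offset, stopping at the first short page."""
    page_size = max(1, min(page_size, MAX_LIMIT))  # clamp to the documented range
    offset = 0
    while True:
        params = {"filter": fql_filter, "limit": page_size, "offset": offset, "sort": sort}
        ids = get_with_backoff(get, SENSORS_PATH, params, headers, sleep=sleep).get("resources", [])
        yield from ids
        if len(ids) < page_size:  # a short (or empty) page means we have everything
            return
        offset += len(ids)


def make_constructed_api(all_ids: list, rate_limit_every: int = 3):
    """Constructed in-memory stand-in for the API (no network): serves all_ids in
    offset/limit slices and answers every Nth call with 429 to exercise the backoff."""
    calls = {"n": 0}

    def get(path, params, headers):
        calls["n"] += 1
        if calls["n"] % rate_limit_every == 0:
            return 429, {"Retry-After": "1"}, {"errors": [{"code": 429, "message": "rate limit"}]}
        start = params["offset"]
        return 200, {}, {"resources": all_ids[start:start + params["limit"]]}
    return get, calls
```

Run against the constructed API with 450 ids, the walker makes four calls (three data pages plus one retried 429) and sleeps once for the advertised second.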
Troubleshooting
| Issue | Possible Solution |
|---|---|
| 401 Unauthorized | Verify Client ID and Client Secret are correct; check if credentials have expired |
| 403 Forbidden | Ensure API client has required scopes for the operation |
| 404 Not Found | Verify the resource ID exists and is accessible with your credentials |
| 429 Too Many Requests | Rate limit exceeded; implement delays between requests |
| Invalid Filter | Check FQL syntax; refer to CrowdStrike FQL documentation |
| Connection Timeout | Verify network connectivity and correct Base URL for your region |
| Empty Results | Verify filter criteria; check if resources exist in your environment |
Support
For issues with this integration, please contact support with:
- The operation you were attempting
- Any error messages received
- The parameters used (excluding sensitive data)
- Your CrowdStrike cloud region
For CrowdStrike API documentation, visit: CrowdStrike Developer Portal
Updated: 2026-02-05