Crowdstrike Source Plugin Configuration Reference

Authentication #

Example Configuration #

kind: source
spec:
  name: crowdstrike
  path: cloudquery/crowdstrike
  registry: cloudquery
  version: "v1.5.1"
  tables: ["*"]
  destinations: ["postgresql"]
  backend_options:
    table_name: "cq_state_crowdstrike"
    connection: "@@plugins.postgresql.connection"

  spec:
    auth_method: "client_secret"
    client_id: "${CROWDSTRIKE_CLIENT_ID}"
    client_secret: "${CROWDSTRIKE_CLIENT_SECRET}"

    # optional
    # base_path_override: "/"
    # cloud: "autodiscover"
    # host_override: ""
    # member_cid: ""

Configuration Reference #

• auth_method (string) (optional, default: client_secret)

  This plugin supports different authentication methods when communicating with the CrowdStrike API. Depending on the chosen authentication method, additional configuration parameters are required.

  Supported values are client_secret and access_token. If the client_secret method is selected, the following additional configuration parameters will be used. If the access_token method is selected, the following additional configuration parameters will be used.
• cloud (string) (optional, default: autodiscover)

  Region where the CrowdStrike backend is hosted. autodiscover can automatically discover the region when using API Client authentication.

  When using Access Token authentication method, a specific cloud region is required:

  spec:
    access_token: "${CROWDSTRIKE_ACCESS_TOKEN}"
    cloud: us-1 # possible values are: us-1, us-2, eu-1, us-gov-1

• host_override (string) (optional, default: empty)

  A specific API host to use when making API requests. This must be a fully qualified domain name without a scheme or slashes.

  When set, the value of cloud will be ignored.

  spec:
    access_token: "${CROWDSTRIKE_ACCESS_TOKEN}"
    host_override: api.mysubdomain.crowdstrike.com

• base_path_override (string) (optional, default: /)

  Sets the URL path to prepend when making API requests. With or without a leading slash.
• member_cid (string) (optional, default: empty)

  A specific CID to use. This value can be used for filtering when the Client has access to multiple CIDs.
• concurrency (integer) (optional, default: 10000)

  A best effort maximum number of Go routines to use. Lower this number to reduce memory usage.
• scheduler (string) (optional, default: dfs)

  The scheduler to use when determining the priority of resources to sync. Supported values are dfs (depth-first search), round-robin, shuffle and shuffle-queue.

  For more information about this, see performance tuning.
• table_options (Table Options spec) (optional)

  Options to apply to specific tables. See table options for more information.

Incremental Syncing #

• crowdstrike_discover_hosts

Crowdstrike Table Options Spec #

• crowdstrike_discover_hosts

  • filter (string) (optional)

    Host filter in Falcon Query Language (FQL).
• crowdstrike_vulnerabilities

  • filter (string) (optional) (default: created_timestamp:>'2000-01-01T01:00:00Z')

    Vulnerability filter in Falcon Query Language (FQL).
  • facet ([]string) (optional) (default: ["host_info", "remediation", "cve", "evaluation_logic"])

    Facet filtering for vulnerabilities.

Client Secret Configuration Reference #

• client_id (string) (required)

  The ID of the CrowdStrike Client to use.
• client_secret (string) (required)

  The secret to authenticate the client with ID client_id.

Access Token Configuration Reference #

• access_token (string) (required)

  The OAuth 2.0 Access Token to authenticate with (recommendation: Use environment variable instead of a hardcoded token in the config).