Back to plugin list


This plugin is in preview.

Sync data from Crowdstrike APIs


Latest version




Date Published



Set up process

brew install cloudquery/tap/cloudquery

1. Download CLI and login

See installation options

2. Create source and destination configs

Plugin configuration

cloudquery sync crowdstrike.yml postgresql.yml

3. Run the sync

CloudQuery sync


A crowdstrike source plugin for CloudQuery Falcon that loads data from crowdstrike to any database, data warehouse or data lake supported by CloudQuery, such as PostgreSQL, BigQuery, Athena, and many more.


  • Detections – Extracts details for Falcon detections, including behavior, severity, host, timestamps, and more.
  • Hosts – Extracts host details including OS, version, sensor specific data, and more.
  • Incidents - Extracts incidents and their details
  • Vulnerabilities - Extracts vulnerabilities and their details
  • Disover Hosts - Extracts managed host details from Discover data
  • Discover Applications - Extracts application information from Discover for all managed hosts


Export the following environment variables to configure CrowdStrike:
  • FALCON_CLIENT_ID - Falcon ClientID
  • FALCON_SECRET - Falcon Secret
To obtain an OAuth2 API Client navigate to the CrowdStrike Falcon / API clients and keys portal.
CloudQuery should only have read access to CrowdStrike resources. The intent is to index all resources in CrowdStrike, so all scopes should be accessible, but read-only.
  • Alerts
  • Custom IOA rules
  • Detections
  • Hosts
  • Falcon Discover
  • Falcon Complete Dashboard
  • Actors (Falcon Intelligence)
  • Reports (Falcon Intelligence)
  • Host groups
  • Incidents
  • Installation Tokens
  • IOC Management
  • IOCs (Indicators of Compromise)
  • Message Center for Overwatch
  • Message Center
  • Machine Learning Exclusions
  • On-demand scans (ODS)
  • OverWatch Dashboard
  • Prevention policies
  • Quarantined Files
  • Real time response (admin)
  • Real time responseResponse policies
  • Scheduled ReportsIOA Exclusions
  • Sensor DownloadSensor update policies
  • Sensor Visibility Exclusions
  • Spotlight vulnerabilities
  • Event streams
  • User management
  • Zero Trust Assessment


# crowdstrike.yml
kind: source
  name: "crowdstrike"
  registry: "cloudquery"
  path: "justmiles/crowdstrike"
  version: "v2.0.0"
  # use this to enable incremental syncing - unimplemented
  # backend_options:
  #   table_name: "cq_state_crowdstrike"
  #   connection: "@@plugins.postgresql.connection"
  destinations: ["sqlite"]
  tables: ["*"]
    # plugin spec section

Plugin Spec

  • concurrency (int, optional, default: 1000): Best effort maximum number of Go routines to use. Lower this number to reduce memory usage.


Run tests

make test

Run linter

make lint

Generate docs

make gen-docs

Release a new version

  1. Run git tag v1.0.0 to create a new tag for the release (replace v1.0.0 with the new version number)
  2. Run git push origin v1.0.0 to push the tag to GitHub
Once the tag is pushed, a new GitHub Actions workflow will be triggered to build the release binaries and create the new release on GitHub. To customize the release notes, see the Go releaser changelog configuration docs.

Publish a new version to the Cloudquery Hub

After tagging a release, you can build and publish a new version to the Cloudquery Hub by running the following commands. Replace v1.0.0 with the new version number.
# "make dist" uses the README as main documentation and adds a generic release note. Output is created in dist/
VERSION=v1.0.0 make dist

# Login to cloudquery hub and publish the new version
cloudquery login
cloudquery plugin publish --finalize
After publishing the new version, it will show up in the hub.
For more information please refer to the official Publishing a Plugin to the Hub guide.

Subscribe to product updates

Be the first to know about new features.

© 2024 CloudQuery, Inc. All rights reserved.