At a glance

Vendor: CrowdStrike Falcon (Prevent + Insight, with optional Discover / Spotlight / OverWatch modules)
Source type: xdr
Vendor ID (slug): crowdstrike-falcon
Base URL: Regional. Default https://api.crowdstrike.com (US-1). Other regions: api.us-2.crowdstrike.com, api.eu-1.crowdstrike.com, api.laggar.gcw.crowdstrike.com (US-Gov).
Auth method: oauth2 — client-credentials to {base}/oauth2/token. Draxis mints an Authorization: Bearer <access_token> per run.
Schedule default: daily — override to hourly for tighter response on the 4h-unresolved and lateral-movement KRIs.
Licensing: Core KRIs need Falcon Prevent + Insight. Optional KRIs gated by separate Falcon modules: Discover (sensor coverage gap), Spotlight (firmware/BIOS vulns), OverWatch (escalations). Unlicensed modules return 403; the connector tolerates those and records the affected KRIs as 0 with a warn log line.
Availability: New in 2026.04.

Required scopes & roles

Draxis authenticates as a Falcon API client (not a human admin). Create a dedicated API client under Support and resources → API Clients and Keys → Create API client and grant only these Read scopes:

  • Hosts: Read — list devices + read sensor state (backs the detection-only / RFM KRI and the test probe).
  • Alerts: Read — read unified alerts v2 (backs the critical-unresolved, lateral-movement, and OverWatch KRIs).
  • Detections: Read — legacy detect surface, kept for older tenants whose alerts haven't fully migrated to v2.
  • Prevention Policies: Read — read prevention policy settings and member counts (for future refinement of the detection-only KRI; not strictly required today).
  • IOC Manager APIs: Read — count active detect-type IOCs (backs the active-IOCs KRI).
  • Vulnerabilities: Read — Spotlight API. Optional, required only for the firmware/BIOS vulnerability KRI.
  • Falcon Discover: Read — optional, required only for the sensor-coverage-gap KRI.
  • OverWatch Dashboard: Read — optional, required only for the OverWatch-escalations KRI (though the data also surfaces via the Alerts API with product:"overwatch").

Do not grant any Write scope. Hosts: Write, Prevention Policies: Write, and Sensor Update Policies: Write are exceptionally dangerous if a Falcon API secret leaks: Hosts: Write is the scope behind network containment, and Prevention Policies: Write can switch prevention off across the CID. Draxis never needs any of them.

Setup steps

  1. Identify your region. Sign in to the Falcon console and look at the browser URL: falcon.crowdstrike.com is US-1; falcon.us-2.crowdstrike.com is US-2; falcon.eu-1.crowdstrike.com is EU-1; falcon.laggar.gcw.crowdstrike.com is US-Gov. The matching API base is the same host with the falcon. prefix replaced by api. (so https://api.us-2.crowdstrike.com for US-2). A US-2 client pointed at the US-1 API gets 401 on every call, including the token exchange itself; picking the wrong region is the single most common setup mistake.
  2. Open API Clients and Keys. In the Falcon console, go to Support and resources → API Clients and Keys. You need the Falcon Administrator role (or equivalent) to create clients; ask your CS admin if you don't.
  3. Create an API client. Click Create API client. Name it draxis-connector. Description: "Read-only Falcon API access for Draxis risk KRIs."
  4. Grant only these API scopes (check Read on each; leave every Write unchecked):
    Hosts                       Read
    Alerts                      Read
    Detections                  Read
    Prevention Policies         Read
    IOC Manager APIs            Read
    Vulnerabilities             Read          (optional — Spotlight module)
    Falcon Discover             Read          (optional — Discover module)
    OverWatch Dashboard         Read          (optional — OverWatch module)
    The optional scopes are safe to add even if you don't currently hold the license — the connector tolerates 403 on those endpoints.
  5. Copy the Client ID and Secret. Falcon shows the secret only once, at creation time. Copy it into your password manager right away. If you lose it, you'll have to delete the client and create a new one — old secrets can't be retrieved.
  6. (Optional) Restrict by source IP. On the API client, under API scope restrictions, allowlist the Draxis egress IP range. Skip this on first setup and add it after you've confirmed the connector works.

Wire it into Draxis

  1. Open Settings → Integrations in your tenant.
  2. Click Add integration and pick Extended Detection & Response as the source type.
  3. Pick CrowdStrike Falcon (Prevent + Insight) from the vendor dropdown. Draxis auto-fills the US-1 base URL, the OAuth auth method, and the daily schedule.
  4. In API Base URL, override to your region if you're not on US-1 (see step 1 of the setup steps above).
  5. In Client ID, paste the Falcon API client ID from step 5 above.
  6. In Client Secret, paste the Falcon API secret value. Draxis encrypts it server-side with encryption.key before storage.
  7. Click Test. Green means Draxis exchanged the credentials for a bearer token and listed one host successfully.
  8. Under KRIs to import, tick the KRIs you want Draxis to manage. All seven falcon_* KRIs are checked by default; uncheck any module-gated ones you don’t license (e.g. drop the sensor-gap KRI if you don't have Falcon Discover — the connector would just report 0). Selected rows are created on save with the seeded thresholds. Unchecking a previously-imported KRI deletes it on save.
  9. Save. The connector runs daily by default; use Run now from run history to trigger the first sync immediately.
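
The region rule from step 1, the client-credentials exchange against {base}/oauth2/token, and the one-host probe behind the Test button, written out as an added example for this page. This is not the Draxis connector's own code. Assumptions: the Hosts list endpoint path /devices/queries/devices/v1 (the page only names the scope, not the path), the environment variable names in the live-run block, and the fake_falcon transport, which is a constructed stand-in so the flow can be exercised offline.

```python
"""Region detection, OAuth2 client-credentials exchange and the one-host probe.
Added example for this page, not Draxis connector code. Assumed: the Hosts list
endpoint /devices/queries/devices/v1 and the env var names under __main__."""
import json
import urllib.parse
import urllib.request
from urllib.error import HTTPError


def api_base_from_console_url(console_url: str) -> str:
    """Apply the page's rule: the API base is the console host with the
    'falcon.' prefix replaced by 'api.' (falcon.us-2.crowdstrike.com ->
    https://api.us-2.crowdstrike.com)."""
    host = (urllib.parse.urlparse(console_url).hostname or "").lower()
    if not host.startswith("falcon.") or not host.endswith(".crowdstrike.com"):
        raise ValueError(f"not a Falcon console host: {host!r}")
    return "https://api." + host[len("falcon."):]


def _http(req: urllib.request.Request):
    """Default transport: perform the request, return (status, body bytes)."""
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except HTTPError as err:          # 4xx/5xx are ordinary responses here
        return err.code, err.read()


class FalconClient:
    def __init__(self, base_url, client_id, client_secret, transport=_http):
        self.base_url = base_url.rstrip("/")
        self.client_id = client_id
        self.client_secret = client_secret
        self.transport = transport
        self._token = None

    def get_token(self) -> str:
        """POST the client credentials as a form body to {base}/oauth2/token.
        A 401 here is almost always the wrong regional base URL."""
        form = urllib.parse.urlencode(
            {"client_id": self.client_id, "client_secret": self.client_secret}).encode()
        req = urllib.request.Request(
            self.base_url + "/oauth2/token", data=form, method="POST",
            headers={"Content-Type": "application/x-www-form-urlencoded",
                     "Accept": "application/json"})
        status, raw = self.transport(req)
        if status == 401:
            raise PermissionError(
                "401 from /oauth2/token: check the region base URL first, then the secret")
        if status not in (200, 201):
            raise RuntimeError(f"token exchange failed: HTTP {status}")
        self._token = json.loads(raw)["access_token"]
        return self._token

    def get(self, path: str, **params):
        """Authenticated GET; returns (status, decoded JSON)."""
        if self._token is None:
            self.get_token()
        url = self.base_url + path
        if params:
            url += "?" + urllib.parse.urlencode(params)
        req = urllib.request.Request(url, headers={
            "Authorization": f"Bearer {self._token}", "Accept": "application/json"})
        status, raw = self.transport(req)
        return status, (json.loads(raw) if raw else {})

    def probe(self) -> bool:
        """The Test-button check: token exchange plus listing one host."""
        status, body = self.get("/devices/queries/devices/v1", limit=1)
        return status == 200 and isinstance(body.get("resources"), list)


def fake_falcon(home_base: str):
    """Constructed offline stand-in for the Falcon API (not real vendor data):
    the client exists only in its home region; any other base URL gets 401."""
    def transport(req):
        url = req.full_url
        if not url.startswith(home_base + "/"):
            return 401, b'{"errors":[{"code":401,"message":"access denied"}]}'
        if url.endswith("/oauth2/token") and req.get_method() == "POST":
            return 201, b'{"access_token":"tok-1","expires_in":1799}'
        if "/devices/queries/devices/v1" in url and req.get_header("Authorization") == "Bearer tok-1":
            return 200, b'{"meta":{"pagination":{"total":412}},"resources":["a1b2"]}'
        return 403, b'{"errors":[{"code":403,"message":"access denied, authorization failed"}]}'
    return transport


if __name__ == "__main__":   # live run; the env var names are this example's choice
    import os
    base = api_base_from_console_url(os.environ["FALCON_CONSOLE_URL"])
    client = FalconClient(base, os.environ["FALCON_CLIENT_ID"], os.environ["FALCON_CLIENT_SECRET"])
    print("probe ok" if client.probe() else "probe failed")
```

The transport is injected so the same client runs against the constructed fake offline and against the real API with the default. Run it with the wrong base and the fake answers 401 before any token exists, which is exactly the failure mode the region step describes.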

KRIs produced

Slug / Meaning / Derivation

falcon_sensor_coverage_gap
  Meaning:    Assets Falcon Discover has identified without a Falcon sensor
  Derivation: GET /discover/queries/unmanaged-accounts/v1?filter=entity_type:'asset'&limit=1, read meta.pagination.total. Requires Falcon Discover; 403 → 0 with warn.

falcon_detection_only_pct
  Meaning:    % of hosts in a non-preventing state
  Derivation: round((count(hosts where reduced_functionality_mode != 'no') / count(all hosts)) * 100, 1). Proxy measurement — see quirks.

falcon_critical_detects_unresolved_4h
  Meaning:    Open critical alerts raised more than 4h ago
  Derivation: GET /alerts/queries/alerts/v2?filter=severity:>=80+status:'new',!'closed',!'resolved'+created_timestamp:<'<now-4h>'&limit=1

falcon_active_iocs
  Meaning:    Active detect-type IOCs in Falcon's IOC Manager
  Derivation: GET /iocs/queries/indicators/v1?filter=action:'detect'+deleted:false&limit=1

falcon_lateral_movement_7d
  Meaning:    Alerts tagged MITRE Lateral Movement in the last 7 days
  Derivation: GET /alerts/queries/alerts/v2?filter=tactic:'Lateral Movement'+created_timestamp:>='<now-7d>'&limit=1

falcon_overwatch_escalations_7d
  Meaning:    OverWatch-attributed alerts in the last 7 days
  Derivation: GET /alerts/queries/alerts/v2?filter=product:'overwatch'+created_timestamp:>='<now-7d>'&limit=1. Tenants without OverWatch licensing will see 0 (not an error — the filter simply matches nothing).

falcon_firmware_bios_vulns
  Meaning:    Open Spotlight vulnerabilities flagged firmware / BIOS
  Derivation: GET /spotlight/queries/vulnerabilities/v1?filter=status:'open'+cve.types:'Firmware'&limit=1. Requires Spotlight; 403 → 0 with warn.

Each row is a slug the connector writes to. Draxis creates the matching kri rows automatically when you check them in the KRIs to import section of the integration form; no manual API call or seed script is needed. Every derivation is a count: the query endpoint is called with limit=1 and the value comes from meta.pagination.total, not from pulling the matching records. Each imported KRI is created with a seeded default threshold (the table above lists none); edit thresholds freely in the KRIs tab afterwards.

Vendor quirks

  • Region mismatch = 401 on everything. Falcon API clients only authenticate against their own region's endpoint. If Test returns 401 and your client ID/secret are definitely correct, you almost certainly have the wrong base URL. The Falcon console URL tells you the region (see step 1).
  • "Detection-only %" is a proxy. True prevention-vs-detection classification requires inspecting each prevention policy's settings (quarantine, detect only, various ML sliders) and joining against host-to-policy membership. That's a ~dozen API calls per tenant per run and the schema drifts across Falcon versions. The connector instead uses Reduced Functionality Mode as a proxy: an RFM host can't prevent, regardless of why (OS incompatibility, detect-only policy, crashed sensor). It catches the operationally meaningful cases. A full policy-based classifier is on the roadmap.
  • Module licensing gates three KRIs. falcon_sensor_coverage_gap requires Falcon Discover; falcon_firmware_bios_vulns requires Spotlight; falcon_overwatch_escalations_7d is meaningful only for OverWatch customers. Unlicensed modules return 403 on their endpoints — the connector catches that, records the KRI as 0, and logs a warn. Drop those KRIs from the import list if you don't have the license so a 0 isn't mistaken for a clean posture.
  • Alerts v2 severity caps at 100. Falcon's severity scale is 0–100 (not the five-tier low/medium/high/critical of some other vendors). We treat severity:>=80 as critical; override by editing the filter expression in the KRI derivation if your org uses a different threshold.
  • "Active IOCs" is a stock-of-intel metric, not a detections metric. The KRI counts active detect-type indicators in your IOC Manager — the things Falcon will alert on if it sees them — not how many of those indicators have actually fired lately. For a "how much hostile stuff did we see" metric, pair it with a detection-count KRI or use the critical-unresolved KRI.
  • FQL timestamp filters want RFC 3339. Falcon Query Language (FQL) takes ISO 8601 / RFC 3339 timestamps with a trailing Z (e.g. 2026-04-19T00:00:00Z), not unix epochs. The connector formats these correctly; flagging it here because hand-crafted filters in custom KRIs silently return empty if the timestamp format is wrong, and an empty result reads as a clean 0.
  • Rate limits are generous but real. Falcon defaults to 6000 req/min per tenant across all API clients. The connector makes ~10 calls per run (roughly one per KRI plus token + probe), so daily scheduling is nowhere near the ceiling. If you switch to hourly across many Draxis tenants pointing at the same Falcon CID, do the arithmetic against that shared budget first.
  • API secrets don't rotate automatically. Falcon lets you create multiple API clients per CID; to rotate the Draxis client, create the new one first, update Draxis, confirm Test is green, then delete the old one. That avoids a window where every run fails with 401.
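
The KRI table, the module-gating quirk and the FQL timestamp quirk all rest on the same three mechanics, so here they are together as one added example (not the Draxis connector's code): query endpoints called with limit=1 and read from meta.pagination.total, RFC 3339 timestamps built for the <now-4h> and <now-7d> placeholders, and 403 recorded as 0 with a warning. The filters are the ones in the table; the Hosts endpoint path /devices/queries/devices/v1 is an assumption, and fake_get is a constructed tenant (Spotlight licensed, Discover not, no OverWatch) so the logic runs offline.

```python
"""Derivation of the seven falcon_* KRIs from the table above. Added example,
not Draxis connector code. `get` is an injected callable
(path, params) -> (status, json_body); the Hosts endpoint path is assumed."""
import logging
import re
from datetime import datetime, timedelta, timezone

log = logging.getLogger("falcon-kri")
EXAMPLE_NOW = datetime(2026, 4, 19, 12, 0, tzinfo=timezone.utc)  # fixed clock for the offline run
RFC3339_Z = re.compile(r"'\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z'")


def fql_ts(t: datetime) -> str:
    """FQL wants RFC 3339 with a trailing Z, not a unix epoch."""
    return t.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def count(get, path: str, fql: str, kri: str) -> int:
    """Query a /queries/ endpoint for a count only: limit=1 and read the total.
    403 means the module is not licensed: record 0 and warn, as the connector does."""
    params = {"limit": 1}
    if fql:
        params["filter"] = fql
    status, body = get(path, params)
    if status == 403:
        log.warning("%s: 403 from %s (module not licensed), recording 0", kri, path)
        return 0
    if status != 200:
        raise RuntimeError(f"{kri}: HTTP {status} from {path}")
    return int(body["meta"]["pagination"]["total"])


def derive_kris(get, now: datetime = None) -> dict:
    now = now or datetime.now(timezone.utc)
    h4 = fql_ts(now - timedelta(hours=4))      # fills the <now-4h> placeholder
    d7 = fql_ts(now - timedelta(days=7))       # fills the <now-7d> placeholder
    alerts = "/alerts/queries/alerts/v2"
    hosts = "/devices/queries/devices/v1"      # assumed Hosts list endpoint
    k = {}
    k["falcon_sensor_coverage_gap"] = count(get, "/discover/queries/unmanaged-accounts/v1",
                                            "entity_type:'asset'", "falcon_sensor_coverage_gap")
    all_hosts = count(get, hosts, "", "falcon_detection_only_pct")
    rfm_hosts = count(get, hosts, "reduced_functionality_mode:!'no'", "falcon_detection_only_pct")
    k["falcon_detection_only_pct"] = round(rfm_hosts / all_hosts * 100, 1) if all_hosts else 0.0
    k["falcon_critical_detects_unresolved_4h"] = count(
        get, alerts, f"severity:>=80+status:'new',!'closed',!'resolved'+created_timestamp:<'{h4}'",
        "falcon_critical_detects_unresolved_4h")
    k["falcon_active_iocs"] = count(get, "/iocs/queries/indicators/v1",
                                    "action:'detect'+deleted:false", "falcon_active_iocs")
    k["falcon_lateral_movement_7d"] = count(
        get, alerts, f"tactic:'Lateral Movement'+created_timestamp:>='{d7}'", "falcon_lateral_movement_7d")
    k["falcon_overwatch_escalations_7d"] = count(
        get, alerts, f"product:'overwatch'+created_timestamp:>='{d7}'", "falcon_overwatch_escalations_7d")
    k["falcon_firmware_bios_vulns"] = count(get, "/spotlight/queries/vulnerabilities/v1",
                                            "status:'open'+cve.types:'Firmware'", "falcon_firmware_bios_vulns")
    return k


def fake_get(path: str, params: dict):
    """Constructed offline tenant (not real data): Spotlight licensed, Discover not,
    no OverWatch alerts. Alert queries whose timestamp is not RFC 3339 match nothing,
    which is the silent failure the FQL quirk above warns about."""
    fql = params.get("filter", "")
    if path.startswith("/discover/"):
        return 403, {"errors": [{"code": 403, "message": "access denied, authorization failed"}]}
    if path == "/alerts/queries/alerts/v2":
        if not RFC3339_Z.search(fql):
            total = 0
        elif fql.startswith("severity:>=80"):
            total = 2
        elif fql.startswith("tactic:'Lateral Movement'"):
            total = 5
        else:
            total = 0            # product:'overwatch' on a non-OverWatch tenant
    else:
        total = {
            ("/devices/queries/devices/v1", ""): 200,
            ("/devices/queries/devices/v1", "reduced_functionality_mode:!'no'"): 7,
            ("/iocs/queries/indicators/v1", "action:'detect'+deleted:false"): 1530,
            ("/spotlight/queries/vulnerabilities/v1", "status:'open'+cve.types:'Firmware'"): 3,
        }[(path, fql)]
    return 200, {"meta": {"pagination": {"total": total}}, "resources": []}


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for slug, value in derive_kris(fake_get, now=EXAMPLE_NOW).items():
        print(f"{slug:40} {value}")
```

On the constructed tenant the Discover KRI comes back 0 with a warning in the log, the OverWatch KRI comes back 0 with no warning at all, and a filter that used an epoch instead of RFC 3339 would also come back 0 silently. Three different reasons for the same 0 is the case for dropping unlicensed KRIs from the import list rather than reading a 0 as clean posture.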

Troubleshooting

  • HTTP 401 on Test — most likely the base URL points at the wrong region (see quirks). If the URL is correct, the client secret is wrong or the API client was deleted. Generate a new secret and update Draxis.
  • HTTP 403 with insufficient_scope — the API client is missing one of the required Read scopes above. Re-open API Clients and Keys, edit the client, tick the missing scope, and save.
  • HTTP 403 on a specific module endpoint (Discover, Spotlight, OverWatch) — that module isn't licensed for your CID. Expected — the KRI records as 0 with a warn. Uncheck the KRI if you want to remove it from the list.
  • falcon_detection_only_pct is 0 but you know you have RFM hosts — the FQL filter reduced_functionality_mode:!'no' requires hosts to have emitted telemetry in the last 24h. Ghost hosts from decommissioned endpoints don't show up here.
  • falcon_overwatch_escalations_7d is always 0 — either you don't have OverWatch (expected), or the product:'overwatch' filter doesn't match your tenant's alert taxonomy. Older Falcon tenants used type:"OverWatch Detection" on legacy detects — open a support ticket if you think you should be seeing data.
  • rowsSkipped > 0 and rowsWritten = 0 — your tenant hasn’t imported any KRIs for this integration yet. Open the integration in Settings → Integrations, tick the KRIs under KRIs to import, and save.
  • Still stuck? Open a support ticket with the run ID (from Run history) and we'll dig in.