CrowdStrike Onboarding
Follow these steps to connect your CrowdStrike environment with SailPoint Entro.
Prerequisites
-
CrowdStrike administrator access
-
Access to Support and Resources → API Clients and Keys
-
Generated Client ID and Client Secret
Step‑by‑Step Configuration
-
Log in to CrowdStrike Falcon Console
Log in as an administrator.
-
Open API Clients and Keys
Navigate to Support and Resources → API Clients and Keys.
-
Create API Client
Click Create API Client in the top‑right corner.
-
Name the Client
Under Client Name, enter
Entro Security Integration. -
Assign Scopes
Assign the following scopes:
-
Hosts – Read
-
Real-Time Response – Read
-
Identity Protection (GraphQL) – Write
-
Identity Protection Entities – Read
-
Identity Protection Detections – Read
-
Identity Protection Timeline – Read
-
NGSIEM - Read & Write
If you want to enable endpoint secrets scanning, include the following optional scopes:
-
Real time response (admin) – Write
-
Real-Time Response – Read & Write
Important
For Identity Protection, you must explicitly enable the GraphQL permission in CrowdStrike. When creating the API client and selecting the Identity Protection scope, ensure the GraphQL option is checked.
-
-
Create and copy credentials
Click Create and copy both Client ID and Client Secret values.
-
Add CrowdStrike account in SailPoint Entro
In SailPoint Entro, go to Management → Accounts & Integrations → Add New Account → CrowdStrike.
-
Enter credentials in SailPoint Entro
Paste the credentials into the onboarding form fields:
-
Nickname: Name of this integration instance
-
Client ID: From previous step
-
Client Secret: From previous step
-
Worker Group (Connector): Select appropriate group
-
-
Connect and verify
Click Connect. The status should display Verified once validated.
Security & Compliance Notes
-
SailPoint Entro performs read‑only API calls.
-
All secrets are encrypted with AES‑256.
-
TLS 1.2+ required.