Skip to content

CrowdStrike Permissions Reference

This page lists all required API scopes and access levels for the CrowdStrike integration.

Overview

SailPoint Entro requires read‑only and limited write scopes to enrich device and NHI data, while maintaining least‑privilege access.

Required API Scopes

Scope Permission Purpose API Features
Hosts Read List devices for scanning /devices/queries/devices-scroll/v1 /devices/queries/devices-scroll/v1 All
Real-Time Response Read/Write (GraphQL) Create RTR sessions and execute commands on devices - Read is mandatory for AI MCP File lookup - Write is optional for secrets scanning only /real-time-response/entities/command/v1/real-time-response/entities/sessions/v1 Shadow Agentic AI Secrets Scanning
NGSIEM Read/Write EDR Telemetry to classify AI Agents, MCPs on endpoints and their activity - Shadow Agentic AI
Identity Protection Read (GraphQL) List identities (human, programmatic, groups) /identity-protection/combined/graphql/v1 Active Directory Identities
Identity Protection Entities Read Retrieve identity entity details /identity-protection/entities/* Active Directory Identities
Identity Protection Detections Read Retrieve identity-based threat detections /identity-protection/detections/* Active Directory Identities
Identity Protection Timeline Read Access identity activity timeline /identity-protection/timeline/* Active Directory Identities

Write Permissions

Write permissions are restricted and only granted for:

  • Real Time Response (used for remote secrets scanning)

  • NGSIEM (creation of telemetry query)

Compliance and Security Notes

  • All other access operates under read‑only mode.

  • TLS 1.2+ is enforced for all API calls.

  • Token storage complies with SOC 2 Type II and ISO 27001.