CrowdStrike Permissions Reference
This page lists all required API scopes and access levels for the CrowdStrike integration.
Overview
SailPoint Entro requires read‑only and limited write scopes to enrich device and NHI data, while maintaining least‑privilege access.
Required API Scopes
| Scope | Permission | Purpose | API | Features |
|---|---|---|---|---|
| Hosts | Read | List devices for scanning | /devices/queries/devices-scroll/v1 /devices/queries/devices-scroll/v1 |
All |
| Real-Time Response | Read/Write (GraphQL) | Create RTR sessions and execute commands on devices - Read is mandatory for AI MCP File lookup - Write is optional for secrets scanning only | /real-time-response/entities/command/v1/real-time-response/entities/sessions/v1 |
Shadow Agentic AI Secrets Scanning |
| NGSIEM | Read/Write | EDR Telemetry to classify AI Agents, MCPs on endpoints and their activity | - | Shadow Agentic AI |
| Identity Protection | Read (GraphQL) | List identities (human, programmatic, groups) | /identity-protection/combined/graphql/v1 |
Active Directory Identities |
| Identity Protection Entities | Read | Retrieve identity entity details | /identity-protection/entities/* |
Active Directory Identities |
| Identity Protection Detections | Read | Retrieve identity-based threat detections | /identity-protection/detections/* |
Active Directory Identities |
| Identity Protection Timeline | Read | Access identity activity timeline | /identity-protection/timeline/* |
Active Directory Identities |
Write Permissions
Write permissions are restricted and only granted for:
-
Real Time Response (used for remote secrets scanning)
-
NGSIEM (creation of telemetry query)
Compliance and Security Notes
-
All other access operates under read‑only mode.
-
TLS 1.2+ is enforced for all API calls.
-
Token storage complies with SOC 2 Type II and ISO 27001.