CrowdStrike Integration
The RegScale CLI integrates with CrowdStrike Falcon to synchronize alerts, vulnerabilities, assets, compliance posture, and evidence into RegScale.
Prerequisites
- RegScale CLI installed and configured (regscale init)
- A CrowdStrike Falcon tenant with API access
- A CrowdStrike API client with the required scopes (see below)
CrowdStrike API Client Setup
Create an API client in the CrowdStrike Falcon console under Support and resources > API clients and keys.
Required API Scopes
Add the following scopes based on the commands you plan to use:
| Scope | Required For |
|---|---|
| alerts:read | sync_incidents, query_incidents, collect_evidence |
| alerts:write | Alert tagging and assignment (optional) |
| hosts:read | sync_assets, collect_evidence |
| spotlight-vulnerabilities:read | sync_vulnerabilities |
| prevention-policies:read | sync_policies, collect_evidence |
| host-group:read | sync_policies (resolving assigned host groups) |
| user-management:read | Incident assignment lookups (optional) |
| intel:read | Threat intelligence (optional) |
Minimum scopes for full integration: alerts:read, hosts:read, spotlight-vulnerabilities:read, prevention-policies:read, host-group:read
Note: As of March 2026, CrowdStrike has deprecated the Incidents API (/incidents/) in favor of the Alerts API (/alerts/). RegScale CLI v6.32+ uses the Alerts API. Ensure your API client has alerts:read rather than the legacy incidents:read scope.
Configuration
Add the following to your init.yaml. The file holds the client secret, so keep it out of version control and readable only by the user that runs the CLI:
crowdstrikeBaseUrl: "https://api.crowdstrike.com"
crowdstrikeClientId: "your-client-id"
crowdstrikeClientSecret: "your-client-secret"
Base URL values by cloud:
| CrowdStrike Cloud | Base URL |
|---|---|
| US-1 | https://api.crowdstrike.com |
| US-2 | https://api.us-2.crowdstrike.com |
| EU-1 | https://api.eu-1.crowdstrike.com |
| US-GOV-1 | https://api.laggar.gcw.crowdstrike.com |
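Before running any of the commands below, it is worth confirming that the three keys are present, that the base URL is one of the documented cloud endpoints, that init.yaml is not readable by other users, and that the client ID and secret actually obtain a token. The following preflight script is an added example written for this page, not RegScale CLI code. It assumes CrowdStrike's OAuth2 token endpoint is POST /oauth2/token under the base URL, taking form-encoded client_id and client_secret and returning JSON with access_token and expires_in (201 on success). Its init.yaml reader only understands flat key: value lines, which is enough for these three keys; the function names and the 401/403/404 interpretations are the author's own.

```python
"""Preflight check for the crowdstrike* keys in init.yaml.

Added example for this page; not part of the RegScale CLI. Assumption: the token
endpoint is POST {base}/oauth2/token with form-encoded client_id/client_secret,
answering JSON with access_token and expires_in (HTTP 201 on success).
"""
import json
import os
import stat
import sys
import urllib.error
import urllib.parse
import urllib.request

# Base URLs by CrowdStrike cloud, from the table above.
CLOUD_BASE_URLS = {
    "US-1": "https://api.crowdstrike.com",
    "US-2": "https://api.us-2.crowdstrike.com",
    "EU-1": "https://api.eu-1.crowdstrike.com",
    "US-GOV-1": "https://api.laggar.gcw.crowdstrike.com",
}
REQUIRED_KEYS = ("crowdstrikeBaseUrl", "crowdstrikeClientId", "crowdstrikeClientSecret")


def load_flat_yaml(path):
    """Read top-level `key: value` lines from init.yaml (enough for the crowdstrike*
    keys; deliberately not a general YAML parser)."""
    cfg = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            if not line[:1].isalpha() or ":" not in line:
                continue
            key, _, value = line.partition(":")
            cfg[key.strip()] = value.strip().strip("\"'")
    return cfg


def check_config(cfg):
    """Return a list of problems with the crowdstrike* keys (empty means OK)."""
    problems = [f"{k} is missing or empty" for k in REQUIRED_KEYS if not cfg.get(k)]
    base = (cfg.get("crowdstrikeBaseUrl") or "").rstrip("/")
    if base and base not in CLOUD_BASE_URLS.values():
        problems.append(f"crowdstrikeBaseUrl {base!r} is not one of the documented cloud endpoints")
    return problems


def mode_is_private(mode):
    """True when the permission bits grant nothing to group or others (0600 or tighter)."""
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def secret_file_is_private(path):
    """POSIX check that only the owner can read init.yaml; not meaningful on Windows."""
    return mode_is_private(stat.S_IMODE(os.stat(path).st_mode))


def classify_token_status(status):
    """Map the token endpoint's HTTP status to a practitioner-facing verdict (author's reading)."""
    if status in (200, 201):
        return "ok"
    if status == 401:
        return "bad client ID or secret"
    if status == 403:
        return "client is disabled or not valid for this cloud"
    if status == 404:
        return "no token endpoint here: crowdstrikeBaseUrl is wrong"
    return f"unexpected HTTP {status}"


def _urllib_post(url, body, headers):
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def get_token(cfg, post=_urllib_post):
    """Client-credentials exchange. `post(url, body, headers) -> (status, bytes)` is
    injectable so the flow can be exercised offline; returns (access_token, expires_in)."""
    url = cfg["crowdstrikeBaseUrl"].rstrip("/") + "/oauth2/token"
    body = urllib.parse.urlencode({"client_id": cfg["crowdstrikeClientId"],
                                   "client_secret": cfg["crowdstrikeClientSecret"]}).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"}
    status, raw = post(url, body, headers)
    verdict = classify_token_status(status)
    if verdict != "ok":
        raise PermissionError(f"{url}: {verdict}")
    data = json.loads(raw)
    return data["access_token"], int(data["expires_in"])


def main(path="init.yaml"):
    cfg = load_flat_yaml(path)
    problems = check_config(cfg)
    for problem in problems:
        print("config:", problem)
    if os.name == "posix" and not secret_file_is_private(path):
        print(f"warning: {path} is readable by group/others; it contains the client secret")
    if problems:
        return 1
    token, ttl = get_token(cfg)
    # Never print the token itself; its length and lifetime are enough to prove the exchange worked.
    print(f"token ok ({len(token)} chars, expires in {ttl}s)")
    return 0


if __name__ == "__main__":
    sys.exit(main(*sys.argv[1:]))
```

Run it as `python preflight.py /path/to/init.yaml`; a clean run prints only the token length and lifetime, and a 404 from the token endpoint points at the base URL rather than at scopes.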
Commands
Sync Incidents
Syncs alerts from CrowdStrike into RegScale as incidents, along with associated device assets and MITRE ATT&CK properties (tactics, techniques).
regscale crowdstrike sync_incidents --id <REGSCALE_ID> --module <MODULE>
| Option | Required | Description |
|---|---|---|
| --id, -i | Yes | RegScale parent record ID |
| --module, -m | Yes | RegScale parent module (e.g., securityplans) |
| --dry_run | No | Return item counts without syncing |
| --offset | No | Skip this many items from the start |
| --limit | No | Process at most this many items |
Example:
regscale crowdstrike sync_incidents --id 6 --module securityplans
Scopes required: alerts:read
Query Incidents
Query alerts from CrowdStrike using Falcon Query Language (FQL) filters and create RegScale incidents from the results.
regscale crowdstrike query_incidents --id <REGSCALE_ID> --module <MODULE>
| Option | Required | Description |
|---|---|---|
| --id, -i | Yes | RegScale parent record ID |
| --module, -m | Yes | RegScale parent module |
| --filter | No | FQL filter string (e.g., status:'new') |
Example:
regscale crowdstrike query_incidents --id 6 --module securityplans --filter "status:'new'"
Scopes required: alerts:read
Sync Vulnerabilities
Syncs vulnerabilities from CrowdStrike Spotlight into RegScale as issues. Uses the Spotlight combined endpoint for efficient retrieval with pagination.
regscale crowdstrike sync_vulnerabilities --id <REGSCALE_ID>
| Option | Required | Description |
|---|---|---|
| --id, -i | Yes | RegScale security plan ID |
| --dry_run | No | Return item counts without syncing |
| --offset | No | Skip this many items from the start |
| --limit | No | Process at most this many items |
Example:
regscale crowdstrike sync_vulnerabilities --id 6
Scopes required: spotlight-vulnerabilities:read
Sync Assets
Syncs hosts and devices from CrowdStrike Falcon into RegScale as assets. Captures device details including hostname, OS, IP addresses, sensor version, and serial number.
regscale crowdstrike sync_assets --id <REGSCALE_ID>
| Option | Required | Description |
|---|---|---|
| --id, -i | Yes | RegScale security plan ID |
| --dry_run | No | Return item counts without syncing |
| --offset | No | Skip this many items from the start |
| --limit | No | Process at most this many items |
Example:
regscale crowdstrike sync_assets --id 6
Scopes required: hosts:read
Sync Compliance
Maps CrowdStrike compliance data against the control implementations on a RegScale security plan. Auto-detects the compliance framework or accepts a manual override.
regscale crowdstrike sync_compliance --id <REGSCALE_ID>
| Option | Required | Description |
|---|---|---|
| --id, -i | Yes | RegScale security plan ID |
| --framework | No | Framework override: NIST, CSF, SOC2, CMMC, ISO, CIS, OWASP. Auto-detected if omitted. |
Supported frameworks:
- NIST 800-53 — Direct mapping from CrowdStrike compliance data
- CSF (NIST Cybersecurity Framework) — Direct mapping
- SOC2 — Cross-walked from NIST mapping
- CMMC — Cross-walked from NIST mapping
- ISO 27001 — Cross-walked from NIST mapping
- CIS Controls — Cross-walked from NIST mapping
- OWASP — Cross-walked from NIST mapping
Ensure a security profile has been applied to the security plan before running.
Example:
# Auto-detect framework from existing control implementations
regscale crowdstrike sync_compliance --id 6
# Explicitly specify framework
regscale crowdstrike sync_compliance --id 6 --framework SOC2
Sync Policies
Fetches all prevention policies (server, workstation, general) from CrowdStrike, generates an auditor-friendly HTML report, and creates an Evidence record in RegScale linked to the specified security plan.
regscale crowdstrike sync_policies --id <REGSCALE_ID>
| Option | Required | Description |
|---|---|---|
| --id, -i | Yes | RegScale security plan ID |
Example:
regscale crowdstrike sync_policies --id 6
Scopes required: prevention-policies:read, host-group:read
Collect Evidence
Collects a comprehensive CrowdStrike evidence package for audit purposes. Generates three evidence records attached to the security plan:
- Host inventory summary — Count by OS, status, and sensor version
- Prevention policy configurations — Policy settings with assigned host groups
- Recent alerts/detections — Alert details with timestamps
Designed for SOC2 CC.6.8.1 (antivirus configurations) and similar audit evidence requests.
regscale crowdstrike collect_evidence --id <REGSCALE_ID>
| Option | Required | Description |
|---|---|---|
| --id, -i | Yes | RegScale security plan ID |
| --alert_days, -d | No | Number of days to look back for alerts (default: 30) |
| --alert_limit, -l | No | Maximum number of alerts to include (default: 10) |
Example:
# Default: last 30 days, up to 10 alerts
regscale crowdstrike collect_evidence --id 6
# Custom: last 90 days, up to 50 alerts
regscale crowdstrike collect_evidence --id 6 --alert_days 90 --alert_limit 50
Scopes required: alerts:read, hosts:read, prevention-policies:read, host-group:read
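The FQL filter passed to query_incidents, the --alert_days lookback used by collect_evidence, and the --offset/--limit options on the sync commands all come down to two small mechanisms: composing FQL clauses from values that may originate outside your control, and paging through alert IDs without fetching more than the caller asked for. The script below is an added example written for this page, not RegScale CLI code. It assumes the Alerts API accepts status and created_timestamp as filterable fields (FQL syntax, with `+` as AND and quoted ISO-8601 timestamps, follows CrowdStrike's public FQL reference); fetch_page, SAMPLE_IDS and DEMO_NOW are constructed stand-ins for the query endpoint and the clock so it runs offline.

```python
"""FQL filter building and offset/limit paging for CrowdStrike alert queries.

Added example for this page; not RegScale CLI code. Assumptions: the Alerts API
exposes `status` and `created_timestamp` as filterable fields, and fetch_page is
any callable returning one API page as (ids, total).
"""
import datetime as dt
import re

# Conservative allow-list for string values that end up inside FQL quotes.
_SAFE_VALUE = re.compile(r"^[A-Za-z0-9_.:@/ -]+$")


def is_safe_fql_value(value):
    return bool(_SAFE_VALUE.match(value))


def fql_eq(field, value):
    """field:'value'. A quote or operator in `value` is rejected instead of escaped,
    so a supplied value such as "new'+status:'closed" cannot widen the query."""
    if not is_safe_fql_value(value):
        raise ValueError(f"unsafe FQL value for {field}: {value!r}")
    return f"{field}:'{value}'"


# Fixed clock used by the constructed demo so results are reproducible.
DEMO_NOW = dt.datetime(2026, 3, 15, 12, 0, 0, tzinfo=dt.timezone.utc)


def fql_since(field, days, now=None):
    """field:>'<UTC timestamp>' for a trailing window, the same lookback --alert_days applies."""
    now = now or dt.datetime.now(dt.timezone.utc)
    since = (now - dt.timedelta(days=days)).replace(microsecond=0)
    return f"{field}:>'{since.strftime('%Y-%m-%dT%H:%M:%SZ')}'"


def build_alert_filter(status=None, days=None, now=None):
    """Combine optional clauses with `+` (FQL AND); an empty string means no filter."""
    parts = []
    if status:
        parts.append(fql_eq("status", status))
    if days is not None:
        parts.append(fql_since("created_timestamp", days, now))
    return "+".join(parts)


def iter_alert_ids(fetch_page, offset=0, limit=None, page_size=500):
    """Yield alert IDs honoring CLI-style --offset/--limit over a paged API.

    fetch_page(offset, limit) -> (ids, total) returns one page starting at `offset`.
    Requests are sized to the remaining budget, so --limit 30 costs one small call,
    and iteration stops once the API's reported `total` has been reached."""
    yielded, pos = 0, offset
    while limit is None or yielded < limit:
        want = page_size if limit is None else min(page_size, limit - yielded)
        ids, total = fetch_page(pos, want)
        if not ids:
            break
        for alert_id in ids:
            if limit is not None and yielded >= limit:
                return
            yield alert_id
            yielded += 1
        pos += len(ids)
        if total is not None and pos >= total:
            break


# Constructed sample: 1,234 alert IDs standing in for the API's composite IDs.
SAMPLE_IDS = [f"alert-{i:04d}" for i in range(1234)]


def make_fake_pages(all_ids, calls=None):
    """Offline stand-in for the alert query endpoint; records each (offset, limit) in `calls`."""
    def fetch_page(offset, limit):
        if calls is not None:
            calls.append((offset, limit))
        return all_ids[offset:offset + limit], len(all_ids)
    return fetch_page


def demo():
    """Build a filter and page the sample the way --offset 1200 --limit 100 would;
    returns (filter, ids, api_calls)."""
    calls = []
    ids = list(iter_alert_ids(make_fake_pages(SAMPLE_IDS, calls), offset=1200, limit=100))
    return build_alert_filter(status="new", days=30, now=DEMO_NOW), ids, calls


if __name__ == "__main__":
    flt, ids, calls = demo()
    print(flt)
    print(f"{len(ids)} IDs via {len(calls)} API call(s): {calls}")
```

Rejecting rather than escaping questionable values is the conservative choice: FQL values arrive on the command line as a single string, and a value containing a quote or `+` is far more likely to be a mistake or an injection attempt than a legitimate alert status.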
Troubleshooting
404 errors on API calls
If you receive 404 errors, verify your API client has the correct scopes enabled in the CrowdStrike console. A missing scope will return 404, not 403.
Authentication failures
Verify crowdstrikeBaseUrl, crowdstrikeClientId, and crowdstrikeClientSecret in your init.yaml. Ensure the base URL matches your CrowdStrike cloud region.
No data returned
- sync_incidents: Ensure the alerts:read scope is enabled (not the legacy incidents:read)
- sync_vulnerabilities: Ensure the spotlight-vulnerabilities:read scope is enabled and Spotlight is licensed on your tenant
- sync_assets: Ensure the hosts:read scope is enabled
