Integration Guide · CrowdStrike

CrowdStrike Integration

The CrowdStrike connector authenticates with the Falcon API via OAuth2 client credentials and collects active detections, prevention policy status, endpoint count, and Spotlight vulnerability data. All operations are read-only.

  • Active detection count and severity breakdown
  • Prevention policy coverage
  • Managed endpoint inventory
  • Spotlight CVE count (requires Spotlight licence)

  • Authentication method: OAuth2
  • Falcon API scopes needed: Read-only
  • Example ISO 27001 control mappings: A.8.7, A.8.16

Prerequisites

Create a Falcon API client

Falcon API clients are created in the Falcon Console and scoped to specific API resources.

Create the API client

In Falcon Console → Support and resources → Resources and tools → API clients and keys → Add new API client.

  • Client name: aisec-evidence-collector
  • Description: AISEC compliance evidence integration
  • Note the Client ID and Client Secret — the secret is shown only at creation time

Required API scopes

Assign the following read scopes to the client. Do not grant write access.

  • Detections: Read
  • Device control policies: Read
  • Hosts: Read
  • Prevention policies: Read
  • Spotlight vulnerabilities: Read (only if Spotlight is licensed)

Configuration

Connect CrowdStrike in AISEC

Enter the API client credentials in Settings → Integrations → CrowdStrike → Configure.

Step-by-step

  • Client ID: the ID shown in the Falcon API clients list
  • Client Secret: the secret copied at client creation time (if lost, create a new client)
  • API Base URL (optional): defaults to https://api.crowdstrike.com; use https://api.eu-1.crowdstrike.com for EU tenants
  • Sync frequency: hourly is recommended for active threat monitoring
  • Click Connect, then Sync now

Evidence collected

What appears in your evidence register

Up to four evidence items per sync, depending on licensed modules.

Active Detections

Count of new/in-progress Falcon detections with high/critical severity breakdown.

  • Maps to ISO 27001: A.8.16, A.5.25
  • Maps to SOC 2: CC7.2

Prevention Policies

Enabled vs total prevention policy count across platforms (Windows, Mac, Linux).

  • Maps to ISO 27001: A.8.7, A.8.8
  • Maps to SOC 2: CC6.8

Managed Endpoints

Total device count enrolled in Falcon for endpoint protection coverage.

  • Maps to ISO 27001: A.8.9, A.8.19
  • Maps to SOC 2: CC7.1

Spotlight CVEs (if licensed)

Open vulnerability count with CVSS score > 7.0 across all managed endpoints.

  • Maps to ISO 27001: A.8.8, A.8.19
  • Maps to SOC 2: CC7.1

Troubleshooting

Common issues

  • 401 on token endpoint — verify the client ID and secret are correct and the client has not been deleted in the Falcon Console.
  • 403 on detections or hosts — the API client is missing the required read scope; edit the client in Falcon Console and add the scope.
  • Spotlight returns 403 — Spotlight is not included in your Falcon licence; the connector skips this collection gracefully.
  • EU tenants — use https://api.eu-1.crowdstrike.com as the API Base URL, not the default US endpoint.
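The client-credentials flow from the overview and the 401/403 cases listed above, as an added example that is not AISEC's connector code: a minimal read-only Python client that obtains a bearer token, selects the US or EU base URL, and treats a 403 from Spotlight as "not licensed" rather than a failure. The endpoint paths and FQL filters are assumptions taken from CrowdStrike's public API documentation and should be verified against your tenant; the prevention-policy item is left out.

```python
import json, urllib.error, urllib.parse, urllib.request

US_BASE = "https://api.crowdstrike.com"
EU_BASE = "https://api.eu-1.crowdstrike.com"  # use for EU tenants (see Troubleshooting)

def http(method, url, headers=None, body=None):
    """Real transport: returns (status, parsed JSON body). Swapped out in tests."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=30) as r:
            return r.status, json.loads(r.read() or b"{}")
    except urllib.error.HTTPError as e:
        return e.code, {}

class FalconReadOnly:
    def __init__(self, client_id, client_secret, base_url=US_BASE, transport=http):
        self.base, self.transport, self.token = base_url.rstrip("/"), transport, None
        self.creds = urllib.parse.urlencode(
            {"client_id": client_id, "client_secret": client_secret}).encode()

    def authenticate(self):
        status, body = self.transport("POST", f"{self.base}/oauth2/token",
            {"Content-Type": "application/x-www-form-urlencoded"}, self.creds)
        if status == 401:  # wrong/rotated secret, or the client was deleted in the console
            raise PermissionError("401 from token endpoint: check client ID and secret")
        if status not in (200, 201):  # Falcon answers 201 Created on success
            raise RuntimeError(f"token request failed with HTTP {status}")
        self.token = body["access_token"]

    def query(self, path, **params):
        """Return the resource IDs from a query endpoint, or None on 403 (scope/licence missing)."""
        if self.token is None:
            self.authenticate()
        url = f"{self.base}{path}" + ("?" + urllib.parse.urlencode(params) if params else "")
        status, body = self.transport("GET", url, {"Authorization": f"Bearer {self.token}"})
        if status == 403:
            return None
        if status != 200:
            raise RuntimeError(f"{path} failed with HTTP {status}")
        return body.get("resources", [])

def collect(client):
    """Three of the four evidence counts; a 403 on Spotlight is reported as 'not licensed'.
    Endpoint paths and FQL filters are assumptions from CrowdStrike's public API docs."""
    hosts = client.query("/devices/queries/devices/v1", limit=5000)
    detections = client.query("/detects/queries/detects/v1", filter="status:['new','in_progress']")
    cves = client.query("/spotlight/queries/vulnerabilities/v1", filter="status:'open'+cve.base_score:>7")
    return {"managed_endpoints": None if hosts is None else len(hosts),
            "active_detections": None if detections is None else len(detections),
            "spotlight_cves": "not licensed" if cves is None else len(cves)}
```

A `None` count for hosts or detections means the client answered 403 for that endpoint, i.e. the matching read scope is missing on the API client.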
