
Crowdstrike proof types and permissions

Note

Hyperproof connects to many third-party systems that change frequently, including their interfaces. Contact your System Administrator or the third-party provider for assistance meeting the requirements to integrate with Hyperproof and collect the proof you need.

When you create a Hypersync between Hyperproof and Crowdstrike, you can automatically collect proof based on:

  • List of Users

  • List of Host Groups

  • List of Hosts

    The List of Hosts proof type can collect up to 140,000 hosts before it times out. If your infrastructure exceeds this limit, we recommend applying one of the available criteria filters, such as 'Platform' (Windows, Mac, Linux), to reduce the volume of data in one sync.

  • Prevention Policies

  • Sensor Update Policies

  • Endpoint Detections

    The Endpoint Detections proof type can collect up to 10,000 detections before it times out. The Crowdstrike API stops sending records when a maximum of 10,000 is reached. If your detections exceed this limit, apply a Severity filter to reduce the volume of data in one sync.


Note

You only need to connect Hyperproof to the app once, and then you can create as many Hypersyncs as you need. Additionally, you can create multiple Hypersyncs for a single control or label.

Configuring an API client in Crowdstrike

An API client must be created in Crowdstrike prior to setting up a Hypersync. This produces a Client ID and a Client Secret that are both needed to set up the Crowdstrike Hypersync.

Refer to the official Crowdstrike documentation for instructions on configuring an API client. Scroll to the Defining your first API Client section.

Tips

  • Only a Crowdstrike user with the Falcon Administrator role can view, create, or modify API clients.

  • API clients are not associated with a specific named user account. In Hyperproof Settings > Connected accounts, the Client ID can be found in the connection tile.

  • The following minimum API scopes are required for the Crowdstrike Hypersync to work. Providing read access for these scopes ensures that future Hypersyncs will work as intended.

    • Detections

    • Hosts

    • Host Groups

    • Prevention Policies

    • Sensor Update Policies

    • User Management

  • The Client Secret is only shown once, and should be stored in a secure place. The Client ID and Client Secret are needed for the Hypersync credentials.

  • The following regions are supported: US1, US2, and EU1.

  • Key rotation can be facilitated by creating multiple API clients for Hypersyncs.
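The minimum-scope tip above can be turned into a pre-flight check before the Client ID and Client Secret are entered in Hyperproof. The following is an added example, not Hyperproof or Crowdstrike code: it compares one API client's grants with the six read scopes listed on this page and reports what is missing and what goes beyond that list. The input format (scope name mapped to a list of permissions) and the sample client are assumptions constructed for illustration.

```python
# Added example: audit an API client's scope grants against the minimum
# read scopes listed on this page. The input format (scope name -> list of
# permissions) is an assumption for illustration, not a Crowdstrike export.

REQUIRED_READ_SCOPES = frozenset({
    "Detections", "Hosts", "Host Groups",
    "Prevention Policies", "Sensor Update Policies", "User Management",
})


def audit_client_scopes(granted):
    """Return (missing, excess) for one API client.

    missing: required scopes that lack read access
    excess:  grants beyond the page's list, i.e. anything other than read
             on a required scope, or any permission on another scope
    """
    normalized = {
        name.strip(): {p.strip().lower() for p in perms}
        for name, perms in granted.items()
    }
    missing = sorted(
        s for s in REQUIRED_READ_SCOPES if "read" not in normalized.get(s, set())
    )
    excess = []
    for name, perms in sorted(normalized.items()):
        # On a required scope only "read" is expected; elsewhere nothing is.
        extra = perms - {"read"} if name in REQUIRED_READ_SCOPES else perms
        excess.extend(f"{name}:{p}" for p in sorted(extra))
    return missing, excess


# Constructed sample: one required scope forgotten, one write permission
# ticked by mistake, and one unrelated scope granted.
SAMPLE_CLIENT = {
    "Detections": ["read", "write"],
    "Hosts": ["read"],
    "Host Groups": ["read"],
    "Prevention Policies": ["read"],
    "User Management": ["read"],
    "Example Other Scope": ["read"],  # hypothetical scope name
}

if __name__ == "__main__":
    missing, excess = audit_client_scopes(SAMPLE_CLIENT)
    print("missing read access:", missing)
    print("beyond the minimum list:", excess)
```

An empty `missing` list means the client meets the page's minimum; entries in `excess` are candidates for removal when the client is dedicated to Hypersyncs.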