Sync CrowdStrike with Oomnitza to gain visibility of your assets as data from CrowdStrike is transformed into consumable information and actionable insights.
You can choose one of the following CrowdStrike asset integrations:
- CrowdStrike Falcon Asset Load: Retrieves host detail information.
- CrowdStrike Falcon Asset Load with Filtering: Retrieves host details, but with a filtering option. If you use the US Commercial Cloud URL, https://api.crowdstrike.com, there is a limit of 100,000 assets when you run the extended integration for CrowdStrike assets. If you specify any other CrowdStrike Cloud environment, the limit is 10,000 assets. To work within these limits, use the CrowdStrike Falcon Asset Load with Filtering.
Note
The latest version of the CrowdStrike Falcon Asset Load and CrowdStrike Falcon Asset Load with Filtering uses version 2 of the CrowdStrike API (devices/entities/devices/v2).
Contents
- Adding your CrowdStrike OAUTH credentials to Oomnitza
- Retrieving the information from CrowdStrike
- Adding your CrowdStrike cloud environment as a global variable
- Creating the asset integration
- Using API presets to create asset workflows
Before you start
To easily find the records that are uploaded to Oomnitza, it's best practice to create a dedicated user account for each integration. This will make it easier for you to retrieve the records that are uploaded to Oomnitza from the vendor application.
Before you create the integration with Oomnitza:
- Add your CrowdStrike credentials to Oomnitza.
- Add the value of your cloud environment as a global variable.
Adding your CrowdStrike OAUTH credentials to Oomnitza
To add your credentials, you must retrieve the following information from CrowdStrike:
- CrowdStrike cloud environment. You enter the same value that you enter for the global variable. For example, if your base URL is https://api.us-2.crowdstrike.com, you enter api.us-2.crowdstrike as the value.
- Client ID and client secret
Retrieving the information from CrowdStrike
- Log in to the Falcon UI.
- Go to Support > API Clients and Keys.
- Click Add new API Client.
- Enter a name.
- Select the Hosts (Read) and Host Groups (Read) scopes for the asset integration. If you plan to run asset workflows, you must also have Write access.
- Select the User management (Read) scope for the user integration and SaaS workflow. If you plan to run one or more of the following user workflows, you must also have Write access: CrowdStrike Change User Name, CrowdStrike Change User Roles, CrowdStrike Delete User, and CrowdStrike Remove User Role.
- Click Save. Make sure you copy the base URL, client ID, and secret.
See CrowdStrike Authentication Guide
Make life easier and add your credentials to Oomnitza before you create the integration.
- In Oomnitza, click Configuration > Security > Credentials.
- Click Add new credential (+).
- Search for the integration, and then click the forward arrow > to select the integration.
- Enter your client credentials and any other additional information.
- Click Authenticate. You are prompted to log in to authorize your request.
- Click CREATE.
Adding your CrowdStrike cloud environment as a global variable
Adding global variables
Save time when you create integrations and run workflows by adding connection information as global variables.
- Click Configuration > General > Global Settings.
- Click Add new variable.
- Add the key value, which is the name of the variable.
- Enter the value.
- Save your changes.
The name of the variable is CrowdStrike Falcon.Api Domain.
To enter the value for CrowdStrike Falcon.Api Domain, trim the prefix https:// and the suffix .com from the base URL. For example, if your base URL is https://api.us-2.crowdstrike.com, you enter api.us-2.crowdstrike as the value.
CrowdStrike base URLs might change or new base URLs might be added. The source of truth is the CrowdStrike Falcon Wiki. To check out the base URLs, go to the Glossary of Terms, and open the Base URL page.
CrowdStrike Falcon asset load with filtering
This integration uses Falcon Query Language, which allows you to filter the integration response to optimize the data retrieval process.
The filter has the following format: property_name:'STRING_VALUE'. The value is encapsulated in single quotes. Boolean and integer values do not use quotes.
- To filter by host status, use: status:'normal', status:'contained', status:'lift_containment_pending', or status:'containment_pending'
- To filter by host status using a wildcard, use: status:'containment*'
- To filter by host status using an exact search, use: status:['normal']
- To filter by date, use an operator such as < and then the value: first_seen:<='2022-10-22T00:00:00Z'
- To filter using AND or OR conditions, use + (AND) or , (OR). For example: platform_name:'Windows'+hostname='string' or status:'normal',status:'contained' or first_seen:>='2022-10-22T00:00:00Z'+first_seen:<='2022-11-10T00:00:00Z'
- To filter using a complex expression that evaluates more than one expression, use the ( and ) characters. For example: (platform_name:'Windows', hostname='string'),(platform_name:'Linux', hostname=!'is not other string')
See Filtering examples in CrowdStrike Falcon Asset Load with Filtering and Falcon Query Language.
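The quoting and combining rules above are easy to get subtly wrong by hand (a missing quote, a `+` where a `,` was meant, a single quote inside a value). The following Python is an added example, not Oomnitza's or CrowdStrike's code: it derives the CrowdStrike Falcon.Api Domain value from a base URL, reports the asset limit the page states for that cloud, and builds FQL filters with the page's rules (strings single-quoted, booleans and integers bare, `+` for AND, `,` for OR, `[...]` for exact match, parentheses for grouping). The `hosts_query_url` helper and its `/devices/queries/devices/v1` endpoint are an assumption drawn from the CrowdStrike Hosts API; the page itself names only `devices/entities/devices/v2`. Property names such as `example_flag` in the usage are constructed placeholders.

```python
"""
Added example (not Oomnitza's or CrowdStrike's code): derive the
CrowdStrike Falcon.Api Domain global variable from a base URL and build
Falcon Query Language (FQL) filters for Asset Load with Filtering.
"""
from __future__ import annotations

from typing import Union
from urllib.parse import urlencode, urlparse

Scalar = Union[str, int, bool]

# US Commercial Cloud domain after trimming, as described on the page; the page
# states a 100,000 asset limit for it and 10,000 for any other cloud environment.
US_COMMERCIAL_DOMAIN = "api.crowdstrike"
_OPERATORS = ("", "!", "<", "<=", ">", ">=")


def api_domain_from_base_url(base_url: str) -> str:
    """Trim https:// and .com from a Falcon base URL, giving the global variable value."""
    host = urlparse(base_url.strip()).netloc or base_url.strip()
    if not host.endswith(".com"):
        raise ValueError(f"unexpected CrowdStrike base URL: {base_url!r}")
    return host[: -len(".com")]


def asset_limit(api_domain: str) -> int:
    """Asset ceiling for the extended integration in the given cloud environment."""
    return 100_000 if api_domain == US_COMMERCIAL_DOMAIN else 10_000


def fql_value(value: Scalar) -> str:
    """Render a scalar with the page's quoting rule: strings quoted, bool/int bare."""
    if isinstance(value, bool):  # bool before int: bool is a subclass of int
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    if "'" in value:
        raise ValueError("a single quote inside an FQL string value would break the filter")
    return f"'{value}'"


def fql_term(prop: str, value: Scalar, op: str = "") -> str:
    """One term such as status:'normal', status:'containment*' or
    first_seen:<='2022-10-22T00:00:00Z'. The operator is placed after the colon."""
    if op not in _OPERATORS:
        raise ValueError(f"unsupported FQL operator {op!r}")
    return f"{prop}:{op}{fql_value(value)}"


def fql_exact(prop: str, value: str) -> str:
    """Exact-match form from the page, e.g. status:['normal']."""
    return f"{prop}:[{fql_value(value)}]"


def fql_and(*terms: str) -> str:
    return "+".join(terms)


def fql_or(*terms: str) -> str:
    return ",".join(terms)


def fql_group(expr: str) -> str:
    return f"({expr})"


def hosts_query_url(api_domain: str, fql_filter: str, limit: int = 100, offset: int = 0) -> str:
    """Assumed Hosts API query URL (not from the page): the trimmed global variable
    is turned back into a host name and the filter is URL-encoded."""
    params = urlencode({"filter": fql_filter, "limit": limit, "offset": offset})
    return f"https://{api_domain}.com/devices/queries/devices/v1?{params}"


if __name__ == "__main__":
    domain = api_domain_from_base_url("https://api.us-2.crowdstrike.com")
    print(domain, asset_limit(domain))
    # Windows hosts first seen inside a date window, OR any contained host.
    window = fql_and(
        fql_term("platform_name", "Windows"),
        fql_term("first_seen", "2022-10-22T00:00:00Z", ">="),
        fql_term("first_seen", "2022-11-10T00:00:00Z", "<="),
    )
    print(fql_or(fql_group(window), fql_term("status", "contained")))
    print(hosts_query_url(domain, window))
```

The builder refuses a single quote inside a string value rather than escaping it, because the page gives no escaping rule; reject and fix the value instead of guessing.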
Creating the asset integration
- In Oomnitza, click Configuration > Integrations > Overview.
- Click Block view.
- Scroll down to the Extended section for asset integrations.
- Click NEW INTEGRATION.
- Select the integration in the sidebar.
- Click ADD.
Integration details overview
More information is provided about the following fields to help you complete the integration:
Software data
Depending on the asset integration, an option might be available to ingest desktop software information such as the name and version of the software installed on an asset. To view the software information in Oomnitza, you must have the software module.
Installation types
- Cloud. Store credentials in the Oomnitza cloud.
- Local. Store credentials locally. If you want to sync Oomnitza with vendor applications that require AWS or OAuth authentication, select Cloud as the installation type. Local installations don't support AWS and OAuth authentication.
Integration preferences
- Create & Update. Add and update records.
- Create only. Add records.
- Update only. Update records.
Integration details
To review or update the integration details, click Edit.
When you edit the Integration details section, you can select the name or names of integration contacts. Integration contacts receive an in-app notification and an email when the integration fails, when the integration fails to complete within 24 hours, or when the scheduled integration fails to run.
- Update the integration name.
- Select an installation type.
- For integration preferences, select an option.
- Enter the name of the integration user.
Credential details
If you selected Cloud as the installation type, choose one of the following options:
- Select the credentials that were created for the integration.
- Edit the credentials that were created for the integration.
- Create new credentials
Scheduling the integration
By default, data is synced once every day. Change the interval or the time so that the data is streamed when your system isn't busy.
- Click Edit.
- Make and save your changes.
Mapping fields to Oomnitza
To map the fields to Oomnitza, click Edit.
Select Edit integration to add rules for syncing data. See Filtering integration results.
Click SMART MAPPING.
You can add new fields to your integration by selecting Add new field on the mapping page. See Creating custom API fields.
Create custom mappings
Map the CrowdStrike Falcon fields to Oomnitza fields and create custom mappings to get the information that you need to manage your assets.
Complete these actions:
- Click Smart Mapping to automatically detect appropriate mapping fields. Values from the integration can also be dragged to the appropriate field on the Oomnitza side, or selected from the integration field dropdown.
- Create a custom mapping for the Crowdstrike Device ID. Complete the following steps:
- Click the down arrow on the Device ID field.
- Select Add new Oomnitza assets field.
- Change the name of the field to Crowdstrike Device ID.
- Select the Unique checkbox.
- Click CREATE.
- Map and assign a sync key to a unique field, such as the Crowdstrike Device ID. We recommend that you do not sync on Serial Number as it has the potential to be non-unique or blank.
- Click UPDATE.
Tracking information for asset loads
When the integration is run, you can track the name of the credentials that were used and the source of the data. To do this, you map the following fields to Oomnitza:
- Connect: Credentials
- Connect: CrowdStrike Cloud Environment
- Connect: Filter on Status (for Crowdstrike Falcon Asset Load with Filtering)
Standard CrowdStrike Falcon to Oomnitza mappings
Agent Local Time
Agent Version
Bios Manufacturer
Bios Number
Bios Version
CID
CPU Signature
Config ID Base
Config ID Build
Config ID Platform
Cloud Environment
Connector Sync Time
Device Device Control Policy Applied
Device Device Control Policy Applied Date
Device Device Control Policy Assigned Date
Device Device Control Policy ID
Device Device Control Policy Type
Device Global Config Policy Applied
Device Global Config Policy Applied Date
Device Global Config Policy Assigned Date
Device Global Config Policy ID
Device Global Config Policy Settings Hash
Device Global Config Policy Type
Device ID
Device Prevention Policy Applied
Device Prevention Policy Applied Date
Device Prevention Policy Assigned Date
Device Prevention Policy ID
Device Prevention Policy Rule Groups
Device Prevention Policy Type
Device Remote Response Policy Applied
Device Remote Response Policy Applied Date
Device Remote Response Policy Assigned Date
Device Remote Response Policy ID
Device Remote Response Policy Rule Set ID
Device Remote Response Policy Settings Hash
Device Remote Response Policy Type
Device Sensor Update Policy Applied
Device Sensor Update Policy Applied Date
Device Sensor Update Policy Assigned Date
Device Sensor Update Policy ID
Device Sensor Update Policy Type
Device Sensor Update Policy Uninstall Protection
External IP
First Seen
Group Hash
Groups
Hostname
Instance ID
Last Seen
Local IP
MAC Address
Machine Domain
Major Version
Minor Version
Modified Timestamp
OS Version
OU List
Platform ID
Platform Name
Policies Policy Type
Product Type
Product Type Description
Provision Status
Reduced Functionality Mode
Serial Number
Service Pack Major
Service Pack Minor
Service Provider
Service Provider Account ID
Site Name
Status
System Manufacturer
System Product Name
Tags
CrowdStrike Falcon to Oomnitza with Filtering mappings
Agent Load Flags
Agent Local Time
Agent Version
Bios Manufacturer
Bios Version
Build Number
Cid
Config Id Base
Config Id Build
Config Id Platform
Cloud Environment
Connector Sync Time
Cpu Signature
Device Id
Device Policies Device Control Applied Date
Device Policies Device Control Assigned Date
Device Policies Device Control Policy Id
Device Policies Device Control Policy Type
Device Policies Firewall Applied Date
Device Policies Firewall Assigned Date
Device Policies Firewall Policy Id
Device Policies Firewall Policy Type
Device Policies Firewall Rule Set Id
Device Policies Global Config Applied Date
Device Policies Global Config Assigned Date
Device Policies Global Config Policy Id
Device Policies Global Config Policy Type
Device Policies Global Config Settings Hash
Device Policies Prevention Applied Date
Device Policies Prevention Assigned Date
Device Policies Prevention Policy Id
Device Policies Prevention Policy Type
Device Policies Prevention Rule Groups List
Device Policies Prevention Settings Hash
Device Policies Remote Response Applied Date
Device Policies Remote Response Assigned Date
Device Policies Remote Response Policy Id
Device Policies Remote Response Policy Type
Device Policies Remote Response Settings Hash
Device Policies Sensor Update Applied Date
Device Policies Sensor Update Assigned Date
Device Policies Sensor Update Policy Id
Device Policies Sensor Update Policy Type
Device Policies Sensor Update Settings Hash
Device Policies Sensor Update Uninstall Protection
External Ip
First Seen
Group Hash
Groups List
Hostname
Instance ID
Instance Id
Is Device Policies Device Control Applied
Is Device Policies Firewall Applied
Is Device Policies Global Config Applied
Is Device Policies Prevention Applied
Is Device Policies Remote Response Applied
Is Device Policies Sensor Update Applied
Last Seen
Local Ip
Mac Address
Machine Domain
Major Version
Meta Version
Minor Version
Modified Timestamp
Os Build
Os Version
Ou List
Platform Id
Platform Name
Pointer Size
Product Type
Product Type Desc
Provision Status
Reduced Functionality Mode
Serial Number
Service Pack Major
Service Pack Minor
Service Provider
Service Provider Account ID
Site Name
Slow Changing Modified Timestamp
Status
System Manufacturer
System Product Name
Tags List
Launching the integration
Your integration is in Draft mode until the required mandatory fields are added. When added, click Launch to activate your integration.
If you selected Cloud as the installation type when creating the integration, see Running an extended integration.
If you selected Local as the installation type when creating the integration, see Running an extended integration locally.
Viewing data ingested by Oomnitza
Viewing ingested asset data
For asset integrations, click Hardware. If the asset integration also ingests software data, click Software.
Viewing ingested user data
For user integrations, click People. If you chose the option to ingest User and SaaS user data, click Software > SaaS, click the SaaS app, and then click the Users tab.
Using API presets to create asset workflows
To reduce costs by automating repetitive and complex tasks, take advantage of the built-in presets for assets.
To add a preset to a workflow, complete these steps:
- Click Configuration > Workflows.
- Click Add (+) and select Assets from the list.
- Edit the Begin Block and add rules to trigger the workflow. For example, if you set the Actions to New, the workflow will run for every new asset record added to Oomnitza.
- Drag and drop the API block onto the Sandbox.
- Click Edit on the API block and enter CrowdStrike in the search field.
- Select a preset from the list below. To choose a preset, click the forward arrow (>).
- CrowdStrike Add or Remove Device Tags
- CrowdStrike Perform Device Action
- Select the credentials that you created for CrowdStrike.
- Select Advanced Mode.
- Select the Body tab. You will notice that the Device ID is referenced in the property {{crowdstrike_device_id}}. Follow the mapping steps when creating the asset integration so that this property exists in Oomnitza and is populated with information before you run this workflow.
- Select the Response tab. You can map the entire response by placing {{response}} in the Response field and mapping it to a custom long text Oomnitza field, such as API Response. Once you have the entire response, you can then parse the JSON response values to custom Oomnitza fields.
- Connect the blocks.
- Save, validate, and activate your workflow.