CrowdStrike Spoke

  • Release version: Washingtondc
  • Updated January 20, 2025
  • 3 minutes to read

    • Manage licenses for CrowdStrike Falcon protection suite by fetching details of devices with active Falcon sensors installed and checking license compliance.

    Request apps on the Store

    Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.

    Integration Hub subscription

    This spoke requires an Integration Hub subscription. For more information, see Legal schedules - IntegrationHub overview.

    Spoke version

    CrowdStrike spoke v1.1.0 is the latest version.

    Spoke requirements

    CrowdStrike account with a Falcon administrator role.

    Spoke dependencies

    If you’re having trouble installing the app, ensure that these dependent plugins are installed:
    • ServiceNow Integration Hub Runtime (com.glide.hub.integration.runtime)
    • ServiceNow Integration Hub Action Step - REST (com.glide.hub.action_step.rest)
    Note:
    Some of these plugins are licensable features and require appropriate licenses when used outside the spoke implementation.

    Spoke actions

    The CrowdStrike spoke provides actions to automate CrowdStrike tasks when events occur in your ServiceNow instance.

    Category Action Description
    Host Management Look up Active Hosts Retrieves all active hosts. Active hosts are the hosts on which the last_seen date is greater than the date provided in the Active Since field.
    Look up Host Details Retrieves details of the hosts for the Device IDs passed in the Host IDs field.
    Sensor Management Look up Hourly Sensor Usage Retrieves a daily breakdown of your Customer Identification (CID) average hourly sensor usage by sensor category.
    Note:
    The usage data is retrieved up to two days prior to the current date.
    Look up Weekly Sensor Usage Retrieves a daily breakdown of your CID average weekly sensor usage by sensor category.
    Note:
    The usage data is retrieved up to two days prior to the current date.
    Note:
    This spoke has a Look up User action and Software Asset Management related actions only.

    Connection and credential alias requirements

    Integration Hub uses aliases to manage connection and credential information. Using an alias eliminates the need to configure multiple credentials and connection information profiles when using multiple environments. If the connection or credential information changes, you don't need to update any actions that use the connection. For more information, see Connections and Credentials.

    Register a CrowdStrike OAuth application

    Register the CrowdStrike OAuth application to access the CrowdStrike API and to receive a Client ID and Client secret.

    Before you begin

    The CrowdStrike Integration Hub spoke must be active. For more information, see CrowdStrike spoke.

    Role required: CrowdStrike Falcon administrator

    Important:
    • To use the Sensor Usage APIs, your API client must be assigned the Sensor usage scope with read permissions.
    • To use the Look up Hourly Sensor Usage and Look up Weekly Sensor Usage actions, contact your account team to enable the following feature flags:
      • Hourly usage data feature flag: This flag must be enabled for your Customer Identification (CID) to view hourly usage data.
      • Aggregated usage data feature flag: This flag must be enabled to get aggregated usage data in multi-CID (non-Flight Control) accounts.

    Procedure

    1. Log in to Falcon using your admin credentials.
    2. Navigate to Support > API Clients and Keys.
    3. Select Add new API Client.
    4. Provide the client name and description.
    5. Select the appropriate check boxes for the following scopes:
      • To use the Look up Active Hosts and Look up Host Details actions, select the Read check box for the Hosts scope.
      • To use the Look up Hourly Sensor Usage and Look up Weekly Sensor Usage actions, select the Read check box for the Sensor usage scope
      • To use all the supported actions, select the Read check box for both Hosts and Sensor usage scopes.
    6. Select ADD.
      The API client created screen is displayed.
    7. Copy the Client ID and Client secret for later use.

    Create a CrowdStrike connection

    Create a connection between your CrowdStrike applications and your ServiceNow instance so that your instance can retrieve user data from your applications.

    Before you begin

    ServiceNow Role required: admin

    Procedure

    1. Log in to your ServiceNow instance.
    2. Navigate to Connection & Credentials > Connection & Credentials Aliases.
    3. Locate your CrowdStrike connection and select Create New Connection & Credential.
    4. In the dialog box, fill in the fields.
      Table 1. Create Connection and Credential dialog box
      Field Value
      Connection Information
      Connection Name Name of the CrowdStrike connection. This field populates automatically.
      Connection URL URL for the connection. This field is automatically set to https://api.crowdstrike.com.
      Each CrowdStrike cloud has a different base URL. Use the base URL that corresponds to the cloud where your integration is hosted.
      • US-1: https://api.crowdstrike.com
      • US-2: https://api.us-2.crowdstrike.com
      • EU-1: https://api.eu-1.crowdstrike.com
      • US-GOV-1: https://api.laggar.gcw.crowdstrike.com
      • US-GOV-2: https://api.us-gov-2.crowdstrike.mil
      Credential Information
      OAuth Client ID Client ID that you generated while configuring the CrowdStrike API settings.
      OAuth Client Secret Client Secret that you generated while configuring the CrowdStrike API settings.
      OAuth Redirect URL https://<instance name>/oauth_redirect.do, where the instance name is the name of your ServiceNow instance.
    5. Select Create and Get OAuth Token.
      The OAuth token is generated successfully.