
CrowdStrike Cloud Security
Cloud Security- Overview
- Setup
- Data & mappings
- Operations & API
- Changelog
The CrowdStrike Cloud Security (CS) connector integrates with the CrowdStrike Falcon Container Security module, synchronizing container images, running containers, software packages, container vulnerabilities, and detection misconfigurations.
Data retrieved from CrowdStrike Cloud Securityโ
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| ๐ผ๏ธ Image | Yes | Container Image |
| ๐ฆ Container | Yes | Container |
| ๐ Package | Yes | Package |
| โ ๏ธ Vulnerability | Yes | Vulnerability |
| ๐ Vulnerability Definition | Yes | Vulnerability Definition |
| ๐ Detection | Yes | Violation |
| ๐ Detection Definition | Yes | Violation Definition |
Model relationshipsโ
For detailed steps on how to view the data retrieved from CrowdStrike Cloud Security in the Brinqa Platform, see How to view your data.
Connection settingsโ
When setting up a data integration, select CrowdStrike Cloud Security from the Connector dropdown and provide the following:
| Setting | Required | Default | Description |
|---|---|---|---|
| API URL | Yes | https://<region>.crowdstrike.com | CrowdStrike API URL |
| Client ID | Yes | โ | CrowdStrike API client Id |
| Client secret | Yes | โ | CrowdStrike API client secret |
| Page size | No | 100 | The number of records to fetch for each paged request |
| Parallel requests | No | 4 (capped at available processors) | The maximum number of parallel requests |
| Maximum retries | No | 5 | The maximum number of retry attempts before giving up a request |
Authenticationโ
CrowdStrike uses OAuth 2.0 Client Credentials flow.
Endpointโ
| Method | URL |
|---|---|
POST | https://<region>.crowdstrike.com/oauth2/token |
Request Headersโ
| Header | Value |
|---|---|
Content-Type | application/x-www-form-urlencoded |
Request Bodyโ
client_id=<your-client-id>&client_secret=<your-client-secret>
Sample Responseโ
{
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI...",
"expires_in": 1799,
"token_type": "bearer"
}
Response Fieldsโ
| Field | Type | Description |
|---|---|---|
access_token | String | Bearer token for API requests |
expires_in | Integer | Token lifetime in seconds |
token_type | String | Token type (always bearer) |
Usageโ
Once authenticated, all subsequent API requests include the bearer token:
Authorization: Bearer <access_token>
How to obtain CrowdStrike Cloud Security credentials
Generate a CrowdStrike client secretโ
For the CrowdStrike Cloud Security connector to use the CrowdStrike API, you must provide a client secret. CrowdStrike does not allow retrieving the client secret for an existing user, therefore, you must generate a new client secret instead. To do so, follow these steps:
-
Log in to your organization's CrowdStrike Falcon portal as an administrator.
-
From the navigation menu, click Support and resources, and then click API clients and keys.
-
Click Create API client.
The Create API client window displays.
-
Fill out the Client name, Description, and select the appropriate API scopes for the user.
-
Click Create.
Your new client ID, client secret, and recommended Base URL display. You cannot view the client secret again after this. Copy and save it to a secure location.

Note: If you do not have permissions to create a client secret, contact your CrowdStrike administrator. For additional information, see CrowdStrike documentation.
Attribute mappingsโ
Expand the sections below to view the mappings between the source and the Brinqa data model attributes:
๐ผ๏ธ Image
| Source Field Name | SDM Attribute |
|---|---|
| Generated | STATUS |
| Generated | SOURCE_STATUS |
| Generated | CATEGORIES |
| Generated | LAST_CAPTURED |
ImageResource.aiRelated() | AI_RELATED |
ImageResource.architecture() | ARCHITECTURE |
ImageResource.baseOS() | BASE_OS |
ImageResource.cId() | CUSTOMER_ID |
ImageResource.detections() | DETECTIONS |
ImageResource.firstSeen() | FIRST_SEEN |
ImageResource.highestDetectionSeverity() | HIGHEST_DETECTION_SEVERITY |
ImageResource.highestVulnerabilitySeverity() | HIGHEST_VULNERABILITY_SEVERITY |
ImageResource.imageDigest() | DIGEST |
ImageResource.imageId() | UID |
ImageResource.imageId() | NAME |
ImageResource.lastSeen() | LAST_SEEN |
ImageResource.layersWithVulnerabilities() | LAYERS_WITH_VULNERABILITIES |
ImageResource.packages() | PACKAGES |
ImageResource.registry() | REGISTRY |
ImageResource.repository() | REPOSITORY |
ImageResource.tag() | TAGS |
ImageResource.vulnerabilities() | VULNERABILITIES |
๐ฆ Container
| Source Field Name | SDM Attribute |
|---|---|
ContainerResource.agents() | AGENTS |
ContainerResource.allowPrivilegeEscalation() | ALLOW_PRIVILEGE_ESCALATION |
ContainerResource.appName() | APP_NAME |
ContainerResource.cId() | CUSTOMER_ID |
ContainerResource.cloudAccountId() | CLOUD_ACCOUNT_ID |
ContainerResource.cloudInstanceId() | CLOUD_INSTANCE_ID |
ContainerResource.cloudName() | CLOUD_NAME |
ContainerResource.cloudRegion() | CLOUD_REGION |
ContainerResource.cloudService() | CLOUD_SERVICE |
ContainerResource.clusterId() | CLUSTER_ID |
ContainerResource.clusterName() | CLUSTER_NAME |
ContainerResource.containerId() | UID |
ContainerResource.containerName() | NAME |
ContainerResource.createdAt() | SOURCE_CREATED_DATE |
ContainerResource.firstSeen() | FIRST_SEEN |
ContainerResource.imageDigest() | DIGEST |
ContainerResource.imageId() | IMAGE_ID |
ContainerResource.imageRegistry() | REGISTRY |
ContainerResource.imageRepository() | REPOSITORY |
ContainerResource.imageTag() | IMAGE_TAG |
ContainerResource.lastSeen() | LAST_SEEN |
ContainerResource.namespace() | NAMESPACE |
ContainerResource.nodeName() | NODE_NAME |
ContainerResource.podId() | POD_ID |
ContainerResource.podName() | POD_NAME |
| Generated | STATUS |
| Generated | SOURCE_STATUS |
| Generated | CATEGORIES |
| Generated | LAST_CAPTURED |
๐ Package
| Source Field Name | SDM Attribute |
|---|---|
| Generated | CATEGORIES |
| Generated | LAST_CAPTURED |
PackageResource.aiRelated() | AI_RELATED |
PackageResource.allImages() | ALL_IMAGES |
PackageResource.cId() | CUSTOMER_ID |
PackageResource.cveId() | CVE_IDS |
PackageResource.fixResolution() | FIX_RESOLUTION |
PackageResource.license() | LICENSES |
PackageResource.packageNameVersion() | UID |
PackageResource.packageNameVersion() | NAME |
PackageResource.packageNameVersion() | PACKAGE_NAME_VERSION |
PackageResource.runningImages() | RUNNING_IMAGES |
PackageResource.severity() | SEVERITY |
PackageResource.type() | TYPE |
PackageResource.vulnerabilityDescription() | VULNERABILITY_DESCRIPTION |
โ ๏ธ Vulnerability
| Source Field Name | SDM Attribute |
|---|---|
| Computed | STATUS_CATEGORY |
| Generated | UID |
| Generated | NAME |
| Generated | TYPE |
| Generated | PROVIDER_STATUS |
| Generated | LAST_CAPTURED |
| Normalized | STATUS |
| Normalized | SOURCE_STATUS |
VulnerabilityDetailsResource.exploitedStatus() | EXPLOITED_STATUS |
VulnerabilityDetailsResource.layerCommand() | LAYER_COMMAND |
VulnerabilityDetailsResource.layerIndex() | LAYER_INDEX |
VulnerabilityDetailsResource.packageNameVersion() | PACKAGE_NAME_VERSION |
VulnerabilityDetailsResource.packagePath() | PACKAGE_PATH |
VulnerabilityDetailsResource.remediationAvailable() | REMEDIATION_AVAILABLE |
VulnerabilityResource.aiRelated() | AI_RELATED |
VulnerabilityResource.cId() | CUSTOMER_ID |
VulnerabilityResource.firstSeen() | FIRST_FOUND |
VulnerabilityResource.imageId() | TARGETS |
VulnerabilityResource.lastSeen() | LAST_FOUND |
๐ Vulnerability Definition
| Source Field Name | SDM Attribute |
|---|---|
| Calculated | SEVERITY_SCORE |
| Generated | UID |
| Generated | NAME |
| Generated | LAST_CAPTURED |
| Normalized | SEVERITY |
VulnerabilityResource.cveId() | CVE_RECORDS |
VulnerabilityResource.cveId() | CVE_IDS |
VulnerabilityResource.cvssScore() | CVSS_V3_BASE_SCORE |
VulnerabilityResource.source() | SOURCE |
VulnerabilityResource.vulnerabilityCpsRating() | VULNERABILITY_CPS_RATING |
VulnerabilityResource.vulnerabilityDescription() | DESCRIPTION |
VulnerabilityResource.vulnerabilitySeverity() | SOURCE_SEVERITY |
๐ Detection
| Source Field Name | SDM Attribute |
|---|---|
| Computed | STATUS_CATEGORY |
DetectionResource.aiRelated() | AI_RELATED |
DetectionResource.cId() | CUSTOMER_ID |
DetectionResource.detectionName() | TYPE |
DetectionResource.firstSeen() | FIRST_FOUND |
DetectionResource.imageId() | TARGETS |
DetectionResource.lastSeen() | LAST_FOUND |
| Generated | UID |
| Generated | NAME |
| Generated | STATUS |
| Generated | SOURCE_STATUS |
| Generated | PROVIDER_STATUS |
| Generated | LAST_CAPTURED |
๐ Detection Definition
| Source Field Name | SDM Attribute |
|---|---|
| Calculated | SEVERITY_SCORE |
DetectionResource.detectionName() | UID |
DetectionResource.detectionName() | NAME |
DetectionResource.detectionSeverity() | SOURCE_SEVERITY |
DetectionResource.detectionType() | CATEGORIES |
DetectionResource.source() | SOURCE |
| Generated | LAST_CAPTURED |
| Normalized | SEVERITY |
Operations & APIโ
Expand each connector object to see its operation options, delta-sync behavior, and the API it uses. See connector operation options for how to apply operation options (keys and values are case-sensitive).
๐ผ๏ธ Image
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST ยท Endpoint:
GET /container-security/combined/image-assessment/images/v1 - Default filters: When
sinceis set, an FQL filterfirst_seen:>='<timestamp>'is applied (plus any user-suppliedfilteroption)
๐ฆ Container
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST ยท Endpoint:
GET /container-security/combined/containers/v1 - Default filters: When
sinceis set, an FQL filterfirst_seen:>='<timestamp>'is applied (plus any user-suppliedfilteroption)
๐ Package
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST ยท Endpoint:
GET /container-security/combined/packages/v2 - Default filters: Only the user-supplied
filteroption is applied (no timestamp filter)
โ ๏ธ Vulnerability
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST ยท Endpoint:
GET /container-security/combined/images/export/v1 - Default filters:
expand_vulnerabilities=true; whensinceis set, an FQL filterfirst_seen:>='<timestamp>'is applied (plus any user-suppliedfilteroption)
๐ Vulnerability Definition
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST ยท Endpoint:
GET /container-security/combined/images/export/v1 - Default filters:
expand_vulnerabilities=true; whensinceis set, an FQL filterfirst_seen:>='<timestamp>'is applied (plus any user-suppliedfilteroption)
๐ Detection
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST ยท Endpoint:
GET /container-security/combined/images/export/v1 - Default filters:
expand_detections=true; whensinceis set, an FQL filterfirst_seen:>='<timestamp>'is applied (plus any user-suppliedfilteroption)
๐ Detection Definition
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST ยท Endpoint:
GET /container-security/combined/images/export/v1 - Default filters:
expand_detections=true; whensinceis set, an FQL filterfirst_seen:>='<timestamp>'is applied (plus any user-suppliedfilteroption)
Changelogโ
The CrowdStrike Cloud Security connector has undergone the following changes:
| Version | Description | Migration Steps |
|---|---|---|
| 3.2.22 | Improvements - Connector-sourced attribute values now take precedence over non-connector data channels (manual edits, bulk imports, UI input) when the platform consolidates records, so CrowdStrike data is no longer overridden by lower-priority sources. | N/A |
| 3.2.21 | No changes in this release. | N/A |
| 3.2.20 | No changes in this release. | N/A |
| 3.2.19 | No changes in this release. | N/A |
| 3.2.18 | Dependency Upgrades - Updated shared connector framework and data-model libraries to their latest releases. | N/A |
| 3.2.17 | No changes in this release. | N/A |
| 3.2.16 | No changes in this release. | N/A |
| 3.2.15 | No changes in this release. | N/A |
| 3.2.14 | No changes in this release. | N/A |
| 3.2.13 | No changes in this release. | N/A |
| 3.2.12 | Dependency Upgrades - Updated the shared data-model library and removed an unused CVSS calculation dependency. | N/A |
| 3.2.11 | No changes in this release. | N/A |
| 3.2.10 | No changes in this release. | N/A |
| 3.2.9 | Bug Fixes - Vulnerability findings now sync reliably when container image details cannot be resolved or return no detail record, instead of failing the sync. Findings without a matching image are still synced, just without the extra image-level detail. | N/A |
| 3.2.8 | No changes in this release. | N/A |
| 3.2.7 | Bug Fixes - Package syncs now always retrieve the full set of packages rather than restricting incremental runs to recently seen packages, ensuring packages are not missed on subsequent syncs. | N/A |
| 3.2.6 | No changes in this release. | N/A |
| 3.2.5 | New Features - Added the Container model, synchronizing running and historical containers with their cloud, cluster, namespace, and pod context. - Added the Package model, synchronizing software packages discovered in container images. Improvements - Vulnerability findings now include additional detail from CrowdStrike, including exploited status, remediation availability, package path, package name and version, and image layer information. | N/A |
| 3.2.4 | No changes in this release. | N/A |
| 3.2.3 | No changes in this release. | N/A |
| 3.2.2 | No changes in this release. | N/A |
| 3.2.1 | Bug Fixes - The Vulnerability Definition CVSS v3 base score is now stored as a numeric value instead of text, and blank scores are no longer recorded, enabling correct numeric filtering and sorting. | N/A |
| 3.2.0 | Overview The CrowdStrike Cloud Security connector integrates with CrowdStrike Falcon Cloud Security to synchronize container images, image vulnerabilities and their definitions, and runtime detections and their definitions. Category: Cloud Security Models | N/A |