baton-crowdstrike is a connector for CrowdStrike built using the Baton SDK. It works with the CrowdStrike Falcon API to sync data about users and their roles.
Check out Baton to learn more about the project in general.
The connector requires a client ID and secret, which it exchanges for an access token that is then used for all communication with the API. To obtain these credentials, create an API client in CrowdStrike. You must hold the Falcon administrator role to create an API client in CrowdStrike (more info on obtaining access and creating clients here). The API client uses the following scopes:

| Scope | Required | Description |
|---|---|---|
| User Management: Read | Yes | Required to sync users and roles |
| Identity Protection Entities: Read | No | Required to sync identity risk scores (security insights) |

After you have obtained the client ID and secret, you can pass them to the connector either by setting the BATON_CROWDSTRIKE_CLIENT_ID and BATON_CROWDSTRIKE_CLIENT_SECRET environment variables or by passing them as flags to the baton-crowdstrike command.

Along with the credentials, you can specify the region you want to use. By default, the connector uses the us-1 region. You can change this by setting the BATON_REGION environment variable or by passing the --region flag to the baton-crowdstrike command.

```
brew install conductorone/baton/baton conductorone/baton/baton-crowdstrike
# The CrowdStrike API credentials are read from the BATON_CROWDSTRIKE_* variables
BATON_CROWDSTRIKE_CLIENT_ID=client_id BATON_CROWDSTRIKE_CLIENT_SECRET=client_secret baton-crowdstrike
baton resources
```

```
# Each environment variable needs its own -e flag
docker run --rm -v "$(pwd):/out" -e BATON_CROWDSTRIKE_CLIENT_ID=client_id -e BATON_CROWDSTRIKE_CLIENT_SECRET=client_secret ghcr.io/conductorone/baton-crowdstrike:latest -f "/out/sync.c1z"
docker run --rm -v "$(pwd):/out" ghcr.io/conductorone/baton:latest -f "/out/sync.c1z" resources
```

```
go install github.com/conductorone/baton/cmd/baton@main
go install github.com/conductorone/baton-crowdstrike/cmd/baton-crowdstrike@main
BATON_CROWDSTRIKE_CLIENT_ID=client_id BATON_CROWDSTRIKE_CLIENT_SECRET=client_secret baton-crowdstrike
baton resources
```

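
The settings described above can be checked before a sync starts, and the client secret can be kept off the command line. The wrapper below is an added example, not part of the baton-crowdstrike project: the function names `valid_region`, `preflight` and `run_sync` are hypothetical, the variable names and region values come from the connector's help output on this page, and it relies on Docker's `-e NAME` form, which copies the variable from the calling environment.

```shell
#!/bin/sh
# Added example (not from the baton-crowdstrike project).
# Variable names and region values come from the help output on this page.

# Succeeds only for a region the connector's --region help text lists.
valid_region() {
  case "$1" in
    us-1|us-2|eu-1|us-gov-1) return 0 ;;
    *) return 1 ;;
  esac
}

# Report every missing or invalid setting on stderr; return 0 only if all pass.
preflight() {
  problems=0
  [ -n "${BATON_CROWDSTRIKE_CLIENT_ID:-}" ] || {
    echo "BATON_CROWDSTRIKE_CLIENT_ID is not set" >&2; problems=1; }
  [ -n "${BATON_CROWDSTRIKE_CLIENT_SECRET:-}" ] || {
    echo "BATON_CROWDSTRIKE_CLIENT_SECRET is not set" >&2; problems=1; }
  valid_region "${BATON_REGION:-us-1}" || {
    echo "BATON_REGION '${BATON_REGION:-}' is not a listed region" >&2; problems=1; }
  return "$problems"
}

# Run the sync in Docker, writing sync.c1z into an existing directory ($1).
# "-e NAME" with no value makes docker copy the variable from this shell's
# environment, so the secret value never appears in the docker command line
# (process listings, shell history).
run_sync() {
  [ -n "${1:-}" ] || { echo "usage: run_sync OUTPUT_DIR" >&2; return 1; }
  preflight || return 1
  out_abs=$(cd "$1" && pwd) || return 1
  # Export so the docker client process can see the variables it passes through.
  export BATON_CROWDSTRIKE_CLIENT_ID BATON_CROWDSTRIKE_CLIENT_SECRET
  docker run --rm -v "$out_abs:/out" \
    -e BATON_CROWDSTRIKE_CLIENT_ID \
    -e BATON_CROWDSTRIKE_CLIENT_SECRET \
    -e "BATON_REGION=${BATON_REGION:-us-1}" \
    ghcr.io/conductorone/baton-crowdstrike:latest -f "/out/sync.c1z"
}
```

Source the file, set the two credential variables from a secret store or a prompt, then call `run_sync` with an existing output directory.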
baton-crowdstrike will fetch information about the following CrowdStrike resources:
- Users
- Roles
- Security Insights (identity risk scores)
We started Baton because we were tired of taking screenshots and manually building spreadsheets. We welcome contributions and ideas, no matter how small -- our goal is to make identity and permissions sprawl less painful for everyone. If you have questions, problems, or ideas: Please open a GitHub Issue!
See CONTRIBUTING.md for more details.

```
baton-crowdstrike

Usage:
  baton-crowdstrike [flags]
  baton-crowdstrike [command]

Available Commands:
  capabilities  Get connector capabilities
  completion    Generate the autocompletion script for the specified shell
  help          Help about any command

Flags:
      --client-id string                  The client ID used to authenticate with ConductorOne ($BATON_CLIENT_ID)
      --client-secret string              The client secret used to authenticate with ConductorOne ($BATON_CLIENT_SECRET)
      --crowdstrike-client-id string      required: CrowdStrike client ID used to generate the access token. ($BATON_CROWDSTRIKE_CLIENT_ID)
      --crowdstrike-client-secret string  required: CrowdStrike client secret used to generate the access token. ($BATON_CROWDSTRIKE_CLIENT_SECRET)
  -f, --file string                       The path to the c1z file to sync with ($BATON_FILE) (default "sync.c1z")
  -h, --help                              help for baton-crowdstrike
      --log-format string                 The output format for logs: json, console ($BATON_LOG_FORMAT) (default "json")
      --log-level string                  The log level: debug, info, warn, error ($BATON_LOG_LEVEL) (default "info")
  -p, --provisioning                      This must be set in order for provisioning actions to be enabled ($BATON_PROVISIONING)
      --region string                     required: CrowdStrike region to connect to. Options include 'us-1', 'us-2', 'eu-1', and 'us-gov-1'. ($BATON_REGION) (default "us-1")
      --skip-full-sync                    This must be set to skip a full sync ($BATON_SKIP_FULL_SYNC)
      --ticketing                         This must be set to enable ticketing support ($BATON_TICKETING)
  -v, --version                           version for baton-crowdstrike

Use "baton-crowdstrike [command] --help" for more information about a command.
```

The connector syncs identity risk scores from CrowdStrike Identity Protection. This includes:
- Risk Score: A numerical score (0-1) indicating the identity's risk level
- Risk Factors: The factors contributing to the risk score (e.g., "WEAK_PASSWORD (HIGH)", "MFA_NOT_ENABLED (MEDIUM)")
To sync security insights, your CrowdStrike API client must have the Identity Protection Entities: Read scope enabled. The security_insight resource type is disabled by default and can be enabled through ConductorOne.
