Skip to content

CrowdStrike

Cloudflare Zero Trust can integrate with Crowdstrike to require that users connect to certain applications from managed devices. This service-to-service posture check uses the WARP client to read endpoint data from Crowdstrike. Devices are identified by their serial numbers.

Prerequisites

Device posture with Crowdstrike requires:

  • Falcon Enterprise plan or above
  • Crowdstrike agent is deployed on the device.
  • Cloudflare WARP client is deployed on the device. For a list of supported modes and operating systems, refer to Service providers.

Set up CrowdStrike as a service provider

1. Obtain CrowdStrike settings

The following CrowdStrike values are needed to set up the CrowdStrike posture check:

  • Client ID
  • Client Secret
  • Base URL
  • Customer ID

To retrieve those values:

  1. Log in to your Falcon Dashboard.

  2. Go to Support and resources > API Clients and Keys.

  3. Select Add new API client and enter any name for the client.

  4. Enable the Read API Scope for Zero Trust Assessment, Hosts, Detections, Event Streams, and User Management.

  5. Select Add.

  6. Copy the Client ID, Client Secret, and Base URL to a safe place.

  7. Go to Host setup and management > Sensor downloads and copy your Customer ID.

  8. Get an auth token from your CrowdStrike API endpoint:

    Terminal window
    curl -X POST "<BASE_URL>/oauth2/token" \
    -H "accept: application/json" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -d "client_id=<CLIENT_ID>&client_secret=<CLIENT_SECRET>"

    This POST request authorizes Cloudflare Zero Trust to add CrowdStrike as a service provider. For more information, refer to the Crowdstrike auth token documentation.

2. Add CrowdStrike as a service provider

  1. In Zero Trust, go to Settings > WARP Client.
  2. Scroll down to Device posture providers and select Add new.
  3. Select CrowdStrike.
  4. Enter any name for the provider. This name will be used throughout the dashboard to reference this connection.
  5. Enter the Client ID and Client secret you noted down above.
  6. Enter your Rest API URL.
  7. Enter your Customer ID.
  8. Choose a Polling frequency for how often Cloudflare Zero Trust should query CrowdStrike for information.
  9. Select Save.

You will see the new provider listed under Settings > WARP Client > Device posture providers. To ensure the values have been entered correctly, select Test.

3. Configure the posture check

  1. In Zero Trust, go to Settings > WARP Client > Service provider checks.
  2. Select Add new.
  3. Select the Crowdstrike provider.
  4. Configure a device posture check and enter any name.
  5. Select Save.

Next, go to Logs > Posture and verify that the service provider posture check is returning the expected results.

Device posture attributes

Device posture data is gathered from the CrowdStrike Zero Trust Assessment APIs. To learn more about how scores are calculated, refer to the CrowdStrike Zero Trust Assessment documentation.

SelectorDescriptionValue
OSOS signal score1 to 100
OverallOverall ZTA score1 to 100
Sensor configSensor signal score1 to 100
VersionZTA score version2.1.0
StateCurrent online status of the deviceOnline, Offline, or Unknown
Last seenElapsed time since the device was last seen. Only returned if its state is online or unknown.In the last 1 hour, 3 hours, 6 hours, 12 hours, 24 hours, 7 days, 30 days, or more than 30 days