Integrating with CrowdStrike Falcon – Full Guide

Learn how to integrate CrowdStrike Falcon with Hyver to import assets, findings, and vulnerability data.

Updated over a week ago

1. Introduction

Hyver integrates with the CrowdStrike Falcon platform to automatically import host-type assets and vulnerability data into your Hyver environment. Once connected, Hyver processes these findings to correlate, consolidate, and contextualize the data, helping you prioritize risks and remediation efforts according to your business needs.


2. Prerequisites

Before setting up the integration, make sure the following requirements are met:

  • CrowdStrike Spotlight is enabled in your CrowdStrike console.

  • API credentials are generated in CrowdStrike (Client ID and Secret).

  • The API client has the following scopes:

    • Hosts: Read

    • Vulnerabilities: Read

    • Configuration Assessments: Read

Required CrowdStrike Scopes

Hyver requires several read-only API scopes in CrowdStrike to ingest data. Make sure these scopes are available in your CrowdStrike portal before you set up the integration. If a scope is missing, your organization may not have the necessary CrowdStrike licenses (for example, both EDR and Exposure Management are required):

  • Hosts + Host Groups (Read)
    Hyver pulls detailed host information, such as OS type and version.
    This data ensures that host assets in Hyver are enriched with accurate and up-to-date details.

  • Vulnerabilities (Read)
    Hyver ingests vulnerabilities identified by CrowdStrike.
    In Hyver, these are grouped under remediation assets inside the 'Usage of Outdated and Vulnerable Technologies' finding.

  • Configuration Assessments (Read)
    Hyver imports configuration assessment results from CrowdStrike.
    These findings are enriched with NIST mappings in Hyver and factored into your security maturity scoring.

For more details, you can refer to the official CrowdStrike API documentation here.

Note: The first part of the URL (for example, falcon.us-2) may be different depending on your organization’s CrowdStrike environment. Be sure to use the correct base URL that appears in your own portal.

Important Notes

  • You must have a Falcon administrator role in CrowdStrike to create API clients and secrets.

  • You must be a Hyver administrator to add and manage this integration.

Required IP Addresses

For the integration to work smoothly, you may need to allow traffic from Hyver’s servers in your firewall or network configuration. This ensures that Hyver can securely connect to your environment and perform scans without being blocked.

Depending on your region and the type of scan, add the following IP addresses:

  • General IPs:

    • Europe: 18.198.79.197

    • America: 52.1.10.176, 35.171.70.87

  • IPs for Azure and AWS Scans:

    • Europe: 18.158.77.90

    • America: 34.206.252.13

In most cases, you only need to add the IPs relevant to your region and use case.

Multi-Company Dashboard and Integrations

This section explains how Hyver’s Multi-Company Dashboard works in general, and how integrations behave when used in a Multi-Company setup.

What is the Multi-Company Dashboard?

Hyver’s Multi-Company Dashboard is designed for large enterprises with multiple subsidiaries. It gives you:

  • A centralized view of cybersecurity risk across the entire organization

  • Key metrics like exposure, cost of breach, and maturity scores

  • The ability to switch between subsidiaries and view their individual data

  • Parent admins and power users can view aggregated and subsidiary-level risk, while detailed findings remain visible only to members of the specific subsidiary

  • Data that updates in real time

To enable Multi-Company, contact your CYE Technical Account Manager.

How Integrations Work in Multi-Company

Here’s the important part:

  • Integrations are created only at the subsidiary level

  • Findings from an integration appear only in that subsidiary’s dashboards and reports

  • Parent companies cannot create integrations — they can only view the aggregated results

Best Practices for Combining Integrations with Multi-Company

To get the most out of Multi-Company with integrations, we recommend:

  • Each subsidiary should create its own integration, using credentials that only grant access to data relevant to that subsidiary

  • In some cases, it’s useful to also have a dedicated “General” company, which holds findings that apply to the entire enterprise and cannot be tied to a single subsidiary

  • The parent company then combines these insights and metrics from all subsidiaries and the General company — but remember, integrations cannot be connected directly to the parent company.


3. Configuring on the CrowdStrike Side

This integration is straightforward: you create an API key in CrowdStrike, enter its details in Hyver, and the connection is ready. To make sure everything is clear, let’s walk through the process step by step.

Create API and Secret Keys

To allow Hyver to authenticate with CrowdStrike, you’ll need to create an API client ID and secret key.

Note: The client secret is displayed only once during creation (or when reset). Make sure to copy it before leaving the page.

Steps in CrowdStrike

  1. Log in to your CrowdStrike console.

  2. From the menu, go to Support and Resources > API Clients and Keys.

  3. Click Create API Client (top right).

  4. Enter a Client Name and a Description.

  5. Assign the following API scopes:

    • Hosts: Read

    • Vulnerabilities: Read

  6. Click Create to generate the API client.

  7. Copy the following details:

    1. Client ID – After creating an API client (with a name, description, and the required scopes), the Client ID will appear in the table on the right side of the page.

    2. CrowdStrike Falcon Secret – A Secret is generated along with the API client. It is displayed only once at the time of creation, so make sure to copy it immediately. If you miss it, you’ll need to create a new client and copy the new secret when it appears.

    3. CrowdStrike Falcon Base URL – This value is shown at the top left of the API Clients page. Simply copy it from there and paste it into Hyver when setting up the integration.

You’ll need these three details in the next step, Configuring in Hyver.


4. Configuring in Hyver

Now that you’ve created your API credentials in CrowdStrike, the next step is to create and authenticate the integration in Hyver.

Creating the Integration in Hyver

  1. In Hyver, go to Settings > Integrations.

  2. Find the CrowdStrike Falcon tile and click Add Integration.

  3. Enter a Name for the integration (choose something easy to recognize later).

  4. Provide the following details you generated in Step 1:

    • CrowdStrike Falcon Client ID

    • CrowdStrike Falcon Secret

    • CrowdStrike Falcon Base URL

    • Advanced Tip: You can hover over the exclamation mark icons next to two of these fields in Hyver to see a reminder of where to find them in the CrowdStrike interface.

  5. Copy each value into the corresponding field in Hyver.

  6. Click Verify Connection.

If everything is correct, a green confirmation message will appear next to the button. Once verified, click Save.


5. Viewing Results

What Happens Next

  • On saving, Hyver initiates a data synchronization.

  • Findings from CrowdStrike are automatically populated in Hyver.

  • Engagements are created if they don’t already exist.

  • Note: CrowdStrike Falcon is added as a technology asset type in Hyver and is included in maturity calculations.

Viewing CrowdStrike Findings

You can easily locate CrowdStrike findings in Hyver by using the filtering options on the Findings page:

  1. Go to the Findings page.

  2. Open the Filter panel.

  3. Filter by Source and select CrowdStrike.

  4. (Optional) Add additional filters, such as Creation Date, to narrow results.

This allows you to quickly distinguish between findings coming from Hyver directly and those ingested from CrowdStrike.

Collected Endpoints

Collected endpoints are the data points Hyver retrieves from an integrated platform. They represent the information Hyver uses to enrich its risk analysis, display findings, and calculate exposure.

For the CrowdStrike integration, Hyver collects the following endpoints:

  • Applications installed on company endpoints – An inventory of the software running on your organization’s devices.

  • CVEs found in applications installed on company endpoints – A list of known vulnerabilities (Common Vulnerabilities and Exposures) identified in those applications.

In simple terms, these collected endpoints give Hyver visibility into both what software is present across your endpoints and which of those applications contain known security vulnerabilities. This data is then factored into Hyver’s risk calculations, helping you prioritize remediation efforts more effectively.


6. Types of Fetched Entities

CrowdStrike Findings in Hyver

Once the integration is active, Hyver automatically generates findings from CrowdStrike data.

  • Findings are created dynamically based on configuration assessment rules in CrowdStrike.

  • CrowdStrike CVEs (from vulnerability management) are mapped in Hyver as a finding titled:
    Usage of Outdated and Vulnerable Technologies


7. Deleting the Integration

Deleting the Integration

  1. Go to Settings > Integrations.

  2. Find the CrowdStrike Falcon integration and click Delete Integration.

  3. Confirm the deletion.

Important:

  • Once deleted, the connection to CrowdStrike is terminated immediately.

  • No new data will be ingested or processed.

  • All existing data that was previously pulled into Hyver remains available.

Editing the Integration

  1. Go to Settings > Integrations.

  2. Find the CrowdStrike Falcon integration and click Edit Integration.

  3. Update the details as needed.

  4. Click Save to apply your changes.


8. Troubleshooting

If you see an error message, double-check your network connectivity and the credentials from Step 1. Copy them again into Hyver if needed.
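To tell a wrong credential from a missing scope or a blocked connection, the three values can be checked outside Hyver first. The script below is an added example, not Hyver or CrowdStrike code: it requests an OAuth2 token and probes the Hosts and Vulnerabilities read scopes. The API paths and the environment variable names are assumptions that do not appear in this guide.

```python
import json, os, urllib.error, urllib.parse, urllib.request

# Assumption: these read-only Falcon API paths are not on this page; confirm
# them in the CrowdStrike API documentation for your cloud before relying on them.
PROBES = {
    "Hosts: Read": "/devices/queries/devices/v1?limit=1",
    "Vulnerabilities: Read": "/spotlight/queries/vulnerabilities/v1?limit=1&filter="
                             + urllib.parse.quote("status:'open'"),
}

def http(method, url, headers=None, data=None):
    """Default transport: returns (status, JSON body); status 0 means no connection."""
    req = urllib.request.Request(url, data=data, headers=headers or {}, method=method)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:   # server answered with 4xx/5xx
        return err.code, {}
    except urllib.error.URLError:           # DNS, TLS or firewall failure
        return 0, {}

def verdict(status):
    if status == 200:
        return "ok"
    if status == 403:
        return "scope missing on this API client"
    if status == 0:
        return "network error: check Base URL and outbound connectivity"
    return f"unexpected HTTP {status}"

def preflight(base_url, client_id, secret, send=http):
    """Check the three values Hyver asks for; returns {check: verdict}."""
    base = base_url.rstrip("/")
    form = urllib.parse.urlencode({"client_id": client_id, "client_secret": secret}).encode()
    status, body = send("POST", base + "/oauth2/token",
                        {"Content-Type": "application/x-www-form-urlencoded"}, form)
    if status not in (200, 201) or "access_token" not in body:
        if status == 0:
            return {"credentials": verdict(0)}
        return {"credentials": f"rejected (HTTP {status}): re-copy Client ID and Secret"}
    auth = {"Authorization": "Bearer " + body["access_token"]}
    results = {"credentials": "ok"}
    for scope, path in PROBES.items():
        results[scope] = verdict(send("GET", base + path, auth)[0])
    return results

if __name__ == "__main__":
    # Hypothetical variable names; the secret comes from the environment, not argv.
    env = os.environ
    for check, result in preflight(env["FALCON_BASE_URL"], env["FALCON_CLIENT_ID"],
                                   env["FALCON_CLIENT_SECRET"]).items():
        print(f"{check}: {result}")
```

The script only issues read requests, so it can be run with the same API client that Hyver will use.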


9. FAQ

  1. Do I need to take any customer-side actions (like approving permissions in the AWS Console)?
    No. The integration only requires an API token with the appropriate permissions. For some scopes, your organization must also hold the relevant CrowdStrike licenses.

  2. What data is collected, and how?

    Hyver collects the following from CrowdStrike:

    1. Vulnerabilities

    2. Configuration assessments

    3. Host data

  3. How often is data pulled into Hyver?
    Data is refreshed once a day.

  4. When will results appear in Hyver?
    Findings typically appear within 24 hours after the integration is created.

  5. Which CrowdStrike products are supported, and what findings should I expect?
    Hyver connects to specific CrowdStrike scopes. What you see in Hyver depends on the licensed products tied to those scopes (refer to CrowdStrike’s documentation for full details):

    1. Vulnerabilities scope – generates the Usage of Outdated and Vulnerable Technologies finding.

    2. Configuration assessments scope – imports CrowdStrike configuration findings, enriches them with NIST mappings, and connects them to Hyver metrics.

    3. Hosts scope – enriches asset data in Hyver, making host details clearer and easier to interpret.

  6. How does this work for multi-company environments?
    Each client defines a token with the required permissions on their side and provides it to Hyver. Hyver then pulls all available data for that token. Clients can create multiple integrations using different tokens, whether for the same company or across different companies.


Wrap-up

In this guide, we learned how to integrate CrowdStrike Falcon with Hyver, from setting up API credentials to completing the connection in Hyver. We also explored how findings are ingested and viewed, and how to edit or delete the integration when needed.
