--- title: "CrowdStrike Falcon Spotlight" slug: "crowdstrike" tags: ["connectors", "crowdstrike", "connector setup"] updated: 2025-06-24T17:26:35Z published: 2025-06-24T17:26:35Z canonical: "help.nucleussec.com/crowdstrike" --- > ## Documentation Index > Fetch the complete documentation index at: https://help.nucleussec.com/llms.txt > Use this file to discover all available pages before exploring further. # CrowdStrike Falcon Spotlight ## Overview Nucleus enables you to sync your CrowdStrike Falcon Spotlight endpoint monitoring data directly from CrowdStrike into the Nucleus console using an automated connector. The connector uses the APIs provided by CrowdStrike to seamlessly sync data into your Nucleus project for use in analysis, triage, automation, and reporting. ## Connector Setup ### Connector Setup Checklist Follow the steps in this checklist to successfully set up this connector: 1. **API Access** Create a service account with appropriate permissions in CrowdStrike. 2. **Connector Configuration** Create and configure the connector in your Nucleus project. 3. **Vulnerability Scan Data Ingestion** Create one or more vulnerability scan ingest rules to ingest vulnerabilities from CrowdStrike. ### 1. API Access 1. Navigate to your CrowdStrike Central Console. 2. Under the **Manage**section, click **Authentication**. 3. Click the **Add User**button and create a new user account with the **Administrator**role, access to **All Projects**, and `read` access to the `hosts`, `host-groups` and `vulnerabilities` endpoints. Required CrowdStrike Permissions The **Administrator** role is required to view, create, or modify API clients or keys. Read access to the `hosts`, `host-groups` and `vulnerabilities` endpoints is required for the connector to pull data correctly. Learn more about CrowdStrike [API access](https://www.crowdstrike.com/blog/tech-center/get-access-falcon-apis/) . ### 2. Connector Configuration 1. Open Nucleus and go to **Integration Hub > Connector Setup.** 2. Under the **Scanners** section, click the **CrowdStrike**icon. 3. In the **Setup CrowdStrike Connector**popup, enter the following information: | Field | Description | | --- | --- | | Name | (Optional) Enter a name for your connector. If left blank, this will default to CrowdStrike. | | Description | (Optional) Enter a description for your connector. | | CrowdStrike URL | Enter the URL to your CrowdStrike console. | | Client ID | Enter the client id associated with your CrowdStrike API client. | | Client Secret | Enter the client secret associated with your CrowdStrike API client. | | Member CID | (Optional) Enter a member CID to restrict data ingestion to that member’s data. This setting will mostly only be used by MSSPs activating the connector on behalf of their customers. | 1. Click **Connect to CrowdStrike.** 2. If you checked Enable CrowdStrike Projects, select the projects that you want to ingest scans from. 3. Click **Save & Finish**. ### 3. Vulnerability Scan Data Ingestion 1. Go to **Integration Hub > Import via Connector**. 2. Select the CrowdStrike connector you just created. 3. Select the method of import: All, or by Host Group 4. If you are importing by Host Group, select the groups to import. 5. Select a schedule to import scans into the project. 6. Click **Save & Finish**. ### What products are supported from CrowdStrike? The Nucleus CrowdStrike connector currently supports ingestion from CrowdStrike's Spotlight service. ## Connector Behavior ### Ingest methods The Crowdstrike connector allows you to select from two options for choosing what data to ingest - All - The All method will ingest all hosts in all host groups from your Crowdstrike CID. - Host Group - The Host Group method will enable users to select the Host Groups they want to ingest into Nucleus ### Asset-sync mode > [!NOTE] > Limited Availability Product > > Asset-sync mode is a Limited Availability product. Contact your account representative or Nucleus support to enable. When in asset-sync mode, the Crowdstrike connector will download and update asset information only. This mode is activated by Nucleus upon customer request — all configuration and ingest method options are the same for the customer. ### Finding Evaluation Logic Customers map opt-in to ingesting evaluation logic from Crowdstrike into the finding output field in Nucleus. Please contact support or your Nucleus customer success manager if you would like this enabled. > [!WARNING] > Performance Note > > The evaluation logic provided by Crowdstrike is large relative to the other finding related information. The inclusion of this data may impact download and ingestion times depending on the size of your environment. ### Finding Reference Links Findings from Crowdstrike include CVE Reference URL’s and Vendor Advisory links. These are capped at 20 each per finding. If a finding contains more than 20, please refer to the threat intelligence tab for more information on the identified CVE. ### Other questions If you have any questions, please contact us through [the support center](https://nucleussec.atlassian.net/servicedesk/customer/portal/3).