Skip to main content
The CrowdStrike Falcon integration syncs your managed device inventory, open detections, and prevention policy configuration. Use it to maintain a complete device inventory, track endpoint security posture, and generate compliance evidence for Axiom Codex.

What you’ll need

  • CrowdStrike Falcon console access with permission to create API clients.
  • Two minutes.

Set it up

1

Create an API client in CrowdStrike

In the Falcon console, go to Support and resources → API clients and keys and click Create API client.
  • Name: Axiom Layer
  • Scopes: enable Read for Hosts, Detections, and Prevention Policies
Copy the Client ID and Client Secret. The secret is only shown once.
2

Paste credentials into Layer

In Layer, go to Integrations, find CrowdStrike, and click Connect. Paste the Client ID and Client Secret, then click Connect.
If your CrowdStrike tenant uses a non-default regional API endpoint (for example https://api.us-2.crowdstrike.com), enter it in the Base URL field. Leave it blank for the default US-1 endpoint.
3

Wait for the first sync

The initial sync runs immediately. Fleets under 5,000 devices typically finish in under 10 minutes.

What gets synced

Compliance evidence

CrowdStrike data generates evidence records for the following SOC 2 controls: See the SOC 2 evidence catalog for full control descriptions.

Troubleshooting

Double-check that you copied the Client ID and Client Secret correctly. If the secret was rotated or the API client was disabled, create a new one in the Falcon console.
Verify the API client has the Hosts → Read scope enabled. Also confirm your CrowdStrike tenant has devices enrolled — a newly created tenant with no sensor deployments will return an empty inventory.
Enter your regional API base URL when connecting (for example https://api.eu-1.crowdstrike.com for EU). If you connected without specifying a base URL, disconnect and reconnect with the correct endpoint.