The CrowdStrike Falcon integration syncs your managed device inventory, open detections, and prevention policy configuration. Use it to maintain a complete device inventory, track endpoint security posture, and generate compliance evidence for Axiom Codex.

What you’ll need

  • CrowdStrike Falcon console access with permission to create API clients.
  • Two minutes.

Set it up

1. Create an API client in CrowdStrike

In the Falcon console, go to Support and resources → API clients and keys and click Create API client.
  • Name: Axiom Layer
  • Scopes: enable Read for Hosts, Detections, and Prevention Policies
Copy the Client ID and Client Secret. The secret is only shown once.
2. Paste credentials into Layer

In Layer, go to Integrations, find CrowdStrike, and click Connect. Paste the Client ID and Client Secret, then click Connect.
If your CrowdStrike tenant uses a non-default regional API endpoint (for example https://api.us-2.crowdstrike.com), enter it in the Base URL field. Leave it blank for the default US-1 endpoint.
3. Wait for the first sync

The initial sync runs immediately. Fleets under 5,000 devices typically finish in under 10 minutes.

What gets synced

| Object | Fields | Refresh cadence |
| --- | --- | --- |
| Devices | hostname, device ID, platform (Windows/macOS/Linux), OS version, serial number, last seen, status | Daily |
| Detections | detection ID, status (new/in-progress/resolved) | Daily |
| Prevention policies | policy ID, policy count | Daily |

Compliance evidence

CrowdStrike data generates evidence records for the following SOC 2 controls:
| Evidence | Controls |
| --- | --- |
| Device inventory with OS and status breakdown | CC6.1, CC6.7 |
| Open detections count | CC7.2, CC7.3 |
| Prevention policy inventory | CC6.1, CC6.7 |
See the SOC 2 evidence catalog for full control descriptions.

Troubleshooting

Double-check that you copied the Client ID and Client Secret correctly. If the secret was rotated or the API client was disabled, create a new one in the Falcon console.
Verify the API client has the Hosts → Read scope enabled. Also confirm your CrowdStrike tenant has devices enrolled — a newly created tenant with no sensor deployments will return an empty inventory.
Enter your regional API base URL when connecting (for example https://api.eu-1.crowdstrike.com for EU). If you connected without specifying a base URL, disconnect and reconnect with the correct endpoint.
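
The three checks above can be run against the Falcon API directly before connecting the client in Layer. The script below is an added example, not Axiom's or CrowdStrike's own code: it requests a token from the Falcon OAuth2 endpoint (`/oauth2/token`) and issues one host query (`/devices/queries/devices/v1`), and the `preflight` function name and its messages are hypothetical.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

DEFAULT_BASE_URL = "https://api.crowdstrike.com"  # US-1, used when Base URL is blank

def _http(method, url, headers, body=None):
    """Default transport: returns (status, parsed JSON body or {})."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, {}

def preflight(client_id, client_secret, base_url="", http=_http):
    """Return a one-line diagnosis for a Falcon API client (hypothetical helper)."""
    base = (base_url or DEFAULT_BASE_URL).rstrip("/")
    if not base.startswith("https://"):
        return "base URL must be https:// so the secret is not sent in clear text"
    form = urllib.parse.urlencode(
        {"client_id": client_id, "client_secret": client_secret}).encode()
    status, data = http("POST", base + "/oauth2/token",
                        {"Content-Type": "application/x-www-form-urlencoded"}, form)
    token = data.get("access_token")
    if status not in (200, 201) or not token:
        return f"token request failed ({status}): check ID, secret and regional base URL"
    # One host ID is enough to prove the Hosts: Read scope and read the total count.
    status, data = http("GET", base + "/devices/queries/devices/v1?limit=1",
                        {"Authorization": "Bearer " + token})
    if status == 403:
        return "Hosts: Read scope is missing on this API client"
    if status != 200:
        return f"host query failed ({status})"
    total = data.get("meta", {}).get("pagination", {}).get("total", 0)
    if total == 0:
        return "credentials and scope OK, but no devices are enrolled"
    return f"OK: {total} devices visible"

if __name__ == "__main__":
    import getpass  # prompt for the secret so it stays out of shell history
    print(preflight(input("Client ID: "), getpass.getpass("Client Secret: "),
                    input("Base URL (blank for US-1): ").strip()))
```
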