CrowdStrike Falcon Identity Protection Plugin for User Risk Exchange


This document explains how to configure the CrowdStrike Falcon Identity Protection (URE) integration with the User Risk Exchange module of the Netskope Cloud Exchange platform. The integration collects user email addresses and their risk scores from CrowdStrike's Identity Protection platform and brings them into Netskope.


To complete this configuration, you need:

API Details

This plugin was developed with the falconpy (1.2.11) SDK. Refer to the approach mentioned in this document for more details.

We’ve used the api_preempt_proxy_post_graphql method of the falconpy SDK, which internally uses the /identity-protection/combined/graphql/v1 API.

API swagger link:

Fetched record types: Users
Actions: No Actions

Required API scope:
  Identity Protection GraphQL: Yes

Ingestion performance:
  Data (records)    Time taken to store
  11002             1 minute 16 seconds
  50000             5 minutes 39 seconds


  1. Create your CrowdStrike API credentials.
  2. Configure the CrowdStrike Plugin for User Risk Exchange.
  3. Configure Business Rules for the CrowdStrike plugin.
  4. Configure Actions for the CrowdStrike plugin.
  5. Validate the CrowdStrike plugin.



Create CrowdStrike API Credentials

  1. Log in to your CrowdStrike platform. Go to the Menu Icon > Support and then Resources > API Clients and Keys.
  2. Click Add New API Client.
  3. Add the following scope while adding the API Client:
     Identity Protection GraphQL: Yes
  4. Copy the Base URL, Client ID, and Client Secret.
  5. Save your changes.

Configure the CrowdStrike Falcon Identity Protection Plugin

  1. In Cloud Exchange, go to Settings > Plugins. Search for and click the CrowdStrike Falcon Identity Protection (URE) plugin box.
  2. Enter a Configuration Name and a Sync Interval, and enable Use System Proxy if needed.
  3. Click Next and enter the Base URL, Client ID, Client Secret, and an Initial Range.
  4. Click Next and set the score range on the Select Range page (we recommend keeping the default).
  5. Your plugin configuration then appears under User Risk Exchange > Plugins.

Configure a User Risk Exchange Business Rule for CrowdStrike Falcon Identity Protection

  1. Go to User Risk Exchange > Business Rule.
  2. Click Create New Rule.
  3. Enter the Rule Name and configure the query based on your requirements. The example below matches all users fetched by the CrowdStrike Identity Protection configuration.
  4. Click Save.

Configure Actions for CrowdStrike Falcon Identity Protection

The User Risk Exchange CrowdStrike plugin supports the following action type:

No Action: This action does not perform any action on the host, but it can generate alerts in Ticket Orchestrator (CTO) if Generate Alert is enabled.

To configure this action:

  1. Go to User Risk Exchange > Actions.
  2. Click Add Action Configuration.
  3. Select a Business Rule and a plugin configuration, and leave the default action.
  4. To generate alerts in the Ticket Orchestrator module, enable Generate Alert. Similarly, enable Perform Action during Maintenance Window if you want this action to run during the Maintenance Window.
  5. Click Save.

Validate the CrowdStrike Falcon Identity Protection Plugin

Validate in Cloud Exchange

  1. Go to User Risk Exchange > Users.
  2. You'll see users similar to those shown below.




The user score you see here will differ from the score shown in the CrowdStrike Identity Protection platform, because the plugin converts it to the Netskope scale.

Formula to Convert CrowdStrike's Identity Protection Risk Score to Netskope Cloud Exchange Risk Score

Netskope Risk Score scale: 0 – 1000 (0 = maximum risk, 1000 = minimum risk)

CrowdStrike Risk Score scale: 0 – 1 (0 = minimum risk, 1 = maximum risk)

Formula: |(1 – CrowdStrike Identity Protection Risk Score)| * 1000

Validate in CrowdStrike Identity

  1. Log in to the CrowdStrike Falcon platform.
  2. Go to Identity Protection > Users.
  3. Here you'll see the users, as shown in the screenshot below.

Known Behaviors

  • If the API response has no value in the emailAddresses field, the record will not be ingested.

  • If the API response has multiple email addresses in the emailAddresses field, only the first value in emailAddresses will be pulled into CE.

  • The plugin will pull only the unarchived users from the CrowdStrike Identity Protection platform.
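The following is an added example, not code from the plugin or from Netskope, showing the score conversion formula above together with the three known ingestion behaviors applied to a constructed batch of user entities. Only the emailAddresses field name comes from this page; the archived and riskScore keys are assumed stand-ins for whatever the real GraphQL response returns.

```python
from typing import Any

def to_netskope_score(cs_score: float) -> int:
    """Map a CrowdStrike Identity Protection risk score (0..1, 1 = maximum risk)
    onto the Netskope URE scale (0..1000, 0 = maximum risk) using |1 - score| * 1000."""
    # Clamp first so a malformed or out-of-range score can never land outside 0..1000.
    clamped = min(max(float(cs_score), 0.0), 1.0)
    return round(abs(1.0 - clamped) * 1000)

def normalize_users(entities: list[dict[str, Any]]) -> list[tuple[str, int]]:
    """Apply the documented ingestion rules to a list of user entities:
    archived users are dropped, records with an empty emailAddresses list are
    dropped, only the first email address is kept, and the score is converted."""
    ingested: list[tuple[str, int]] = []
    for entity in entities:
        if entity.get("archived"):          # only unarchived users are pulled
            continue
        emails = entity.get("emailAddresses") or []
        if not emails:                      # no email -> record is not ingested
            continue
        ingested.append((emails[0], to_netskope_score(entity.get("riskScore", 0.0))))
    return ingested

# Constructed sample input. Only the emailAddresses field name comes from the page;
# "archived" and "riskScore" are assumed names standing in for the real GraphQL fields.
SAMPLE_ENTITIES = [
    {"emailAddresses": ["alice@example.com"], "riskScore": 0.85, "archived": False},
    {"emailAddresses": ["bob@example.com", "bob.alt@example.com"], "riskScore": 0.1, "archived": False},
    {"emailAddresses": [], "riskScore": 0.95, "archived": False},                 # skipped: no email
    {"emailAddresses": ["old@example.com"], "riskScore": 0.5, "archived": True},  # skipped: archived
]

if __name__ == "__main__":
    for email, score in normalize_users(SAMPLE_ENTITIES):
        print(f"{email}: Netskope score {score}")
```

Running it yields alice at 150 (high risk on the Netskope scale) and bob at 900, while the entity without an email and the archived entity are dropped.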
