Integrating your Software Asset Management application with CrowdStrike enables you to view information about active CrowdStrike host sensors and check license compliance.

Important: Minimize security risks and protect information by granting access only to the necessary user or API permissions.
Table 1. Minimal user permissions
Process | Required user role in the CrowdStrike application | Authentication scopes
Download consumption | Falcon administrator | Sensor usage scope with read permissions

This process applies to Yokohama Patch 1, Software Asset Management - SaaS License Management (sn_sam_saas_int) 15.0.8, and Software Asset Management (sn_itam_samp) 2.1.0 and later versions. If you are on any Yokohama version below Patch 1, refer to KB1801232.

Register a CrowdStrike OAuth application

Register the CrowdStrike OAuth application to access the CrowdStrike API and to receive a Client ID and Client secret.

Before you begin

The CrowdStrike Integration Hub spoke must be active. For more information, see CrowdStrike spoke.

CrowdStrike Role required: Falcon administrator

Important:
  • To use the Sensor Usage APIs, your API client must be assigned the Sensor usage scope with Read permissions.
  • Contact your account team to enable the following feature flags:
    • Hourly usage data feature flag: This flag must be enabled for your Customer Identification (CID) to view hourly usage data.
    • Aggregated usage data feature flag: This flag must be enabled to get aggregated usage data in multi-CID (non-Flight Control) accounts.

Procedure

  1. Log in to Falcon using your admin credentials.
  2. Navigate to Support > API Clients and Keys.
  3. Select Add new API Client.
  4. Provide the client name and description.
  5. Select the Read check box for the Sensor usage scope.
  6. Select ADD.
    The API client created screen is displayed.
  7. Copy the Client ID and Client secret for later use.

Create a CrowdStrike integration profile

Create a CrowdStrike integration profile to track software subscriptions and optimize licensing for your CrowdStrike applications.

Before you begin

The Software Asset Management - SaaS License Management plugin (sn_sam_saas_int) must be installed from the ServiceNow Store.

ServiceNow Role required: admin or sam_integrator

Important: You must select the CrowdStrike Spoke check box for this integration while installing optional features on the Application Manager page. For more information about choosing the required SaaS applications, see Request SaaS License Management.

About this task

If you’re using Software Asset Workspace, the option to create the CrowdStrike integration profile in Core UI is inactive.

Note: When upgrading to Yokohama patch 1 with Software Asset Management - SaaS License Management (sn_sam_saas_int) 15.0.8 and Software Asset Management (sn_itam_samp) 2.1.0 store applications installed, you must delete the entitlements for the existing CrowdStrike integration profiles. Then, create entitlements for various CrowdStrike products, such as Falcon Endpoint Protection and Falcon Discover, based on their license metrics. These metrics include Reserved Hourly Average Sensor and Sensor Subscription, which are found under the CrowdStrike license metric group.
  • If any existing CrowdStrike profiles are in the Draft state, create new integration profiles and delete the existing ones.
  • If any existing CrowdStrike profiles are in the Published state, their state changes to Draft.

If you are on any Yokohama version below Patch 1, refer to KB1801232.

Procedure

  1. Navigate to the integration profile.
    Interface | Action
    Core UI
    1. Navigate to All > Software Asset > SaaS License > Direct Integration Profiles.
    2. Select New.
    3. Select CrowdStrike Integration Profile.
    Software Asset Workspace
    1. Navigate to License operations > User Subscriptions > Direct integration profiles.
    2. Select New.
    3. Select CrowdStrike from the drop-down list.
    4. Select Continue.
  2. On the form, fill in the fields.
    Table 2. Integration profile form
    Field | Value
    Display name | Name of the integration profile. For example, CrowdStrike integration.
    Status | Status of the integration profile.
    • If you have not published the integration profile, this field is automatically set to Draft.
    • If you have already published the integration profile, this field is automatically set to Published.
    Profile type | Type of integration profile. This field is automatically set to CrowdStrike Subscription.
  3. Review the required user roles or API permissions specified in the Vendor configuration field for the process to minimize security risks and optimize SaaS licenses.
    Note: The Download consumptions check box is selected by default and you can't clear it. Verify that the Subflow field is set to CrowdStrike Download Weekly and Hourly Sensor Usage.

    For more information about the required roles and scopes, see Minimal user permissions table.

  4. Select Save.
    A draft integration profile is created.

    The Connection & Credential field appears and is automatically set to sn_crowdstrk_spoke.CrowdStrike.

  5. Open the connection & credential aliases record by selecting the preview icon next to the Connection & Credential field and then selecting Open Record in the record preview.
  6. On the Connection & Credential Aliases form, select the Create New Connection & Credential related link.
  7. In the Create Connection and Credential dialog box, fill in the fields.
    Table 3. Create Connection and Credential dialog box
    Field | Value
    Connection Information
    Connection Name | Name of the CrowdStrike connection. This field populates automatically.
    Connection URL | URL for the connection. This field is automatically set to https://api.crowdstrike.com.
    Each CrowdStrike cloud has a different base URL. Use the base URL that corresponds to the cloud where your integration is hosted.
    • US-1: https://api.crowdstrike.com
    • US-2: https://api.us-2.crowdstrike.com
    • EU-1: https://api.eu-1.crowdstrike.com
    • US-GOV-1: https://api.laggar.gcw.crowdstrike.com
    • US-GOV-2: https://api.us-gov-2.crowdstrike.mil
    Credential Information
    OAuth Client ID | Client ID that you generated while configuring the CrowdStrike API settings.
    OAuth Client Secret | Client Secret that you generated while configuring the CrowdStrike API settings.
    OAuth Redirect URL | https://<instance name>/oauth_redirect.do, where the instance name is the name of your ServiceNow instance.
  8. Select Create and Get OAuth Token.
    Note: For the role required to perform this step, refer to the Minimal user permissions table.
    The OAuth token is generated successfully.
  9. On the Integration Profile form, proceed with the Workload product mapping by selecting the CrowdStrike Product Workload Mappings tab.

    Workload mapping is essential for accurately associating specific products with the types of workloads they manage (for example, servers, desktops, containers). This is because CrowdStrike provides data on workloads and not direct product-to-machine connections. With workload mapping, you can correctly count license usage and ensure compliance. The system adds up the relevant workloads for each product based on this mapping, preventing over- or under-counting. This new approach replaces previous methods and aligns with how CrowdStrike now tracks usage, making it easier to manage compliance.

    1. On the CrowdStrike Product Workload Mappings page, select New.
      Note: The software entitlements and software models must be created before proceeding to the next step.
    2. On the form, fill in the fields.
      Table 4. CrowdStrike Product Workload Mapping form
      Field | Description
      Integration profile | This field is automatically set to the integration profile for which the workload mapping is being created.
      Workload | Endpoints are physical or virtual devices, such as a computer, server, laptop, desktop computer, mobile, cellular, container, pod, or virtual machine image.

      Endpoints are sometimes referred to as workloads.

      For example,
      • containers
      • public_cloud_with_containers
      • servers_without_containers
      • chrome_os
      Software model | Profile of the software, which includes publisher, version, and discovery map.
      License metric | License metric for the selected software model.
      • Reserved Hourly Average Sensor: This metric counts the number of unique active endpoints per clock-hour and averages them over a rolling 28-day period. The count of Reserved Hourly Average Sensor Licenses resets at the start of each clock-hour.
      • Sensor Subscription: This metric calculates license usage by averaging endpoint counts over four consecutive weeks. Weekly endpoint counts are based on the total number of endpoints consumed in the previous seven days.
    3. Select Save.
  10. On the integration profile form, select Validate Connection to verify the connection and credential details of this integration.
    You can also validate connections before creating CrowdStrike product workload mappings.
    Important: You must provide the Workload product mapping before publishing the profile.
  11. After the connection is verified and the workload product mapping is provided, select Publish.
  12. In the Publish Confirmation dialog box, select OK.

Result

This integration pulls or creates usage records in the CrowdStrike Product Usage [samp_crowdstrike_product_usage] table and CAL records in the Client Access [samp_sw_client_access] table.

What to do next

If you want to set up multiple integration profiles with unique connections, create child aliases to manage different configurations and settings for each integration profile. For more information, see Create a child alias to set up multiple integration profiles.

Reconciliation also runs on your subscriptions as a scheduled job or on-demand. You can view your reconciliation results in the License Workbench (Software Asset Management classic application) or the License usage view (Software Asset Workspace). Use these results to determine your license compliance position and to remediate any non-compliance.
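
The following added example (not ServiceNow or CrowdStrike code) works through the workload mapping and the two license metrics described in the procedure: workload counts are summed per mapped product for each period, then averaged over the rolling window (28 days of clock-hours, or four weeks). The product assigned to each workload, the entitlement numbers, the sample rows, and the choice to average only over periods that have data are assumptions.

```python
from collections import defaultdict
from statistics import mean

# Workload names are the page's examples; the product each one maps to is
# an assumption made for this illustration.
WORKLOAD_TO_PRODUCT = {
    "containers": "Falcon Endpoint Protection",
    "public_cloud_with_containers": "Falcon Endpoint Protection",
    "servers_without_containers": "Falcon Endpoint Protection",
    "chrome_os": "Falcon Discover",
}

def average_usage(rows, mapping, periods):
    """Average per-period endpoint totals per product over the latest window.

    rows: (period_index, workload, endpoint_count). Use periods=28*24 with
    clock-hour rows (Reserved Hourly Average Sensor) or periods=4 with weekly
    rows (Sensor Subscription). Returns (averages, unmapped_workloads).
    """
    totals = defaultdict(lambda: defaultdict(int))  # product -> period -> sum
    unmapped = set()
    latest = max(period for period, _, _ in rows)
    for period, workload, count in rows:
        if period <= latest - periods:
            continue  # older than the rolling window
        product = mapping.get(workload)
        if product is None:
            unmapped.add(workload)  # no mapping: this usage would go uncounted
            continue
        totals[product][period] += count
    # Assumption: the average is taken over periods that have data.
    return {p: mean(per.values()) for p, per in totals.items()}, unmapped

def compliance(averages, entitlements):
    """Compare averaged usage with the entitled rights for each product."""
    return {p: "compliant" if averages.get(p, 0) <= rights else "over-consumed"
            for p, rights in entitlements.items()}

# Constructed weekly counts; week 0 falls outside the four-week window.
WEEKLY = [
    (0, "containers", 900),
    (1, "containers", 40), (1, "servers_without_containers", 60), (1, "chrome_os", 10),
    (2, "containers", 50), (2, "servers_without_containers", 70), (2, "chrome_os", 10),
    (3, "containers", 60), (3, "servers_without_containers", 60), (3, "chrome_os", 12),
    (4, "containers", 70), (4, "servers_without_containers", 70), (4, "chrome_os", 12),
    (4, "mobile", 5),  # workload with no mapping row
]

if __name__ == "__main__":
    avg, missing = average_usage(WEEKLY, WORKLOAD_TO_PRODUCT, periods=4)
    print(avg, missing, compliance(avg, {"Falcon Endpoint Protection": 110}))
```

A non-empty set of unmapped workloads means some reported usage is not attributed to any product, which is the under-counting case the mapping step is meant to prevent.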