Overview
Beyond Identity's Secure Workforce platform now supports integration with CrowdStrike environments where devices are managed across multiple CrowdStrike Customer IDs (CIDs) under a single parent CID structure.
This allows administrators to leverage device posture data from their entire multi-CID CrowdStrike fleet within Beyond Identity access policies.
Prerequisites
- Beyond Identity Secure Workforce platform tenant.
- A CrowdStrike environment configured with a parent CID and one or more child CIDs.
- API credentials associated with the parent CrowdStrike CID, possessing the necessary permissions as outlined in the standard CrowdStrike Integration Guide.
Configuration
Configuring the integration for a multi-CID environment requires using the API credentials associated with your parent CrowdStrike CID.
- Navigate to Integrations > Endpoint Management in the Beyond Identity Admin Console.
- Add or Edit your CrowdStrike Falcon integration.
- When prompted for CrowdStrike API credentials (Base URL, Client ID, Client Secret), enter the credentials generated from your parent CrowdStrike CID.
- Follow the remaining steps as outlined in the main CrowdStrike Integration Guide. No additional configuration specific to multi-CID is needed beyond using the parent CID credentials.
Verification
Once the integration is saved with the parent CID credentials, Beyond Identity will attempt to fetch device data from all associated CIDs.
- Monitor the Beyond Identity Activity Log (under Events).
- Look for a successful data fetch event related to the CrowdStrike integration.
- Within the details of this event, you will find an entity_count field. This number represents the total count of devices successfully ingested from across all parent and child CIDs associated with the provided API credentials. You can optionally cross-reference this entity_count with the total number of hosts reported across your relevant CrowdStrike CIDs to confirm that data ingestion is complete.
Important Limitation: ZTA Score Incompatibility
When configuring a CrowdStrike integration using parent CID credentials to cover multiple CIDs, the Overall ZTA Score policy attribute cannot be used. Policies attempting to evaluate the ZTA score attribute will not function correctly in a multi-CID setup.
All other CrowdStrike policy attributes (e.g., agent presence, OS version, specific security settings) remain functional and can be used in your access policies for devices across all integrated CIDs. Ensure your policies rely on these other available attributes if operating in a multi-CID environment.