Device Inventory
Retrieves detailed asset data on devices managed by CrowdStrike Falcon Spotlight for asset visibility and vulnerability mapping.
Sync Type: Full Synchronisation
Requirements
- Before you connect Monad to CrowdStrike, you need a Client ID and Client Secret. Log in to your CrowdStrike portal, and under Support & Resources, click on 'API Client and Keys' to create your credentials.
- Enter a Client Name, Description and API Scopes to define the API client. Ensure read roles for Hosts are enabled.
- Click Done.
- Copy the ClientID and ClientSecret key. You'll need them when you set up the Monad connector.
Details
Monad uses the cron field to run on specific intervals and returns all device details, performing a full sync of data each time.
Configuration
The following configuration defines the input parameters. Each field's specifications, such as type, requirements, and descriptions, are detailed below.
Settings
| Setting | Type | Required | Description |
|---|---|---|---|
| Cron | string | Yes | Cron string for scheduling tasks. Ex: '0 0 * * *' for daily execution at midnight. |
| Cloud Type | string | No | Your cloud type for CrowdStrike. Ex: 'autodiscover', 'us-1', 'us-2', 'eu-1', 'us-gov-1'. |
Secrets
| Secret | Type | Required | Description |
|---|---|---|---|
| Client ID | string | Yes | Client ID for the CrowdStrike API. This is required to authenticate requests. |
| Client Secret | string | Yes | Client Secret for the CrowdStrike API. This is required to authenticate requests. |
OCSF Conversion
The following JQ transformation converts CrowdStrike Device Details data to OCSF Version 1.1.0 compliant format.
JQ Transformation
```jq
{
  "metadata": {
    "product": {
      "name": .platform_name,
      "version": .agent_version,
      "feature": {
        "name": "Host Information"
      }
    },
    # OCSF schema version targeted by this mapping
    "version": "1.1.0"
  },
  "device": {
    "hostname": .hostname,
    "ip": [.local_ip, .connection_ip, .external_ip],
    "mac": [.mac_address, .connection_mac_address],
    "uid": .device_id,
    "serial_number": .serial_number,
    "domain": .machine_domain,
    "product": {
      "name": .system_product_name,
      "type": .product_type,
      "type_id": .product_type_desc,
      "vendor_name": .system_manufacturer
    },
    "tags": .tags,
    "group": {
      "name": .groups,
      "uid": .group_hash
    }
  },
  "host": {
    "os": {
      "name": .os_product_name,
      "version": .os_version,
      "build": .os_build,
      "kernel_version": .kernel_version,
      # Default to "" so startswith does not error when os_product_name is null
      "type": (if (.os_product_name // "") | startswith("Windows") then "windows"
               elif .kernel_version != null then "linux"
               else "unknown" end)
    },
    "users": [
      {
        "name": .last_login_user,
        "uid": .last_login_uid,
        "domain_uid": .last_login_user_sid,
        "email_addr": .email
      }
    ],
    "hw": {
      "cpu": { "vendor": .cpu_vendor, "signature": .cpu_signature },
      "bios": { "vendor": .bios_manufacturer, "version": .bios_version },
      "chassis": { "type": .chassis_type, "desc": .chassis_type_desc }
    }
  },
  "cloud": {
    "provider": .service_provider,
    "account": { "uid": .service_provider_account_id },
    "instance": { "uid": .instance_id }
  },
  "container": {
    "pod": {
      "name": .pod_name,
      "uid": .pod_id,
      "namespace": .pod_namespace,
      "ip": [.pod_ip4, .pod_ip6],
      "host": {
        "hostname": .pod_hostname,
        "ip": [.pod_host_ip4, .pod_host_ip6]
      },
      "labels": .pod_labels,
      "annotations": .pod_annotations,
      "service_account": { "name": .pod_service_account_name }
    },
    "k8s": {
      "cluster": {
        "uid": .k8s_cluster_id,
        "version": .k8s_cluster_version,
        "git_version": .k8s_cluster_git_version
      }
    }
  },
  "state": {
    "status": .status,
    "first_seen_time": .first_seen,
    "last_seen_time": .last_seen,
    "last_reboot_time": .last_reboot,
    "first_login_time": .first_login_timestamp,
    "last_login_time": .last_login_timestamp,
    "modified_time": .modified_timestamp
  },
  "agent": {
    "version": .agent_version,
    "local_time": .agent_local_time,
    "load_flags": .agent_load_flags,
    "config": {
      "base": .config_id_base,
      "build": .config_id_build,
      "platform": .config_id_platform
    }
  },
  "network": {
    "default_gateway": {
      "ip": .default_gateway_ip
    }
  },
  "policy": {
    # A missing policies array yields an empty list instead of an error
    "names": (.policies // []) | map(.policy_name)
  },
  "meta": .meta,
  "org": {
    "timezone_offset": .host_utc_offset,
    "ou": .ou,
    "site_name": .site_name,
    "zone_group": .zone_group
  },
  "flags": {
    "internet_exposure": .internet_exposure,
    "deployment_type": .deployment_type,
    "detection_suppression_status": .detection_suppression_status,
    "host_hidden_status": .host_hidden_status,
    "provision_status": .provision_status,
    "reduced_functionality_mode": .reduced_functionality_mode,
    "linux_sensor_mode": .linux_sensor_mode
  }
}
```
OCSF Mapping Details
The JQ transformation converts CrowdStrike Device Details to OCSF Version 1.1.0 with the following key mappings:
Device Information
- Type ID: Maps directly from product_type_desc
- Hostname: Maps from hostname
- Name: Maps from hostname
- UID: Maps from device_id
- IP: Maps from an array of [local_ip, connection_ip, external_ip]
- MAC: Maps from an array of [mac_address, connection_mac_address]
- Is Managed: Derived from provision_status
- Serial Number: Maps from serial_number
- Domain: Maps from machine_domain
- Product:
  - Name: Maps from system_product_name
  - Type: Maps from product_type
  - Type_id: Maps from product_type_desc
  - Vendor_name: Maps from system_manufacturer
- Tags: Maps from tags
- Group:
  - Name: Maps from groups
  - UID: Maps from group_hash
Host Information
OS:
- Name: Maps from os_product_name
- Version: Maps from os_version
- Build: Maps from os_build
- Kernel_version: Maps from kernel_version
- Type: Derived from os_product_name (windows/linux/unknown)
Users: Array containing user information:
- Name: Maps from last_login_user
- UID: Maps from last_login_uid
- Domain_uid: Maps from last_login_user_sid
- Email_addr: Maps from email
HW:
- CPU: Vendor and signature mapped from cpu_vendor and cpu_signature
- BIOS: Vendor and version mapped from bios_manufacturer and bios_version
- Chassis: Type and description mapped from chassis_type and chassis_type_desc
Cloud Information
Provider: Maps from service_provider
Account: UID maps from service_provider_account_id
Instance: UID maps from instance_id
Operating System Information
Name: Concatenated from platform_name and os_version
Type ID: Mapped from platform_name:
- Mac → 300
- Windows → 100
- Linux → 200
- Others → 0
Version: Maps from os_version
Build: Maps from os_build
CPE Name: Generated for Mac systems
Container Information
Pod:
- Name: Maps from pod_name
- UID: Maps from pod_id
- Namespace: Maps from pod_namespace
- IP: Maps from an array of [pod_ip4, pod_ip6]
- Host:
  - Hostname: Maps from pod_hostname
  - IP: Maps from an array of [pod_host_ip4, pod_host_ip6]
- Labels: Maps from pod_labels
- Annotations: Maps from pod_annotations
- Service Account Name: Maps from pod_service_account_name
K8s:
- Cluster:
  - UID: Maps from k8s_cluster_id
  - Version: Maps from k8s_cluster_version
  - Git_version: Maps from k8s_cluster_git_version
State Information
Status: Maps from status
First_seen_time: Maps from first_seen
Last_seen_time: Maps from last_seen
Last_reboot_time: Maps from last_reboot
First_login_time: Maps from first_login_timestamp
Last_login_time: Maps from last_login_timestamp
Modified_time: Maps from modified_timestamp
Agent Information
Version: Maps from agent_version
Local_time: Maps from agent_local_time
Load_flags: Maps from agent_load_flags
Config:
- Base: Maps from config_id_base
- Build: Maps from config_id_build
- Platform: Maps from config_id_platform
Network Information
Default_gateway: IP maps from default_gateway_ip
Policy Information
Names: Maps policy names from policies array
Additional Information
Meta: Maps from meta
Org:
- Timezone_offset: Maps from host_utc_offset
- OU: Maps from ou
- Site_name: Maps from site_name
- Zone_group: Maps from zone_group
Flags:
- Various flags mapped directly from corresponding fields
Metadata
- Version: Set to "1.1.0"
Product:
- Name: Maps from platform_name
- Version: Maps from agent_version
- Feature:
  - Name: "Host Information"
Unmapped Fields
Additional fields not part of the OCSF schema are preserved in the unmapped object for reference and potential future use.
Customization
The transformation serves as a starting point and can be modified to accommodate specific requirements while maintaining OCSF compliance. The mapping prioritizes essential device information and platform detection while providing appropriate handling for optional fields.
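One way to handle optional fields when customizing the transformation, shown as an added example (not Monad's or CrowdStrike's code): the filter below drops the `null` entries that array mappings such as `[.local_ip, .connection_ip, .external_ip]` produce when a field is absent, and guards `startswith` against a missing `os_product_name`. The helper names `prune` and `os_type` and the input record are constructed for illustration.

```jq
# Added example: recursively drop nulls, empty arrays and empty objects.
def prune:
  if type == "object" then
    with_entries(.value |= prune)
    | with_entries(select(.value | . != null and . != [] and . != {}))
  elif type == "array" then
    map(prune) | map(select(. != null and . != [] and . != {}))
  else .
  end;

# Null-safe OS type with the same three outcomes as the page's "type" expression.
def os_type:
  if ((.os_product_name // "") | startswith("Windows")) then "windows"
  elif .kernel_version != null then "linux"
  else "unknown"
  end;

# Constructed input: a Linux host with no os_product_name, one IP, one MAC
# and no Kubernetes pod data.
{
  "hostname": "constructed-linux-host",
  "local_ip": "10.0.0.5",
  "mac_address": "00:00:5e:00:53:01",
  "kernel_version": "5.10.0"
}
# A subset of the page's mapping, enough to show each optional-field case.
| {
    "device": {
      "hostname": .hostname,
      "ip": [.local_ip, .connection_ip, .external_ip],
      "mac": [.mac_address, .connection_mac_address]
    },
    "host": { "os": { "name": .os_product_name, "type": os_type } },
    "container": { "pod": { "name": .pod_name, "ip": [.pod_ip4, .pod_ip6] } }
  }
| prune
```

Saved under a name of your choice (for example `prune.jq`), it runs with `jq -n -f prune.jq`; the `container` object disappears entirely and the `ip` and `mac` arrays keep only the addresses that were present.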
Sample Record
```json
{
  "agent_load_flags": "sample_load_flags",
  "agent_local_time": "2024-07-16T10:00:00Z",
  "agent_version": "1.0.0",
  "bios_manufacturer": "Sample BIOS Manufacturer",
  "bios_version": "1.2.3",
  "build_number": "12345",
  "chassis_type": "desktop",
  "chassis_type_desc": "Desktop Chassis",
  "cid": "sample_cid",
  "config_id_base": "config_base",
  "config_id_build": "config_build",
  "config_id_platform": "config_platform",
  "connection_ip": "55.32.80.189",
  "connection_mac_address": "5e:ea:bc:fa:04:56",
  "cpu_signature": "Intel-1234",
  "cpu_vendor": "Intel",
  "default_gateway_ip": "99.123.215.194",
  "deployment_type": "production",
  "detection_suppression_status": "inactive",
  "device_id": "sample_device_id",
  "device_policies": {
    "policy_name": "sample_policy",
    "policy_description": "Sample policy description"
  },
  "email": "carol.brown@example.com",
  "external_ip": "203.0.113.10",
  "first_login_timestamp": "2025-08-11T23:46:34.13962Z",
  "first_seen": "2024-07-15T12:00:00Z",
  "group_hash": "sample_hash",
  "groups": ["group1", "group2"],
  "host_hidden_status": "visible",
  "host_utc_offset": "+02:00",
  "hostname": "sample-host",
  "instance_id": "instance123",
  "internet_exposure": "low",
  "k8s_cluster_git_version": "v1.21.1",
  "k8s_cluster_id": "cluster123",
  "k8s_cluster_version": "1.21",
  "kernel_version": "4.19.0-16-amd64",
  "last_login_timestamp": "2025-08-11T23:46:34.139625Z",
  "last_login_uid": "user123",
  "last_login_user": "carol.brown@example.com",
  "last_login_user_sid": "sid123",
  "last_reboot": "2024-07-16T07:45:00Z",
  "last_seen": "2025-08-11T23:46:34.139641Z",
  "linux_sensor_mode": "active",
  "local_ip": "10.40.141.145",
  "mac_address": "c6:40:59:0d:f3:aa",
  "machine_domain": "example-domain",
  "major_version": "10",
  "managed_apps": {
    "app_name": "sample_app",
    "app_version": "1.0.0"
  },
  "meta": {
    "meta_field1": "value1",
    "meta_field2": "value2"
  },
  "minor_version": "0",
  "modified_timestamp": "2024-07-16T10:00:00Z",
  "notes": ["note1", "note2"],
  "os_build": "19044.1288",
  "os_product_name": "Windows 10 Pro",
  "os_version": "10.0.19044",
  "ou": ["ou1", "ou2"],
  "platform_id": "platform123",
  "platform_name": "Sample Platform",
  "pod_annotations": ["annotation1", "annotation2"],
  "pod_host_ip4": "62.176.19.50",
  "pod_host_ip6": "2001:db8::1",
  "pod_hostname": "pod-host",
  "pod_id": "pod123",
  "pod_ip4": "104.154.104.236",
  "pod_ip6": "2001:db8::2",
  "pod_labels": ["label1", "label2"],
  "pod_name": "sample-pod",
  "pod_namespace": "default",
  "pod_service_account_name": "svc-account",
  "pointer_size": "64-bit",
  "policies": [
    {
      "policy_name": "policy1",
      "policy_description": "Policy 1 description"
    },
    {
      "policy_name": "policy2",
      "policy_description": "Policy 2 description"
    }
  ],
  "product_type": "desktop",
  "product_type_desc": "Desktop Product",
  "provision_status": "active",
  "reduced_functionality_mode": "disabled",
  "release_group": "group1",
  "serial_number": "ABC123",
  "service_pack_major": "1",
  "service_pack_minor": "0",
  "service_provider": "Sample Provider",
  "service_provider_account_id": "provider123",
  "site_name": "site123",
  "status": "online",
  "system_manufacturer": "Sample Manufacturer",
  "system_product_name": "Sample Product",
  "tags": ["tag1", "tag2"],
  "zone_group": "zone1"
}
```