From 72518c9d5d9791e6db6e69aed1919be994f92264 Mon Sep 17 00:00:00 2001 From: Mindy Moreland Date: Tue, 3 Mar 2026 15:20:27 -0800 Subject: [PATCH 1/5] Add external insights docs for CrowdStrike - New product/admin/external-insights.mdx overview page covering how external insights work, where risk scores surface, and prerequisites - Update baton/crowdstrike.mdx to add capabilities note and new "Enable risk score ingestion" section with early access callout Both pages are marked early access with placeholder Notes for the CrowdStrike API scopes and ConductorOne UI toggle steps, which are pending finalization. Co-Authored-By: Claude Sonnet 4.6 --- baton/crowdstrike.mdx | 48 +++++++++++++++++++++++++++++ product/admin/external-insights.mdx | 48 +++++++++++++++++++++++++++++ 2 files changed, 96 insertions(+) create mode 100644 product/admin/external-insights.mdx diff --git a/baton/crowdstrike.mdx b/baton/crowdstrike.mdx index f1b4bd93..1ad31f32 100644 --- a/baton/crowdstrike.mdx +++ b/baton/crowdstrike.mdx @@ -13,6 +13,9 @@ sidebarTitle: "CrowdStrike" | Accounts | | | | Roles | | | +**Additional functionality:** +The CrowdStrike connector supports [external insights](/product/admin/external-insights) when your organization has a Falcon Identity Protection license. See [Enable risk score ingestion](#enable-risk-score-ingestion) for setup instructions. + ## Gather CrowdStrike credentials Configuring the connector requires you to pass in credentials generated in CrowdStrike. Gather these credentials before you move on. @@ -223,4 +226,49 @@ spec: +## Enable risk score ingestion + + +**Early access.** This feature is in early access, which means it's undergoing ongoing testing and development while we gather feedback, validate functionality, and improve outputs. Contact the ConductorOne Support team if you'd like to try it out or share feedback. + + +The CrowdStrike connector can ingest Falcon identity risk scores and surface them in ConductorOne during access reviews and access request approvals. See [External insights](/product/admin/external-insights) for an overview of where risk data appears. + +### Before you begin + +Confirm that: + +- Your organization has a **CrowdStrike Falcon Identity Protection** license +- You have the **Falcon Administrator** role in CrowdStrike +- Your CrowdStrike connector is already set up and syncing in ConductorOne + +### Add required API scopes + +The CrowdStrike API client you created during connector setup needs additional scopes to access risk score data. + + + + Sign into the Falcon console and navigate to **Support** > **API Clients and Keys**. + + + Find the API client you created for the ConductorOne integration and click to edit it. + + + In the **API SCOPES** section, add the following scopes: + + + The specific scopes required for risk score ingestion will be documented here once finalized. + + + + Click **Save**. + + + +### Enable ingestion in ConductorOne + + +The ConductorOne configuration steps for enabling risk score ingestion will be documented here once the UI is finalized. + +Once enabled, CrowdStrike risk scores sync on the next connector sync cycle and appear in the ConductorOne user inventory, access review campaigns, and access request approvals. diff --git a/product/admin/external-insights.mdx b/product/admin/external-insights.mdx new file mode 100644 index 00000000..ebbf3ff4 --- /dev/null +++ b/product/admin/external-insights.mdx @@ -0,0 +1,48 @@ +--- +title: "External insights" +description: "Bring identity risk scores from your security tools into ConductorOne to inform access reviews and approval decisions." +og:title: "External insights" +og:description: "Bring identity risk scores from your security tools into ConductorOne to inform access reviews and approval decisions." +--- + +{/* Editor Refresh: 2026-03-03 */} + + +**Early access.** This feature is in early access, which means it's undergoing ongoing testing and development while we gather feedback, validate functionality, and improve outputs. Contact the ConductorOne Support team if you'd like to try it out or share feedback. + + +External insights brings identity risk data from your security tools into ConductorOne, where it appears alongside the identities it describes. Reviewers and approvers see risk scores in context — during access reviews and at the moment of approval — so they can make more informed decisions without switching tools. + +## How external insights work + +When you configure an external insights source, ConductorOne syncs risk data from that tool through its connector. ConductorOne matches each risk score to an identity in your directory by email address and attaches it to that identity's profile and any accounts they hold in connected apps. + +Once synced, risk scores appear in the ConductorOne UI wherever that identity appears in an access decision. + +## Where insights appear + +**User inventory** + +Each identity in the inventory displays its current risk score and severity from connected sources. + +**Access review campaigns** + +Reviewers see an identity's risk score and severity on each review task, alongside entitlement data. The risk factors — the specific reasons CrowdStrike assigned that score — are available inline. Reviewers can use this context to prioritize high-risk identities and make more informed certify or revoke decisions. + +**Access request approvals** + +Approvers see an identity's current risk score and severity before acting on a request. + +## Supported sources + + + + Ingest Falcon identity risk scores into ConductorOne. Requires a CrowdStrike Falcon Identity Protection license. + + + +## Prerequisites + +- The **Connector Administrator** or **Super Administrator** role in ConductorOne +- A configured, syncing connector for each source you want to enable +- Any vendor-specific license required for risk data access (see each source's setup page for details) From 98ebb4ae88f0a81aa7e77759d01e46311916e379 Mon Sep 17 00:00:00 2001 From: Mindy Moreland Date: Tue, 3 Mar 2026 18:36:49 -0800 Subject: [PATCH 2/5] edits --- baton/crowdstrike.mdx | 12 ++------ product/admin/external-insights.mdx | 47 +++++++++++++++++++++-------- 2 files changed, 37 insertions(+), 22 deletions(-) diff --git a/baton/crowdstrike.mdx b/baton/crowdstrike.mdx index 1ad31f32..ff1b66b0 100644 --- a/baton/crowdstrike.mdx +++ b/baton/crowdstrike.mdx @@ -14,6 +14,7 @@ sidebarTitle: "CrowdStrike" | Roles | | | **Additional functionality:** + The CrowdStrike connector supports [external insights](/product/admin/external-insights) when your organization has a Falcon Identity Protection license. See [Enable risk score ingestion](#enable-risk-score-ingestion) for setup instructions. ## Gather CrowdStrike credentials @@ -254,21 +255,14 @@ The CrowdStrike API client you created during connector setup needs additional s Find the API client you created for the ConductorOne integration and click to edit it. - In the **API SCOPES** section, add the following scopes: + In the **API SCOPES** section, add the following scopes: TBD - - The specific scopes required for risk score ingestion will be documented here once finalized. - Click **Save**. -### Enable ingestion in ConductorOne +**That's it!** Your CrowdStrike connector will now sync risk score data into ConductorOne. See [External insights](/product/admin/external-insights) for details on where to see this data in the UI. - -The ConductorOne configuration steps for enabling risk score ingestion will be documented here once the UI is finalized. - -Once enabled, CrowdStrike risk scores sync on the next connector sync cycle and appear in the ConductorOne user inventory, access review campaigns, and access request approvals. diff --git a/product/admin/external-insights.mdx b/product/admin/external-insights.mdx index ebbf3ff4..e1a2b3d6 100644 --- a/product/admin/external-insights.mdx +++ b/product/admin/external-insights.mdx @@ -11,38 +11,59 @@ og:description: "Bring identity risk scores from your security tools into Conduc **Early access.** This feature is in early access, which means it's undergoing ongoing testing and development while we gather feedback, validate functionality, and improve outputs. Contact the ConductorOne Support team if you'd like to try it out or share feedback. -External insights brings identity risk data from your security tools into ConductorOne, where it appears alongside the identities it describes. Reviewers and approvers see risk scores in context — during access reviews and at the moment of approval — so they can make more informed decisions without switching tools. +External insights brings identity risk data from your security tools into ConductorOne, where it appears alongside the identities it describes. Reviewers and approvers see risk scores in context, such as during access reviews and at the moment of approval, so they can make more informed decisions without switching tools. ## How external insights work -When you configure an external insights source, ConductorOne syncs risk data from that tool through its connector. ConductorOne matches each risk score to an identity in your directory by email address and attaches it to that identity's profile and any accounts they hold in connected apps. +When you configure an external insights source, ConductorOne syncs risk data from that tool through its connector. ConductorOne matches each risk score to an identity in your directory by email address and attaches it to that identity's profile and any accounts they hold in other connected apps. Once synced, risk scores appear in the ConductorOne UI wherever that identity appears in an access decision. -## Where insights appear +## Enable or disable external insights -**User inventory** + +This task requires the **Super Administrator** or **Connector Administrator** role in ConductorOne. + + +External insights are enabled automatically when a connector that is a supported external insight source is configured and syncing. No additional setup is required. + +If needed, you can manually turn risk score syncing on or off from the connector's settings page in ConductorOne: -Each identity in the inventory displays its current risk score and severity from connected sources. + + +Go to **Integrations** > **Connectors** and select the relevant connector. + + +On the connector's **Details** tab, find the **Capabilities** section and click **Edit**. + + +Under **Resource capabilities**, enable or disable **Identity Risk Score** as needed. + + +Click **Save**. + + + +## Where external insights appear **Access review campaigns** -Reviewers see an identity's risk score and severity on each review task, alongside entitlement data. The risk factors — the specific reasons CrowdStrike assigned that score — are available inline. Reviewers can use this context to prioritize high-risk identities and make more informed certify or revoke decisions. +Reviewers see an identity's risk score and risk factors on each review task, under the **Insights** tab. Risk factors are the specific reasons the source tool assigned that score — for example, `STALE_ACCOUNT` or `WEAK_PASSWORD_POLICY`. Reviewers can use this context to prioritize high-risk identities and make more informed certify or revoke decisions. + +**Task log** + +The task log includes an **Insights** column. Hovering over the insights indicator for a task shows a summary of the identity's risk score and risk factors inline, with a link to view the full details. **Access request approvals** -Approvers see an identity's current risk score and severity before acting on a request. +Approvers can see an identity's current risk score and risk factors in a request task before submitting their decision. -## Supported sources +## Supported external insights sources - + Ingest Falcon identity risk scores into ConductorOne. Requires a CrowdStrike Falcon Identity Protection license. -## Prerequisites -- The **Connector Administrator** or **Super Administrator** role in ConductorOne -- A configured, syncing connector for each source you want to enable -- Any vendor-specific license required for risk data access (see each source's setup page for details) From 36f342268cd050622570b2d461740bb68148c782 Mon Sep 17 00:00:00 2001 From: Mindy Moreland Date: Tue, 3 Mar 2026 18:42:17 -0800 Subject: [PATCH 3/5] Add CrowdStrike API scope for risk score ingestion Identity Protection Entities: Read scope is required to sync identity risk scores (confirmed in baton-crowdstrike README). Co-Authored-By: Claude Sonnet 4.6 --- baton/crowdstrike.mdx | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/baton/crowdstrike.mdx b/baton/crowdstrike.mdx index ff1b66b0..e06d6763 100644 --- a/baton/crowdstrike.mdx +++ b/baton/crowdstrike.mdx @@ -255,9 +255,11 @@ The CrowdStrike API client you created during connector setup needs additional s Find the API client you created for the ConductorOne integration and click to edit it. - In the **API SCOPES** section, add the following scopes: TBD + In the **API SCOPES** section, enable the following scope: - + - **Identity Protection Entities: Read** + + Click **Save**. From 08d8aaec4f0819d8107d1ace2e656f831f596a12 Mon Sep 17 00:00:00 2001 From: Mindy Moreland Date: Tue, 3 Mar 2026 18:46:06 -0800 Subject: [PATCH 4/5] Add external insights to nav under Access intelligence Co-Authored-By: Claude Sonnet 4.6 --- docs.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs.json b/docs.json index fce5edaa..6503bd9d 100644 --- a/docs.json +++ b/docs.json @@ -156,7 +156,8 @@ "group": "Access intelligence", "pages": [ "product/admin/query", - "product/admin/inventory" + "product/admin/inventory", + "product/admin/external-insights" ] }, { From a28cf99044eb7596920174a158cd86d67148faf0 Mon Sep 17 00:00:00 2001 From: Mindy Moreland Date: Tue, 3 Mar 2026 18:49:59 -0800 Subject: [PATCH 5/5] Add sidebarTitle to external insights page Co-Authored-By: Claude Sonnet 4.6 --- product/admin/external-insights.mdx | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/product/admin/external-insights.mdx b/product/admin/external-insights.mdx index e1a2b3d6..3a6a226c 100644 --- a/product/admin/external-insights.mdx +++ b/product/admin/external-insights.mdx @@ -3,6 +3,7 @@ title: "External insights" description: "Bring identity risk scores from your security tools into ConductorOne to inform access reviews and approval decisions." og:title: "External insights" og:description: "Bring identity risk scores from your security tools into ConductorOne to inform access reviews and approval decisions." +sidebarTitle: "Gain context from identity risk scores" --- {/* Editor Refresh: 2026-03-03 */} @@ -62,7 +63,7 @@ Approvers can see an identity's current risk score and risk factors in a request - Ingest Falcon identity risk scores into ConductorOne. Requires a CrowdStrike Falcon Identity Protection license. + Ingest Falcon identity risk scores into ConductorOne.