Skip to content
  • There are no suggestions because the search field is empty.

CrowdStrike Data Extraction Guide (for SIM Template)

This guide provides step-by-step instructions for extracting software inventory data from CrowdStrike Falcon to populate the Licenseware Software Inventory Management (SIM) Template.

CrowdStrike Falcon collects and stores device and application information across managed endpoints.
The relevant data is retrieved from the following data sources:

  • Hosts (Devices): Contains hostname, device ID, and platform information.

  • Installed Applications (Host Apps): Contains application name, version, and vendor metadata detected by the Falcon sensor.

These datasets can be accessed via the CrowdStrike Falcon Console or through the Falcon REST API.

 

Prerequisites

For Console (UI) Method

  • Access to the CrowdStrike Falcon Console with the Device Inventory or Application Inventory modules enabled.

  • Permission to generate and export inventory reports.

  • Confirm that endpoints are active and have recent sensor check-ins.

For API Method

  • Administrative access to CrowdStrike Falcon with permission to create API clients.

  • API Client ID and Client Secret with at least read-only access to:

    • Device Inventory

    • Hosts

    • Host Applications

  • A working environment with PowerShell 5.1 or later, or an equivalent REST API tool (e.g., curl, Postman).

  • Internet access to the Falcon API endpoint:

     https://api.crowdstrike.com

 

Option 1: Falcon Console Export (UI)

This method is recommended for smaller environments or ad-hoc exports.

  1. Log in to the CrowdStrike Falcon Console.

  2. Navigate to Hosts → Device Inventory.

  3. Apply filters to include all relevant devices.

  4. Select a host and open the Applications tab (requires Host Inventory visibility).

  5. From the top-right menu, click Export → CSV.

  6. Save the file as CrowdStrike_SIM_Export.csv.

Ensure the following columns are included in your export:

Field Name Description
Device Name Hostname or endpoint identifier
Software Name Application name
Software Version Application version number
Software Publisher Software vendor or publisher

 

Option 2: Falcon API Export (Recommended for Automation)

This method is best suited for large or automated environments.

Step 1: Authenticate and Retrieve Token

# Obtain OAuth2 access token
$BaseUrl = "https://api.crowdstrike.com"
$ClientId = "YOUR_CLIENT_ID"
$ClientSecret = "YOUR_CLIENT_SECRET"

$TokenResponse = Invoke-RestMethod -Method Post -Uri "$BaseUrl/oauth2/token" -Body @{
    client_id = $ClientId
    client_secret = $ClientSecret
}
$Token = $TokenResponse.access_token

 

Step 2: Retrieve Device IDs

# Retrieve device IDs
$Headers = @{ "Authorization" = "Bearer $Token" }
$DeviceIds = (Invoke-RestMethod -Uri "$BaseUrl/devices/queries/devices-scroll/v1" -Headers $Headers).resources

 

Step 3: Retrieve Installed Applications and Export to CSV

# Initialize export object
$ExportData = @()

foreach ($DeviceId in $DeviceIds) {
    $Apps = Invoke-RestMethod -Uri "$BaseUrl/devices/entities/installed-apps/v1?ids=$DeviceId" -Headers $Headers
    $Host = Invoke-RestMethod -Uri "$BaseUrl/devices/entities/devices/v1?ids=$DeviceId" -Headers $Headers
    $Hostname = $Host.resources[0].hostname

    foreach ($App in $Apps.resources) {
        $ExportData += [PSCustomObject]@{
            "Device Name"        = $Hostname
            "Software Name"      = $App.name
            "Software Version"   = $App.version
            "Software Publisher" = $App.vendor
        }
    }
}

# Export to CSV
$ExportPath = "C:\Exports\CrowdStrike_SIM_Export.csv"
$ExportData | Export-Csv -Path $ExportPath -NoTypeInformation -Encoding UTF8

Write-Host "Export complete: $ExportPath"

 

 

Exporting to CSV

  • For UI method:
    Run the report in the Falcon Console, click Export → CSV, and save as CrowdStrike_SIM_Export.csv.

  • For API method:
    The PowerShell script automatically saves the file to your defined path (e.g., C:\Exports\CrowdStrike_SIM_Export.csv).

Ensure the resulting CSV contains the following columns:

 
Device Name,Software Name,Software Version,Software Publisher

 

Preparing for SIM Import

  1. Open the Licenseware SIM Template.

  2. Navigate to the Software Inventory tab.

  3. Paste or import the CSV data.

  4. Confirm that columns align as follows:

Column Expected Field
A Device Name
B Software Name
C Software Version
D Software Vendor or Publisher

Save the template once verified.

👉 Learn more here

Troubleshooting

Issue Cause Resolution
No data in export Host Inventory module not licensed or enabled Confirm that the Host Inventory feature is active in your Falcon tenant.
Missing vendor data Some apps lack publisher metadata Populate manually or supplement from another data source.
API 401 Unauthorized Invalid or expired access token Re-run authentication to generate a new token.
Partial export Pagination not handled Modify script to include scroll/pagination support for large datasets.
Encoding issues CSV not in UTF-8 format Ensure CSV is saved as UTF-8 before import.

 

Example Output

 
Device Name,Software Name,Software Version,Software Publisher
LAPTOP-001,Google Chrome,129.0.6668.90,Google LLC
SERVER-01,Microsoft SQL Server 2022,16.0.432,Microsoft Corporation
LAPTOP-002,Slack,4.39.95,Slack Technologies
LAPTOP-003,Adobe Acrobat DC,24.002.20933,Adobe Inc.