API Scopes
API scopes control which CrowdStrike APIs your Foundry app can access. Scopes are declared in the app manifest and presented to users at installation time for approval.
Automatic scope detection
When writing Python functions with FalconPy, the Foundry UI Editor automatically detects required scopes based on your imports. For example, `from falconpy import Hosts` automatically adds the `devices:read` scope.
The detected scopes appear in the Runtime Config tab of the function editor. You can manually adjust them if the auto-detection doesn’t cover your use case.
Explicit scope configuration
For functions written in the CLI (all languages) or when auto-detection is insufficient, configure scopes explicitly in `manifest.yml`:

```yaml
auth:
  scopes:
    - devices:read
    - humio-auth-proxy:write
    - workflow:read
    - workflow:write
```

Scope categories
Scopes follow the CrowdStrike API’s service collection structure:
| Category | Example scopes |
|---|---|
| Endpoint | Hosts (Read/Write), Detections (Read), Incidents (Read/Write) |
| Intelligence | Intel (Read), IOC (Read/Write) |
| Cloud | CSPM Registration (Read), Cloud Security Assets (Read) |
| Platform | Foundry (Read/Write), Custom Storage (Read/Write), Installation Tokens (Read) |
| SIEM | NGSIEM (Read), Event Streams (Read), Foundry LogScale (Read/Write) |
Principle of least privilege
Request only the scopes your app actually needs. Users review requested scopes at installation time — excessive scopes may cause hesitation or rejection.
When configuring scopes:
- Use Read when your app only queries data
- Use Write only when your app creates, modifies, or deletes resources
- Include a description explaining why each scope is needed
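The explicit `manifest.yml` configuration above and the least-privilege rules can be checked before packaging. The following is an added example, not part of the Foundry docs or tooling: it reads the `auth: scopes:` list from a manifest, compares it with the scopes implied by the function's `from falconpy import ...` lines (mirroring the UI Editor's auto-detection), and lists every `:write` scope for justification. The `Hosts` to `devices:read` mapping is the page's own example; the `Workflows` to `workflow:read` entry and the sample manifest are assumptions constructed for illustration.

```python
import re

# Scopes implied by FalconPy imports (mirrors the UI Editor auto-detection).
# Hosts -> devices:read is from the page; Workflows -> workflow:read is an assumption.
IMPORT_SCOPES = {"Hosts": {"devices:read"}, "Workflows": {"workflow:read"}}

def parse_manifest_scopes(manifest_text):
    """Extract the `auth: scopes:` list from manifest.yml text (no PyYAML needed)."""
    scopes, in_auth, in_scopes = [], False, False
    for raw in manifest_text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:  # a new top-level key; only `auth:` interests us
            in_auth, in_scopes = line.strip() == "auth:", False
        elif in_auth and line.strip() == "scopes:":
            in_scopes = True
        elif in_scopes and line.strip().startswith("- "):
            scopes.append(line.strip()[2:].strip())
        else:  # any other nested key ends the scopes list
            in_scopes = False
    return scopes

def scopes_from_imports(source):
    """Scopes the function needs, judged by its `from falconpy import` lines."""
    needed = set()
    for match in re.finditer(r"^from falconpy import (.+)$", source, re.MULTILINE):
        for name in match.group(1).split(","):
            needed |= IMPORT_SCOPES.get(name.strip(), set())
    return needed

def check_scopes(manifest_text, source):
    """Compare the declared scopes with what the imports imply."""
    declared = parse_manifest_scopes(manifest_text)
    needed = scopes_from_imports(source)
    return {
        "missing": sorted(needed - set(declared)),  # import needs it, manifest lacks it
        "unexplained": sorted(set(declared) - needed),  # no import implies it: justify or drop
        "write": sorted(s for s in declared if s.endswith(":write")),  # must back a create/modify/delete
    }

if __name__ == "__main__":
    # Constructed input: a two-scope manifest and a function that only imports Hosts.
    manifest = "auth:\n  scopes:\n    - devices:read\n    - workflow:write\n"
    print(check_scopes(manifest, "from falconpy import Hosts\n"))
```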