CrowdStrike Host Scan Guide

End-to-end instructions for integrating host scan with CrowdStrike Falcon platform, including configuring the EDR ID, setting up host groups, and automating sensor package deployment using CrowdStrike Fusion workflows.

Prerequisites

The following prerequisites must be met.

CrowdStrike RTR

The CrowdStrike Real Time Response (RTR) service collection is required to perform AgileSec scanning. See https://developer.crowdstrike.com/api-reference/collections/real-time-response/ for additional details.

Optional: Host Group

While this step is optional, it is recommended to create host groups to organize your hosts. This allows you to selectively target only the hosts where you want to run scans when configuring workflows, rather than scanning all hosts in your environment.

  1. Add your Linux hosts in CrowdStrike

  2. Add your Window hosts in CrowdStrike

  3. Add your Mac hosts in CrowdStrike

  4. Add your hosts to a host group

Set up EDR ID

An EDR ID is used to obtain an access token for communicating with the AgileSec platform. This process is automatic: when a Scan runs, the configured EDR ID is presented to the Ingestion Service, which returns a Remote Sensor Token. The token is stored locally and used for subsequent authenticated communication with the Ingestion Service.

EDR IDs provide an implicit trust mechanism allowing approved endpoints to obtain a Remote Sensor Token without embedding long-lived credentials on the host. EDR IDs can be revoked at any time to immediately block token issuance for endpoints using that ID.

You can generate multiple EDR IDs and assign them to specific deployments (for example, by environment, business unit, or endpoint group) rather than using a single EDR ID across all endpoints. This segmented approach is recommended to limit blast radius and simplify revocation and rotation when access needs to be restricted.

  1. Log in to the AgileSec Platform UI, navigate to EDR Management, then click + Create EDR ID.

image-20260622-214128.png
  1. In the Create EDR ID dialog, select your organization and click Generate.

Generating EDR ID step 2
  1. Copy the newly generated EDR ID by clicking the copy icon before the EDR ID.

Generating EDR ID step 3

Step 1: Download Remote Sensor Package from Keyfactor

Download the latest Remote Sensor package from AgileSec.

  1. Open your browser and navigate to the Keyfactor AgileSec Platform Web URL

  2. Log in with your credentials

  3. Click on "Sensors" in the left navigation menu under Scan

    image-20260616-210209.png
  4. Click Remote Scan.

    image-20260616-220921.png
  5. Click + Download Remote Sensor.

    image-20260616-221015.png
  6. Download the sensor binary for your remote machine’s operating system

    image-20260616-221050.png


  1. Unzip the Remote Sensor package. The folder isg_agilescan_<platform>_sensor contains a crowdstrike directory with the scripts and configuration files required to create the CrowdStrike workflow.

Step 2: Upload Sensor Package to CrowdStrike

  1. Log in to CrowdStrike and navigate to Host setup and management → Response scripts and files.

Screenshot 2026-01-11 at 10.52.40 PM-20260112-065353.png
  1. Select the "put" files tab and click Upload file. In the dialog, choose agilesec_sensor_<platform>_<version>.zip|pkg, then click Upload

    1. For Linux: agilesec_sensor_linux_<version>.zip

    2. For Windows: agilesec_sensor_windows_<version>.zip

    3. For Mac: agilesec_sensor_osx_<version>.pkg

Screenshot 2026-04-13 at 4.08.37 PM.png

Step 3: Create Scripts

Create scripts to perform the following tasks:

  1. Check Sensor Zip: Check whether the Sensor Zip Exists

  2. Run the Sensor: Deploy the Sensor and execute scans

  3. Un-deploy the Sensor: Remove the Sensor

Check Sensor Zip Script

  1. On the Response scripts and files screen, select the Custom scripts tab, then click Create script.

  2. In the Create script dialog, complete the following fields:

Field

Linux

Windows

Mac

Name

kf-agilesec-check-sensor-zip-linux

kf-agilesec-check-sensor-zip-windows

kf-agilesec-check-sensor-zip-osx

Shell type

bash

PowerShell

bash

Script access

Users with the role of RTR Administrator

Users with the role of RTR Administrator

Users with the role of RTR Administrator

Share scripts with workflows

Enabled

Enabled

Enabled

Script

Copy the contents of following Remote Sensor package file.

crowdstrike\scripts\kf-agilesec-check-sensor-zip-linux.sh

crowdstrike\scripts\kf-agilesec-check-sensor-zip-windows.ps1

crowdstrike\scripts\kf-agilesec-check-sensor-macos.sh

Input schema

Copy the contents of the following Remote Sensor Package file.

crowdstrike\scripts\kf-agilesec-check-sensor-input-linux.json

crowdstrike\scripts\kf-agilesec-check-sensor-input-windows.json

crowdstrike\scripts\kf-agilesec-check-sensor-input-osx.json

Output schema

Copy the contents of the following Remote Sensor Package file.

crowdstrike\scripts\kf-agilesec-check-sensor-output.json

crowdstrike\scripts\kf-agilesec-check-sensor-output.json

crowdstrike\scripts\kf-agilesec-check-sensor-output-macos.json

  1. Click Create.

Screenshot 2026-01-11 at 11.03.24 PM-20260112-070330.png

Run Sensor Script

  1. On the Response scripts and files screen, select the Custom scripts tab, then click Create script.

  2. In the Create script dialog, complete the following fields:

Field

Linux

Windows

Mac

Name

kf-agilesec-run-sensor-linux

kf-agilesec-run-sensor-windows

kf-agilesec-run-sensor-osx

Shell type

bash

PowerShell

bash

Script access

Users with the role of RTR Administrator

Users with the role of RTR Administrator

Users with the role of RTR Administrator

Share scripts with workflows

Enabled

Enabled

Enabled

Script

Copy the contents of following Remote Sensor package file.

crowdstrike\scripts\kf-agilesec-run-sensor-linux.sh

crowdstrike\scripts\kf-agilesec-run-sensor-windows.ps1

crowdstrike\scripts\kf-agilesec-run-sensor-macos.sh

Input schema

Copy the contents of the following Remote Sensor Package file.

crowdstrike\scripts\kf-agilesec-run-sensor-input-linux.json

crowdstrike\scripts\kf-agilesec-run-sensor-input-windows.json

crowdstrike\scripts\kf-agilesec-run-sensor-input-macos.json

  1. Click Create

Screenshot 2026-01-11 at 11.10.32 PM-20260112-071038.png

Undeploy Sensor Script

  1. On the Response scripts and files screen, select the Custom scripts tab, then click Create script.

  2. In the Create script dialog, complete the following fields:

Field

Linux

Windows

Mac

Name

kf-agilesec-undeploy-sensor-linux

kf-agilesec-undeploy-sensor-windows

kf-agilesec-undeploy-sensor-mac

Shell type

bash

PowerShell

bash

Script access

Users with the role of RTR Administrator

Users with the role of RTR Administrator

Users with the role of RTR Administrator

Share scripts with workflows

Enabled

Enabled

Enabled

Script

Copy the contents of following Remote Sensor package file.

crowdstrike\scripts\kf-agilesec-undeploy-sensor-linux.sh

crowdstrike\scripts\kf-agilesec-undeploy-sensor-windows.ps1

crowdstrike\scripts\kf-agilesec-undeploy-sensor-macos.sh

Input schema

Copy the contents of the following Remote Sensor Package file.

crowdstrike\scripts\kf-agilesec-undeploy-sensor-input-linux.json

crowdstrike\scripts\kf-agilesec-undeploy-sensor-input-windows.json

crowdstrike\scripts\kf-agilesec-undeploy-sensor-input-osx.json

  1. Click Create.

Screenshot 2026-01-11 at 11.18.00 PM-20260112-071805.png

Step 4: Create Workflow To Run Host Scan Sensor

Use this workflow to scan an endpoint host using Keyfactor Agilesec Host sensor.

  1. Navigate to Fusion SOAR -> Workflows, then click Create workflow to open the CrowdStrike workflow builder interface. 

Screenshot 2026-01-11 at 11.33.21 PM-20260112-073356.png
  1. In the Create workflow dialog, select Create workflow from scratch.

Screenshot 2026-01-11 at 11.34.35 PM-20260112-073500.png
  1. In the Add trigger dialog, select Scheduled workflow and configure the execution schedule.

    1. On-demand: The workflow is triggered manually by the user.

    2. Scheduled: The workflow is triggered automatically at the selected time.

image-20251231-101243.png
  1.  On the workflow builder, click Action.

Screenshot 2026-01-11 at 11.38.16 PM-20260112-073842.png
  1. In the Add action dialog, search for and select Device Query.

Screenshot 2026-01-11 at 11.39.35 PM-20260112-073959.png

In the Device Query dialog, configure fields specific to your environment to select the devices where the host scan sensor should run. At a minimum, set Device status and either Host group or Host names:

  • Device status: all

  • Host group: The workflow will be triggered to run on all target hosts within this group. Select the host group created in prerequisites.

  • Host names: The workflow will be triggered to run on specified host names.

Screenshot 2026-01-11 at 11.41.36 PM-20260112-074142.png
  1. On the workflow builder, add a Loop after Device query.

Screenshot 2026-01-11 at 11.44.21 PM-20260112-074443.png
  1. In the Start loop dialog, enter the following and click Next:

    • Loop type: For each

    • Loop source: Sensor IDs

    • Processing order: At the same time/concurrently

    • Continue workflow on loop iteration failure: Enabled

Screenshot 2026-01-11 at 11.45.48 PM-20260112-074554.png
  1. On the workflow builder, add an action inside the loop.

Screenshot 2026-01-11 at 11.46.48 PM-20260112-074724.png
  1. In the Add action dialog, search for and select Get device details.

Screenshot 2026-01-11 at 11.48.35 PM-20260112-074856.png
  1. In the Device details dialog, set Device ID to Sensor IDs instance, then click Next.

Screenshot 2026-01-11 at 11.49.53 PM-20260112-074958.png
  1. On the workflow builder, add a Condition after Get device details.

Screenshot 2026-01-11 at 11.52.57 PM-20260112-075319.png
  1. In the Condition dialog, enter the following and click Next:

  • Parameter: Platform

  • Operator: is equal to

  • Value<platform> (Windows, Linux, or macOS)

Screenshot 2026-01-11 at 11.54.17 PM-20260112-075423.png
  1. On the workflow builder, add an action under the TRUE branch.

Screenshot 2026-01-12 at 4.08.38 PM-20260113-000919.png
  1. In the Add action dialog, search for and select the script kf-agilesec-check-sensor-zip-<platform>.

  2. In the action configuration for kf-agilesec-check-sensor-zip-<platform>, enter the following recommended values and click Next:

    • Device ID: Sensor IDs instance

    • sensorDirectory

      • Linux: /opt/Keyfactor

      • Windows: C:\Program Files\Keyfactor

      • Mac: /opt/Keyfactor

    • sensorZipFilename

      • Linux: agilesec_sensor_linux_<version>.zip

      • Windows: agilesec_sensor_windows_<version>.zip

      • Mac: agilesec_sensor_osx_<version>.pkg

image-20260415-190218.png
  1. On the workflow builder, add a Condition after action kf-agilesec-check-sensor-zip-<platform>.

Screenshot 2026-01-12 at 4.18.55 PM-20260113-001933.png


  1. In the Condition dialog, enter the following and click Next:

  • Parameter: SensorZipExists

  • Operator: is equal to

  • Value: True

Screenshot 2026-01-12 at 4.21.03 PM-20260113-002108.png
  1. On the workflow builder, add an action under the TRUE branch.

Screenshot 2026-01-12 at 4.23.23 PM-20260113-002344.png
  1. In the Add action dialog, search for and select the script kf-agilesec-run-sensor-<platform>.

Screenshot 2026-01-12 at 4.26.17 PM-20260113-002637.png
  1. In the action configuration for kf-agilesec-run-sensor-<platform>, enter the following recommended values for your environment:

Screenshot 2026-01-12 at 4.28.26 PM-20260113-002832.png

Field

Value

Description

Device ID

Sensor IDs instance

Device ID provided by CrowdStrike

edrId

 

Used to obtain an access token from AgileSec Platform. This access token is used for authenticating with the ingestion service. See Prerequisites.

exportURL

https://<analytics server fqdn>:<port>

External facing AgileSec platform URL.
For Keyfactor AgileSec SaaS use: https://ingestion.agilesec.net

Queue offline

true

Queues the action when the device is offline.

scanType

Full

Type of scan to perform:

  • Process: find directories of running processes and scan content

  • Full: Scan entire drive

  • Network: probe running processes for TLS ports

  • Store: List certificate from Microsoft cert store (Windows)

  • Custom: Scan directories specified by user. Directories are comma-separated

  • Incremental: Same as similar scan except the current scan date is stored for the next scan

sensorDirectory

 ${data['KfAgilesecCheckSensorZipLinux.sensorDirectory']}

Sensor install directory. Use the default value to use the output from check sensor zip action.

sensorZipPath

 ${data['KfAgilesecCheckSensorZipWindows.sensorZipPath']}

Path to the sensor ZIP. Use the default value to use the output from check sensor zip action

updateSensor

false

Set to true to reinstall/upgrade the sensor

  1. On the workflow builder, add an action under the ELSE branch for sensorZipExists.

Screenshot 2026-01-12 at 4.36.18 PM-20260113-003703.png
  1. In the Add action dialog, search for and select Put file.

Screenshot 2026-01-12 at 4.38.16 PM-20260113-003838.png
  1. In the Put file dialog, enter the following values and click Next:

  • Device IdSensor IDs instance

  • File name

    • For Linux: agilesec_sensor_linux_<version>.zip

    • For Windows: agilesec_sensor_windows_<version>.zip

    • For macOS: agilesec_sensor_osx_<version>.pkg

  • Destination directory path

    • For Linux: ${data['KfAgilesecCheckSensorZipLinux.sensorDirectory']}

    • For Windows: ${data['KfAgilesecCheckSensorZipWindows.sensorDirectory']}

    • For macOS: ${data['KfAgilesecCheckSensorZipOSX.sensorDirectory']}

  • Queue offline: true

image-20260415-190413.png
  1. On the workflow builder, add action kf-agilesec-run-sensor-<platform> (same as Step 18) under the Put file.

  2. Configure the action kf-agilesec-run-sensor-<platform> using parameters in Step 19.

  3. The workflow is now complete and should resemble the following:

Screenshot 2026-01-12 at 4.44.07 PM-20260113-004412.png
  1. Click Publish, then in the Publish workflow dialog click Publish workflow. Toggle Status to On now to activate the workflow. Workflow activation may also be postponed until later.

Screenshot 2026-01-12 at 4.45.37 PM-20260113-004543.png

Step 5: Execute Workflow to Run Host Scan Sensor

  1. If your workflow trigger is on-demand, execute the workflow to test the sensor.

Screenshot 2026-01-12 at 10.53.28 PM-20260113-065429.png
  1. If your workflow trigger is scheduled, wait for the configured interval for the sensor to run.

  2. Check the scan output data on AgileSec Platform UI

    • A host sensor scan is initiated on all machines included in “Device Query” action.

    • Findings found by the scan are exported to the ingestion service.

    • View scan history and results on the Keyfactor AgileSec Platform UI

Step 6: Workflow To Undeploy Sensor

You may need to un-deploy the sensor to upgrade to a newer version or remove the sensor from an endpoint. The un-deployment workflow cleanly removes the deployed sensor components and associated execution artifacts so the sensor can be reinstalled or upgraded as needed.

Follow the same instruction used to create the "Run host sensor" workflow, with the following changes:

  1. In the Add trigger dialog, select On-demand instead of Scheduled.  

  2. On the true branch of the sensorZipExists condition:

    1. Linux: add action kf-agilesec-undeploy-sensor-linux

    2. Windows: add action kf-agilesec-undeploy-sensor-windows

    3. Mac: add action kf-agilesec-undeploy-sensor-osx

  3. In the action configuration, enter the following recommended values for your environment:

    1. Device Id: Sensor IDs instance

    2. Queue Offline: true

    3. sensorDirectory:

      • Linux: ${data['KfAgilesecCheckSensorZipLinux.sensorDirectory']}

      • Windows: ${data['KfAgilesecCheckSensorZipWindows.sensorDirectory']}

      • Mac: ${data['KfAgilesecCheckSensorZipOSX.sensorDirectory']}

    4. sensorZipPath:

      1. Linux: ${data['KfAgilesecCheckSensorZipLinux.sensorZipPath']}

      2. Windows: ${data['KfAgilesecCheckSensorZipWindows.sensorZipPath']}

      3. Mac: ${data['KfAgilesecCheckSensorZipOSX.sensorZipPath']}

Screenshot 2026-01-12 at 9.38.01 PM-20260113-053807.png

The undeploy sensor workflow should resemble the following:

Screenshot 2026-01-12 at 9.44.56 PM-20260113-054501.png

Step 7: Deploy New Sensor Package

When a new version of the sensor package is released, follow these steps to deploy the update:

  1. Execute the "Un-deploy Sensor" workflow to remove the old version.

  2. Execute the "Run Host Sensor" workflow to install the new version.