CrowdStrike Falcon Spotlight Connector Guide

How to set up and use the CrowdStrike Falcon Spotlight connector in RiskSense.

Overview

CrowdStrike Falcon Spotlight offers security teams an assessment of vulnerability exposure on their endpoints that is always current. Falcon Spotlight's native integration into the CrowdStrike Falcon platform enables customers to operate vulnerability management within a complete endpoint protection framework.

The RiskSense platform provides an API-based connector that integrates with CrowdStrike Falcon Spotlight, enabling customers to bring their findings into RiskSense. It gives customers visibility into their overall risk from vulnerabilities on their endpoints and provides a more straightforward, more efficient way to manage those vulnerabilities.

User Prerequisites/CrowdStrike Falcon Spotlight Setup

CrowdStrike Falcon Spotlight is a cloud-based solution.

  • Requires a subscription to CrowdStrike Falcon Spotlight.
  • Requires a user account with API access that can read asset data along with the associated vulnerabilities.

CrowdStrike Falcon Spotlight Connector API Calls

The following API calls are performed during a connector run to pull vulnerabilities from CrowdStrike Falcon Spotlight into RiskSense.

  API Type                                        Endpoint
  ----------------------------------------------  ------------------------------------------------------------------
  Authentication                                  https://api.crowdstrike.com/oauth2/token
  Fetch List of AgentIds                          https://api.crowdstrike.com/devices/queries/devices/v1
  Fetch detailed information about each Host      https://api.crowdstrike.com/devices/entities/devices/v1?ids=
  Fetch the list of Vulnerabilities               https://api.crowdstrike.com/spotlight/queries/vulnerabilities/v1
  Fetch the list of Vulnerabilities in detail     https://api.crowdstrike.com/spotlight/entities/vulnerabilities/v2
  Fetch the Remediation for each Vulnerability    https://api.crowdstrike.com/spotlight/entities/remediations/v2

Configuring CrowdStrike Falcon Spotlight Connector in RiskSense

Navigate to the Automate > Integrations page.

[Screenshot: Navigation - Automation - Integrations]

Using the search bar in the upper-right corner of the Integrations page, type Falcon to find the connector.

[Screenshot: Crowdstrike Connector - Search for Connector]

Locate the CrowdStrike Falcon Spotlight card on the page and click Configuration.

[Screenshot: Crowdstrike Connector - Configuration Button Location]

In the new window under Connection, complete the required fields, as described below.

  • Name: The connector’s name.
  • URL: The base URL of the CrowdStrike Falcon Spotlight API: https://api.crowdstrike.com.
  • Client Id: One-half of an API client's authentication credentials. Similar to a username.
  • Client Secret: The other half of an API client's authentication credentials. Similar to a password.
  • SSL: Optional instance SSL certificate in base64 format.

[Screenshot: Crowdstrike Connector - Connection Window]

Click the Test Credentials button to ensure the credentials are correct and have the necessary access to make CrowdStrike Falcon Spotlight API calls.

[Screenshot: Crowdstrike Connector - Test Credentials]

Under Schedule, you can configure the desired schedule for the connector to retrieve results from the CrowdStrike Falcon Spotlight instance.

Users can optionally turn on Enable auto URBA (Update Remediation by Assessment).

When the Create Assets that do not have vulnerabilities option is checked, RiskSense will create applications with zero findings. This option is selected by default, and the user can opt to turn it off.

[Screenshot: Crowdstrike Connector - Schedule Section]

Click the Save button to save the connector’s configuration and create the connector. Once saved, the connector is visible on the Integrations page under Currently Configured Integrations.

Clicking the History button displays the connector details for each pull. The Sync button allows users to perform an on-demand sync. The Edit button allows the user to edit the connector configuration. The Delete button allows the user to delete the connector.

[Screenshot: Crowdstrike Connector - Configured Connector]

Once files have been processed on the Uploads page, view the ingested data by navigating to the Hosts and Host Findings pages.

Mapping CrowdStrike Falcon Spotlight fields in RiskSense

This table shows the high-level mapping of CrowdStrike Falcon Spotlight API fields to RiskSense fields.

  RiskSense Fields        CrowdStrike Fields
  ----------------------  ------------------------------
  AgentId                 resources -> device_id
  Scanner Severity        resources -> cve -> severity
  Scanner Plugin          resources -> cve -> id
  Possible Solution       resources -> remediation
  Plugin Instance Id      resources -> id
  Plugin Source Status    resources -> status

RiskSense Tags

The following fields from CrowdStrike Falcon Spotlight APIs are converted into RiskSense tags. Use these tags for searching, playbook automation, and better visualization in RiskSense Dashboards.

  • resources -> tags
  • resources -> ou

Common Fields in RiskSense

The following fields in RiskSense are defined for CrowdStrike Falcon Spotlight, along with their default values.

  • The Scanner Name will be FalconSpotlight.
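The following is an added example, not RiskSense's or CrowdStrike's own code: it walks the six API calls listed in the Connector API Calls section in order, then applies the field-mapping table, the tag fields and the Scanner Name default above to produce RiskSense-shaped findings. The HTTP layer is injected so it runs offline against constructed sample responses; the response shapes (resources with device_id, cve, status, remediation -> ids, and remediation entities carrying an "action") are assumptions, as is the `fake_call` transport.

```python
BASE = "https://api.crowdstrike.com"

def run_connector(call, client_id, client_secret):
    """call(method, url, headers, form) -> parsed JSON dict; returns RiskSense-mapped findings."""
    # 1. Authentication: exchange client id/secret for a bearer token. The secret
    #    goes only into this request body; it is never logged or reused elsewhere.
    tok = call("POST", BASE + "/oauth2/token", {}, {"client_id": client_id, "client_secret": client_secret})
    hdr = {"Authorization": "Bearer " + tok["access_token"]}
    get = lambda path: call("GET", BASE + path, hdr, None)["resources"]
    # 2. Fetch list of AgentIds, then 3. detailed information about each host
    aids = get("/devices/queries/devices/v1")
    hosts = {h["device_id"]: h for h in get("/devices/entities/devices/v1?ids=" + ",".join(aids))}
    # 4. Fetch the list of vulnerability ids, then 5. their details
    vids = get("/spotlight/queries/vulnerabilities/v1")
    vulns = get("/spotlight/entities/vulnerabilities/v2?ids=" + ",".join(vids))
    # 6. Fetch the remediation text for every referenced remediation id in one batch
    rids = sorted({r for v in vulns for r in v["remediation"]["ids"]})
    fixes = {r["id"]: r["action"] for r in get("/spotlight/entities/remediations/v2?ids=" + ",".join(rids))} if rids else {}
    findings = []
    for v in vulns:
        host = hosts.get(v["device_id"], {})  # a finding on a host missing from step 3 is still kept
        findings.append({
            "AgentId": v["device_id"],                 # resources -> device_id
            "Scanner Severity": v["cve"]["severity"],  # resources -> cve -> severity
            "Scanner Plugin": v["cve"]["id"],          # resources -> cve -> id
            "Possible Solution": "; ".join(fixes[r] for r in v["remediation"]["ids"]),  # resources -> remediation
            "Plugin Instance Id": v["id"],             # resources -> id
            "Plugin Source Status": v["status"],       # resources -> status
            "Tags": list(host.get("tags", [])) + ([host["ou"]] if host.get("ou") else []),  # tags / ou -> RiskSense tags
            "Scanner Name": "FalconSpotlight",         # default from Common Fields
        })
    return findings

# Constructed offline stand-in for the Falcon API (sample values and placeholder CVE ids, not real data).
SAMPLE = {
    "/oauth2/token": {"access_token": "constructed-token"},
    "/devices/queries/devices/v1": {"resources": ["aid-1"]},
    "/devices/entities/devices/v1?ids=aid-1": {"resources": [{"device_id": "aid-1", "tags": ["FalconGroupingTags/prod"], "ou": "Servers"}]},
    "/spotlight/queries/vulnerabilities/v1": {"resources": ["v-1", "v-2"]},
    "/spotlight/entities/vulnerabilities/v2?ids=v-1,v-2": {"resources": [
        {"id": "v-1", "device_id": "aid-1", "status": "open", "cve": {"id": "CVE-0000-0001", "severity": "HIGH"}, "remediation": {"ids": ["r-1"]}},
        {"id": "v-2", "device_id": "aid-1", "status": "closed", "cve": {"id": "CVE-0000-0002", "severity": "LOW"}, "remediation": {"ids": []}}]},
    "/spotlight/entities/remediations/v2?ids=r-1": {"resources": [{"id": "r-1", "action": "Update the package to the vendor's fixed version"}]},
}

def fake_call(method, url, headers, form):
    path = url[len(BASE):]
    if path != "/oauth2/token" and headers.get("Authorization") != "Bearer constructed-token":
        raise PermissionError("401: every call after authentication must carry the bearer token")
    return SAMPLE[path]
```

Running `run_connector(fake_call, "client-id", "client-secret")` yields two findings, one with a remediation text and one (closed, no remediation ids) with an empty Possible Solution.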