CrowdStrike Connector

CrowdStrike with Spotlight

The CrowdStrike Spotlight connector is one of the supported vulnerability scanners on the Kenna Platform. The current iteration focuses specifically on Spotlight. As with other standard VR connectors, the Spotlight connector imports CVEs and associates them with assets.

User Prerequisites/Connector Setup

  • A user designated with the role "Falcon Administrator" must create an API client.
  • Minimum scopes include Read access to Hosts and Spotlight vulnerabilities.

Configuring the CrowdStrike Spotlight Connector in Kenna

Navigate to the connectors tab and click on "Add Connector." Under "Vulnerability Management", find and click on the CrowdStrike Spotlight Connector.

[Image: CrowdStrike connector selection page]

Enter the Username, API key, and Host Name.

[Image: CrowdStrike API connector configuration page]

Default CrowdStrike Connector-Level Locator Order

The CrowdStrike connector does not follow the Kenna default locator order; it ships with its own order, which is applied by default. This default order may be changed, and once it is changed the CrowdStrike connector uses the new custom order instead.

The CrowdStrike connector default locator order is:

  1. external_id_locator
  2. ec2_locator
  3. netbios_locator
  4. external_ip_address_locator
  5. hostname_locator
  6. url_locator
  7. file_locator
  8. fqdn_locator
  9. ip_address_locator
  10. database_locator
  11. application_locator
  12. mac_address_locator

Vulnerability Date Information

Within Kenna, there are several dates in the Vulnerabilities tab. When importing your connector data, these criteria are used to populate the date fields.

  • "Found" within Kenna is when the connector first detected the vulnerability
  • "Last Seen" within Kenna is the last date the connector detected the vulnerability
  • "Created" within Kenna is the date the vulnerability was entered into Kenna

Connector API Calls

The following API calls are performed during a connector run to retrieve the connector information to be imported into the Kenna Platform.

  • Hosts: Assets
  • Detections: CVEs

Endpoints called:

  • oauth2/token
  • spotlight/queries/vulnerabilities/v1
  • spotlight/entities/vulnerabilities/v2
  • devices/queries/devices-scroll/v1
  • devices/entities/devices/v2

Data Mapping

Vulnerability Data

| Endpoint | CrowdStrike Field | Kenna Field | Notes |
| --- | --- | --- | --- |
| <none> | <none> | Solution (AKA: Fix) | |
| <none> | <none> | Fix Published | |
| /spotlight/entities/vulnerabilities/v2 | cve.base_score | Scanner Score | |
| /spotlight/entities/vulnerabilities/v2 | status | Vulnerability Status | Will auto-close only during a full run. Will not auto-close during an incremental run. |
| /spotlight/entities/vulnerabilities/v2 | cve.description | Description | |
| /spotlight/entities/vulnerabilities/v2 | cve.id | CVE | |
| <none> | <none> | Ports | |
| /spotlight/entities/vulnerabilities/v2 | host_info.host_last_seen_timestamp | Last Seen | |
| /spotlight/entities/vulnerabilities/v2 | created_timestamp | Found | |
| N/A | N/A | Created | This is the date the vulnerability was first imported to Kenna. It is not mapped from the scanner. |
| /spotlight/entities/vulnerabilities/v2 | closed_timestamp | Closed | This is the fix date according to CrowdStrike. |

Asset Fields

| Endpoint | CrowdStrike Field | Kenna Field | Notes |
| --- | --- | --- | --- |
| /devices/entities/devices/v1 | device_id | External ID | |
| /devices/entities/devices/v1 | kernel_version | Operating System | |
| /devices/entities/devices/v1 | last_seen | Last Seen | When the asset was last seen by CrowdStrike. |
| N/A | N/A | Created | This is the date the asset was first imported to Kenna. It is not mapped from the scanner. |
| /devices/entities/devices/v1 | status | Status | |
| /devices/entities/devices/v1 | hostname | Hostname | |
| /devices/entities/devices/v1 | local_ip | IP Address | |
| /devices/entities/devices/v1 | mac_address | MAC Address | |
| /devices/entities/devices/v1 | hostname | NetBIOS | The uppercase value from hostname is used. |
| /devices/entities/devices/v1 | hostname + machine_domain | FQDN | If both hostname and machine_domain are present, they are joined with a '.' and forced to lowercase. |
| <none> | <none> | EC2 Locator | |
| /devices/entities/devices/v1 | tags | Tags | |

 
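The asset field mapping above and the default locator order, worked through as an added example that is not Kenna's or CrowdStrike's connector code: it derives Kenna locators from a CrowdStrike device record (NetBIOS uppercased, FQDN joined and lowercased only when both parts exist) and then resolves which locator wins under the default or a custom order. The sample device record and its device_id are constructed placeholders, and the EC2 locator is left out because the page does not say which field populates it.

```python
# Added example, not Kenna's or CrowdStrike's own connector code: derive the
# Kenna asset locators from a /devices/entities/devices record using the
# Data Mapping rules on this page, then resolve the primary locator with the
# CrowdStrike connector's default locator order (or a custom one).

DEFAULT_LOCATOR_ORDER = [
    "external_id_locator", "ec2_locator", "netbios_locator",
    "external_ip_address_locator", "hostname_locator", "url_locator",
    "file_locator", "fqdn_locator", "ip_address_locator",
    "database_locator", "application_locator", "mac_address_locator",
]


def build_locators(device):
    """Map CrowdStrike device fields to Kenna locators; absent values are dropped."""
    hostname = device.get("hostname")
    domain = device.get("machine_domain")
    locators = {
        "external_id_locator": device.get("device_id"),
        "hostname_locator": hostname,
        "ip_address_locator": device.get("local_ip"),
        "mac_address_locator": device.get("mac_address"),
        # NetBIOS takes the uppercase form of hostname.
        "netbios_locator": hostname.upper() if hostname else None,
        # FQDN exists only when both parts are present: joined with '.' and lowercased.
        "fqdn_locator": f"{hostname}.{domain}".lower() if hostname and domain else None,
    }
    return {name: value for name, value in locators.items() if value}


def primary_locator(device, order=DEFAULT_LOCATOR_ORDER):
    """Return (locator name, value) for the first populated locator in `order`, or None."""
    locators = build_locators(device)
    for name in order:
        if name in locators:
            return name, locators[name]
    return None


# Constructed sample record; device_id is a placeholder, not a real Falcon agent ID.
SAMPLE_DEVICE = {
    "device_id": "PLACEHOLDER-AID-0001",
    "hostname": "Web-Srv01",
    "machine_domain": "Corp.Example",
    "local_ip": "10.0.0.5",
    "mac_address": "00-11-22-33-44-55",
}

if __name__ == "__main__":
    print(build_locators(SAMPLE_DEVICE))
    print(primary_locator(SAMPLE_DEVICE))
    # Without device_id the asset falls through to NetBIOS, third in the default order.
    print(primary_locator({k: v for k, v in SAMPLE_DEVICE.items() if k != "device_id"}))
```

Swapping in a custom order (for example hostname_locator ahead of netbios_locator) changes which value Kenna would match the asset on, which is why a changed order should be reviewed before the next full run.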