CrowdStrike Connector

CrowdStrike Connector with Spotlight

The CrowdStrike connector with Spotlight is one of the vulnerability scanner connectors supported in Cisco Vulnerability Management. Like the standard VM connectors, it imports CVEs and then associates them with assets.

For information about locator order and mapping fields, see the sections below.

Prerequisites

  • The Falcon Administrator must create an API client.
  • At a minimum, ensure the API client has at least read access to Hosts and Spotlight vulnerabilities.

Configure the CrowdStrike with Spotlight Connector

1. From the Cisco Vulnerability Management dashboard, choose Connectors > Add Connector.


Figure 1: The Vulnerability Management page displays.

2. On the Vulnerability Management page, click CROWDSTRIKE.


Figure 2: The API Connector for CrowdStrike page displays.

3. On the CrowdStrike page, type the following information:

a. In the Username/Client ID field, type your Username or Client ID.
b. In the Host field, type the correct Host.
c. In the API Key field, type the correct key.

4. Click Save And Verify.


Figure 3: After you fill in the fields, click Save and Verify.

CrowdStrike Connector-Level Locator Order

Note: The CrowdStrike connector has its own default locator order, so it does not use the Cisco Vulnerability Management default locator order. For more information, see Understanding Locator Order. The Cisco Vulnerability Management default order may change over time; when it does, the CrowdStrike connector still uses its own default locator order.

The CrowdStrike connector uses the following asset locator order:

  1. external_id_locator
  2. ec2_locator
  3. netbios_locator
  4. external_ip_address_locator
  5. hostname_locator
  6. url_locator
  7. file_locator
  8. fqdn_locator
  9. ip_address_locator
  10. database_locator
  11. application_locator
  12. mac_address_locator

For information about data mapping, see Vulnerability Data Mapping Fields, Asset Data Mapping Fields and Fix Data Mapping Fields.

Vulnerability Date Information

When you import connector data from the Vulnerabilities tab, the following criteria populate the date fields:

  • Found: The first date the connector detected the vulnerability.
  • Last Seen: The last date the connector detected the vulnerability.
  • Created: The date the vulnerability was first imported into Cisco Vulnerability Management.

Connector API Calls

The connector makes the following API calls when it retrieves the information that is imported into Cisco Vulnerability Management:

  • Hosts: Assets
  • Detections: CVEs

Endpoints called:

  • oauth2/token
  • spotlight/queries/vulnerabilities/v1
  • spotlight/entities/vulnerabilities/v2
  • devices/queries/devices-scroll/v1
  • devices/entities/devices/v2

Vulnerability Data Mapping Fields

Unless marked <none> or N/A, the CrowdStrike fields below are taken from the /spotlight/entities/vulnerabilities/v2 response.

CrowdStrike Field | Cisco Vulnerability Management Field | Notes
--- | --- | ---
<none> | Solution (AKA: Fix) |
<none> | Fix Published |
cve.base_score | Scanner Score |
status | Vulnerability Status | It auto-closes only during a full run and does not auto-close during an incremental run.
cve.description | Description |
cve.id | CVE |
<none> | Ports |
host_info.host_last_seen_timestamp | Last Seen |
created_timestamp | Found |
N/A | Created | The date the vulnerability was first imported into Cisco Vulnerability Management. It is not mapped from the scanner.
closed_timestamp | Closed | The CrowdStrike fix date.

 

Asset Data Mapping Fields

Note: The field in bold highlighting is new.

Unless marked N/A, the CrowdStrike fields below are taken from the /devices/entities/devices/v1 response.

CrowdStrike Field | Cisco Vulnerability Management Field | Notes
--- | --- | ---
device_id | External ID |
kernel_version | Operating System |
last_seen | Last Seen | The date the asset was last detected by CrowdStrike.
N/A | Created | The date the asset was first imported into Cisco Vulnerability Management. It is not mapped from the scanner.
status | Status |
hostname | Hostname |
local_ip | IP Address |
mac_address | MAC Address |
hostname | NetBIOS | The uppercase value of Hostname is used.
hostname + machine_domain | FQDN | If both hostname and machine_domain are present, they are joined with a period ('.') and converted to lowercase.
instance_id | EC2 Locator | The service_provider field must include AWS_EC2.
tags | Tags |

 
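The derivations in the asset table (NetBIOS, FQDN and the EC2 locator) together with the connector's default locator order, as an added Python example that is not the connector's own code. It assumes the device record is a plain dict keyed by the CrowdStrike field names in the table, and that the first locator in the order that has a value is the one used to match the asset; the sample device is constructed.

```python
from typing import Optional, Tuple

# Connector default locator order, as listed on this page.
CROWDSTRIKE_LOCATOR_ORDER = [
    "external_id_locator", "ec2_locator", "netbios_locator",
    "external_ip_address_locator", "hostname_locator", "url_locator",
    "file_locator", "fqdn_locator", "ip_address_locator",
    "database_locator", "application_locator", "mac_address_locator",
]

def map_device_locators(device: dict) -> dict:
    """Derive asset locators from one /devices/entities/devices record per the mapping table."""
    hostname = device.get("hostname") or ""
    domain = device.get("machine_domain") or ""
    provider = device.get("service_provider") or ""
    locators = {
        "external_id_locator": device.get("device_id"),
        "hostname_locator": hostname or None,
        # NetBIOS: the uppercase value of Hostname.
        "netbios_locator": hostname.upper() or None,
        # FQDN: hostname and machine_domain joined with '.' and lowercased, only when both exist.
        "fqdn_locator": f"{hostname}.{domain}".lower() if hostname and domain else None,
        "ip_address_locator": device.get("local_ip"),
        "mac_address_locator": device.get("mac_address"),
        # EC2 locator: instance_id is used only when service_provider includes AWS_EC2.
        "ec2_locator": device.get("instance_id") if "AWS_EC2" in provider else None,
    }
    # Locators without a value are dropped so they cannot be selected below.
    return {name: value for name, value in locators.items() if value}

def primary_locator(locators: dict) -> Optional[Tuple[str, str]]:
    """Assumption: the first locator in the connector's order that has a value matches the asset."""
    for name in CROWDSTRIKE_LOCATOR_ORDER:
        if name in locators:
            return name, locators[name]
    return None

# Constructed sample device record (not real data).
SAMPLE_DEVICE = {
    "device_id": "aid-constructed-0001",
    "hostname": "Web-01",
    "machine_domain": "Corp.Example",
    "local_ip": "10.0.0.5",
    "mac_address": "00-11-22-33-44-55",
    "instance_id": "i-0123456789abcdef0",
    "service_provider": "AWS_EC2",
}
```

Removing device_id from the sample makes ec2_locator the primary locator; removing service_provider as well drops the EC2 locator entirely and NetBIOS takes over.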

Fix Data Mapping Fields

Note: This is a new section.

CrowdStrike Field | Cisco Vulnerability Management Field | Notes
--- | --- | ---
vuln.remediation.entities.id | external_id |
<none> | source | Since all the data comes from CrowdStrike, the source is CrowdStrike by default.
vuln.remediation.entities.title | title |
evaluation_logic.logic[0].title … evaluation_logic.logic[n].title | diagnosis | If vuln.apps.evaluation_logic.id != "", use the evaluation logic. If vuln.apps.evaluation_logic.id == "" and vuln.apps.sub_status != "closed", use vuln.cve.description. Otherwise, leave it blank. The evaluation logic is retrieved with GET /spotlight/entities/evaluation-logic/v1, filtered by the vuln.apps.evaluation_logic.id associated with each vulnerability (multiple IDs can be passed at the same time, e.g. ids=1111111&ids=2222222&...).
vuln.remediation.entities.action | solution |
vuln.remediation.entities.reference | vendor | If the reference starts with "cpe", the vendor value starts after the second colon (':') and ends before the third colon (':'). If the reference starts with "KB", the vendor value is "Microsoft". Otherwise, leave it unmapped, or take the vendor value from vuln.cve.references or vuln.cve.vendor_advisory when required.
vuln.apps.product_name_version | product |
<none> | published_by_source_datetime | No CrowdStrike field maps directly to it, so the date is taken from vuln.remediation.entities.link; the link can be null in some cases.
<none> | last_modified_by_source_datetime | No CrowdStrike field maps directly to it, so the date is taken from vuln.remediation.entities.link; the link can be null in some cases.
vuln.remediation.entities.vendor_url | reference_link | It is null, so no extra steps are required to complete the remediation.
vuln.remediation.entities.link | url | It can be null in some cases.
vuln.remediation.entities.link | urls | It can be null in some cases.
<none> | client_id | The Cisco Vulnerability Management client ID.
<none> | category | Only Qualys uses it.
0 | kind | 0: infrastructure, 1: AppSec.

Note: Fix data is created only for newly created fixes. Currently, the connector does not update existing fixes after they are created.
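The vendor, diagnosis and evaluation-logic rules from the fix table, as an added Python example that is not the connector's own code. It treats vuln as a dict keyed by the page's vuln.* field names (the sample vulnerability is constructed) and builds the evaluation-logic query string the table describes.

```python
from typing import List, Optional
from urllib.parse import urlencode

EVALUATION_LOGIC_ENDPOINT = "/spotlight/entities/evaluation-logic/v1"

def vendor_from_reference(reference: Optional[str]) -> Optional[str]:
    """Vendor rule from the Fix Data Mapping table. None means the field stays unmapped."""
    if not reference:
        return None
    if reference.startswith("cpe"):
        # Vendor is the text after the second colon and before the third,
        # which is the vendor position in a cpe:/a:vendor:product style reference.
        parts = reference.split(":")
        return parts[2] if len(parts) > 2 and parts[2] else None
    if reference.startswith("KB"):
        return "Microsoft"
    # Otherwise unmapped; a caller may fall back to vuln.cve.references or vendor_advisory.
    return None

def evaluation_logic_query(ids: List[str]) -> str:
    """Build the GET path that fetches several evaluation-logic entries at once (ids=..&ids=..)."""
    return EVALUATION_LOGIC_ENDPOINT + "?" + urlencode([("ids", i) for i in ids])

def diagnosis(vuln: dict, logic_titles: List[str]) -> str:
    """Diagnosis rule: evaluation-logic titles, else the CVE description for open items, else blank."""
    apps = vuln.get("apps") or {}
    logic_id = (apps.get("evaluation_logic") or {}).get("id", "")
    if logic_id != "":
        # evaluation_logic.logic[0..n].title, fetched via evaluation_logic_query(), joined here.
        return "\n".join(logic_titles)
    if apps.get("sub_status") != "closed":
        return (vuln.get("cve") or {}).get("description", "")
    return ""

# Constructed sample vulnerability, shaped after the page's vuln.* field names (not real data).
SAMPLE_VULN = {
    "cve": {"description": "Constructed description."},
    "apps": {"evaluation_logic": {"id": ""}, "sub_status": "open",
             "product_name_version": "Example App 1.0"},
    "remediation": {"entities": [{"reference": "cpe:/a:example_vendor:example_app"}]},
}
```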
