CrowdStrike Connector with Spotlight
The CrowdStrike connector using Spotlight supports vulnerability scanners in Cisco Vulnerability Management. Like standard VM connectors, it imports CVEs and then associates them with assets.
For information about locator order and mapping fields, see the following information:
- CrowdStrike Connector-Level Locator Order
- Vulnerability Data Mapping Fields
- Asset Data Mapping Fields
- Fix Data Mapping Fields
Prerequisites
- The Falcon Administrator must create an API client.
- As a minimum, ensure you have at least read access to the Hosts and Spotlight vulnerabilities.
Configure the CrowdStrike with Spotlight Connector
1. From the Cisco Vulnerability Management dashboard, choose Connectors > Add Connector.
Figure 1: The Vulnerability Management page displays.
2. On the Vulnerability Management page, click CROWDSTRIKE.
Figure 2: The API Connector for CrowdStrike page displays.
3. On the CrowdStrike page, type the following information:
a. In the Username/Client ID field, type your Username or Client ID.
b. In the Host field, type the correct Host.
c. In the API Key field, type the correct key.
4. Click Save And Verify.
Figure 3: After you fill in the fields, click Save and Verify.
CrowdStrike Connector-Level Locator Order
Note: The CrowdStrike connector has its own default locator order, so it does not use the Cisco Vulnerability Management default locator order. For more information, see Understanding Locator Order. Although the default order may change, and when it changes, the CrowdStrike connector still uses its own default locator order.
The CrowdStrike connector has the following asset locator order data:
-
external_id_locator
-
ec2_locator
-
netbios_locator
-
external_ip_address_locator
-
hostname_locator
-
url_locator
-
file_locator
-
fqdn_locator
-
ip_address_locator
-
database_locator
-
application_locator
-
mac_address_locator
For information about data mapping, see Vulnerability Data Mapping Fields, Asset Data Mapping Fields and Fix Data Mapping Fields.
Vulnerability Date Information
When you import connector data from the Vulnerabilities tab, the following criteria populate the date fields:
- Found: The first date the connector detected the vulnerability.
- Last Seen: The last date the connector detected the vulnerability.
- Created: The date the vulnerability was put into Cisco Vulnerability Management.
Connector API Calls
The following API calls run when the connector gets the information that is imported into Cisco Vulnerability Management.
- Hosts: Assets
- Detections: CVEs
'oauth2/token'
'spotlight/queries/vulnerabilities/v1'
'spotlight/entities/vulnerabilities/v2'
'devices/queries/devices-scroll/v1'
'devices/entities/devices/v2'
Vulnerability Data Mapping Fields
|
CrowdStrike Field |
Cisco Vulnerability Management Field |
Notes |
|
<none> |
Solution (AKA: Fix) |
|
|
<none> |
Fix Published |
|
|
/spotlight/entities/vulnerabilities/v2 cve.base_score |
Scanner Score |
|
|
/spotlight/entities/vulnerabilities/v2 status |
Vulnerability Status |
It auto-closes only during a full run and doesn’t auto-close during an incremental run. |
|
/spotlight/entities/vulnerabilities/v2 cve.description |
Description |
|
|
/spotlight/entities/vulnerabilities/v2 cve.id |
CVE |
|
|
<none> |
Ports |
|
|
/spotlight/entities/vulnerabilities/v2 host_info.host_last_seen_timestamp |
Last Seen |
|
|
/spotlight/entities/vulnerabilities/v2 created_timestamp |
Found |
|
|
N/A |
Created |
The date the vulnerability was first imported into Cisco Vulnerability Management. It is not mapped from the scanner. |
|
/spotlight/entities/vulnerabilities/v2 closed_timestamp |
Closed | The CrowdStrike fix date. |
Asset Data Mapping Fields
Note: The field in bold highlighting is new.
|
CrowdStrike Field |
Cisco Vulnerability Management Field |
Notes |
|
/devices/entities/devices/v1 device_id |
External ID | |
|
/devices/entities/devices/v1 kernel_version |
Operating System | |
|
/devices/entities/devices/v1 last_seen |
Last Seen | The date the asset was last detected by CrowdStrike. |
| N/A | Created | The date when the asset was first imported into Cisco Vulnerability Management. It is not mapped from the scanner. |
|
/devices/entities/devices/v1 status |
Status | |
|
/devices/entities/devices/v1 hostname |
Hostname | |
|
/devices/entities/devices/v1 local_ip |
IP Address | |
|
/devices/entities/devices/v1 mac_address |
MAC Address | |
|
/devices/entities/devices/v1 hostname |
NetBIOS | The uppercase value from Hostname is used. |
|
/devices/entities/devices/v1 hostname + machine_domain |
FQDN |
If the Hostname and machine are present, they are joined with a period ('.') and converted to lowercase. |
|
/devices/entities/devices/v1 instance_id |
EC2 Locator |
The service_provide field must include the AWS_EC2. |
|
/devices/entities/devices/v1 tags |
Tags |
Fix Data Mapping Fields
Note: This is new section.
|
CrowdStrike Field |
Cisco Vulnerability Management Field |
Notes |
| vuln.remediation.entities.id | external_id | |
| source | Since all the data comes from CrowdStrike, this is a CrowdStrike field by default. | |
| vuln.remediation.entities.title | title | |
| evaluation_logic.logic[0].title…. evalutation_logic.logic[n].title |
diagnosis | If vuln.apps.evaluation_logic.id != ““, then use the evaluation logic. If vuln.apps.evaluation_logic.id == ““ and vuln.apps.sub_status != “closed”, then use vuln.cve.description. Otherwise, leave it as blank. It can be retrieved by the endpoint: GET /spotlight/entities/evaluation-logic/v1 by filtering vuln.apps.evaluation_logic.id associated with each vulnerability (multiple IDs can be used at the same time, e.g., ids=1111111&ids=2222222&...) |
| vuln.remediation.entities.action | solution | |
| vuln.remediation.entities.reference | vendor | If the reference starts with ”cpe”: the vendor value starts after the second colon (“:”) and ends before the third colon (“:”). If reference starts with “KB”: the vendor value should be “Microsoft”; Otherwise: unmap it or get the vendor value from vuln.cve.references or vuln.cve.vendor_advisory, when required. |
| vuln.apps.product_name_version | product | |
| published_by_ source_datetime |
No CrowdStrike field can be directly mapped to it. So, it get the dates from the vuln.remediation.entities.link, but the link can be null in some cases. | |
| last_modified_by_ source_datetime |
No CrowdStrike field can be directly mapped to it. So, it get the dates from the vuln.remediation.entities.link, but the link can be null in some cases. | |
| vuln.remediation.entities.venor_url | reference_link | It is null, so no extra steps are required to complete the remediation. |
| vuln.remediation.entities.link | url | It can be null in some cases. |
| vuln.remediation.entities.link | urls | It can be null in some cases. |
| client_id | It’s the Cisco Vulnerability Management client ID. | |
| category | Only Qualys uses it. | |
| 0 | kind |
0: infrastructure 1: AppSec |
Note: Fix data is created only for newly created fixes. Currently, it does not update existing fixes, after they are created.
Comments
Please sign in to leave a comment.