CrowdStrike Connector

CrowdStrike with Spotlight

The CrowdStrike Spotlight connector is a new addition to the vulnerability scanners supported on the Kenna Platform. This initial iteration focuses specifically on Spotlight. Like other standard VR connectors, the Spotlight connector imports CVEs and associates them with assets. When the customer has access to the Spotlight API, it also applies a label indicating whether a CrowdStrike agent is present on the asset.

Platform Support Information

Currently, Kenna supports importing CrowdStrike Spotlight vulnerabilities and tagging assets for agent presence.

User Prerequisites/Connector Setup

  • A user designated with the role "Falcon Administrator" must create an API client.
  • Minimum scopes include Read access to Hosts and Spotlight vulnerabilities.

Configuring the CrowdStrike Spotlight Connector in Kenna

Choose the CrowdStrike Spotlight Connector.


Enter the Username, API key, and Host Name.


Default Crowdstrike Connector-Level Locator Order

The Crowdstrike connector does not follow the Kenna default locator order; it has its own order, which is configured by default. This default order can be changed, and when it is changed, the Crowdstrike connector uses the new custom order instead.

The Crowdstrike connector default locator order is:

  1. external_id_locator
  2. ec2_locator
  3. netbios_locator
  4. external_ip_address_locator
  5. hostname_locator
  6. url_locator
  7. file_locator
  8. fqdn_locator
  9. ip_address_locator
  10. database_locator
  11. application_locator
  12. mac_address_locator

What CrowdStrike Spotlight Items are Turned into Kenna Tags?

  • Tags: the asset is tagged when a CrowdStrike agent is present

Vulnerability Date Information

Within Kenna, there are several dates in the Vulnerabilities tab. When importing your connector data, these criteria are used to populate the date fields.

  • "Found" within Kenna is when the connector first detected the vulnerability
  • "Last Seen" within Kenna is the last date the connector detected the vulnerability
  • "Created" within Kenna is the date the vulnerability was entered into Kenna

Connector API Calls

The following API calls are performed during a connector run to retrieve the connector information to be imported into the Kenna Platform.

  • Tags: Presence of Falcon agent
  • Hosts: Assets
  • Detections: CVEs

Endpoints called:

  • spotlight/queries/vulnerabilities/v1
  • spotlight/entities/vulnerabilities/v2
  • devices/queries/devices/v1
  • devices/entities/devices/v1
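As an added illustration (not Kenna's or CrowdStrike's code), the sketch below shows the query-then-entity call pattern behind the four endpoints above and how the results map onto assets, CVEs and the agent-present tag. The authenticated HTTP client, the OAuth2 token step, filters and pagination are hidden behind a `call` callable; the response field names and the tag label are assumptions, and the API responses are constructed so the sketch runs offline.

```python
from collections import defaultdict

# The four endpoints the connector page lists.
VULN_QUERY = "spotlight/queries/vulnerabilities/v1"
VULN_ENTITIES = "spotlight/entities/vulnerabilities/v2"
HOST_QUERY = "devices/queries/devices/v1"
HOST_ENTITIES = "devices/entities/devices/v1"

# Constructed sample responses standing in for the live Falcon API. Field names
# (resources, aid, cve.id, device_id, hostname, local_ip) are assumptions.
FAKE_API = {
    VULN_QUERY: {"resources": ["v1", "v2", "v3"]},
    VULN_ENTITIES: {"resources": [
        {"id": "v1", "aid": "aid-1", "cve": {"id": "CVE-2021-0001"}},
        {"id": "v2", "aid": "aid-1", "cve": {"id": "CVE-2021-0002"}},
        {"id": "v3", "aid": "aid-2", "cve": {"id": "CVE-2021-0001"}},
    ]},
    HOST_QUERY: {"resources": ["aid-1", "aid-2", "aid-3"]},
    HOST_ENTITIES: {"resources": [
        {"device_id": "aid-1", "hostname": "web01", "local_ip": "10.0.0.5"},
        {"device_id": "aid-2", "hostname": "db01", "local_ip": "10.0.0.9"},
        {"device_id": "aid-3", "hostname": "jump01", "local_ip": "10.0.0.20"},
    ]},
}

def fake_call(path, params=None):
    """Stand-in for an authenticated GET; entity endpoints honour the 'ids' filter."""
    body = FAKE_API[path]
    if params and "ids" in params:
        key = "device_id" if path == HOST_ENTITIES else "id"
        return {"resources": [r for r in body["resources"] if r[key] in params["ids"]]}
    return body

def fetch_entities(call, query_path, entity_path, batch=100):
    """Query endpoint returns IDs; the entity endpoint is then called in ID batches."""
    ids = call(query_path)["resources"]
    details = []
    for i in range(0, len(ids), batch):
        details.extend(call(entity_path, {"ids": ids[i:i + batch]})["resources"])
    return details

def build_import(call):
    """Hosts -> assets, Spotlight detections -> CVEs, every host -> agent-present tag."""
    hosts = fetch_entities(call, HOST_QUERY, HOST_ENTITIES)
    cves = defaultdict(set)
    for v in fetch_entities(call, VULN_QUERY, VULN_ENTITIES):
        cves[v["aid"]].add(v["cve"]["id"])
    return {h["device_id"]: {"hostname": h["hostname"], "ip_address": h["local_ip"],
                             "tags": ["CrowdStrike agent present"],  # constructed label
                             "cves": sorted(cves[h["device_id"]])} for h in hosts}
```

A host with no Spotlight detections (jump01 above) still arrives as an asset with the agent tag, which is the behaviour the "CrowdStrike without Spotlight" section relies on.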


CrowdStrike without Spotlight

If you only want to import asset information from the CrowdStrike connector, uncheck the Spotlight vulnerabilities box on the Edit API client page.


Important: When the Spotlight vulnerabilities box is unchecked, asset information imported from CrowdStrike will not show in the Explore tab. To see it, select Include all assets under Additional Filters in the Explore tab.
