The CrowdStrike connector using Spotlight is one of the vulnerability scanners supported by Cisco Vulnerability Management. Like other Vulnerability Management connectors, it imports CVEs and then associates them with assets.
For information about locator order and mapping fields, see the following sections:
- CrowdStrike Connector-Level Locator Order
- Vulnerability Data Mapping Fields
- Asset Data Mapping Fields
- Fix Data Mapping Fields
Prerequisites
- The Falcon Administrator must create an API client.
- At a minimum, ensure the API client has read access to Hosts and Spotlight vulnerabilities.
Configure the CrowdStrike with Spotlight Connector
1. In the Cisco Vulnerability Management UI, click Connectors.
2. Click Add Connector.
3. In the Vulnerability Management section, click CrowdStrike.
4. On the CrowdStrike screen, enter the following information:
- Name: Enter a name for the connector, or leave it as CrowdStrike.
- Username/Client ID: Enter your Username or Client ID.
- Host: Enter the information for your Host.
- API Key: Enter the API Key for the account that you're using.
- Asset Inactivity Limit (days): Enter a time in days for the connector level asset inactivity limit.
5. Click Save And Verify.
CrowdStrike Connector-Level Locator Order
The CrowdStrike connector uses the Cisco Vulnerability Management default locator order. For more information, see Understanding Locator Order.
For information about data mapping, see Vulnerability Data Mapping Fields, Asset Data Mapping Fields and Fix Data Mapping Fields.
Vulnerability Date Information
When you import connector data from the Vulnerabilities tab, the following criteria populate the date fields:
- Found: The first date the connector detected the vulnerability.
- Last Seen: The last date the connector detected the vulnerability.
- Created: The date the vulnerability was put into Cisco Vulnerability Management.
Connector API Calls
The connector makes the following API calls to retrieve the information that is imported into Cisco Vulnerability Management:
- Hosts: Assets
- Detections: CVEs
Endpoints used:
- oauth2/token
- spotlight/queries/vulnerabilities/v1
- spotlight/entities/vulnerabilities/v2
- devices/queries/devices-scroll/v1
- devices/entities/devices/v2
Vulnerability Data Mapping Fields
CrowdStrike Field | Cisco Vulnerability Management Field | Notes
<none> | Solution (AKA: Fix) |
<none> | Fix Published |
/spotlight/entities/vulnerabilities/v2 cve.base_score | Scanner Score |
/spotlight/entities/vulnerabilities/v2 status | Vulnerability Status | It auto-closes only during a full run and doesn't auto-close during an incremental run.
/spotlight/entities/vulnerabilities/v2 cve.description | Description |
/spotlight/entities/vulnerabilities/v2 cve.id | CVE |
<none> | Ports |
/spotlight/entities/vulnerabilities/v2 host_info.host_last_seen_timestamp | Last Seen |
/spotlight/entities/vulnerabilities/v2 created_timestamp | Found |
N/A | Created | The date the vulnerability was first imported into Cisco Vulnerability Management. It is not mapped from the scanner.
/spotlight/entities/vulnerabilities/v2 closed_timestamp | Closed | The CrowdStrike fix date.
Asset Data Mapping Fields
Note: The field in bold highlighting is new.
CrowdStrike Field | Cisco Vulnerability Management Field | Notes
/devices/entities/devices/v1 device_id | External ID |
/devices/entities/devices/v1 kernel_version | Operating System |
/devices/entities/devices/v1 last_seen | Last Seen | The date the asset was last detected by CrowdStrike.
N/A | Created | The date when the asset was first imported into Cisco Vulnerability Management. It is not mapped from the scanner.
/devices/entities/devices/v1 status | Status |
/devices/entities/devices/v1 hostname | Hostname |
/devices/entities/devices/v1 local_ip | IP Address |
/devices/entities/devices/v1 mac_address | MAC Address |
/devices/entities/devices/v1 hostname | NetBIOS | The uppercase value of Hostname is used.
/devices/entities/devices/v1 hostname + machine_domain | FQDN | If both hostname and machine_domain are present, they are joined with a period ('.') and converted to lowercase.
/devices/entities/devices/v1 instance_id | EC2 Locator | The service_provider field must include AWS_EC2.
/devices/entities/devices/v1 tags | Tags |
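The derived asset locators in the table above (NetBIOS, FQDN and EC2 Locator) are the rows most likely to surprise when deduplication goes wrong, so here is an added example, not Cisco's or CrowdStrike's own code, that applies those rules to a constructed device record. It assumes the table's "service_provide" refers to the device record's service_provider field; all other field names are taken from the table.

```python
# Added example, not Cisco's or CrowdStrike's code: applies the asset mapping
# rules from the table above to one constructed Falcon device record.
def map_asset(device: dict) -> dict:
    """Build the Cisco Vulnerability Management asset fields from a device record."""
    hostname = device.get("hostname") or ""
    domain = device.get("machine_domain") or ""
    asset = {
        "external_id": device.get("device_id"),
        "operating_system": device.get("kernel_version"),
        "last_seen": device.get("last_seen"),
        "status": device.get("status"),
        "hostname": hostname or None,
        "ip_address": device.get("local_ip"),
        "mac_address": device.get("mac_address"),
        "tags": list(device.get("tags") or []),
    }
    # NetBIOS: the uppercase value of Hostname.
    asset["netbios"] = hostname.upper() if hostname else None
    # FQDN: only when both parts are present; joined with '.' and lowercased.
    asset["fqdn"] = f"{hostname}.{domain}".lower() if hostname and domain else None
    # EC2 locator: instance_id counts only when service_provider includes AWS_EC2
    # (the table's "service_provide" is assumed to be this field).
    provider = device.get("service_provider") or ""
    asset["ec2"] = device.get("instance_id") if "AWS_EC2" in provider else None
    return asset

# Constructed sample record, not real Falcon output.
SAMPLE_DEVICE = {
    "device_id": "0123456789abcdef0123456789abcdef",
    "hostname": "Web-01",
    "machine_domain": "Corp.Example",
    "kernel_version": "5.15.0-91-generic",
    "local_ip": "10.0.0.5",
    "mac_address": "00-11-22-33-44-55",
    "last_seen": "2024-01-15T08:30:00Z",
    "status": "normal",
    "service_provider": "AWS_EC2",
    "instance_id": "i-0123456789abcdef0",
    "tags": ["FalconGroupingTags/prod"],
}

if __name__ == "__main__":
    for key, value in map_asset(SAMPLE_DEVICE).items():
        print(f"{key}: {value}")
```

A host that reports an instance_id but no AWS_EC2 service provider gets no EC2 locator, and a host without machine_domain gets no FQDN, which is why such assets fall back to the remaining locators.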
Fix Data Mapping Fields
CrowdStrike Field | Cisco Vulnerability Management Field | Notes
vuln.remediation.entities.id | external_id |
<none> | source | Since all the data comes from CrowdStrike, this is a CrowdStrike field by default.
vuln.remediation.entities.title | title |
evaluation_logic.logic[0].title ... evaluation_logic.logic[n].title | diagnosis | If vuln.apps.evaluation_logic.id != "", use the evaluation logic. If vuln.apps.evaluation_logic.id == "" and vuln.apps.sub_status != "closed", use vuln.cve.description. Otherwise, leave it blank. The evaluation logic can be retrieved from the endpoint GET /spotlight/entities/evaluation-logic/v1 by filtering on the vuln.apps.evaluation_logic.id associated with each vulnerability (multiple IDs can be passed at the same time, e.g., ids=1111111&ids=2222222&...).
vuln.remediation.entities.action | solution |
vuln.remediation.entities.reference | vendor | If the reference starts with "cpe", the vendor value starts after the second colon (":") and ends before the third colon (":"). If the reference starts with "KB", the vendor value is "Microsoft". Otherwise, leave it unmapped, or take the vendor value from vuln.cve.references or vuln.cve.vendor_advisory when required.
vuln.apps.product_name_version | product |
<none> | published_by_source_datetime | No CrowdStrike field maps directly to it, so the date is taken from vuln.remediation.entities.link, but the link can be null in some cases.
<none> | last_modified_by_source_datetime | No CrowdStrike field maps directly to it, so the date is taken from vuln.remediation.entities.link, but the link can be null in some cases.
vuln.remediation.entities.vendor_url | reference_link | It is null, so no extra steps are required to complete the remediation.
vuln.remediation.entities.link | url | It can be null in some cases.
vuln.remediation.entities.link | urls | It can be null in some cases.
<none> | client_id | It is the Cisco Vulnerability Management client ID.
<none> | category | Only Qualys uses it.
0 | kind | 0: infrastructure, 1: AppSec
Note: Fix data is created only for newly created fixes. Currently, it does not update existing fixes, after they are created.
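The vendor and diagnosis rules in the Fix Data Mapping table are conditional, so the following added example (not Cisco's or CrowdStrike's own code) implements them exactly as the table states and runs them over constructed Spotlight records. It assumes vuln.apps is a single object with evaluation_logic and sub_status keys, and the evaluation_logic lookup dictionary stands in for the response of GET /spotlight/entities/evaluation-logic/v1.

```python
from typing import Optional

def vendor_from_reference(reference: Optional[str]) -> Optional[str]:
    """Vendor rule from the table: a 'cpe' reference yields the text between
    the second and third colon, a 'KB' reference yields Microsoft, anything
    else is left unmapped (None)."""
    if not reference:
        return None
    if reference.startswith("cpe"):
        parts = reference.split(":")
        return parts[2] if len(parts) > 3 and parts[2] else None
    if reference.startswith("KB"):
        return "Microsoft"
    return None

def diagnosis_for(vuln: dict, evaluation_logic: dict) -> str:
    """Diagnosis rule: if apps.evaluation_logic.id is set, join the titles of the
    evaluation-logic steps; if it is empty and sub_status is not 'closed', use
    cve.description; otherwise blank. evaluation_logic stands in for the result
    of GET /spotlight/entities/evaluation-logic/v1, keyed by logic id (assumption)."""
    apps = vuln.get("apps") or {}  # treated as one object here (assumption)
    logic_id = (apps.get("evaluation_logic") or {}).get("id") or ""
    if logic_id != "":
        steps = evaluation_logic.get(logic_id, {}).get("logic", [])
        return "; ".join(s["title"] for s in steps if s.get("title"))
    if apps.get("sub_status") != "closed":
        return (vuln.get("cve") or {}).get("description") or ""
    return ""

# Constructed sample records, not real Spotlight output.
EVAL_LOGIC = {"logic-1": {"logic": [{"title": "Check installed version"},
                                    {"title": "Compare with fixed version"}]}}
OPEN_VULN = {"cve": {"description": "Sample description"},
             "apps": {"evaluation_logic": {"id": "logic-1"}, "sub_status": "open"}}
OPEN_NO_LOGIC = {"cve": {"description": "Sample description"},
                 "apps": {"evaluation_logic": {"id": ""}, "sub_status": "open"}}
CLOSED_NO_LOGIC = {"cve": {"description": "Sample description"},
                   "apps": {"evaluation_logic": {"id": ""}, "sub_status": "closed"}}

if __name__ == "__main__":
    for ref in ("cpe:/o:microsoft:windows_10", "KB0000000", "https://example.invalid/adv"):
        print(ref, "->", vendor_from_reference(ref))
    for v in (OPEN_VULN, OPEN_NO_LOGIC, CLOSED_NO_LOGIC):
        print(repr(diagnosis_for(v, EVAL_LOGIC)))
```

Note that the colon-position rule as written matches the cpe:/part:vendor:product URI form; a reference in another layout lands in the "otherwise" branch and stays unmapped.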