CrowdStrike Connector with Spotlight

The CrowdStrike connector with Spotlight is one of the vulnerability-scanner connectors in Cisco Vulnerability Management. Like the other Vulnerability Management connectors, it imports CVEs and then associates them with assets.

For information about locator order and mapping fields, see the sections below.

Prerequisites

  • The Falcon Administrator must create an API client and provide its Client ID and client secret.
  • At a minimum, the API client needs read access to Hosts and to Spotlight vulnerabilities. Grant only those read scopes: every call the connector makes (see Connector API Calls) only reads data, so no write or admin scope is required.

Configure the CrowdStrike with Spotlight Connector

1. In the Cisco Vulnerability Management UI, click Connectors.
2. Click Add Connector.
3. In the Vulnerability Management section, click CrowdStrike.


4. On the CrowdStrike screen, enter the following information:

  • Name: Enter a name for the connector, or leave it as CrowdStrike.
  • Username/Client ID: Enter the Client ID of the Falcon API client.
  • Host: Enter the CrowdStrike API hostname for your Falcon cloud (for example, api.crowdstrike.com for US-1; other Falcon clouds use their own API hostname).
  • API Key: Enter the client secret that Falcon generated for the API client.
  • Asset Inactivity Limit (days): Enter the connector-level asset inactivity limit in days. Assets that this connector has not seen for longer than this limit are marked inactive.

5. Click Save And Verify.

CrowdStrike Connector-Level Locator Order

The CrowdStrike connector uses the Cisco Vulnerability Management default locator order. For more information, see Understanding Locator Order.

For information about data mapping, see Vulnerability Data Mapping Fields, Asset Data Mapping Fields and Fix Data Mapping Fields.

Vulnerability Date Information

When you import connector data from the Vulnerabilities tab, the following criteria populate the date fields:

  • Found: The first date the connector detected the vulnerability.
  • Last Seen: The last date the connector detected the vulnerability.
  • Created: The date the vulnerability was put into Cisco Vulnerability Management.

Connector API Calls

The connector makes the following API calls when it collects the data that is imported into Cisco Vulnerability Management:

  • Authentication: oauth2/token
  • Hosts (imported as assets): devices/queries/devices-scroll/v1, then devices/entities/devices/v2
  • Detections (imported as CVEs): spotlight/queries/vulnerabilities/v1, then spotlight/entities/vulnerabilities/v2
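The call sequence above, as an added example that is not connector code from Cisco Vulnerability Management or CrowdStrike: an OAuth2 client-credentials token, then each query endpoint (which returns only IDs, paged by a cursor in meta.pagination) followed by the matching entities endpoint that hydrates those IDs in batches. The endpoint paths, parameter names and response shapes are the public Falcon API ones; the transport is injectable, and the FakeFalcon class, its three vulnerabilities and three hosts, and the credentials are constructed for this example so it runs offline.

```python
from typing import Any, Callable, Dict, List, Optional

# (method, path, params_or_body, headers) -> parsed JSON body
HttpCall = Callable[[str, str, Dict[str, Any], Optional[Dict[str, str]]], Dict[str, Any]]


class FalconClient:
    def __init__(self, client_id: str, client_secret: str, http: HttpCall, page_size: int = 2):
        self.client_id, self.client_secret, self.http, self.page_size = client_id, client_secret, http, page_size
        self.token: Optional[str] = None

    def authenticate(self) -> None:
        # oauth2/token: client-credentials grant. The bearer token is short-lived
        # (expires_in seconds), so a long-running collector must re-authenticate.
        resp = self.http("POST", "/oauth2/token",
                         {"client_id": self.client_id, "client_secret": self.client_secret}, None)
        self.token = resp["access_token"]

    def _call(self, method: str, path: str, data: Dict[str, Any]) -> Dict[str, Any]:
        if self.token is None:
            self.authenticate()
        return self.http(method, path, data, {"Authorization": f"Bearer {self.token}"})

    def _collect_ids(self, path: str, params: Dict[str, Any], cursor: str) -> List[str]:
        # Query endpoints return IDs only, paged by a cursor in meta.pagination:
        # "after" for Spotlight, "offset" for devices-scroll. Absent cursor = last page.
        ids: List[str] = []
        token: Optional[str] = None
        while True:
            page = self._call("GET", path, {**params, "limit": self.page_size, **({cursor: token} if token else {})})
            ids.extend(page["resources"])
            token = page["meta"]["pagination"].get(cursor)
            if not page["resources"] or not token:
                return ids

    def _hydrate(self, method: str, path: str, ids: List[str]) -> List[Dict[str, Any]]:
        # Entities endpoints take a batch of ids (repeated ids=... query parameters
        # for GET, a JSON body for the devices POST); the transport does the encoding.
        out: List[Dict[str, Any]] = []
        for i in range(0, len(ids), self.page_size):
            out.extend(self._call(method, path, {"ids": ids[i:i + self.page_size]})["resources"])
        return out

    def vulnerabilities(self, fql_filter: str) -> List[Dict[str, Any]]:
        ids = self._collect_ids("/spotlight/queries/vulnerabilities/v1", {"filter": fql_filter}, "after")
        return self._hydrate("GET", "/spotlight/entities/vulnerabilities/v2", ids)

    def devices(self) -> List[Dict[str, Any]]:
        ids = self._collect_ids("/devices/queries/devices-scroll/v1", {}, "offset")
        return self._hydrate("POST", "/devices/entities/devices/v2", ids)


class FakeFalcon:
    """Constructed stand-in for the Falcon API (assumption, not real data): checks the
    credentials and bearer token, and serves three vulnerabilities and three hosts."""
    CLIENT_ID, SECRET, TOKEN = "example-client-id", "example-secret", "example-bearer-token"
    VULNS = {f"vuln-{n}": {"id": f"vuln-{n}", "aid": f"aid-{n}", "status": "open",
                           "created_timestamp": "2024-01-0%dT00:00:00Z" % n,
                           "cve": {"id": f"CVE-2024-000{n}", "base_score": 7.5}} for n in (1, 2, 3)}
    DEVICES = {f"aid-{n}": {"device_id": f"aid-{n}", "hostname": f"host{n}",
                            "local_ip": f"10.0.0.{n}"} for n in (1, 2, 3)}

    def __call__(self, method, path, data, headers):
        if path == "/oauth2/token":
            if (data.get("client_id"), data.get("client_secret")) != (self.CLIENT_ID, self.SECRET):
                raise PermissionError("401 Unauthorized: bad client credentials")
            return {"access_token": self.TOKEN, "token_type": "bearer", "expires_in": 1799}
        if (headers or {}).get("Authorization") != f"Bearer {self.TOKEN}":
            raise PermissionError("403 Forbidden: missing or invalid bearer token")
        if path == "/spotlight/queries/vulnerabilities/v1":
            return self._page(list(self.VULNS), data, "after")
        if path == "/spotlight/entities/vulnerabilities/v2":
            return {"resources": [self.VULNS[i] for i in data["ids"]]}
        if path == "/devices/queries/devices-scroll/v1":
            return self._page(list(self.DEVICES), data, "offset")
        if path == "/devices/entities/devices/v2":
            return {"resources": [self.DEVICES[i] for i in data["ids"]]}
        raise KeyError(f"unexpected call {method} {path}")

    @staticmethod
    def _page(all_ids, params, cursor):
        start, limit = int(params.get(cursor) or 0), int(params["limit"])
        pagination = {"total": len(all_ids), "limit": limit}
        if start + limit < len(all_ids):
            pagination[cursor] = str(start + limit)  # opaque cursor; omitted on the last page
        return {"meta": {"pagination": pagination}, "resources": all_ids[start:start + limit]}


def run_collection(http: Optional[HttpCall] = None, client_id: str = FakeFalcon.CLIENT_ID,
                   secret: str = FakeFalcon.SECRET):
    """Run the whole call sequence; returns (vulnerabilities, devices)."""
    client = FalconClient(client_id, secret, http or FakeFalcon())
    vulns = client.vulnerabilities("status:['open','reopen']")  # illustrative FQL filter (assumption)
    return vulns, client.devices()


if __name__ == "__main__":
    v, d = run_collection()
    print(len(v), "vulnerabilities,", len(d), "hosts")
```

The page size of 2 is deliberately small so that both query endpoints page twice; against the real API you would raise it and pass a real `requests`-style transport as `http`. Note that the token check in FakeFalcon is what a real collector hits when the client secret is rotated: the failure surfaces on the first call after the old token expires, not at configuration time.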

Vulnerability Data Mapping Fields

Endpoint                               | CrowdStrike Field                  | Cisco Vulnerability Management Field | Notes
---------------------------------------|------------------------------------|--------------------------------------|------
<none>                                 |                                    | Solution (AKA: Fix)                  |
<none>                                 |                                    | Fix Published                        |
/spotlight/entities/vulnerabilities/v2 | cve.base_score                     | Scanner Score                        |
/spotlight/entities/vulnerabilities/v2 | status                             | Vulnerability Status                 | Auto-closes only during a full run; it does not auto-close during an incremental run.
/spotlight/entities/vulnerabilities/v2 | cve.description                    | Description                          |
/spotlight/entities/vulnerabilities/v2 | cve.id                             | CVE                                  |
<none>                                 |                                    | Ports                                |
/spotlight/entities/vulnerabilities/v2 | host_info.host_last_seen_timestamp | Last Seen                            |
/spotlight/entities/vulnerabilities/v2 | created_timestamp                  | Found                                |
N/A                                    |                                    | Created                              | The date the vulnerability was first imported into Cisco Vulnerability Management. It is not mapped from the scanner.
/spotlight/entities/vulnerabilities/v2 | closed_timestamp                   | Closed                               | The CrowdStrike fix date.

Asset Data Mapping Fields


Endpoint                     | CrowdStrike Field         | Cisco Vulnerability Management Field | Notes
-----------------------------|---------------------------|--------------------------------------|------
/devices/entities/devices/v1 | device_id                 | External ID                          |
/devices/entities/devices/v1 | kernel_version            | Operating System                     |
/devices/entities/devices/v1 | last_seen                 | Last Seen                            | The date the asset was last detected by CrowdStrike.
N/A                          |                           | Created                              | The date the asset was first imported into Cisco Vulnerability Management. It is not mapped from the scanner.
/devices/entities/devices/v1 | status                    | Status                               |
/devices/entities/devices/v1 | hostname                  | Hostname                             |
/devices/entities/devices/v1 | local_ip                  | IP Address                           |
/devices/entities/devices/v1 | mac_address               | MAC Address                          |
/devices/entities/devices/v1 | hostname                  | NetBIOS                              | The uppercase value of hostname is used.
/devices/entities/devices/v1 | hostname + machine_domain | FQDN                                 | If both hostname and machine_domain are present, they are joined with a period ('.') and converted to lowercase.
/devices/entities/devices/v1 | instance_id               | EC2 Locator                          | Only used when the service_provider field includes AWS_EC2.
/devices/entities/devices/v1 | tags                      | Tags                                 |
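
The derivations in the Vulnerability and Asset mapping tables above, as an added example that is not connector code from Cisco or CrowdStrike: the status rule (a CrowdStrike closure is applied only on a full run) and the three derived locators (NetBIOS, FQDN, EC2), applied to constructed records. The CrowdStrike field names are the ones from the tables; the Cisco-side key names, the full_run flag and the sample values are assumptions made for this example.

```python
from typing import Any, Dict, Optional


def map_vulnerability(vuln: Dict[str, Any], full_run: bool) -> Dict[str, Any]:
    """Vulnerability table. A CrowdStrike 'closed' status is applied only on a
    full run; on an incremental run it is ignored (None = leave CVM unchanged)."""
    status: Optional[str] = vuln.get("status")
    if status == "closed" and not full_run:
        status = None
    return {
        "cve": vuln["cve"]["id"],
        "scanner_score": vuln["cve"].get("base_score"),
        "description": vuln["cve"].get("description"),
        "vulnerability_status": status,
        "found": vuln.get("created_timestamp"),
        "last_seen": (vuln.get("host_info") or {}).get("host_last_seen_timestamp"),
        "closed": vuln.get("closed_timestamp"),
    }


def netbios_name(device: Dict[str, Any]) -> Optional[str]:
    hostname = device.get("hostname")
    return hostname.upper() if hostname else None


def fqdn(device: Dict[str, Any]) -> Optional[str]:
    # Both parts must be present; a host with no machine_domain gets no FQDN locator.
    hostname, domain = device.get("hostname"), device.get("machine_domain")
    return f"{hostname}.{domain}".lower() if hostname and domain else None


def ec2_locator(device: Dict[str, Any]) -> Optional[str]:
    # instance_id alone is not enough: it only counts as an EC2 locator when
    # service_provider says the host is an AWS_EC2 instance.
    if "AWS_EC2" in (device.get("service_provider") or ""):
        return device.get("instance_id") or None
    return None


def map_asset(device: Dict[str, Any]) -> Dict[str, Any]:
    """Asset table, including the derived NetBIOS, FQDN and EC2 locators."""
    return {
        "external_id": device["device_id"],
        "operating_system": device.get("kernel_version"),
        "last_seen": device.get("last_seen"),
        "status": device.get("status"),
        "hostname": device.get("hostname"),
        "ip_address": device.get("local_ip"),
        "mac_address": device.get("mac_address"),
        "netbios": netbios_name(device),
        "fqdn": fqdn(device),
        "ec2_locator": ec2_locator(device),
        "tags": list(device.get("tags") or []),
    }


# Constructed sample records (assumptions, not real hosts or detections)
EC2_HOST = {"device_id": "0123456789abcdef0123456789abcdef", "hostname": "Web-01",
            "machine_domain": "Corp.Example", "local_ip": "10.1.2.3", "mac_address": "02-00-00-aa-bb-cc",
            "kernel_version": "5.15.0-1051-aws", "last_seen": "2024-03-01T12:00:00Z", "status": "normal",
            "service_provider": "AWS_EC2", "instance_id": "i-0abc123def456789a",
            "tags": ["FalconGroupingTags/prod"]}
LAPTOP = {"device_id": "fedcba9876543210fedcba9876543210", "hostname": "LT-42", "machine_domain": None,
          "local_ip": "192.168.1.20", "mac_address": "02-00-00-dd-ee-ff", "kernel_version": "10.0.19045",
          "last_seen": "2024-03-02T08:30:00Z", "status": "normal", "service_provider": None,
          "instance_id": None, "tags": []}
CLOSED_VULN = {"cve": {"id": "CVE-2024-0001", "base_score": 9.8, "description": "Example description."},
               "status": "closed", "created_timestamp": "2024-02-01T00:00:00Z",
               "closed_timestamp": "2024-02-20T00:00:00Z",
               "host_info": {"host_last_seen_timestamp": "2024-03-01T12:00:00Z"}}
```

The two hosts show why the locator rules matter for de-duplication: the EC2 instance yields three strong locators (FQDN, EC2 instance ID, MAC), while the laptop with no machine_domain falls back to hostname and IP, which is where a reused DHCP address can merge unrelated assets if the locator order is left at defaults.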

 

 

Fix Data Mapping Fields

CrowdStrike Field                                                   | Cisco Vulnerability Management Field | Notes
--------------------------------------------------------------------|--------------------------------------|------
vuln.remediation.entities.id                                        | external_id                          |
<none>                                                              | source                               | Since all the data comes from CrowdStrike, this is "CrowdStrike" by default.
vuln.remediation.entities.title                                     | title                                |
evaluation_logic.logic[0].title ... evaluation_logic.logic[n].title | diagnosis                            | If vuln.apps.evaluation_logic.id != "", use the evaluation logic. If vuln.apps.evaluation_logic.id == "" and vuln.apps.sub_status != "closed", use vuln.cve.description. Otherwise leave it blank. The evaluation logic is retrieved with GET /spotlight/entities/evaluation-logic/v1, filtering on the vuln.apps.evaluation_logic.id associated with each vulnerability (multiple IDs can be passed at once, e.g., ids=1111111&ids=2222222&...).
vuln.remediation.entities.action                                    | solution                             |
vuln.remediation.entities.reference                                 | vendor                               | If the reference starts with "cpe", the vendor value starts after the second colon (":") and ends before the third colon. If the reference starts with "KB", the vendor value is "Microsoft". Otherwise it is left unmapped, or the vendor is taken from vuln.cve.references or vuln.cve.vendor_advisory when required.
vuln.apps.product_name_version                                      | product                              |
<none>                                                              | published_by_source_datetime         | No CrowdStrike field maps to it directly, so the date is derived from vuln.remediation.entities.link, which can be null in some cases.
<none>                                                              | last_modified_by_source_datetime     | No CrowdStrike field maps to it directly, so the date is derived from vuln.remediation.entities.link, which can be null in some cases.
vuln.remediation.entities.vendor_url                                | reference_link                       | It is null, so no extra steps are required to complete the remediation.
vuln.remediation.entities.link                                      | url                                  | It can be null in some cases.
vuln.remediation.entities.link                                      | urls                                 | It can be null in some cases.
<none>                                                              | client_id                            | The Cisco Vulnerability Management client ID.
<none>                                                              | category                             | Only Qualys uses it.
0                                                                   | kind                                 | 0: infrastructure, 1: AppSec. CrowdStrike fixes are always 0 (infrastructure).

Note: Fix data is created only for newly created fixes. Currently, existing fixes are not updated after they are created.
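
The derivation rules in the Fix table above, as an added example that is not connector code from Cisco or CrowdStrike: vendor from the remediation reference (including the CPE colon rule and its pitfall), diagnosis from the evaluation logic with the description fallback, the multi-id evaluation-logic query string, and the assembled fix record. Field names follow the table; the example assumes vuln.apps and vuln.remediation.entities are lists and uses their first element, and the sample vulnerability, remediation and evaluation logic are constructed.

```python
from typing import Any, Dict, List, Optional
from urllib.parse import urlencode


def vendor_from_reference(reference: Optional[str]) -> Optional[str]:
    """Literal vendor rule from the table. Caveat: the 'second to third colon' rule
    fits the cpe:/<part>:<vendor>:... URI form; a CPE 2.3 string ("cpe:2.3:a:vendor:...")
    has the part type in that position, so it yields "a", not the vendor."""
    if not reference:
        return None
    if reference.startswith("cpe"):
        parts = reference.split(":")
        return parts[2] if len(parts) > 3 else None  # needs a third colon to bound the value
    if reference.startswith("KB"):
        return "Microsoft"
    return None  # left unmapped; cve.references / cve.vendor_advisory are the fallback


def evaluation_logic_query(ids: List[str]) -> str:
    """Path and query for GET /spotlight/entities/evaluation-logic/v1 with repeated ids."""
    return "/spotlight/entities/evaluation-logic/v1?" + urlencode({"ids": ids}, doseq=True)


def diagnosis(vuln: Dict[str, Any], logic_by_id: Dict[str, Dict[str, Any]]) -> str:
    """Evaluation-logic titles joined line by line; else the CVE description unless
    the app sub_status is closed; else blank."""
    app = (vuln.get("apps") or [{}])[0]
    logic_id = (app.get("evaluation_logic") or {}).get("id") or ""
    if logic_id:
        steps = logic_by_id.get(logic_id, {}).get("logic", [])
        return "\n".join(step["title"] for step in steps)
    if app.get("sub_status") != "closed":
        return (vuln.get("cve") or {}).get("description") or ""
    return ""


def map_fix(vuln: Dict[str, Any], logic_by_id: Dict[str, Dict[str, Any]]) -> Dict[str, Any]:
    """Assemble the fix record from the first remediation entity and first app."""
    rem = vuln["remediation"]["entities"][0]
    app = vuln["apps"][0]
    link = rem.get("link")
    return {
        "external_id": rem["id"],
        "source": "CrowdStrike",
        "title": rem.get("title"),
        "diagnosis": diagnosis(vuln, logic_by_id),
        "solution": rem.get("action"),
        "vendor": vendor_from_reference(rem.get("reference")),
        "product": app.get("product_name_version"),
        "reference_link": rem.get("vendor_url"),  # null in practice, per the table
        "url": link,
        "urls": [link] if link else [],  # link can be null
        "kind": 0,  # CrowdStrike fixes are always infrastructure
    }


# Constructed sample (assumption, not a real detection): a Windows KB remediation
# with evaluation logic attached, and the evaluation-logic records keyed by id.
SAMPLE_VULN = {
    "cve": {"id": "CVE-2024-0001", "description": "Example description of the flaw."},
    "apps": [{"product_name_version": "Windows Server 2019", "sub_status": "open",
              "evaluation_logic": {"id": "logic-1"}}],
    "remediation": {"entities": [{"id": "rem-1", "title": "Install KB5000001",
                                  "action": "Install the update", "reference": "KB5000001",
                                  "link": "https://support.example.com/kb/5000001",
                                  "vendor_url": None}]},
}
SAMPLE_LOGIC = {"logic-1": {"id": "logic-1",
                            "logic": [{"title": "Windows build is below 17763.5329"},
                                      {"title": "KB5000001 is not installed"}]}}
```

Because fix data is written only when a fix is first created, a vendor mis-derived from a CPE 2.3 reference stays wrong in Cisco Vulnerability Management until the fix is deleted and re-imported; checking what `vendor_from_reference` returns for your tenant's references before the first full run is cheaper than cleaning up afterwards.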
