The Vulcan integration with CrowdStrike has multiple capabilities that can be configured in the connector:
Use CrowdStrike Falcon asset inventory in Vulcan.
Manage vulnerability remediation from CrowdStrike Spotlight using Vulcan.
Take remediation actions from Vulcan using Real Time Response (RTR).
CrowdStrike Spotlight must be enabled in your CrowdStrike tenant to view vulnerabilities. If you start a trial from the CrowdStrike Store, Spotlight is enabled automatically.
To use remediation actions, you must enable the integration from the CrowdStrike Store and configure the Real Time Response scripting policy (the response policy that allows custom scripts to run on your hosts).
This guide covers:
Configure the connector
CrowdStrike as an Asset Inventory
CrowdStrike as a VM tool
CrowdStrike - Real-Time Response (RTR)
Re-generate Access Token
Configure the connector
In the CrowdStrike Falcon platform, create an API client:
Note: Only users with the Falcon Administrator role can view, create, or modify API clients and keys.
Sign in to the Falcon console and go to Support >> API Clients and Keys.
Click Add new API client.
Enter a descriptive Client name that identifies your API client in Falcon and in API action logs.
(Optional) Enter a Description, such as your API client's intended purpose.
Grant the following API scopes:
Hosts: Read
Host groups: Read
Spotlight vulnerabilities: Read (optional; required for the Spotlight capability)
Real time response (admin): Write (optional; required for remediation actions)
Real time response: Read, Write (optional; required for remediation actions)
Note: The optional scopes are only needed for the capabilities you enable in the connector. Without them, Spotlight vulnerability data and Real Time Response actions will not be available in the Vulcan platform. Grant them only if you intend to use those capabilities: the Real time response (admin) Write scope lets whoever holds the credentials run arbitrary scripts on every host the client can reach, so it belongs on a dedicated API client used by this connector and nothing else.
Click Add to create the API client.
Copy the Client ID and Secret to a safe place for use in the next step. The secret is shown only once, at creation; if you lose it you have to reset it from API Clients and Keys.
In Vulcan, go to Connectors > Add a new connector > CrowdStrike.
Set the API URL / Region, Client ID and Client Secret retrieved above. The region must match your Falcon tenant (for example US-1, US-2, EU-1 or US-GOV-1); with the wrong region the connectivity test fails even when the credentials are valid.
Check the "Spotlight" option if relevant (requires the Spotlight vulnerabilities: Read scope).
Check the "Real Time Response" option if relevant (requires the Real time response scopes).
Click "Test Connectivity". If successful, click Create.
Wait until the connector finishes processing. Once it completes, you can start reviewing the data in the Vulcan platform.
CrowdStrike as an Asset Inventory
Vulcan's CrowdStrike connector pulls all assets managed by CrowdStrike and displays them as hosts. These assets are automatically correlated with assets from other inventory sources, such as ServiceNow or cloud providers.
Additional asset information is shown on each asset in the Asset Details tab.
CrowdStrike as a VM tool
See all vulnerabilities under the Vulnerabilities tab. You can filter by vulnerability source = CrowdStrike.
Each vulnerability carries the CVE, score and solution reported by CrowdStrike; the Vulcan platform adds its own calculated risk score.
Each vulnerability is fetched from the connector with one of the statuses "Vulnerable", "Fixed" or "Ignored" (Risk_Acknowledged). Vulnerabilities with the Ignored status appear under the Ignored tab on the Vulnerabilities page.
Each vulnerability is enriched with threat intelligence provided by Vulcan. Note that CrowdStrike threat intelligence is not available at this time.
The vulnerability description is taken from NVD.
CrowdStrike - Real-Time Response (RTR)
• Take action -> CrowdStrike.
Each workaround can be modified with different actions and values.
Once a workaround is selected, Vulcan automatically triggers a CrowdStrike Real Time Response script (PowerShell based) that applies it. Review the workaround's actions and values before confirming: RTR executes the script on the target hosts with system-level privileges, so a wrong value is applied at scale.
• After the action is taken, the open campaign is shown under the Campaigns tab.
By orchestrating the entire remediation process from start to finish and providing advanced analytics, Vulcan helps your team drive remediation outcomes, ensuring vulnerabilities aren't just found, they're fixed.
For fetching host data, the connector uses the following query_url:
For fetching vulnerability data, the connector uses the following query_url:
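The connector's own query_url values are not reproduced on this page. The Python below is an added example, not Vulcan's or CrowdStrike's code, of what the "Test Connectivity" step in the connector configuration and the host and vulnerability fetches described above involve: an OAuth2 client-credentials exchange against the Falcon /oauth2/token endpoint, a Hosts: Read query against /devices/queries/devices/v1, and a Spotlight vulnerabilities: Read query against /spotlight/combined/vulnerabilities/v1. The endpoint paths, the region base URLs, the FalconClient and check_capabilities names and the fake_transport responses are assumptions made for this example; the connector may use different endpoints and filters.

```python
"""Added example, not Vulcan's or CrowdStrike's code: the OAuth2 client-credentials exchange
plus the two read-only Falcon API queries a connector like this needs (hosts and Spotlight
vulnerabilities). The HTTP transport is injectable so the flow runs offline against
constructed responses; pass urllib_transport (the default) to talk to a real tenant."""
import json
import time
import urllib.error
import urllib.parse
import urllib.request

# Public Falcon API base URLs by region (assumption: choose the one matching your tenant).
REGION_URLS = {"us-1": "https://api.crowdstrike.com", "us-2": "https://api.us-2.crowdstrike.com",
               "eu-1": "https://api.eu-1.crowdstrike.com", "us-gov-1": "https://api.laggar.gcw.crowdstrike.com"}


def urllib_transport(method, url, headers, body):
    """Real transport: (method, url, headers, body bytes or None) -> (status, response bytes)."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


class FalconClient:
    def __init__(self, region, client_id, client_secret, transport=urllib_transport):
        self.base = REGION_URLS[region]
        self.client_id = client_id
        self.client_secret = client_secret  # keep out of logs and error messages
        self.transport = transport
        self._token, self._expires_at = None, 0.0

    def token(self):
        """Bearer token via client credentials, cached and refreshed 60 s before it expires."""
        if self._token and time.time() < self._expires_at - 60:
            return self._token
        form = urllib.parse.urlencode({"client_id": self.client_id,
                                       "client_secret": self.client_secret}).encode()
        status, raw = self.transport("POST", self.base + "/oauth2/token",
                                     {"Content-Type": "application/x-www-form-urlencoded"}, form)
        if status not in (200, 201):
            # This is what the connector sees after "Reset secret" until it has the new secret.
            raise PermissionError("token request rejected with HTTP %d" % status)
        data = json.loads(raw)
        self._token = data["access_token"]
        self._expires_at = time.time() + float(data.get("expires_in", 1799))
        return self._token

    def _get(self, path, params):
        url = self.base + path + "?" + urllib.parse.urlencode(params)
        status, raw = self.transport("GET", url, {"Authorization": "Bearer " + self.token()}, None)
        if status == 403:
            # Credentials are valid, but the API client was not granted this endpoint's scope.
            raise PermissionError("API client lacks the scope for " + path)
        if status != 200:
            raise RuntimeError("%s returned HTTP %d" % (path, status))
        return json.loads(raw)

    def host_ids(self, limit=100):
        """Needs Hosts: Read. One page of device IDs (a full sync pages with offset)."""
        return self._get("/devices/queries/devices/v1", {"limit": limit})["resources"]

    def open_vulnerabilities(self, limit=100):
        """Needs Spotlight vulnerabilities: Read. The FQL filter keeps only open findings."""
        return self._get("/spotlight/combined/vulnerabilities/v1",
                         {"filter": "status:'open'", "limit": limit})["resources"]


def check_capabilities(client):
    """Connectivity test: authenticate, then probe the scope each connector capability needs."""
    result = {"auth": False, "hosts": False, "spotlight": False}
    try:
        client.token()
        result["auth"] = True
    except PermissionError:
        return result  # bad secret or wrong region: nothing else can work
    for key, call in (("hosts", client.host_ids), ("spotlight", client.open_vulnerabilities)):
        try:
            call(limit=1)
            result[key] = True
        except PermissionError:
            pass  # scope not granted; the matching connector option should stay unchecked
    return result


def fake_transport(method, url, headers, body):
    """Constructed stand-in for a tenant whose API client has Hosts: Read but no Spotlight scope."""
    if url.endswith("/oauth2/token"):
        if dict(urllib.parse.parse_qsl(body.decode())).get("client_secret") != "good-secret":
            return 401, b'{"errors":[{"code":401,"message":"constructed: bad credentials"}]}'
        return 201, b'{"access_token":"tok","expires_in":1799,"token_type":"bearer"}'
    if headers.get("Authorization") != "Bearer tok":
        return 401, b'{}'
    if "/devices/queries/devices/v1" in url:
        return 200, b'{"resources":["0123456789abcdef0123456789abcdef"],"meta":{}}'
    if "/spotlight/combined/vulnerabilities/v1" in url:
        return 403, b'{"errors":[{"code":403,"message":"constructed: access denied"}]}'
    return 404, b'{}'
```

To run this against a real tenant, construct FalconClient with the default transport and call check_capabilities. An all-False result means the secret or region is wrong (what the connector reports right after a secret reset until the new value is pasted in); auth True with spotlight False means the API client was created without the Spotlight vulnerabilities: Read scope, so the "Spotlight" option should stay unchecked until that scope is granted.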
Re-generate Access Token
CrowdStrike requires its users to regenerate the API client secret every 3 months (the short-lived access token itself is obtained from the secret automatically by the connector). It can be done from the CrowdStrike interface using the following steps:
Log in to your CrowdStrike Falcon account.
Click the CrowdStrike icon in the upper left corner.
Go to Support >> API Clients and Keys.
Find the API client (Client ID) configured in Vulcan.
Click on it >> Reset secret. The old secret stops working as soon as the new one is generated, so the connector cannot authenticate until Vulcan has the new value.
Copy the new secret and paste it into the "Client Secret" field of the CrowdStrike connector in Vulcan.
Click OK and you're ready to go.