The Vulcan integration with CrowdStrike has multiple capabilities that can be configured in the connector.

  • Use CrowdStrike Falcon asset inventory in Vulcan.

  • Manage vulnerability remediation from CrowdStrike Spotlight using Vulcan.

  • Take remediation actions from Vulcan using real-time response.

Preconditions:

  • CrowdStrike Spotlight needs to be enabled in CrowdStrike to view vulnerabilities. If starting a trial from the CrowdStrike Store, Spotlight will be enabled automatically.

  • To use remediation actions, you must enable the integration from the CrowdStrike Store and enable the scripting policy.

This guide will cover:

  • Configuring the connector

  • Viewing Assets

  • Viewing Vulnerabilities

  • Take Action with remediation actions

Configure the connector

In the CrowdStrike Falcon platform, create an API client.
* Only the Falcon Administrator role can view, create, or modify API clients and keys.
a. Sign in to the Falcon console.
b. Go to Support > API Clients and Keys.
c. Click Add new API client.
d. Enter a descriptive Client name that identifies your API client in Falcon and in API action logs.
e. (Optional) Enter a Description, such as your API client's intended purpose.
f. Select the Detections, Hosts, Host groups and Real-time response (admin) API scopes.
g. Click Save.

The required API permissions are defined under API client > Scopes and are as follows (grant only what is listed; scopes marked None are not needed by the connector):

  • Device control policies - PERMISSIONS: None

  • AWS accounts - PERMISSIONS: Read, Write

  • Custom IOA rules - PERMISSIONS: None

  • Detections - PERMISSIONS: Read, Write

  • Hosts - PERMISSIONS: Read, Write

  • Actors (Falcon X) - PERMISSIONS: None

  • Reports (Falcon X) - PERMISSIONS: None

  • Host groups - PERMISSIONS: Read, Write

  • Incidents - PERMISSIONS: None

  • Installation Tokens - PERMISSIONS: None

  • IOCs (Indicators of Compromise) - PERMISSIONS: Read, Write

  • Machine Learning Exclusions - PERMISSIONS: None

  • Prevention policies - PERMISSIONS: Read, Write

  • Real-time response (admin) - PERMISSIONS: Write

  • Real-time response - PERMISSIONS: Read, Write

  • IOA Exclusions - PERMISSIONS: None

  • Sensor Download - PERMISSIONS: None

  • Sensor update policies - PERMISSIONS: Read, Write

  • Sensor Visibility Exclusions - PERMISSIONS: None

  • Spotlight vulnerabilities - PERMISSIONS: Read

  • Event streams - PERMISSIONS: Read

  • User management - PERMISSIONS: Read, Write

  • Zero Trust Assessment - PERMISSIONS: None

In Vulcan, go to Connectors and choose CrowdStrike. Ensure all fields are configured as pictured below.



CrowdStrike as an Asset Inventory

Vulcan's CrowdStrike connector pulls all the assets that are managed by CrowdStrike and displays them as hosts. These assets are automatically correlated with assets from other inventory tools, such as ServiceNow or cloud providers.

Additional Asset information can be found on each asset in the Asset Details tab.



CrowdStrike as a VM tool

See all vulnerabilities under the Vulnerabilities tab. You can filter by vulnerability source = CrowdStrike.

Each vulnerability carries the CVE, score and solution reported by CrowdStrike. Vulcan adds its own calculated risk score.

Each vulnerability is enriched with threat intelligence provided by Vulcan.

Note that CrowdStrike threat intelligence is not available at this time.

Vulnerability description from NVD


CrowdStrike - Real-Time Response (RTR)

• Take action -> CrowdStrike

Each workaround can be modified with different actions and values.
Once a workaround is selected, Vulcan automatically triggers a CrowdStrike script (PowerShell based) that applies the chosen workaround.

• After the action is taken, the open campaign appears under the Campaigns tab.

By orchestrating the entire remediation process from start to finish and providing advanced analytics, Vulcan helps your team drive remediation outcomes, ensuring vulnerabilities aren’t just found, they’re fixed.

Notes

  • For fetching hosts data, we use in the query_url:

```python
f'/devices/queries/devices-scroll/v1?filter=last_seen:>\'{self.DAYS-AGO}\'&'
```

  • For fetching vulnerabilities data, we use in the query_url:

```python
f'/spotlight/queries/vulnerabilities/v1?filter=updated_timestamp:>\'{self.DAYS-AGO}\'&'
```

In both URLs `{self.DAYS-AGO}` is a placeholder for the connector's lookback cutoff, an ISO 8601 timestamp (for example '2024-03-01T00:00:00Z') used in the FQL filter, so only hosts seen, or vulnerabilities updated, after that point are fetched; the trailing `&` leaves room for further query parameters such as paging.
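As an added example (not the Vulcan connector's own code), the following Python builds the two query URLs shown above with the lookback cutoff computed as an ISO 8601 timestamp and the FQL filter URL-encoded, then pages through results until the API stops returning a cursor. It assumes the `limit` parameter and the pagination keys (`meta.pagination.offset` for devices-scroll, `meta.pagination.after` for Spotlight), which are not on this page; the in-memory API and the IDs it serves are constructed sample data.

```python
"""Build and page the CrowdStrike query URLs used by the connector.

Added example, not the connector's code. Assumed (not on the page): FQL
timestamps look like 'YYYY-MM-DDTHH:MM:SSZ', each endpoint takes a `limit`
parameter, and the next-page cursor is returned under meta.pagination.<key>
(`offset` for devices-scroll, `after` for Spotlight). The fake API below
is constructed sample data standing in for a real server.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, quote, urlparse

HOSTS_PATH = "/devices/queries/devices-scroll/v1"
VULNS_PATH = "/spotlight/queries/vulnerabilities/v1"

# Constructed fixed "now" and IDs so the run is reproducible offline.
SAMPLE_NOW = datetime(2024, 3, 31, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_HOST_IDS = [f"constructed-aid-{i}" for i in range(1, 6)]
SAMPLE_VULN_IDS = [f"constructed-vuln-{i}" for i in range(1, 8)]


def fql_cutoff(now, days_ago):
    """ISO 8601 UTC timestamp `days_ago` days before `now`, as used in the FQL filter."""
    return (now - timedelta(days=days_ago)).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_query_url(path, field, days_ago, now=None, limit=100,
                    cursor=None, cursor_key="offset"):
    """Assemble <path>?filter=<field>:>'<cutoff>'&limit=N[&<cursor_key>=...].

    The filter is percent-encoded so the quotes, ':' and '>' survive transport.
    """
    now = now or datetime.now(timezone.utc)
    fql = f"{field}:>'{fql_cutoff(now, days_ago)}'"
    url = f"{path}?filter={quote(fql, safe='')}&limit={limit}"
    if cursor:
        url += f"&{cursor_key}={quote(cursor, safe='')}"
    return url


def collect_ids(fetch_page, path, field, days_ago, now=None, limit=100,
                cursor_key="offset", max_pages=1000):
    """Follow pagination cursors and return every resource ID.

    Stops when the API returns no cursor or an empty page; max_pages guards
    against a server that keeps handing back the same cursor.
    """
    ids, cursor = [], None
    for _ in range(max_pages):
        url = build_query_url(path, field, days_ago, now, limit, cursor, cursor_key)
        page = fetch_page(url)
        resources = page.get("resources", [])
        ids.extend(resources)
        cursor = page.get("meta", {}).get("pagination", {}).get(cursor_key)
        if not cursor or not resources:
            break
    else:
        raise RuntimeError("pagination did not terminate")
    return ids


def make_fake_api(all_ids, cursor_key="offset"):
    """Constructed in-memory stand-in for a query endpoint (sample data only).

    Parses the URL the way a server would: refuses requests with no filter,
    honours `limit`, and treats the cursor as a numeric position.
    """
    def fetch_page(url):
        params = parse_qs(urlparse(url).query)
        if "filter" not in params:
            raise ValueError("filter parameter missing: unbounded query refused")
        limit = int(params.get("limit", ["100"])[0])
        start = int(params.get(cursor_key, ["0"])[0])
        chunk = all_ids[start:start + limit]
        nxt = str(start + limit) if start + limit < len(all_ids) else None
        return {"resources": chunk,
                "meta": {"pagination": {cursor_key: nxt, "total": len(all_ids)}}}
    return fetch_page


if __name__ == "__main__":
    print(build_query_url(HOSTS_PATH, "last_seen", 30, now=SAMPLE_NOW))
    hosts = collect_ids(make_fake_api(SAMPLE_HOST_IDS), HOSTS_PATH,
                        "last_seen", 30, now=SAMPLE_NOW, limit=2)
    vulns = collect_ids(make_fake_api(SAMPLE_VULN_IDS, "after"), VULNS_PATH,
                        "updated_timestamp", 7, now=SAMPLE_NOW, limit=3,
                        cursor_key="after")
    print(len(hosts), "hosts,", len(vulns), "vulnerabilities")
```

The cursor key is passed in rather than hard-coded because the two endpoints page differently; the fake server's refusal of a request without a filter mirrors why the connector always bounds the query by `last_seen` or `updated_timestamp`.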
