The Vulcan integration with CrowdStrike has multiple capabilities that can be configured in the connector.
Use Crowdstrike Falcon asset inventory in Vulcan.
Manage vulnerability remediation from CrowdStrike Spotlight using Vulcan.
Take remediation actions from Vulcan using real-time response.
CrowdStrike Spotlight needs to be enabled in CrowdStrike to view vulnerabilities. If starting a trial from the CrowdStrike store, spotlight will be automatically enabled.
To use remediation actions, you must enable the integration from the CrowdStrike store and scripting policy.
This guide will cover:
Configure the connector
In the CrowdStrike falcon platform create API client
* only Falcon Administrator role can view, create, or modify API clients or keys
a. Sign in to the Falcon console
b. Go to Support > API Clients and Keys
c. Click Add new API client
d. Enter a descriptive Client name that identifies your API client in Falcon and in API action logs
e. (Optional) Enter a Description, such as your API client's intended purpose
f. Select Detections, Hosts, Hosts groups, REAL-TIME RESPONSE (ADMIN) API scopes g. Click on "Save"
The required API permissions can be defined under API client > Scopes and are as follows:
Device control policies - PERMISSIONS: None
AWS accounts - PERMISSIONS: Read, Write
Custom IOA rules - PERMISSIONS: None
Detections - PERMISSIONS: Read, Write
Hosts - PERMISSIONS: Read, Write
Actors (Falcon X) - PERMISSIONS: None
Reports (Falcon X) - PERMISSIONS: None
Host groups - PERMISSIONS: Read, Write
Incidents - PERMISSIONS: None
Installation Tokens - PERMISSIONS: None
IOCs (Indicators of Compromise) - PERMISSIONS: Read, Write
Machine Learning Exclusions - PERMISSIONS: None
Prevention policies - PERMISSIONS: Read, Write
Real-time response (admin) - PERMISSIONS: Write
Real-time response - PERMISSIONS: Read, Write
IOA Exclusions - PERMISSIONS: None
Sensor Download - PERMISSIONS: None
Sensor update policies - PERMISSIONS: Read, Write
Sensor Visibility Exclusions - PERMISSIONS: None
Spotlight vulnerabilities - PERMISSIONS: Read
Event streams - PERMISSIONS: Read
User management - PERMISSIONS: Read, Write
Zero Trust Assessment - PERMISSIONS: None
In Vulcan: go to connectors and choose CrowdStrike. Ensure all fields are configured as pictured below.
CrowdStrike as an Asset Inventory
Vulcan's CrowdStrike connector will pull all the assets that are managed by CrowdStrike and display them as hosts. The asset will automatically correlate with asset inventory tools such as Service Now or cloud providers.
Additional Asset information can be found on each asset in the Asset Details tab.
CrowdStrike as a VM tool
See all vulnerabilities under the vulnerabilities tab. You can filter by vulnerability source = CrowdStrike
Each vulnerability has CVE, Score, Solution from CrowdStrike. The Vulcan platform adds a risk score calculated by the Vulcan platform.
Each vulnerability is enriched with threat intelligence provided by Vulcan.
Note that CrowdStrike threat intelligence is not available at this time.
Vulnerability description from NVD
CrowdStrike - Real-Time Response (RTR)
• Take action -> CrowdStrike
Each workaround can be modified with different actions and values.
Once the workaround is selected - we automatically trigger a CrowdStrike script that applies the chosen workaround (PowerShell based).
• After the action will be taken, you will see the open campaign under the campaigns tab.
By orchestrating the entire remediation process from start to finish and providing advanced analytics Vulcan helps your team drive remediation outcomes, ensuring vulnerabilities aren’t just found, they’re fixed.
For fetching hosts data, we use in the query_url:
For fetching vulnerabilities data, we use in the query_url:
Re-generate Access Token
CrowdStrike requires its users to regenerate the access token every 3 months. It can be done easily from the CS interface using the following steps:
Log in to your CrowdStrike Falcon account.
Click on the CS icon in the upper left corner.
Go to Support >> API Clients and Keys
Choose the Account ID configured in Vulcan.
Click on the account ID >> Reset secret.
After a new secret is generated, copy it and paste it to the "Client Secret" field in Vulcan.
Click OK and you're ready to go.