CrowdStrike Connector

Learn all about integrating CrowdStrike into the Vulcan Platform

Updated over a week ago


About CrowdStrike

CrowdStrike is cloud-delivered endpoint protection. CrowdStrike Falcon unifies next-generation antivirus, endpoint detection and response (EDR), and a 24/7 threat-hunting service — all delivered via a single lightweight agent

Why integrating CrowdStrike into the Vulcan platform?

The CrowdStrike Connector by Vulcan integrates with the CrowdStrike Falcon platform to pull and ingest host-type assets and vulnerability data into your Vulcan Platform. Once the integration is complete, the Vulcan Platform scans the report's findings to correlate, consolidate, and contextualize the ingested data to impact risk and remediation priority based on your business context. The integration also allows you to:

  • Use Crowdstrike Falcon asset inventory in the Vulcan Platform

  • Manage vulnerability remediation from CrowdStrike Spotlight using the Vulcan Platform

  • Take remediation actions through the Vulcan Platform using real-time response

CrowdStrike Connector details

The Vulcan Platform ingests CrowdStrike hosts and vulnerabilities through API.

Supported products

CrowdStrike Falcon


Endpoint Security

Ingested asset type(s)


Integration type

UNI directional (data is transferred from CrowdStrike Falcon to the Vulcan Platform in one direction)

Supported version and type

SaaS (latest)

Connector Setup

Prerequisites and user permissions

Before you begin configuring the connector, make sure to perform the following:

Generate CrowdStrike Client API and Secret Key

Some CrowdStrike accounts are divided into multiple customers, with multiple CIDs, each customer has its own CID. The CIDs are arranged in a parent/child (member) hierarchy.
A parent CID has access to all of the account’s hosts, including those associated with its child CIDs. Only the child CID has access to its own host groups and vulnerabilities.

Make sure to create the API Client using the appropriate user.

  1. Go to CrowdStrike console > Menu > Support and resources

  2. In the Support and resources menu, select API clients and keys

  3. Click on Add new API client, on the upper right part of the screen

  4. Insert the desired CLIENT NAME and description

  5. For API SCOPES, check the following permissions:

    Mandatory (both or one of the below):

    • Hosts - Read

    • Hosts Groups - Read


    • Spotlight vulnerabilities: Read

  6. Click Add to generate the API client.

  7. Copy-paste the CLIENT ID, SECRET and BASE URL into a safe place.

Configuring the CrowdStrike Connector

  1. Log in to your Vulcan Cyber dashboard and go to Connectors.

  2. Click on Add a Connector.

  3. Click on the CrowdStrike icon.

  4. Set up the connector as follows:

    • Select the API URL option that is relevant to your Base URL:

      "US_1": "",
      "US_GOV_1": "",
      "EU_1": "",
      "US_2": ""
    • Insert the Client ID and Slient Secret key you generated earlier.

  5. Check the "Fetch Spotlight vulnerability information" option if relevant.

  6. Click the Test Connectivity button to verify that Vulcan Cyber can connect to your CrowdStrike instance, then click Create (or Save Changes).

  7. Inactive Assets: You can configure a Vulcan rule to consider inactive assets, and Vulcan will remove assets that do not appear in scans within the configured time range.

  8. Allow some time for the sync to complete. Then, you can review the sync status under Log.

  9. To confirm the sync is complete, navigate to the Connectors tab to check the sync status. Once the CrowdStrike icon shows Connected, the connection is complete.

CrowdStrike in the Vulcan Platform

Locating CrowdStrike vulnerabilities in the Vulcan Platform

As CrowdStrike discovers vulnerabilities, the Vulcan Platform Connector imports those vulnerabilities for reporting and action. You can view vulnerabilities via Connector by using the relevant filter:

  1. Open the Vulcan Platform dashboard and navigate to the Vulnerabilities.

  2. Click on the Search or filter vulnerabilities search box, scroll to the Vulnerability Source option, and click to filter by the vulnerability source.

  3. Locate CrowdStrike on the vulnerability source/Connector list and click to filter results.

  4. Click on any vulnerability to view further information.

Locating CrowdStrike Host assets in the Vulcan Platform

To locate all retrieved host assets from CrowdStrike Insight VM:

  1. Open the Vulcan Cyber dashboard and navigate to Assets.

  2. Click on the Hosts tab.

  3. Click on the Search or filter websites input box and select Connector from the drop-down selection.

  4. Locate the CrowdStrike option to view all synced assets.

Automating actions on vulnerabilities detected by CrowdStrike

Large environments quickly become unmanageable if constant manual attention and effort are necessary to remediate vulnerabilities. You can take advantage of the automation capabilities of Vulcan Cyber and the CrowdStrike Connector.

Click here to learn how to create automation in the Vulcan Cyber Platform.

From CrowdStrike to the Vulcan Platform - Data Mapping

The Vulcan Platform integrates with CrowdStrike Falcon through API to pull relevant vulnerabilities and assets data and map it into the Vulcan Platform.

Hosts mapping

CrowdStrike field

Vulcan field

crowdstrike server + device id

Uniqueness criteria


Asset Name

server = models.ForeignKey(CrowdstrikeServer, on_delete=models.CASCADE) device_id = models.TextField() hostname = models.TextField() external_ip = models.TextField() local_ip = models.TextField() mac_address = models.TextField() os = models.TextField() os_version = models.TextField() containment_status = models.TextField() raw_data = models.JSONField() host_groups = models.ManyToManyField("CrowdstrikeHostGroup", related_name="hosts")

tracking_method = models.CharField(max_length=200, null=True) # Deprecated, to delete last_seen = models.DateTimeField(null=True) first_seen = models.DateTimeField(null=True) state = models.CharField(max_length=200, default="")

scanned = models.BooleanField(null=True) native_raw_json = models.JSONField(default=dict, null=True) vulcan_created_date = models.DateTimeField(null=True, default=now, editable=False)
server = models.IntegerField() vulcan_update_timestamp = models.DateTimeField(null=True)


Asset details


Asset type

local_ip, external_ip





OS Version

by IP

External facing

first scan date (in vulcan)

Created date


Last seen date


Multiple mac addresses

tags, host groups
tags from assignment rules aren’t supported

Asset Tags - Vendor’s tags

product_type_desc, CID

Asset Tags - Additional

native_host, report_item, external_id, server

Vulnerability instance uniqueness criteria


Vulnerability instance first seen


Vulnerability instance Last seen

cvss score - random between instances

Vulnerability instance score

None - has no meaning for Hosts

Vulnerability instance location path

if not status:     return VulnerabilityStatusEnum.VULNERABLE.value if status in [CsVulnStatus.OPEN.value, CsVulnStatus.REOPENED.value, CsVulnStatus.REOPEN.value]:     return VulnerabilityStatusEnum.VULNERABLE.value elif status == CsVulnStatus.CLOSED.value:     return VulnerabilityStatusEnum.FIXED.value else:     return VulnerabilityStatusEnum.RISK_ACKNOWLEDGED.value

Vulnerability instance status changes (including resurface)

server, cve

Unique Vulnerability uniqueness criteria

cve (

Vulnerability title


Vulnerability score


Vulnerability details

if not status:     return VulnerabilityStatusEnum.VULNERABLE.value if status in [CsVulnStatus.OPEN.value, CsVulnStatus.REOPENED.value, CsVulnStatus.REOPEN.value]:     return VulnerabilityStatusEnum.VULNERABLE.value elif status == CsVulnStatus.CLOSED.value:     return VulnerabilityStatusEnum.FIXED.value else:     return VulnerabilityStatusEnum.RISK_ACKNOWLEDGED.value

Vulnerability status





technical score - fields and fallback: cve.base_score


Tags impact - specify:

Risk calculation

remediation title

Fix title

remediation action

Fix description

remediation references

Fix references


Asset - Vulnerability instance connection (info tool tip)

Vulnerability status mapping

CrowdStrike status

Vulcan status






Ignored - risk acknowledged

Vulnerability score mapping

CrowdStrike score

Vulcan score











Update Mechanisms

Status update mechanisms

Every day, the Vulcan Platform syncs with the vendor's platform to receive updates on existing vulnerabilities and assets and to retrieve new ones (if any were added).

The table below describes how the status update mechanism works in the CrowdStrike connector for the CrowdStrike vulnerabilities and assets ingested into the Vulcan Platform.

Update type


Archiving Assets

Asset that appears on Vulcan and isn't returned on the next connector’s sync.

Change of vulnerability instances status from "Vulnerable" to "Fixed"

Vulnerability status changes to "fixed" upon the status change to fix/closed on the vendor's side ("CLOSED").

Note: Asset or vulnerability updates on the vendor side are reflected on the Vulcan Platform only when the next scheduled connector sync time is complete.

API Endpoints in use


Use in Vulcan

Permissions required


Generate access tokens for running other APIs



Collect host IDs for running other APIs

Hosts (read)


Assets (hosts)

Hosts (read)


Asset enrichment (host groups)

Hosts groups (read)


Asset enrichment (host groups)

Hosts groups (read)


Vulnerabilities and solutions

Spotlight vulnerabilities (read)

Data Validation

How do I validate and compare the data between CrowdStrike and the Vulcan Platform?

Assets data validation

Crowdstrike’s managed assets count should match the CrowStrike assets count on the Vulcan Platform.

Vulnerabilities data validation

Crowdstike’s CVEs list counts all CVE instances, while Vulcan counts unique CVEs.

Vulcan’s unique criteria of crowdstrike's vulnerabilities is the CVE ID. Therefore, the vulnerabilities number on the Vulcan Platform is usually lower than the number in crowdstrike, or the same in case there are no CVE duplications.

For example (see screenshot below):
On the CrowdStrike platform, the highlighted CVE applies to 2 products and is presented as 2 vulnerabilities. However, on the Vulcan Platform, the same CVE is presented as one finding and applies to 2 assets.

Did this answer your question?