Overview
About CrowdStrike
CrowdStrike is cloud-delivered endpoint protection. CrowdStrike Falcon unifies next-generation antivirus, endpoint detection and response (EDR), and a 24/7 threat-hunting service — all delivered via a single lightweight agent
Why integrating CrowdStrike into the Vulcan platform?
The CrowdStrike Connector by Vulcan integrates with the CrowdStrike Falcon platform to pull and ingest host-type assets and vulnerability data into your Vulcan Platform. Once the integration is complete, the Vulcan Platform scans the report's findings to correlate, consolidate, and contextualize the ingested data to impact risk and remediation priority based on your business context. The integration also allows you to:
Use Crowdstrike Falcon asset inventory in the Vulcan Platform
Manage vulnerability remediation from CrowdStrike Spotlight using the Vulcan Platform
Take remediation actions through the Vulcan Platform using real-time response
CrowdStrike Connector details
The Vulcan Platform ingests CrowdStrike hosts and vulnerabilities through API.
Supported products | CrowdStrike Falcon |
Category | Endpoint Security |
Ingested asset type(s) | Hosts |
Integration type | UNI directional (data is transferred from CrowdStrike Falcon to the Vulcan Platform in one direction) |
Supported version and type | SaaS (latest) |
Connector Setup
Prerequisites and user permissions
Before you begin configuring the connector, make sure to perform the following:
Enable CrowdStrike Spotlight on the CrowdStrike console.
Generate CrowdStrike Client API and Secret Key
Some CrowdStrike accounts are divided into multiple customers, with multiple CIDs, each customer has its own CID. The CIDs are arranged in a parent/child (member) hierarchy.
A parent CID has access to all of the account’s hosts, including those associated with its child CIDs. Only the child CID has access to its own host groups and vulnerabilities.
Make sure to create the API Client using the appropriate user.
Go to CrowdStrike console > Menu > Support and resources
In the Support and resources menu, select API clients and keys
Click on Add new API client, on the upper right part of the screen
Insert the desired CLIENT NAME and description
For API SCOPES, check the following permissions:
Mandatory (both or one of the below):
Hosts - Read
Hosts Groups - Read
Optional:
Spotlight vulnerabilities: Read
Click Add to generate the API client.
Copy-paste the CLIENT ID, SECRET and BASE URL into a safe place.
Configuring the CrowdStrike Connector
Log in to your Vulcan Cyber dashboard and go to Connectors.
Click on Add a Connector.
Click on the CrowdStrike icon.
Set up the connector as follows:
Select the API URL option that is relevant to your Base URL:
"US_1": "api.crowdstrike.com",
"US_GOV_1": "api.laggar.gcw.crowdstrike.com",
"EU_1": "api.eu-1.crowdstrike.com",
"US_2": "api.us-2.crowdstrike.com"Insert the Client ID and Slient Secret key you generated earlier.
Check the "Fetch Spotlight vulnerability information" option if relevant.
Click the Test Connectivity button to verify that Vulcan Cyber can connect to your CrowdStrike instance, then click Create (or Save Changes).
Inactive Assets: You can configure a Vulcan rule to consider inactive assets, and Vulcan will remove assets that do not appear in scans within the configured time range.
Allow some time for the sync to complete. Then, you can review the sync status under Log.
To confirm the sync is complete, navigate to the Connectors tab to check the sync status. Once the CrowdStrike icon shows Connected, the connection is complete.
CrowdStrike in the Vulcan Platform
Locating CrowdStrike vulnerabilities in the Vulcan Platform
As CrowdStrike discovers vulnerabilities, the Vulcan Platform Connector imports those vulnerabilities for reporting and action. You can view vulnerabilities via Connector by using the relevant filter:
Open the Vulcan Platform dashboard and navigate to the Vulnerabilities.
Click on the Search or filter vulnerabilities search box, scroll to the Vulnerability Source option, and click to filter by the vulnerability source.
Locate CrowdStrike on the vulnerability source/Connector list and click to filter results.
Click on any vulnerability to view further information.
Locating CrowdStrike Host assets in the Vulcan Platform
To locate all retrieved host assets from CrowdStrike Insight VM:
Open the Vulcan Cyber dashboard and navigate to Assets.
Click on the Hosts tab.
Click on the Search or filter websites input box and select Connector from the drop-down selection.
Locate the CrowdStrike option to view all synced assets.
Automating actions on vulnerabilities detected by CrowdStrike
Large environments quickly become unmanageable if constant manual attention and effort are necessary to remediate vulnerabilities. You can take advantage of the automation capabilities of Vulcan Cyber and the CrowdStrike Connector.
Click here to learn how to create automation in the Vulcan Cyber Platform.
From CrowdStrike to the Vulcan Platform - Data Mapping
The Vulcan Platform integrates with CrowdStrike Falcon through API to pull relevant vulnerabilities and assets data and map it into the Vulcan Platform.
Hosts mapping
CrowdStrike field | Vulcan field |
crowdstrike server + device id | Uniqueness criteria |
hostname | Asset Name |
server = models.ForeignKey(CrowdstrikeServer, on_delete=models.CASCADE) device_id = models.TextField() hostname = models.TextField() external_ip = models.TextField() local_ip = models.TextField() mac_address = models.TextField() os = models.TextField() os_version = models.TextField() containment_status = models.TextField() raw_data = models.JSONField() host_groups = models.ManyToManyField("CrowdstrikeHostGroup", related_name="hosts")tracking_method = models.CharField(max_length=200, null=True) # Deprecated, to delete last_seen = models.DateTimeField(null=True) first_seen = models.DateTimeField(null=True) state = models.CharField(max_length=200, default="") scanned = models.BooleanField(null=True) native_raw_json = models.JSONField(default=dict, null=True) vulcan_created_date = models.DateTimeField(null=True, default=now, editable=False) server = models.IntegerField() vulcan_update_timestamp = models.DateTimeField(null=True) first_seen | Asset details |
Hosts | Asset type |
local_ip, external_ip | IP |
os_version | OS |
major_version.minor_version | OS Version |
by IP | External facing |
first scan date (in vulcan) | Created date |
last_seen | Last seen date |
mac_address | Multiple mac addresses |
tags, host groups | Asset Tags - Vendor’s tags |
product_type_desc, CID | Asset Tags - Additional |
native_host, report_item, external_id, server | Vulnerability instance uniqueness criteria |
created_timestamp | Vulnerability instance first seen |
updated_timestamp | Vulnerability instance Last seen |
cvss score - random between instances | Vulnerability instance score |
None - has no meaning for Hosts | Vulnerability instance location path |
if not status: return VulnerabilityStatusEnum.VULNERABLE.value if status in [CsVulnStatus.OPEN.value, CsVulnStatus.REOPENED.value, CsVulnStatus.REOPEN.value]: return VulnerabilityStatusEnum.VULNERABLE.value elif status == CsVulnStatus.CLOSED.value: return VulnerabilityStatusEnum.FIXED.value else: return VulnerabilityStatusEnum.RISK_ACKNOWLEDGED.value
| Vulnerability instance status changes (including resurface) |
server, cve | Unique Vulnerability uniqueness criteria |
cve (cve.id) | Vulnerability title |
cve.base_score | Vulnerability score |
CPEs | Vulnerability details |
if not status: return VulnerabilityStatusEnum.VULNERABLE.value if status in [CsVulnStatus.OPEN.value, CsVulnStatus.REOPENED.value, CsVulnStatus.REOPEN.value]: return VulnerabilityStatusEnum.VULNERABLE.value elif status == CsVulnStatus.CLOSED.value: return VulnerabilityStatusEnum.FIXED.value else: return VulnerabilityStatusEnum.RISK_ACKNOWLEDGED.value
| Vulnerability status |
CVEs | CVE/S |
CWE | CWE |
technical score - fields and fallback: cve.base_score Threats: Tags impact - specify: | Risk calculation |
remediation title | Fix title |
remediation action | Fix description |
remediation references | Fix references |
Packages | Asset - Vulnerability instance connection (info tool tip) |
Vulnerability status mapping
CrowdStrike status | Vulcan status |
Open | Vulnerable |
Closed | Fixed |
is_suppressed | Ignored - risk acknowledged |
Vulnerability score mapping
CrowdStrike score | Vulcan score |
Critical | 10 |
High | 7 |
Medium | 5 |
Low | 3 |
Information | 0 |
Update Mechanisms
Status update mechanisms
Every day, the Vulcan Platform syncs with the vendor's platform to receive updates on existing vulnerabilities and assets and to retrieve new ones (if any were added).
The table below describes how the status update mechanism works in the CrowdStrike connector for the CrowdStrike vulnerabilities and assets ingested into the Vulcan Platform.
Update type | Mechanism |
Archiving Assets | Asset that appears on Vulcan and isn't returned on the next connector’s sync. |
Change of vulnerability instances status from "Vulnerable" to "Fixed" | Vulnerability status changes to "fixed" upon the status change to fix/closed on the vendor's side ("CLOSED"). |
Note: Asset or vulnerability updates on the vendor side are reflected on the Vulcan Platform only when the next scheduled connector sync time is complete.
API Endpoints in use
API | Use in Vulcan | Permissions required |
| Generate access tokens for running other APIs | None |
| Collect host IDs for running other APIs | Hosts (read) |
| Assets (hosts) | Hosts (read) |
| Asset enrichment (host groups) | Hosts groups (read) |
| Asset enrichment (host groups) | Hosts groups (read) |
| Vulnerabilities and solutions | Spotlight vulnerabilities (read) |
Data Validation
How do I validate and compare the data between CrowdStrike and the Vulcan Platform?
Assets data validation
Crowdstrike’s managed assets count should match the CrowStrike assets count on the Vulcan Platform.
Vulnerabilities data validation
Crowdstike’s CVEs list counts all CVE instances, while Vulcan counts unique CVEs.
Vulcan’s unique criteria of crowdstrike's vulnerabilities is the CVE ID. Therefore, the vulnerabilities number on the Vulcan Platform is usually lower than the number in crowdstrike, or the same in case there are no CVE duplications.
For example (see screenshot below):
On the CrowdStrike platform, the highlighted CVE applies to 2 products and is presented as 2 vulnerabilities. However, on the Vulcan Platform, the same CVE is presented as one finding and applies to 2 assets.
