CrowdStrike Falcon Spotlight Connector Guide
Summary: How to set up and use the CrowdStrike Falcon Spotlight connector in Ivanti Neurons RBVM/ASPM/VULN KB.
Overview
CrowdStrike Falcon Spotlight offers security teams an assessment of vulnerability exposure on their endpoints that is always current. Falcon Spotlight's native integration into the CrowdStrike Falcon platform enables customers to operate vulnerability management within a complete endpoint protection framework.
The Ivanti Neurons RBVM/ASPM/VULN KB platform provides an API-based connector that integrates with CrowdStrike Falcon Spotlight, enabling customers to bring in their findings. It allows customers to gain visibility into their overall risk due to vulnerabilities in their endpoint and a more straightforward, more efficient way to manage those vulnerabilities.
User Prerequisites/CrowdStrike Falcon Spotlight Setup
CrowdStrike Falcon Spotlight is a cloud-based solution.
-
Requires a subscription to CrowdStrike Falcon Spotlight.
-
Requires a user account with API access and can read asset data along with their associated vulnerabilities.
CrowdStrike Falcon Spotlight Connector API Calls
The following API calls are performed during a connector run to pull vulnerabilities from CrowdStrike Falcon Spotlight into Neurons RBVM/ASPM/VULN KB.
API Type |
Endpoint |
---|---|
Authentication |
https://api.crowdstrike.com/oauth2/token |
Fetch List of AgentIds |
https://api.crowdstrike.com/devices/queries/devices/v1 |
Fetch detailed information about each Host |
https://api.crowdstrike.com/devices/entities/devices/v1?ids= |
Fetch the list of Vulnerabilities |
https://api.crowdstrike.com/spotlight/queries/vulnerabilities/v1 |
Fetch the list of Vulnerabilities in detail |
https://api.crowdstrike.com/spotlight/entities/vulnerabilities/v2 |
Fetch the Remediation for each Vulnerability |
https://api.crowdstrike.com/spotlight/entities/remediations/v2 |
Configuring CrowdStrike Falcon Spotlight Connector in Neurons RBVM/ASPM/VULN KB
Navigate to the Automate > Integrations page.
Using the search bar in the upper-right corner of the Integrations page, type Falcon to find the connector.
Locate the CrowdStrike Falcon Spotlight card on the page and click Configuration.
In the new window under Connection, complete the required fields, as described below.
-
Name: The connector’s name.
-
URL: The URL to access CrowdStrike Falcon Spotlight API https://api.crowdstrike.com.
-
Client Id: One-half of an API client's authentication credentials. Similar to a username.
-
Client Secret: The other half of an API client's authentication credentials. Similar to a password.
-
SSL: Optional instance SSL certificate in base64 format.
Click the Test Credentials button to ensure the credentials are correct and have the necessary access to make CrowdStrike Falcon Spotlight API calls.
Under Schedule, you can configure the desired schedule for the connector to retrieve results from the CrowdStrike Falcon Spotlight instance.
Users can optionally turn on Enable auto URBA (Update Remediation by Assessment).
On marking the Create Assets that do not have vulnerabilities options, RiskSense will create applications with zero findings. This option is selected by default, and the user can opt to turn it off.
Click the Save button to save the connector’s configuration and create the connector. Once saved, the connector is now visible on the Integrations page under Currently Configured Integrations.
Clicking the History button displays the connector details for each pull. The Sync button allows users to perform on-demand sync. The Edit button allows the user to edit the connector configuration. The Delete button allows the user to delete the connector.
Once files have been processed on the Uploads page, view the ingested data by navigating to the Hosts and Host Findings pages.
Mapping CrowdStrike Falcon Spotlight fields in Neurons RBVM/ASPM/VULN KB
This table showcases the high-level mapping of CrowdStrike Falcon Spotlight API fields in Neurons RBVM/ASPM/VULN KB.
Neurons RBVM/ASPM/VULN KB Fields |
CrowdStrike Fields |
---|---|
AgentId |
resources -> device_id |
Scanner Severity |
resources -> cve -> severity |
Scanner Plugin |
resources -> cve -> id |
Possible Solution |
resources -> remediation |
Plugin Instance Id |
resources -> id |
Plugin Source Status |
resources -> status |
Remediation ID |
resources → remediation → ids |
Remediation URL |
resources → remediation → entities → link |
Remediation Title |
resources → remediation → entities → title |
Remediation Reference |
resources → remediation → entities → reference |
Remediation Action |
resources → remediation → entities → action |
Neurons RBVM/ASPM/VULN KB Tags
The following fields from CrowdStrike Falcon Spotlight APIs are converted into Neurons RBVM/ASPM/VULN KB tags. Use these tags for searching, playbook automation, and better visualization in Neurons RBVM/ASPM/VULN KB Dashboards.
-
resources -> tags
-
resources -> ou
Common Fields in Neurons RBVM/ASPM/VULN KB
The following fields in Neurons RBVM/ASPM/VULN KB are defined for CrowdStrike Falcon Spotlight, along with their default values.
-
The Scanner Name will be FalconSpotlight.