CrowdStrike Falcon Exposure Management

About this document


This document gives you the step-by-step procedure to configure CrowdStrike Falcon Exposure Management in SAFE.

Prerequisites


You need the following connection details for this integration:

  • CrowdStrike URL

  • Client ID

  • Client Secret

Note 

To create API clients and secrets, you must have a Falcon Administrator role in CrowdStrike. The API client secret value is only shown when a new API client is created or while resetting it. 

Generate Connection Details


Follow the below step-by-step procedure to get the connector details:

  1. Log in to your CrowdStrike instance.

  2. Navigate to Support and Resources > API Clients and Keys in the left navigation.

  3. Under OAuth2 API clients, click the Create API Client button.

  4. Enter the Client Name and Description. 

  5. Mark the below checkboxes:

    1. Read for Vulnerabilities

    2. Read for Hosts

  6. Click the Create button.

  7. The system displays the connection details (URL, Client ID, and Client Secret). 

  8. Copy and save the connection details to be used while configuring CrowdStrike Falcon Exposure Management in SAFE.


Configure CrowdStrike Falcon Exposure Management


To configure CrowdStrike in SAFE:

  1. Navigate to Integrations.

  2. Click the CrowdStrike Falcon Exposure Management card.

  3. Enter the CrowdStrike URL, Client ID, and Client Secret.

  4. (Optional) Enter the Tag Filters to pull selective data from CrowdStrike to SAFE.

    • Tag Filter: SAFE can restrict the data it fetches from CrowdStrike to assets carrying specific tags. If no tag name is entered in this field, the system fetches data for all assets to which the user has access.

    • You can enter multiple Tag names separated by commas.

    • Example: admin, location, department.

  5. If needed, uncheck the "Update Existing Assets Metadata" checkbox.

    • Update Existing Assets Metadata: If this checkbox is marked, the asset's metadata, such as asset name, IP address, etc., will get updated based on the data pulled from CrowdStrike. 

  6. If needed, mark the Onboard Asset checkbox.

    • Onboard Assets: By default, any assets in CrowdStrike that are not found in SAFE will be onboarded. Uncheck this option to limit the integration to pulling findings only for assets already present in SAFE.

  7. Enter the Auto Sync frequency in the number of days.

  8. Click the Test Connection button.

  9. Once the connection is validated, click the Save button.

  10. Once the configuration is saved, click the Sync Now button to trigger the on-demand sync outside of the scheduled auto sync. The auto-sync time is 01:15 UTC.

FQDN Population


The FQDN is built from the hostname and the machine_domain (Active Directory domain) reported by CrowdStrike Falcon Exposure Management. It is populated only when an Active Directory domain (machine_domain) is configured for the host in CrowdStrike.

View Result


Scroll down to the Findings View and Assets View available on the integration page.

Findings View: This tab displays all the findings details pulled from CrowdStrike Falcon Exposure Management.

View Assets: This tab displays all the assets pulled from CrowdStrike Falcon Exposure Management.

History


Learn More about Integration History here.

SAFE's Outgoing IP Addresses


Click here to find the outgoing IP addresses of SAFE. All traffic to any integrations in SAFE will see one IP address as the source IP of the incoming connection.

FAQs


Q1. What assessment data does SAFE pull from CrowdStrike, and for which type of assets?

SAFE does not perform any native assessment of the CrowdStrike assets. SAFE pulls the remediations from CrowdStrike and adds/updates them as VA findings in SAFE.

Q2. What are remediations in CrowdStrike, and why does SAFE prefer to pull remediations?

In CrowdStrike, remediations can be accessed from the left navigation menu: Exposure management > Vulnerability management > Vulnerabilities. On the list of vulnerabilities, select Group by Remediation.

Individual exposed CVEs are referred to as vulnerabilities in CrowdStrike. CrowdStrike groups vulnerabilities by remediation according to the underlying cause shared by multiple CVE IDs. SAFE pulls these remediations from CrowdStrike and adds them as findings on the assets.

Q3. How can I check the Sync status for CrowdStrike Integration?

Sync status can be checked on the configuration page in the history section. Post completion of the sync, the stats can be viewed on this page.

Q4. What types of syncs does SAFE support for the CrowdStrike integration?

SAFE assesses the CrowdStrike environment using two types of syncs:

  • Full Sync: A full sync of asset and vulnerability data from CrowdStrike to SAFE. This sync triggers once every 7 days.

  • Incremental Sync: Pulls only the delta changes from CrowdStrike since the last incremental or full sync run. Incremental syncs run as per the Auto Sync schedule, provided the scheduled interval is less than 7 days.

Q5. Why does SAFE do two types of syncs?

SAFE follows best practices for pulling data from any tool; keeping CrowdStrike's recommended best practices in mind, SAFE pulls data in two different syncs. This does not affect the result or the data pulled into SAFE.

Q6. On some days I see a sync that executed successfully, but the asset's last assessed date or findings are not updated. What can be the reason?

The reason can be an incremental sync: it pulls only delta changes, and there may have been no update in the CrowdStrike environment. These assets and vulnerability findings will get updated in the next full sync.

Q7. There’s a difference between the Assets Processed and the Assets seen in SAFE UI. Why?

Within the integration details card, you will find the "Assets Processed" field, which signifies the number of assets identified by SAFE in your Crowdstrike environment. Since SAFE utilizes asset names as criteria for matching, asset names must be unique. If a duplicate asset is detected, the new entry will replace the existing asset data. As a result, the total asset count may appear lower than expected.

Q8. Why are tags not getting pulled after creating the mentioned custom field (cs-exposure-mgmt-tags) and triggering the sync?

There is a cache of 15 mins or so between the creation of a new custom field and it being considered by signal ingestion to successfully populate the tags. Trigger the sync after an interval and validate it again.


Q9. Why are all tags not getting pulled from CrowdStrike Falcon Exposure Management?

Tags are synced for the assets picked up by an incremental sync; for the remaining assets, tags are synced on the full sync schedule.

Q10. Why is FQDN not getting populated from CrowdStrike?

FQDN is only populated when the Active Directory Domain (machine_domain) is configured in CrowdStrike.
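The following added example (not SAFE's or CrowdStrike's code) simulates three behaviours this article describes so you can see their effect on constructed data: FQDN built from hostname plus machine_domain and left empty when no Active Directory domain is set (FQDN Population, Q10), the comma-separated Tag Filters field (step 4 of the configuration), and name-based matching where a duplicate asset name replaces the earlier record, which is why "Assets Processed" can exceed the asset count shown in SAFE (Q7). The host records and field names are constructed for illustration and are not the CrowdStrike API schema.

```python
from __future__ import annotations

from typing import Optional

# Constructed sample host records (not real CrowdStrike API output).
# "web01" appears twice on purpose to show duplicate-name replacement.
SAMPLE_HOSTS = [
    {"hostname": "web01", "machine_domain": "corp.example", "local_ip": "10.0.0.5", "tags": ["location", "prod"]},
    {"hostname": "db01", "machine_domain": "", "local_ip": "10.0.0.9", "tags": ["department"]},
    {"hostname": "web01", "machine_domain": "corp.example", "local_ip": "10.0.0.6", "tags": ["admin"]},
    {"hostname": "lab07", "machine_domain": None, "local_ip": "10.1.0.3", "tags": []},
]


def build_fqdn(host: dict) -> Optional[str]:
    """Return '<hostname>.<machine_domain>', or None when no AD domain is set.

    Mirrors the article: FQDN is populated only when machine_domain is
    configured, so an empty or missing domain yields no FQDN rather than
    a bare hostname.
    """
    hostname = (host.get("hostname") or "").strip()
    domain = (host.get("machine_domain") or "").strip()
    if not hostname or not domain:
        return None
    return f"{hostname}.{domain}".lower()


def parse_tag_filters(raw: str) -> set[str]:
    """Split the Tag Filters field ("admin, location, department") into a set.

    An empty field means no filtering, i.e. all accessible assets are fetched.
    """
    return {t.strip() for t in raw.split(",") if t.strip()}


def matches_tag_filter(host: dict, filters: set[str]) -> bool:
    """A host passes when no filter is set or it carries any filtered tag."""
    if not filters:
        return True
    return bool(filters & set(host.get("tags") or []))


def ingest(hosts: list[dict], tag_filters: str = "") -> dict:
    """Simulate one sync: count processed hosts and build the asset map.

    Assets are keyed by hostname (the matching criterion the article names),
    so a second record with the same name replaces the first. The gap between
    'assets_processed' and 'assets_in_safe' is the Q7 discrepancy.
    """
    filters = parse_tag_filters(tag_filters)
    assets: dict[str, dict] = {}
    processed = 0
    for host in hosts:
        if not matches_tag_filter(host, filters):
            continue
        processed += 1
        name = host["hostname"]
        assets[name] = {  # duplicate name: new entry replaces existing data
            "name": name,
            "ip": host.get("local_ip"),
            "fqdn": build_fqdn(host),
        }
    return {
        "assets_processed": processed,
        "assets_in_safe": len(assets),
        "assets": assets,
    }


if __name__ == "__main__":
    summary = ingest(SAMPLE_HOSTS)
    print(f"processed={summary['assets_processed']} in_safe={summary['assets_in_safe']}")
    for asset in summary["assets"].values():
        print(asset)
```

Running the block on the sample data reports four hosts processed but three assets kept, with the second "web01" record's IP winning and "db01" and "lab07" carrying no FQDN. Passing `tag_filters="admin, location"` keeps only the two "web01" records, which collapse to a single asset.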

