CrowdStrike Spotlight

About this document


This document gives you the step-by-step procedure to configure CrowdStrike Spotlight in SAFE.

Pre-requisite


You need the following connection details for this integration:

  • CrowdStrike URL
  • Client ID
  • Client Secret
Note
To create API clients and secrets, you must have the Falcon Administrator role in CrowdStrike. The API client secret is shown only once, when the client is created or when its secret is reset; record it securely at that moment, because it cannot be retrieved afterwards.

Generate Connection Details


Follow these steps to generate the connection details:

  1. Log in to your CrowdStrike instance.
  2. In the left navigation, go to Support and Resources > API Clients and Keys.
  3. Under OAuth2 API clients, click the Create API Client button.
  4. Enter the Client Name and Description.
  5. Under API scopes, select only the two read scopes the integration needs:
    1. Read for Vulnerabilities
    2. Read for Hosts
  6. Click the Create button.
  7. The system displays the connection details (URL, Client ID, and Client Secret).
  8. Copy and save the connection details; you will enter them when configuring CrowdStrike Spotlight in SAFE.
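Before pasting the three values into SAFE, it is worth confirming that the new API client authenticates and actually carries both read scopes, since a client created with the wrong scopes fails only later at Test Connection. The script below is an added example, not SAFE's or CrowdStrike's own code. It assumes the Falcon OAuth2 client-credentials endpoint (POST /oauth2/token) and two read-only query endpoints used as probes: /devices/queries/devices/v1 for Hosts: read and /spotlight/queries/vulnerabilities/v1 for Vulnerabilities: read, where a 403 on a probe means the client exists but lacks that scope. The environment-variable names and the injectable transport hook are the example's own.

```python
"""Pre-flight check for a CrowdStrike API client before entering it in SAFE.

Added example (not SAFE's or CrowdStrike's code). Assumed endpoints:
  POST /oauth2/token                       client-credentials token exchange
  GET  /devices/queries/devices/v1         probe for the Hosts: read scope
  GET  /spotlight/queries/vulnerabilities/v1  probe for Vulnerabilities: read
A 403 from a probe means the token is valid but that scope is missing.
"""
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

# (scope label, path, query string). The Spotlight query endpoint requires
# an FQL filter, so a minimal one is supplied.
PROBES = (
    ("Hosts: read", "/devices/queries/devices/v1", "limit=1"),
    ("Vulnerabilities: read", "/spotlight/queries/vulnerabilities/v1",
     "limit=1&filter=" + urllib.parse.quote("status:'open'")),
)


def token_request(base_url, client_id, client_secret):
    """Build the form-encoded POST used for the client-credentials grant."""
    body = urllib.parse.urlencode(
        {"client_id": client_id, "client_secret": client_secret}).encode()
    return urllib.request.Request(
        base_url.rstrip("/") + "/oauth2/token", data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"})


def probe_request(base_url, token, path, query):
    """Build an authenticated GET against one probe endpoint."""
    return urllib.request.Request(
        f"{base_url.rstrip('/')}{path}?{query}", method="GET",
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/json"})


def interpret_status(status):
    """Map a probe's HTTP status to a verdict a human can act on."""
    if status == 200:
        return "ok"
    if status == 401:
        return "token rejected"
    if status == 403:
        return "scope missing"
    return f"unexpected HTTP {status}"


def send(req):
    """Return (status, JSON body) and do not raise on 4xx/5xx responses."""
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        try:
            body = json.loads(err.read() or b"{}")
        except ValueError:
            body = {}
        return err.code, body


def check_api_client(base_url, client_id, client_secret, transport=send):
    """Obtain a token, then probe each required scope.

    `transport` is injectable so the flow can be exercised offline with
    canned responses; the default performs real HTTP calls.
    """
    status, body = transport(token_request(base_url, client_id, client_secret))
    if status not in (200, 201) or "access_token" not in body:
        return {"token": f"failed (HTTP {status})"}
    token = body["access_token"]
    results = {"token": "ok"}
    for label, path, query in PROBES:
        status, _ = transport(probe_request(base_url, token, path, query))
        results[label] = interpret_status(status)
    return results


if __name__ == "__main__":
    # Credentials come from the environment so they never land in shell history.
    url = os.environ.get("FALCON_URL", "https://api.crowdstrike.com")
    cid = os.environ.get("FALCON_CLIENT_ID")
    secret = os.environ.get("FALCON_CLIENT_SECRET")
    if not (cid and secret):
        sys.exit("set FALCON_CLIENT_ID and FALCON_CLIENT_SECRET")
    for name, verdict in check_api_client(url, cid, secret).items():
        print(f"{name:24s} {verdict}")
```

Set FALCON_URL to the URL shown in step 7; the default of https://api.crowdstrike.com is the base for US-1 tenants, and other Falcon clouds use a different host. If a probe reports "scope missing", edit the API client in the Falcon console to add that scope and re-run before continuing to the SAFE configuration.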

Configure CrowdStrike Spotlight


To configure CrowdStrike Spotlight in SAFE:

  1. Navigate to Integrations.
  2. Click the CrowdStrike Spotlight card.
  3. Enter the CrowdStrike URL, Client ID, and Client Secret.
  4. (Optional) Enter Tag Filters to pull only selected assets from CrowdStrike into SAFE.
    • Tag Filter: restricts the pull to CrowdStrike assets that carry the listed tags. If this field is left empty, SAFE fetches all assets the API client has access to.
    • You can enter multiple tag names separated by commas.
    • Example: admin, location, department.
  5. If needed, uncheck the "Update Existing Assets Metadata" checkbox.
    • Update Existing Assets Metadata: when this checkbox is marked, an asset's metadata, such as asset name and IP address, is updated with the data pulled from CrowdStrike.
  6. If needed, uncheck the "Onboard Assets" checkbox.
    • Onboard Assets: marked by default, so any asset in CrowdStrike that is not found in SAFE is onboarded. Uncheck it to limit the integration to pulling findings only for assets already present in SAFE.
  7. Enter the Auto Sync frequency in number of days.
  8. Click the Test Connection button.
  9. Once the connection is validated, click the Save button.
  10. Once the configuration is saved, click the Sync Now button to trigger an on-demand sync outside of the scheduled auto sync. The scheduled auto sync runs at 01:15 UTC.

View Result


Scroll down to the Findings View and Assets View available on the integration page.

Findings View: This tab displays all the findings pulled from CrowdStrike Spotlight.

Assets View: This tab displays all the assets pulled from CrowdStrike Spotlight.

History


Learn More about Integration History here.

SAFE's Outgoing IP Addresses


Click here to find the outgoing IP addresses of SAFE. All traffic from SAFE to any integration originates from a single source IP address, so that is the address to permit if the integration endpoint restricts inbound API connections by source IP.

FAQs


1. What assessment data does SAFE pull from CrowdStrike, and for which type of assets?

SAFE does not perform any native assessment of CrowdStrike assets. SAFE pulls remediations from CrowdStrike and adds or updates them as VA findings in SAFE.

2. What are remediations in CrowdStrike, and why does SAFE pull remediations rather than individual vulnerabilities?

In CrowdStrike, remediations can be reached from the left navigation menu: Exposure management > Vulnerability management > Vulnerabilities; on the list of vulnerabilities, group the list by Remediation.

Individual exposed CVEs are called vulnerabilities in CrowdStrike. CrowdStrike groups vulnerabilities into a remediation when several CVE IDs share the same root cause (for example, one missing patch). SAFE pulls these remediations from CrowdStrike and adds them as findings on the corresponding assets.

3. How can I check the sync status for the CrowdStrike integration?

Sync status can be checked in the History section of the configuration page. After a sync completes, its stats are shown there.

4. What types of syncs does SAFE support for the CrowdStrike integration?

SAFE pulls data from the CrowdStrike environment in two types of syncs:

  • Full Sync: a full sync of asset and vulnerability data from CrowdStrike to SAFE. This sync triggers once every 7 days.
  • Incremental Sync: pulls only the changes in CrowdStrike since the last incremental or full sync. Incremental syncs run on the Auto Sync schedule, provided the scheduled interval is less than 7 days.

5. Why does SAFE do two types of syncs?

SAFE follows the recommended practice for pulling data from any tool; keeping CrowdStrike's recommended practices in mind, SAFE splits the work into full and incremental syncs. This does not affect the result or the data pulled into SAFE.

6. On some days, I see a sync that executed successfully, but the asset's last assessed date or findings are not updated. What can be the reason?

That sync was most likely an incremental sync. It pulls only the changes since the previous sync, so if nothing changed in the CrowdStrike environment there is nothing to update. These assets and vulnerability findings are refreshed by the next full sync.

7. There is a difference between Assets Processed and the assets seen in the SAFE UI. Why?

Within the integration details card, the "Assets Processed" field shows the number of assets SAFE identified in your CrowdStrike environment. Because SAFE matches assets by asset name, names must be unique. When a duplicate name is detected, the new entry replaces the existing asset's data, so the total asset count in SAFE may be lower than Assets Processed.

