CrowdStrike
CrowdStrike is an endpoint protection and threat intelligence tool. You can bring device and security data from CrowdStrike into Brinqa to construct a unified view of your attack surface and strengthen your cybersecurity posture.
This document details the information you must provide for the connector to authenticate with CrowdStrike and how to obtain that information from CrowdStrike. See create a data integration for step-by-step instructions on setting up the integration.
Required connection settings
When setting up a data integration, select CrowdStrike from the Connector drop-down. If you cannot find the connector in the drop-down, make sure that you have installed it first. You must provide the following information to authenticate CrowdStrike with Brinqa:
-
API URL: The CrowdStrike API URL. The default API URL is
https://api.crowdstrike.com.For additional information on the CrowdStrike API URL, see CrowdStrike documentation.
-
Client ID and Client secret: The client ID and client secret associated with the CrowdStrike account, which must have permissions to log in to the API server and return data.
Generate a CrowdStrike client secret
For the CrowdStrike connector to use the CrowdStrike API, you must provide a client secret. CrowdStrike does not allow retrieving the client secret for an existing user, therefore, you must generate a new client secret instead. To do so, follow these steps:
-
Log in to your organization's CrowdStrike Falcon portal as an administrator.
-
From the navigation menu, click Support and resources, and then click API clients and keys.
-
Click Create API client.
The Create API client window displays.
-
Fill out the Client name, Description, and select the appropriate API scopes for the user.
-
Click Create.
Your new client ID, client secret, and recommended Base URL display. You cannot view the client secret again after this. Copy and save it to a secure location.
If you do not have permissions to create a client secret, contact your CrowdStrike administrator. For additional information, see CrowdStrike documentation.
Additional settings
The CrowdStrike connector contains additional options for specific configuration:
-
Page size: The maximum number of records to get per API request. The default setting is 5000. It is not recommended to go over 5000.
-
Parallel requests: The maximum number of parallel API requests. The default setting is 4.
-
Maximum retries: The maximum number of times that the integration attempts to connect to the CrowdStrike API before giving up and reporting a failure. The default setting is 10.
Types of data to retrieve
The CrowdStrike connector can retrieve the following types of data from the CrowdStrike API:
Table 1: Data retrieved from CrowdStrike
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| Device | Yes | Host |
| Vulnerability | Yes | Vulnerability |
| Vulnerability Definition | Yes | Vulnerability Definition |
For detailed steps on how to view the data retrieved from CrowdStrike in the Brinqa Platform, see How to view your data.
Attribute mappings
Expand the sections below to view the mappings between the source and the Brinqa data model attributes.
Device
Table 2: Device attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| agent_load_flags | Local variable |
| agent_local_time | Local variable |
| agent_version | Local variable |
| bios_manufacturer | Local variable |
| bios_version | Local variable |
| build_number | Local variable |
| chassis_type_desc | Local variable |
| cid | Local variable |
| connection_ip | name, ipAddresses, Local variable |
| connection_mac_address | Local variable |
| created_at | sourceCreatedDate |
| default_gateway_ip | ipAddresses, Local variable |
| device_id | uid |
| device_policies_device_control | Local variable |
| device_policies_global_config | Local variable |
| device_policies_prevention | Local variable |
| device_policies_sensor_update | Local variable |
| external_ip | name, ipAddresses, publicIpAddress, publicIpAddresses |
| first_login_timestamp | firstLogin |
| first_login_user | firstLoginUser |
| first_seen | firstSeen |
| groups | Local variable |
| hostname | name, hostnames, hostname(normalize), privateDnsName(calculate), privateDnsNames |
| instance_id | instanceId |
| kernel_version | Local variable |
| last_login_timestamp | lastLogin |
| last_login_user | lastLoginUser |
| last_reboot | lastStarted |
| last_seen | lastSeen |
| local_ip | ipAddresses, privateIpAddresses |
| mac_address | macAddresses(normalize) |
| machine_domain | Local variable |
| major_version | Local variable |
| minor_version | Local variable |
| modified_timestamp | sourceLastModified |
| notes | Local variable |
| os_build | Local variable |
| os_product_name | os, description |
| os_version | os, Local variable |
| ou | Local variable |
| platform_id | Local variable |
| platform_name | Local variable |
| product_type_desc | categories |
| provision_status | Local variable |
| reduced_functionality_mode | Local variable |
| release_group | Local variable |
| serial_number | name, serialNumber |
| service_pack_major | Local variable |
| service_pack_minor | Local variable |
| service_provider | Local variable |
| service_provider_account_id | Local variable |
| site_name | Local variable |
| status | status(normalize) |
| system_manufacturer | Local variable |
| system_product_name | description |
| tags | tags |
Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.
Vulnerability
Table 3: Vulnerability attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| aid | targets |
| cid | Local variable |
| closed_timestamp | lastFixed |
| created_timestamp | firstFound, sourceCreatedDate |
| cve_severity | severity(normalize), sourceSeverity |
| host_info_host_last_seen_timestamp | lastFound |
| host_info_hostname | hostname |
| host_info_local_ip | ipAddresses |
| id | uid |
| lastUpdated | lastFound |
| remediations | results, recommendation |
| status | status(normalize), statusCategory |
| updated_timestamp | sourceLastModified |
| vid | type, uid |
Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.
Vulnerability Definition
Table 4: Vulnerability Definition attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| app_product_name_version | name |
| app_product_name_version() | affected |
| cve_description | summary, description |
| cve_exploit_status | exploitability(calculate) |
| cve_exprt_rating | Local variable |
| cve_published_date | publishedDate |
| cve_references | references |
| cve_severity | severity(normalize), sourceSeverity |
| cve_spotlight_published_date | publishedDate |
| cve_vector | cvss (calculate) |
| remediation | patchAvailable |
| remediations | results, recommendation |
| vulnerabilityId | name |
| vulnerabilityId | cveIds, cveRecords |
| vid | type, uid |
Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.
CrowdStrike Vulnerability Definitions
CrowdStrike provides comprehensive visibility into vulnerabilities across your network. However, CrowdStrike does not provide a dedicated API for directly retrieving vulnerability definitions. To bridge this gap, Brinqa has developed a distinct method for generating vulnerability definitions using data from CrowdStrike.
Take the following Vulnerability Definition ID for example:
ae83df32fef2184aaf5075b7e75e8edf_2a49280e6eaa5ebe5fdecdd337fcae14
The Vulnerability Definition ID is composed of two parts: [CrowdStrike Customer ID]_[CrowdStrike Definition ID]
-
CrowdStrike Customer ID (CID): The first part of the Vulnerability Definition ID serves as a unique identifier for your organization, ensuring that the vulnerability data is specific to your CrowdStrike environment.
-
CrowdStrike Definition ID: The second part of the Vulnerability Definition ID directly corresponds to the unique identifier of the vulnerability in your CrowdStrike environment.
In the above example, ae83df32fef2184aaf5075b7e75e8edf represents the CrowdStrike Customer ID, and 2a49280e6eaa5ebe5fdecdd337fcae14 is the CrowdStrike Definition ID. This format ensures that each vulnerability definition is accurately tied to the vulnerability identified within your organization's specific context.
Operation options
The CrowdStrike connector supports the following operation options. See connector operation options for information about how to apply them.
Table 5: CrowdStrike connector operation options
| Connector Object | Option | All Possible Values | Description | Example |
|---|---|---|---|---|
| Device | product_type_desc | Mobile, Server, Workstation | A comma-separated list of device types. Return only devices of the specified types. | Key: product_type_desc Value: Workstation,Server. This key and value combination only retrieves Workstation and Server devices. |
| status | contained, containment_pending, lift_containment_pending, normal | A comma-separated list of device status values. Return only devices with the specified statuses. | Key: status Value: contained,normal. This key and value combination only retrieves devices with the contained and normal status. | |
| platform_name | Linux, Mac, Windows | A comma-separated list of platform names. Return only devices with the specified platform names. | Key: platform_name Value: Mac,Windows. This key and value combination only retrieves Mac and Windows devices. | |
| last_seen >= | Date in ISO 8601 format (e.g., 2024-07-17T00:00:00Z) | Return only devices that have been seen after the specified date. | Key: last_seen >= Value: 2024-07-01T00:00:00Z. This key and value combination only retrieves devices seen after July 1, 2024. | |
| Vulnerability, Vulnerability Definition | cve.id | Any CVE ID | Return only vulnerabilities associated with the specified CVE IDs. | Key: cve.id Value: CVE-2023-1234. This key and value combination only retrieves vulnerabilities with the CVE-2023-1234 ID. |
| cve.exprt_rating | UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL | A comma-separated list of CVE expert ratings. Return only vulnerabilities with the specified expert ratings. | Key: cve.exprt_rating Value: HIGH,CRITICAL. This key and value combination retrieves only vulnerabilities with high and critical ratings. |
The option keys and values are case-sensitive as they are shown in this documentation.
APIs
The CrowdStrike connector uses the CrowdStrike API. Specifically, it uses the following endpoints:
Table 6: CrowdStrike API Endpoints
| Connector Object | API Endpoints |
|---|---|
| Device | GET /devices/queries/devices/v2 |
GET /devices/queries/devices-scroll/v1 | |
| Vulnerability | GET spotlight/combined/vulnerabilities/v1 |
| Vulnerability Definition | GET spotlight/combined/vulnerabilities/v1 |
Changelog
The CrowdStrike connector has undergone the following changes:
3.1.11
- Fixed an issue where the number of vulnerabilities synced was smaller than expected due to the connector only retrieving vulnerabilities with evaluation logic, according to CrowdStrike.
3.1.10
- Moved the EVALUATION_LOGIC attribute from the Vulnerability Definition object to the Vulnerability object to reflect changes specific to each vulnerability.
3.1.9
- Added the EVALUATION_LOGIC attribute to the Vulnerability Definition object to retrieve detailed evidence and contextual information from CrowdStrike findings.
3.1.8
- Added support for Data lifecycle management to the Device and Vulnerability objects.
3.1.7
- Added the AFFECTED attribute to the Vulnerability Definition object.
3.1.6
- Changed the DEVICE_CONTROL_POLICY_ID attribute type on the Device object from boolean to string.
3.1.5
- Fixed an issue where the Vulnerability and Vulnerability Definition syncs were failing.
3.1.4
- Updated the method for setting the LAST_FOUND attribute in the Vulnerability object.
3.1.0
- Changed the strategy of generating Vulnerability Definition records to use part of a CrowdStrike Vulnerability ID, which is unique per vulnerability type. See CrowdStrike Vulnerability Definitions for details.
3.0.24
- Enhanced to display remediation information in the Results field of vulnerabilities.
3.0.22
- Added an operation option,
definitionUidPrefix, to let users define their own prefix if using multiple CrowdStrike sources. The default prefix is CSID.
3.0.21
- Enhanced to update the Recommendation field when creating Vulnerability Definition objects.
3.0.19
- Fixed a parse error that would occur when syncing Device objects.
3.0.18
- Improved the performance of syncing Vulnerability Definition objects.
3.0.17
-
Added some optional attributes in the Device object, such as CHASSIS_TYPE, CONNECTION_IP, CONNECTION_MAC_ADDRESS, DEFAULT_GATEWAY_IP, and KERNEL_VERSION.
-
Updated dependencies.
3.0.16
- Fixed an issue where data integration syncs took much longer than the previous version.
3.0.14
-
Enhanced to list all vulnerable products in the Result field of vulnerabilities.
-
Updated dependencies.
3.0.13
- Implemented a solution to handle parallel data integration syncs.
3.0.12
-
Added a EX_PRT_RATING attribute in the Vulnerability object.
-
Prioritized EX_PRT_RATING from open vulnerabilities.
3.0.11
- Added a PATCH_AVAILABLE attribute in the Vulnerability Definition object.
3.0.10
-
Added a PRIVATE_DNS_NAME attribute in the Device object.
-
Normalized hostnames.
3.0.9
- Added a SERIAL_NUMBER attribute in the Device object.
3.0.0
- Initial Integration+ release.