CrowdStrike

CrowdStrike is an endpoint protection and threat intelligence tool. You can bring device and security findings into Brinqa to construct a unified view of your attack surface and strengthen your cybersecurity posture.

This document details the information you must provide for the connector to authenticate with CrowdStrike and how to obtain that information from CrowdStrike. See create a data integration for step-by-step instructions on setting up the integration.

Required connection settings

When setting up a data integration, select CrowdStrike from the Connector drop-down. If you cannot find the connector in the drop-down, make sure that you have installed it first. You must provide the following information to authenticate CrowdStrike with Brinqa:

  • API URL: The CrowdStrike API URL. The default URL is https://api.crowdstrike.com.

  • Client ID and client secret: The client ID and client secret associated with the CrowdStrike account, which must have permissions to log in to the API server and return data.

Generate a CrowdStrike client secret

For the CrowdStrike connector to use the CrowdStrike API, you must provide a client secret. CrowdStrike does not allow retrieving the client secret for an existing user; therefore, you must generate a new client secret instead. To do so, follow these steps:

  1. Log in to the CrowdStrike Falcon UI as an administrator.

  2. Navigate to Support > API Clients and Keys.

  3. Click Add new API Client.

  4. Fill out the client name, description, and select the appropriate API scopes for the user.

  5. Click Add.

The client ID and client secret are displayed. You cannot view the client secret again. Copy the client secret and save it in a secure location.

note

Only Falcon administrators can view, create, or modify client secrets. For additional information, see CrowdStrike documentation.

Additional settings

The CrowdStrike connector contains additional options for specific configuration:

  • Set page size: The maximum number of records to get per API request. The default setting is 100. The max for most API calls is 400. It is not recommended to go over 400.

  • Parallel requests: The maximum number of parallel API requests. The default setting is 4. Parallel requests affect API rate limits. It is not recommended to increase this number any further.

Types of data to retrieve

The CrowdStrike connector can retrieve the following types of data from the CrowdStrike API:

Connector Object          Required   Maps to Data Model
Device                    Yes        Host
Vulnerability             Yes        Vulnerability
Vulnerability Definition  Yes        Vulnerability Definition

info

The CrowdStrike connector does not currently support operation options for the types of data it retrieves.

For detailed steps on how to view the data retrieved from CrowdStrike in the Brinqa Platform, see How to view your data.

CrowdStrike Vulnerability Definitions

CrowdStrike provides comprehensive visibility into vulnerabilities across your network. However, CrowdStrike does not provide a dedicated API for directly retrieving vulnerability definitions. To bridge this gap, Brinqa has developed a distinct method for generating vulnerability definitions using data from CrowdStrike.

Take the following Vulnerability Definition ID for example:

ae83df32fef2184aaf5075b7e75e8edf_2a49280e6eaa5ebe5fdecdd337fcae14

The Vulnerability Definition ID is composed of two parts: [CrowdStrike Customer ID]_[CrowdStrike Definition ID]

  • CrowdStrike Customer ID (CID): The first part of the Vulnerability Definition ID serves as a unique identifier for your organization, ensuring that the vulnerability data is specific to your CrowdStrike environment.

  • CrowdStrike Definition ID: The second part of the Vulnerability Definition ID directly corresponds to the unique identifier of the vulnerability in your CrowdStrike environment.

In the above example, ae83df32fef2184aaf5075b7e75e8edf represents the CrowdStrike Customer ID, and 2a49280e6eaa5ebe5fdecdd337fcae14 is the CrowdStrike Definition ID. This format ensures that each vulnerability definition is accurately tied to the vulnerability identified within your organization's specific context.
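As an added example (not Brinqa's or CrowdStrike's code), the Python below parses IDs in this [CID]_[Definition ID] format and sorts a batch of them into IDs scoped to the tenant you expect, IDs carrying a different CID, and malformed values. The "32 hex characters on each side" check is an assumption taken from the example above, not a documented rule.

```python
import re
from dataclasses import dataclass

# Format from the page: [CrowdStrike Customer ID]_[CrowdStrike Definition ID].
# The "32 hex characters on each side" check is an assumption taken from the
# page's example value, not a documented rule; loosen it if your IDs differ.
_HEX32 = r"[0-9a-f]{32}"
_DEF_ID_RE = re.compile(rf"^(?P<cid>{_HEX32})_(?P<definition_id>{_HEX32})$")


@dataclass(frozen=True)
class VulnDefinitionId:
    customer_id: str    # CID: first half, identifies the CrowdStrike tenant
    definition_id: str  # second half, the vulnerability's ID in that tenant

    @classmethod
    def parse(cls, raw: str) -> "VulnDefinitionId":
        m = _DEF_ID_RE.match(raw.strip().lower())
        if m is None:
            raise ValueError(f"not a [CID]_[Definition ID] value: {raw!r}")
        return cls(m["cid"], m["definition_id"])

    def __str__(self) -> str:
        return f"{self.customer_id}_{self.definition_id}"


def triage_definition_ids(raw_ids, expected_cid):
    """Sort a batch of IDs into those scoped to expected_cid, those from another
    CID (a sign of a mis-pointed source when only one tenant is expected), and
    values that do not match the format at all."""
    result = {"own": [], "foreign": [], "malformed": []}
    for raw in raw_ids:
        try:
            vd = VulnDefinitionId.parse(raw)
        except ValueError:
            result["malformed"].append(raw)
            continue
        bucket = "own" if vd.customer_id == expected_cid.lower() else "foreign"
        result[bucket].append(vd)
    return result


# Constructed sample: the page's example ID, the same Definition ID under a
# made-up second CID (a distinct record, because the CID prefix differs), and
# one value that is not in the expected format at all.
PAGE_EXAMPLE = "ae83df32fef2184aaf5075b7e75e8edf_2a49280e6eaa5ebe5fdecdd337fcae14"
SAMPLE_IDS = [
    PAGE_EXAMPLE,
    "0123456789abcdef0123456789abcdef_2a49280e6eaa5ebe5fdecdd337fcae14",
    "not_an_id",
]

if __name__ == "__main__":
    print(triage_definition_ids(SAMPLE_IDS, "ae83df32fef2184aaf5075b7e75e8edf"))
```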

APIs

The CrowdStrike connector uses the following endpoints:

  • detects/queries/detects/v1

  • detects/entities/summaries/GET/v1

  • /devices/entities/devices/v1

  • /devices/queries/devices/v2

  • /devices/queries/devices-scroll/v1

  • /incidents/entities/behaviors/GET/v1

  • /incidents/queries/behaviors/v1

  • /incidents/entities/incidents/GET/v1

  • /incidents/queries/incidents/v1

  • spotlight/entities/vulnerabilities/v2

  • spotlight/queries/vulnerabilities/v1

Changelog

The CrowdStrike connector has undergone the following changes:

3.1.6

  • Changed the DEVICE_CONTROL_POLICY_ID attribute type from boolean to string.

3.1.5

  • Fixed an issue where the Vulnerability and Vulnerability Definition syncs were failing.

3.1.4

  • Updated the method for setting the LAST_FOUND attribute in the Vulnerability object.

3.1.0

  • Changed the strategy of generating Vulnerability Definition records to use part of a CrowdStrike Vulnerability ID, which is unique per vulnerability type. See CrowdStrike Vulnerability Definitions for details.

3.0.24

  • Enhanced to display remediation information in the Results field of vulnerabilities.

3.0.22

  • Added an operation option, definitionUidPrefix, to let users define their own prefix if using multiple CrowdStrike sources. The default prefix is CSID.

3.0.21

  • Enhanced to update the Recommendation field when creating Vulnerability Definition objects.

3.0.19

  • Fixed a parse error that occurred when syncing Device objects.

3.0.18

  • Improved the performance of syncing Vulnerability Definition objects.

3.0.17

  • Added some optional attributes in the Device object, such as CHASSIS_TYPE, CONNECTION_IP, CONNECTION_MAC_ADDRESS, DEFAULT_GATEWAY_IP, and KERNEL_VERSION.

  • Updated dependencies.

3.0.16

  • Fixed an issue where data integration syncs took much longer than the previous version.

3.0.14

  • Enhanced to list all vulnerable products in the Result field of vulnerabilities.

  • Updated dependencies.

3.0.13

  • Implemented a solution to handle parallel data integration syncs.

3.0.12

  • Added an EX_PRT_RATING attribute in the Vulnerability object.

  • Prioritized EX_PRT_RATING from open vulnerabilities.

3.0.11

  • Added a PATCH_AVAILABLE attribute in the Vulnerability Definition object.

3.0.10

  • Added a PRIVATE_DNS_NAME attribute in the Device object.

  • Normalized hostnames.

3.0.9

  • Added a SERIAL_NUMBER attribute in the Device object.

3.0.0