CrowdStrike Cloud Security
CrowdStrike Cloud Security is a cloud security tool that scans your container images for policy violations and vulnerabilities. You can bring image and security data from CrowdStrike Cloud Security into Brinqa to construct a unified view of your attack surface and strengthen your cybersecurity posture.
This document details the information you must provide for the connector to authenticate with CrowdStrike Cloud Security and how to obtain that information from CrowdStrike. See create a data integration for step-by-step instructions on setting up the integration.
Required connection settings
When setting up a data integration, select CrowdStrike Cloud Security from the Connector drop-down. If you cannot find the connector in the drop-down, make sure that you have installed it first. You must provide the following information to authenticate CrowdStrike Cloud Security with Brinqa:
-
API URL: The CrowdStrike API URL. The default API URL is
https://api<region>.crowdstrike.com.For additional information on the CrowdStrike API URL, see CrowdStrike documentation.
-
Client ID and Client secret: The client ID and client secret associated with the CrowdStrike account, which must have permissions to log in to the API server and return data.
Generate a CrowdStrike client secret
For the CrowdStrike Cloud Security connector to use the CrowdStrike API, you must provide a client secret. CrowdStrike does not allow retrieving the client secret for an existing user, therefore, you must generate a new client secret instead. To do so, follow these steps:
-
Log in to your organization's CrowdStrike Falcon portal as an administrator.
-
From the navigation menu, click Support and resources, and then click API clients and keys.
-
Click Create API client.
The Create API client window displays.
-
Fill out the Client name, Description, and select the appropriate API scopes for the user.
-
Click Create.
Your new client ID, client secret, and recommended Base URL display. You cannot view the client secret again after this. Copy and save it to a secure location.
If you do not have permissions to create a client secret, contact your CrowdStrike administrator. For additional information, see CrowdStrike documentation.
Additional settings
The CrowdStrike Cloud Security connector contains additional options for specific configuration:
-
Page size: The maximum number of records to get per API request. The default setting is 5000. It is not recommended to go over 5000.
-
Parallel requests: The maximum number of parallel API requests. The default setting is 4.
-
Maximum retries: The maximum number of times that the integration attempts to connect to the CrowdStrike API before giving up and reporting a failure. The default setting is 10.
Types of data to retrieve
The CrowdStrike Cloud Security connector can retrieve the following types of data from the CrowdStrike API:
Table 1: Data retrieved from CrowdStrike
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| Detection | Yes | Violation |
| Violation Definition | ||
| Image | Yes | Container Image |
| Vulnerability | Yes | Vulnerability |
| Vulnerability Definition |
For detailed steps on how to view the data retrieved from CrowdStrike Cloud Security in the Brinqa Platform, see How to view your data.
Attribute mappings
Expand the sections below to view the mappings between the source and the Brinqa data model attributes.
Detection
Table 2: Detection attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| ai_related | Local variable |
| cid | Local variable |
| detection_name | uid |
| detection_name | type, name, uid |
| detection_severity | severity, sourceSeverity, severityScore |
| detection_type | categories |
| first_seen | firstFound |
| image_id | targets |
| last_seen | lastFound |
| source | Local variable |
Image
Table 3: Image attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| ai_related | Local variable |
| architecture | Local variable |
| base_os | Local variable |
| Categories | categories |
| cid | Local variable |
| detections | Local variable |
| first_seen | firstSeen |
| highest_detection_severity | Local variable |
| highest_vulnerability_severity | Local variable |
| image_digest | digest |
| image_id | uid |
| last_seen | lastSeen |
| layers_with_vulnerabilities | Local variable |
| packages | Local variable |
| registry | registry |
| repository | repository |
| Source status | sourceStatus |
| Status | status |
| tag | Local variable |
| vulnerabilities | Local variable |
Vulnerability
Table 4: Vulnerability attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| ai_related | Local variable |
| cid | Local variable |
| cve_id | uid |
| cve_id | cveRecords, cveIds, name, uid, type |
| cvss_score | cvssV3BaseScore |
| first_seen | firstFound |
| image_id | targets |
| last_seen | lastFound |
| source | Local variable |
| vulnerability_cps_rating | Local variable |
| vulnerability_description | description |
| vulnerability_severity | severity, sourceSeverity, severityScore |
| vulnerability_status | status, sourceStatus, providerStatus, statusCategory |
Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.
CrowdStrike Vulnerability Definitions
CrowdStrike provides comprehensive visibility into vulnerabilities across your network. However, CrowdStrike does not provide a dedicated API for directly retrieving vulnerability definitions. To bridge this gap, Brinqa has developed a distinct method for generating vulnerability definitions using data from CrowdStrike.
Take the following Vulnerability Definition ID for example:
ae83df32fef2184aaf5075b7e75e8edf_2a49280e6eaa5ebe5fdecdd337fcae14
The Vulnerability Definition ID is composed of two parts: [CrowdStrike Customer ID]_[CrowdStrike Definition ID]
-
CrowdStrike Customer ID (CID): The first part of the Vulnerability Definition ID serves as a unique identifier for your organization, ensuring that the vulnerability data is specific to your CrowdStrike environment.
-
CrowdStrike Definition ID: The second part of the Vulnerability Definition ID directly corresponds to the unique identifier of the vulnerability in your CrowdStrike environment.
In the above example, ae83df32fef2184aaf5075b7e75e8edf represents the CrowdStrike Customer ID, and 2a49280e6eaa5ebe5fdecdd337fcae14 is the CrowdStrike Definition ID. This format ensures that each vulnerability definition is accurately tied to the vulnerability identified within your organization's specific context.
Operation options
The CrowdStrike Cloud Security connector supports the following operation options. See connector operation options for information about how to apply them.
Table 5: CrowdStrike Cloud Security connector operation options
| Connector Object | Option | All Possible Values | Description | Example |
|---|---|---|---|---|
| Detection | image_id | Any valid image ID | Return only detections associated with the specified image ID(s). | Key: image_id Value: abc12345xyz. This key and value combination only retrieves detections for the specified image. |
| Image | repository | Any valid repository name | A comma-separated list of repository names. Return only images from the specified repositories. | Key: repository Value: my-org/app-backend, security-scanner/nginx. This key and value combination retrieves images from the specified repositories. |
| registry | Any valid registry URL and path | A comma-separated list of registry URLs. Return only images from the specified registries. | Key: registry Value: https://registry.example.com, https://dockerhub.io/library. This key and value combination retrieves images from the specified registries. | |
| Vulnerability | image_id | Any valid image ID | Return only vulnerabilities associated with the specified image ID(s). | Key: image_id Value: abc12345xyz. This key and value combination only retrieves vulnerabilities for the specified image. |
The option keys and values are case-sensitive as they are shown in this documentation.
APIs
The CrowdStrike Cloud Security connector uses the CrowdStrike API. Specifically, it uses the following endpoints:
Table 6: CrowdStrike Cloud Security API Endpoints
| Connector Object | API Endpoints |
|---|---|
| Detection | GET /container-security/combines/images/export/v1 |
| Image | GET /container-security/combined/image-assessment/images/v1 |
| Vulnerability | GET /container-security/combined/images/export/v1 |
Changelog
The CrowdStrike Cloud Security connector has undergone the following changes:
Table 7: CrowdStrike Cloud Security connector changelog
| Version | Description |
|---|---|
| 3.2.0 | Initial Integration+ release. |