CrowdStrike Falcon

CrowdStrike, part of CrowdStrike Falcon® Exposure Management, brings IT and Security teams together and improves visibility by combining CrowdStrike Expert Prediction Rating Artificial Intelligence (ExPRT) data with OneSite Patch deployment and management capabilities. Rather than exporting vulnerability data from CrowdStrike Falcon for patching, the integration includes ExPRT ratings from CrowdStrike directly in OneSite Patch, so you can prioritize patching according to your organization's requirements and remediate vulnerabilities faster.

Using Falcon Spotlight in OneSite Patch

Adaptiva and CrowdStrike Falcon® Exposure Management have integrated CrowdStrike vulnerability metadata with Adaptiva Patch metadata to allow Patch Deployment Bots to deploy patches based on Spotlight vulnerability metadata.

To access CrowdStrike from OneSite Patch, you must have a license from CrowdStrike that allows you to access CrowdStrike Falcon.

Access Falcon Spotlight

  1. Select Falcon Access Settings in the left navigation menu of the Admin Portal.

     This opens the Falcon Access Settings dialog.

  2. Enter the Falcon Access Settings. If you do not have these details, see Create a CrowdStrike API Client.

Enter the Falcon Access Setting Details

  1. Enter the Client ID, Secret, and Base URL in the respective fields of the Falcon Access Settings dialog.

  2. Select Save on the upper-left corner of the settings dialog. This populates Roles, Business Units, and vulnerability information in OneSite Patch related to the CrowdStrike Client ID.

  3. Select Business Units in the left navigation pane of the Admin Portal to verify that your client Business Units and templates exist.

Create a CrowdStrike API Client

Create a CrowdStrike API Client to generate the client settings needed to access CrowdStrike.

  1. Log in to your CrowdStrike Falcon Spotlight dashboard.

  2. Select the Stack icon on the upper-left of Dashboards and reports.

  3. Select Support and resources in the left navigation pane, and then select API clients and keys.

  4. Select Create API Client at the upper right.

     This opens the Create API Client dialog.

Set Client Details

In the CrowdStrike Falcon Spotlight Create API Client dialog, complete the following steps:

  1. Enter a Client name, and then enter a Description of the client.

  2. Select Read access in the Scope column for each of the following items:

    • Host Groups: A collection of devices that Adaptiva retrieves from CrowdStrike and uses to create business units.

    • Vulnerabilities: A list of defined vulnerabilities (trigger properties) that Adaptiva retrieves from CrowdStrike. Adaptiva utilizes these properties to set automation, such as scheduling based on ExPRT.AI ratings.

    • User Management: The OneSite Platform retrieves and adds CrowdStrike users and roles to the platform. The system automatically adds all users to the read-only, All Admins role.

    Note

    There is a built-in Approval Chain for the All Admins role, and users with this role will receive approval requests if this chain is assigned to a strategy.

  3. Select Create. This opens the API client created response, which contains the details you must enter in the Falcon Spotlight Access Settings.

    Important

    The API client created screen shows these details only once. Be sure to save this information in a safe location so you can access it later, if needed.

  4. Copy and paste the API client created details directly into the fields of the Falcon Spotlight Access Settings dialog in the Adaptiva OneSite Admin Portal.

  5. Select Save on the upper-left of the settings dialog. This populates Roles, Business Units, and vulnerability information in OneSite Patch related to the CrowdStrike Client ID.

Explore CrowdStrike Integration

  1. In the CrowdStrike settings page, click More.

    You can manage the Host and User Sync here, either refreshing, disabling, or deleting the data as needed.

    (Screenshot: Synchronization settings)

  2. Select Asset Management > Business Units in the left navigation pane. You can see your CrowdStrike Host Groups under the Root Falcon Host Group Business Unit.

    (Screenshot: Host group sync)

  3. Click the gear icon > Settings > Security > Administrators.

  4. In the details pane, click CrowdStrike Users.

    You can see the synchronized CrowdStrike Users here.

  5. Click a user and scroll down to Direct Roles.

    Imported users are automatically assigned the All Admins role and the Falcon Administrator role.

  6. On the top level navigation bar, click Roles.

  7. In the details pane, click CrowdStrike Roles.

    You can view the imported roles and leverage them to customize permissions for your users.

    (Screenshot: Users and Roles)

  8. In the left navigation pane, select Advanced Settings > Intent Schema > Bots > Patch Deployment Bots.

  9. In the details pane, select the Falcon folder.

    When you integrate CrowdStrike Falcon Exposure Management, OneSite Patch will generate patch deployment bots using Falcon metadata.

    (Screenshot: Patch Deployment Bots)

  10. In the results pane, click Patch Enterprise - Patch Deployment Bot - Falcon - Critical.

    Leveraging the Falcon ExPRT Score, the Patch Deployment Bot will identify Products with Critical vulnerabilities using the Falcon.ExPRT == "Critical" filter.

    (Screenshot: ExPRT Integration)

  11. Click Home.

Metadata properties

These metadata properties can be used to filter patches when creating patch strategies.

Property: Falcon.ExPRT
Description: The maximum ExPRT severity assigned to any CVE referenced by Risk.CveIds, including superseded CVEs. Possible values: Low, Medium, High, Critical.

Property: Falcon.ExploitStatus
Description: The maximum exploit status for any CVE listed in Risk.CveIds, including superseded CVEs.

Property: Falcon.KnownExploitExists
Description: CrowdStrike's indication of whether or not a known exploit exists for the vulnerability that this Object fixes.
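As an added illustration (not Adaptiva's or CrowdStrike's code), the following models how the three Falcon.* properties above are derived for one patch from per-CVE Spotlight data, including CVEs superseded by the ones in Risk.CveIds, and how a bot filter such as Falcon.ExPRT == "Critical" is evaluated against them. The CVE ids and ratings are constructed sample data, and the least-to-most-severe ordering of exploit-status labels is an assumption of this example.

```python
from collections import namedtuple

# ExPRT severity order, Low < Medium < High < Critical, as listed on the page.
EXPRT_ORDER = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}
# Assumed least-to-most-severe order of Spotlight exploit-status labels.
EXPLOIT_ORDER = {"Unproven": 0, "Available": 1, "Easily accessible": 2, "Actively used": 3}

# Per-CVE data as retrieved from Falcon Spotlight (field names are this example's own).
CveRating = namedtuple("CveRating", "exprt exploit_status known_exploit")

def all_cves(cve_ids, supersedes):
    """Risk.CveIds plus every superseded CVE reachable from them, deduplicated."""
    seen, stack = [], list(cve_ids)
    while stack:
        cve = stack.pop()
        if cve not in seen:
            seen.append(cve)
            stack.extend(supersedes.get(cve, []))
    return seen

def falcon_properties(cve_ids, supersedes, ratings):
    """Derive Falcon.ExPRT, Falcon.ExploitStatus and Falcon.KnownExploitExists for one patch."""
    rated = [ratings[c] for c in all_cves(cve_ids, supersedes) if c in ratings]
    if not rated:  # no Spotlight data for any CVE: properties are absent, not "Low"
        return {}
    return {
        "Falcon.ExPRT": max((r.exprt for r in rated), key=EXPRT_ORDER.__getitem__),
        "Falcon.ExploitStatus": max((r.exploit_status for r in rated), key=EXPLOIT_ORDER.__getitem__),
        "Falcon.KnownExploitExists": any(r.known_exploit for r in rated),
    }

def matches_filter(props, expression):
    """Evaluate a bot-style filter such as  Falcon.ExPRT == "Critical"  without eval()."""
    prop, _, value = (part.strip() for part in expression.partition("=="))
    expected = {"true": True, "false": False}.get(value.lower(), value.strip('"'))
    return props.get(prop) == expected

# Constructed sample data: CVE-0000-0001 supersedes the Critical, actively exploited CVE-0000-0002.
RATINGS = {
    "CVE-0000-0001": CveRating("High", "Available", False),
    "CVE-0000-0002": CveRating("Critical", "Actively used", True),
    "CVE-0000-0003": CveRating("Medium", "Unproven", False),
}
SUPERSEDES = {"CVE-0000-0001": ["CVE-0000-0002"]}

if __name__ == "__main__":
    props = falcon_properties(["CVE-0000-0001", "CVE-0000-0003"], SUPERSEDES, RATINGS)
    print(props)  # the superseded CVE lifts Falcon.ExPRT from High to Critical
    print(matches_filter(props, 'Falcon.ExPRT == "Critical"'))
```

Dropping the superseded CVE from the walk would rate the sample patch High and the Critical bot would skip it, which is why the property definitions above include superseded CVEs.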
