# CrowdStrike Falcon

CrowdStrike, part of CrowdStrike Falcon® Exposure Management, brings IT and Security teams together and improves visibility by combining CrowdStrike Expert Prediction Rating Artificial Intelligence (ExPRT) data with OneSite Patch deployment and management capabilities. Rather than exporting vulnerability data from CrowdStrike Falcon for patching, the integration includes ExPRT ratings from CrowdStrike directly in OneSite Patch, so you can prioritize patching preferences according to your organization's requirements and remediate vulnerabilities faster.

## Using Falcon Spotlight in OneSite Patch

Adaptiva and CrowdStrike Falcon® Exposure Management have integrated CrowdStrike vulnerability metadata with Adaptiva Patch metadata to allow Patch Deployment Bots to deploy patches based on Spotlight vulnerability metadata.

To access CrowdStrike from OneSite Patch, you must have a license from [CrowdStrike](https://www.crowdstrike.com/) that allows you to access CrowdStrike Falcon.

## Access Falcon Spotlight

1. Select **Falcon Access Settings** in the left navigation menu of the Admin Portal.

   ![](/files/M07SU2ZPCY7ahVFYTN1w)

This opens the **Falcon Access Settings** dialog.

![](/files/gvR5m37vZgzSr3xCV3Dx)

2. Enter the **Falcon Access Settings**. If you do not have these details, see [Create a CrowdStrike API Client](#create-a-crowdstrike-api-client).

## Enter the Falcon Access Setting Details

1. Enter the **Client ID**, **Secret**, and **Base URL** in the respective fields of the **Falcon Access Settings** dialog.

   ![](/files/BLCZiUgxB48iuE66wgvH)
2. Select **Save** in the upper-left corner of the settings dialog. This populates Roles, Business Units, and vulnerability information in OneSite Patch related to the CrowdStrike Client ID.
3. Select **Business Units** in the left navigation pane of the Admin Portal to verify that your client Business Units and templates exist.

## Create a CrowdStrike API Client

Create a CrowdStrike API Client to generate the client settings needed to access CrowdStrike.

1. Log in to your **CrowdStrike Falcon Spotlight dashboard**.
2. Select the Stack icon on the upper-left of **Dashboards and reports**.

   ![](/files/mrwOMtmu9qwNEM848kU4)
3. Select **Support and resources** in the left navigation pane, and then select **API clients and keys**.

   ![](/files/ZPtlZ5ogBNvMWsyz0eiX)
4. Select **Create API Client** at the upper right.

   ![](/files/5d0wxvQ6ApOXB1iEXdEM)

This opens the **Create API Client** dialog.

![](/files/LkcqFCeyBoGYtP7tfdN7)

## Set Client Details

In the **CrowdStrike Falcon Spotlight Create API Client** dialog, complete the following steps:

1. Enter a **Client name**, and then enter a **Description** of the client.
2. Select **Read access** in the **Scope** column for each of the following items:
   * **Host Groups:** A collection of devices that Adaptiva retrieves from CrowdStrike and uses to create business units.
   * **Vulnerabilities:** A list of defined vulnerabilities (trigger properties) that Adaptiva retrieves from CrowdStrike. Adaptiva utilizes these properties to set automation, such as scheduling based on ExPRT.AI ratings.
   * **User Management:** The OneSite Platform retrieves and adds CrowdStrike users and roles to the platform. The system automatically adds all users to the read-only **All Admins** role.

{% hint style="info" %}
There is a built-in Approval Chain for the **All Admins** role, and users with this role will receive approval requests if this chain is assigned to a strategy.
{% endhint %}

3. Select **Create**. This opens the **API client created** response, which contains the details you must enter in the **Falcon Spotlight Access Settings**.

   ![](/files/xUv9SUpm4jsZff0nGh45)

   > **Important**
   >
   > The **API client created** screen shows these details only once. Be sure to save this information in a safe location so you can access it later, if needed.
4. Copy and paste the **API client created** details directly into the fields of the **Falcon Spotlight Access Settings** dialog in the Adaptiva OneSite Admin Portal.

   ![](/files/BLCZiUgxB48iuE66wgvH)
5. Select **Save** in the upper-left corner of the settings dialog. This populates Roles, Business Units, and vulnerability information in OneSite Patch related to the CrowdStrike Client ID.

## Explore CrowdStrike Integration

1. In the CrowdStrike settings page, click **More**.

   You can manage the Host and User Sync here by refreshing, disabling, or deleting the data as needed.

   ![Synchronization settings](/files/NYLep4MCp3s8kB5c45sE)
2. Select **Asset Management > Business Units** in the left navigation pane. You can see your CrowdStrike Host Groups under the **Root Falcon Host Group Business Unit**.

   ![Host group sync](/files/kdOdEXgyCVz8y6nNuAsV)
3. Click the **gear icon > Settings > Security > Administrators**.
4. In the details pane, click **CrowdStrike Users**.

   You can see the synchronized CrowdStrike Users here.
5. Click a user and scroll down to **Direct Roles**.

   Users are automatically assigned the All Admin Role and Falcon Administrator role when imported.
6. On the top level navigation bar, click **Roles**.
7. In the details pane, click **CrowdStrike Roles**.

   You can view the imported roles and leverage them to customize permissions for your users.

   ![Users and Roles](/files/iw1rHcgaxBHru5qKjYJI)
8. In the left navigation pane, select **Advanced Settings > Intent Schema > Bots > Patch Deployment Bots**.
9. In the details pane, select the **Falcon** folder.

   When you integrate CrowdStrike Falcon Exposure Management, OneSite Patch will generate patch deployment bots using Falcon metadata.

   ![Patch Deployment Bots](/files/FrALgkcESGrXOwrE8jwO)
10. In the results pane, click **Patch Enterprise - Patch Deployment Bot - Falcon - Critical**.

    Leveraging the Falcon ExPRT Score, the Patch Deployment Bot will identify Products with Critical vulnerabilities using the `Falcon.ExPRT == "Critical"` filter.

    ![ExPRT Integration](/files/OFXFG0fydhpzW9j7HpC4)
11. Click **Home**.

## Metadata properties

These metadata properties can be used to filter patches when creating patch strategies.

| Property                  | Description                                                                                                                                              |
| ------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Falcon.ExPRT              | Represents the maximum ExPRT severity assigned to any CVE referenced by Risk.CveIds, including superseded CVEs. Filtered by Low, Medium, High, Critical. |
| Falcon.ExploitStatus      | Represents the maximum exploit status for any CVE listed in Risk.CveIds, including superseded CVEs.                                                      |
| Falcon.KnownExploitExists | CrowdStrike's indication of whether or not a known exploit exists for the vulnerability that this Object fixes.                                          |
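
The roll-up described in the `Falcon.ExPRT` row, together with the `Falcon.ExPRT == "Critical"` bot filter, sketched as an added example (not Adaptiva or CrowdStrike code). The patch/CVE data model, the reading of "including superseded CVEs" as the CVEs of every superseded patch (followed transitively), and all identifiers are assumptions constructed for illustration.

```python
# Added example: hypothetical data model, not Adaptiva's or CrowdStrike's code.
SEVERITIES = ("Low", "Medium", "High", "Critical")  # filter values from the table
RANK = {name: i for i, name in enumerate(SEVERITIES)}

# Constructed sample data. CVE IDs are placeholders, not real identifiers.
CVE_EXPRT = {
    "CVE-0000-0001": "Low",
    "CVE-0000-0002": "High",
    "CVE-0000-0003": "Critical",
    "CVE-0000-0004": "Medium",
}
PATCHES = {
    "patch-2024-03": {"cve_ids": ["CVE-0000-0001"], "supersedes": ["patch-2024-02"]},
    "patch-2024-02": {"cve_ids": ["CVE-0000-0002"], "supersedes": ["patch-2024-01"]},
    "patch-2024-01": {"cve_ids": ["CVE-0000-0003"], "supersedes": []},
    "patch-tool-1": {"cve_ids": ["CVE-0000-0004", "CVE-0000-0099"], "supersedes": []},
    "patch-norisk": {"cve_ids": [], "supersedes": []},
}

def collect_cve_ids(patch_id, patches):
    """CVEs of the patch plus those of every patch it supersedes (assumed transitive)."""
    seen, stack, cves = set(), [patch_id], []
    while stack:
        current = stack.pop()
        if current in seen or current not in patches:
            continue  # guard against supersedence cycles and dangling references
        seen.add(current)
        cves.extend(patches[current]["cve_ids"])
        stack.extend(patches[current]["supersedes"])
    return cves

def falcon_exprt(patch_id, patches, ratings):
    """Maximum ExPRT severity over the collected CVEs, or None if none is rated."""
    rated = [ratings[c] for c in collect_cve_ids(patch_id, patches) if c in ratings]
    return max(rated, key=RANK.__getitem__) if rated else None

def select_by_exprt(level, patches, ratings):
    """Equivalent of the bot filter Falcon.ExPRT == "<level>"."""
    return sorted(p for p in patches if falcon_exprt(p, patches, ratings) == level)

if __name__ == "__main__":
    for pid in PATCHES:
        print(pid, falcon_exprt(pid, PATCHES, CVE_EXPRT))
    print(select_by_exprt("Critical", PATCHES, CVE_EXPRT))
```

Under this model, a current patch whose own CVEs rate Low still matches the Critical filter when a patch it supersedes fixed a Critical CVE, which is why the maximum rather than the latest rating drives prioritization.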

