CrowdStrike Vulnerability Scanners

The following article exclusively pertains to a Graylog Security feature or functionality. Graylog Security is a part of the Graylog centralized log management platform and requires a separate license. Contact the Graylog Sales team for more information on this product.

CrowdStrike Falcon is a cloud-native endpoint protection platform that provides threat detection, prevention, and response capabilities, and offers vulnerability management through the Falcon Spotlight module. Graylog Security integrates with Falcon Spotlight to ingest vulnerability data and associate it with assets in the Graylog asset inventory.

Prerequisites

Before proceeding, ensure that the following prerequisites are met:

  • Obtain a CrowdStrike Falcon subscription with access to:

    • Falcon Host Management (for asset imports)

    • Falcon Spotlight (for vulnerability scanning)

  • Create CrowdStrike API credentials with the required permissions.

  • Ensure Graylog can access the CrowdStrike API endpoints for your region.

Choose the Right Integration

The Graylog Security asset inventory integrates with CrowdStrike in three ways, allowing you to import asset data, ingest vulnerability data, or combine both depending on your environment and use case. Choose one of the following integration methods based on your data and configuration requirements:

  • Asset Source: Imports device/machine assets from your CrowdStrike Falcon environment into Graylog's asset inventory. Vulnerability data can be optionally included. This option is recommended for most users because it provides both host and vulnerability data in a single configuration.

  • Vulnerability Scanner: Ingests vulnerability data from CrowdStrike Spotlight, linking it to existing Graylog assets and automatically creating new assets when necessary.

    • Use when assets already exist in Graylog (for example, from Active Directory, LDAP, or Microsoft 365).

    • Use when you need vulnerability data without importing host assets.

    • Use when you need granular filtering (for example, only Critical severity or only open CVEs).

  • Asset Source + Vulnerability Scanner: Use both the Asset Source and Vulnerability Scanner if you need advanced capabilities like different sync schedules for assets vs. vulnerabilities or separate filtering criteria for each.

Set Up CrowdStrike

For Graylog to retrieve vulnerability data, you must configure API access in CrowdStrike Falcon.

Create API Credentials

Create an API client in the CrowdStrike Falcon console with the following scopes assigned with READ permissions:

For Asset Source:

  • hosts:read: Required to query and retrieve host/device information.

  • devices:read: Required to retrieve device details.

  • spotlight-vulnerabilities:read: Required only if the Include Vulnerabilities configuration setting is enabled on the mapping.

For Vulnerability Scanner:

  • hosts:read: Required to retrieve host information for vulnerability correlation.

  • devices:read: Required to retrieve device details.

  • spotlight-vulnerabilities:read: Required to fetch vulnerability data from Spotlight.

Add a CrowdStrike Asset Source

The CrowdStrike asset source imports machine assets (endpoints) from your CrowdStrike environment into Graylog Security's asset database.

To add a CrowdStrike asset source:

  1. Navigate to Security > Assets, then select the Sources tab.

  2. Select New Source, then select CrowdStrike from the dropdown.

  3. Enter the required connection configuration options:

Configuration is split into two steps: Connection Configuration (Source setup) and Mappings Configuration.

Connection Configuration

  • Title: Provide a unique, descriptive name for this asset source. Example: "CrowdStrike Production Endpoints".

  • Region: Select the cloud region where your CrowdStrike tenant is hosted. This setting must match your Falcon console region.

  • Client ID: Enter the API client ID from your CrowdStrike API client.

  • Client Secret: Enter the API client secret from your CrowdStrike API client.

  • Description (optional): Provide details about the purpose of this asset source. Although this field is optional, consider adding information here, particularly if you create multiple CrowdStrike sources.

Mappings Configuration

A mapping defines what to import from the connected source and on what schedule. You can create multiple mappings per source (e.g. one for Windows servers, one for Linux workstations).

  • Mapping Title: Provide a name for this mapping. Example: "All Hosts", "Windows Servers".

  • Categories (optional): Assign category tags to imported assets.

  • Priority (optional): Set the risk priority level for assets imported by this mapping. This value is used in risk score calculations.

  • Description (optional): Add details about this mapping. Example: "All production hosts."

  • Enable Sync (optional): Toggle scheduled, recurring imports. This option is disabled by default.

  • Sync Interval in Hours (optional): How often Graylog polls CrowdStrike for updates when sync is enabled. The default is 24 hours.

Machine Asset Mapping

  • Device Filter (optional): Falcon Query Language (FQL) filter to select specific devices.

    • Leave empty to import all devices.

    • Use FQL syntax to target specific subsets of your environment. Examples:

      • platform_name:'Windows': Imports only Windows devices.

      • hostname:*'server': Imports devices with "server" in the hostname.

      • platform_name:'Windows'+status:'normal': Combines multiple conditions (the + operator is a logical AND).

    See the CrowdStrike FQL documentation for complete syntax.

  • Include Vulnerabilities: Enable or disable importing vulnerability data alongside asset information. This setting is disabled by default.

    • When enabled: Assets imported from this mapping include their CrowdStrike Spotlight vulnerability data.

    • When disabled: Only core asset data (hostname, IPs, MACs, etc.) is imported.

    • Requires the spotlight-vulnerabilities:read API scope when enabled.

When you have completed the required settings, select Test Server Connection to verify that Graylog can reach CrowdStrike with the configured credentials.

Imported Asset Data

When a CrowdStrike mapping runs, Graylog imports device data and stores it in the asset inventory. You can view imported assets and their details by navigating to Security > Assets.

For each CrowdStrike device, the following fields are imported.

Identity & Matching Fields

This set of fields is used by Graylog to correlate assets with log events and other data sources:

  • Device ID (AID): CrowdStrike's unique device identifier. Graylog stores this internally to track the device across syncs. You do not need to interact with it directly, but it ensures that a device is recognized as the same asset even if its hostname or IP changes.

  • Hostname: The device's network hostname. Displayed on the asset detail page and used to correlate the asset with log messages and alerts.

  • IP Addresses (local and external interfaces): Displayed on the asset detail page and used for event correlation and network-level matching.

  • MAC Addresses: Displayed on the asset detail page and used for network-level asset correlation when IP addresses are dynamic.

Metadata & Display Fields

These fields provide additional context about each asset and are visible on the asset detail page in the asset's description.

  • Platform Name (e.g. Windows, Mac, Linux): Helps you filter and group assets by operating system.

  • OS Version: Useful for identifying assets running outdated or vulnerable OS versions.

  • Machine Domain: The Active Directory or network domain the device belongs to. Stored as the asset's "owner" field, which you can use to filter assets by domain.

  • Tags (CrowdStrike sensor tags): Any tags applied to the device in CrowdStrike, useful for identifying asset groups or environments (e.g. "Production", "PCI-scope").

  • Organizational Units (OU assignments): Active Directory OU assignments for the device, helping you understand where the device sits in your directory structure.

How Device ID (AID) Works

During a CrowdStrike asset source sync, the first import creates new assets and stores the device ID as sourceAssetId. On subsequent imports, incoming devices are matched to existing assets using this identifier. If a match is found, the existing asset is updated with the latest data from CrowdStrike. If no match is found, a new asset is created. If a device's hostname or IP address changes in CrowdStrike, the system still recognizes it as the same device and updates the existing asset record rather than creating a duplicate.
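The AID matching rule described above, as an added Python illustration that is not Graylog's own code. The Asset class, the sync_devices function and the device records are constructed for this example; the real import reads CrowdStrike's device fields rather than these placeholders.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class Asset:
    """One inventory record, keyed by the CrowdStrike device ID (AID)."""
    source_asset_id: str            # AID kept so later syncs re-match the device
    hostname: str
    ips: list[str]
    owner: str = ""                 # machine domain is stored as the "owner" field
    tags: list[str] = field(default_factory=list)

def sync_devices(inventory: dict[str, Asset], devices: list[dict]) -> dict[str, int]:
    """Merge one sync's device list into the inventory, matching on AID only:
    a known AID updates its asset in place even if hostname/IPs changed; an
    unknown AID creates a new asset even if its hostname collides with an
    existing one. Returns how many assets were created and updated."""
    created = updated = 0
    for dev in devices:
        aid = dev["device_id"]
        if aid in inventory:
            asset = inventory[aid]
            asset.hostname = dev["hostname"]
            asset.ips = list(dev.get("ips", []))
            asset.owner = dev.get("machine_domain", asset.owner)
            asset.tags = list(dev.get("tags", asset.tags))
            updated += 1
        else:
            inventory[aid] = Asset(aid, dev["hostname"], list(dev.get("ips", [])),
                                   dev.get("machine_domain", ""), list(dev.get("tags", [])))
            created += 1
    return {"created": created, "updated": updated}

# Constructed sample syncs; AIDs, hostnames and addresses are placeholders.
FIRST_SYNC = [
    {"device_id": "aid-0001", "hostname": "web01", "ips": ["10.0.0.5"], "machine_domain": "corp.example"},
    {"device_id": "aid-0002", "hostname": "db01", "ips": ["10.0.0.9"], "machine_domain": "corp.example"},
]
SECOND_SYNC = [
    # aid-0001 was renamed and re-addressed: must be updated, not duplicated
    {"device_id": "aid-0001", "hostname": "web01-new", "ips": ["10.0.1.5"], "tags": ["Production"]},
    # a new sensor reusing db01's old hostname has a different AID: new asset
    {"device_id": "aid-0003", "hostname": "db01", "ips": ["10.0.0.9"]},
]

def run_demo() -> tuple[dict[str, Asset], dict[str, int], dict[str, int]]:
    inventory: dict[str, Asset] = {}
    first = sync_devices(inventory, FIRST_SYNC)     # creates 2
    second = sync_devices(inventory, SECOND_SYNC)   # updates 1, creates 1
    return inventory, first, second
```

The second sync shows why matching on hostname alone would be wrong: the renamed host would become a duplicate, and the new sensor reusing "db01" would silently overwrite the old record.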

Add a CrowdStrike Scanner

The CrowdStrike Vulnerability Scanner fetches vulnerability data from Falcon Spotlight and associates it with assets in Graylog Security's asset database.

To add a CrowdStrike scanner:

  1. Navigate to Security > Assets, then select the Vulnerability Scanners tab.

  2. Select Add Scanner, then choose CrowdStrike from the dropdown.

  3. Enter the required configuration options:

    • Title: Assign a unique title to the scanner. Example: "CrowdStrike Vulnerabilities".

    • Description (optional): Provide details about the purpose of this scanner. Although this field is optional, consider adding information here, particularly if you create multiple CrowdStrike scanners.

    • Enabled/Disabled Sync (optional): Toggle this setting to enable or disable automatic import of scan data on a specified interval.

    • Sync Interval in Hours (optional): If you enable sync, set how frequently to run a new import of scan data to update vulnerability information on your Graylog assets. The default is 24 hours (once per day).

    • CrowdStrike Region: Select the cloud region where your CrowdStrike tenant is hosted. This setting must match your Falcon console region. The default is US-1.

    • Client ID: Enter the OAuth2 API client ID from CrowdStrike Falcon.

    • Client Secret: Enter the OAuth2 API client secret from CrowdStrike Falcon.

    • Vulnerability Filter (optional): Filter vulnerabilities using Falcon Query Language (FQL). Leave empty to import all vulnerabilities. The default value status:'open' imports all open vulnerabilities. Use FQL syntax to target specific subsets of your environment.

  4. Save the scanner configuration.

When the scanner is successfully configured, it appears in the Vulnerability Scanners list with these actions:

  • Sync Vulnerabilities: Run an on-demand vulnerability sync.

  • Edit Connection: Modify the scanner configuration.

  • Delete: Remove the scanner.

  • Bulk Actions: Import Vulnerability Scan Results or apply actions across multiple scanners.

  • Enable/Disable Sync: Toggle scheduled sync from the list row.

Imported Vulnerability Data

When the scanner runs, vulnerability data from Falcon Spotlight is imported and associated with assets in Graylog. You can view vulnerability details on the asset detail page under Security > Assets.

For each vulnerability detected by Falcon Spotlight, the following data is imported:

  • CVE Identifier (e.g. CVE-2023-12345): The industry-standard identifier for the specific vulnerability. You can use this to cross-reference with external databases like NIST NVD or vendor advisories.

  • CVSS Score: A numeric score from 0.0 to 10.0 representing the severity of the vulnerability, based on the Common Vulnerability Scoring System (CVSS). Higher scores indicate greater risk. Graylog uses this score in risk calculations and prioritization.

  • Severity (Critical, High, Medium, Low): Use this to filter and prioritize remediation efforts, for example by filtering the vulnerability list to show only Critical and High items.
