
CrowdStrike Falcon Spotlight


Overview

Nucleus enables you to sync your CrowdStrike Falcon Spotlight endpoint monitoring data directly from CrowdStrike into the Nucleus console using an automated connector. The connector uses the APIs provided by CrowdStrike to seamlessly sync data into your Nucleus project for use in analysis, triage, automation, and reporting.

Connector Setup

Connector Setup Checklist

Follow the steps in this checklist to successfully set up this connector:

  1. API Access

    Create a service account with appropriate permissions in CrowdStrike.

  2. Connector Configuration

    Create and configure the connector in your Nucleus project.

  3. Vulnerability Scan Data Ingestion

    Create one or more vulnerability scan ingest rules to ingest vulnerabilities from CrowdStrike.

1. API Access

  1. Navigate to your CrowdStrike Central Console.

  2. Under the Manage section, click Authentication.

  3. Click the Add User button and create a new user account with the Administrator role, access to All Projects, and read access to the hosts, host-groups and vulnerabilities endpoints.

Required CrowdStrike Permissions

The Administrator role is required to view, create, or modify API clients or keys. Read access to the hosts, host-groups and vulnerabilities endpoints is required for the connector to pull data correctly. Learn more about CrowdStrike API access.

2. Connector Configuration

  1. Open Nucleus and go to Integration Hub > Connector Setup.

  2. Under the Scanners section, click the CrowdStrike icon.

  3. In the Setup CrowdStrike Connector popup, enter the following information:

  • Name - (Optional) Enter a name for your connector. If left blank, this will default to CrowdStrike.

  • Description - (Optional) Enter a description for your connector.

  • CrowdStrike URL - Enter the URL to your CrowdStrike console.

  • Client ID - Enter the client ID associated with your CrowdStrike API client.

  • Client Secret - Enter the client secret associated with your CrowdStrike API client.

  • Member CID - (Optional) Enter a member CID to restrict data ingestion to that member's data. This setting is mostly used by MSSPs activating the connector on behalf of their customers.

  4. Click Connect to CrowdStrike.

  5. If you checked Enable CrowdStrike Projects, select the projects that you want to ingest scans from.

  6. Click Save & Finish.

3. Vulnerability Scan Data Ingestion

  1. Go to Integration Hub > Import via Connector.

  2. Select the CrowdStrike connector you just created.

  3. Select the method of import: All, or by Host Group.

  4. If you are importing by Host Group, select the groups to import.

  5. Select a schedule to import scans into the project.

  6. Click Save & Finish.

What products are supported from CrowdStrike?

The Nucleus CrowdStrike connector currently supports ingestion from CrowdStrike's Spotlight service.

Connector Behavior

Ingest methods

The CrowdStrike connector lets you choose between two options for selecting what data to ingest:

  • All - Ingests all hosts in all host groups from your CrowdStrike CID.

  • Host Group - Lets you select the host groups whose hosts are ingested into Nucleus.

Asset-sync mode

Limited Availability Product

Asset-sync mode is a Limited Availability product. Contact your account representative or Nucleus support to enable.

When in asset-sync mode, the CrowdStrike connector downloads and updates asset information only. This mode is activated by Nucleus upon customer request; all configuration and ingest method options remain the same for the customer.

Finding Evaluation Logic

Customers may opt in to ingesting evaluation logic from CrowdStrike into the finding output field in Nucleus. Please contact support or your Nucleus customer success manager if you would like this enabled.

Performance Note

The evaluation logic provided by CrowdStrike is large relative to the other finding-related information. Including this data may increase download and ingestion times, depending on the size of your environment.

Finding Reference Links

Findings from CrowdStrike include CVE reference URLs and vendor advisory links. These are capped at 20 each per finding. If a finding contains more than 20, refer to the threat intelligence tab for more information on the identified CVE.
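The following Python is an added illustration, not Nucleus or CrowdStrike code, of three behaviours described on this page together: the All versus Host Group ingest methods, the optional Member CID restriction from the connector fields, and the cap of 20 CVE reference URLs and 20 vendor advisory links per finding. The record shapes, field names (host_id, cid, groups, cve_urls, advisory_urls), the sample hosts and the placeholder CVE identifiers are all assumptions constructed for the example; the real connector works from the CrowdStrike API responses, not from these records.

```python
# Added illustration (not Nucleus or CrowdStrike code) of the connector behaviour
# the page describes: "All" vs "Host Group" ingest, the optional Member CID
# restriction, and the 20-per-finding cap on reference links.
# Record shapes, field names and all sample data below are assumptions.
from dataclasses import dataclass

MAX_REFERENCE_LINKS = 20  # cap stated on the page: 20 CVE URLs and 20 advisory links


@dataclass(frozen=True)
class Host:
    host_id: str
    cid: str            # customer ID the host belongs to (assumed field name)
    groups: frozenset   # host groups the host is a member of (assumed field name)


@dataclass(frozen=True)
class Finding:
    host_id: str
    cve: str
    cve_urls: tuple
    advisory_urls: tuple


def select_hosts(hosts, method, selected_groups=(), member_cid=None):
    """Return the hosts the connector would ingest.

    method          "All": every host in the CID; "Host Group": only hosts that
                    belong to at least one of selected_groups.
    member_cid      optional MSSP restriction: keep only hosts of that member CID.
    """
    if method not in ("All", "Host Group"):
        raise ValueError(f"unknown ingest method: {method!r}")
    if method == "Host Group" and not selected_groups:
        raise ValueError("Host Group method needs at least one selected group")
    wanted = frozenset(selected_groups)
    kept = []
    for host in hosts:
        if member_cid is not None and host.cid != member_cid:
            continue                      # another member's data: skipped
        if method == "Host Group" and not (host.groups & wanted):
            continue                      # not in any selected group
        kept.append(host)
    return kept


def cap_references(finding):
    """Apply the per-finding cap; return (capped finding, True if any link was dropped)."""
    dropped = (len(finding.cve_urls) > MAX_REFERENCE_LINKS
               or len(finding.advisory_urls) > MAX_REFERENCE_LINKS)
    capped = Finding(finding.host_id, finding.cve,
                     finding.cve_urls[:MAX_REFERENCE_LINKS],
                     finding.advisory_urls[:MAX_REFERENCE_LINKS])
    return capped, dropped


def ingest(hosts, findings, method, selected_groups=(), member_cid=None):
    """Run one import: select hosts, keep only their findings, cap reference links.

    Returns (selected host IDs, capped findings, (host, CVE) pairs that lost links),
    the last of which tells an analyst where to consult the threat intelligence tab.
    """
    selected = {h.host_id for h in select_hosts(hosts, method, selected_groups, member_cid)}
    out, truncated = [], []
    for f in findings:
        if f.host_id not in selected:
            continue
        capped, dropped = cap_references(f)
        out.append(capped)
        if dropped:
            truncated.append((f.host_id, f.cve))
    return selected, out, truncated


# Constructed sample data (not real CrowdStrike records; CVE IDs are placeholders).
HOSTS = [
    Host("h1", "CID-A", frozenset({"prod-web"})),
    Host("h2", "CID-A", frozenset({"prod-web", "dmz"})),
    Host("h3", "CID-A", frozenset({"lab"})),
    Host("h4", "CID-B", frozenset({"prod-web"})),   # belongs to a different member CID
]
FINDINGS = [
    Finding("h1", "CVE-0000-0001",
            tuple(f"https://example.invalid/cve/{i}" for i in range(25)), ()),
    Finding("h3", "CVE-0000-0002",
            ("https://example.invalid/cve/a",), ("https://example.invalid/adv/a",)),
    Finding("h4", "CVE-0000-0003",
            (), tuple(f"https://example.invalid/adv/{i}" for i in range(21))),
]

if __name__ == "__main__":
    sel, out, trunc = ingest(HOSTS, FINDINGS, "Host Group", ["prod-web"], member_cid="CID-A")
    print(sorted(sel), [(f.cve, len(f.cve_urls)) for f in out], trunc)
```

Running the block with the Host Group method, the prod-web group and Member CID CID-A keeps only h1 and h2: h3 is outside the selected group and h4 belongs to another member, so neither host's findings are imported; h1's finding is kept with its CVE URL list trimmed to 20 and is reported as truncated.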

Other questions

If you have any questions, please contact us through the support center.