CrowdStrike
Visualize Crowdstrike endpoint agents and protected devices, map agents to devices and their respective owners, and monitor changes through queries and alerts.
- Installation
- Data Model
- Types
Installation
You will need to create an API client ID and an API client secret on Crowdstrike. See their documentation for more information.
When creating the API client ID and API client secret, provide (at minimum) read access to the following API Scopes:
- Hosts
- Prevention Policies
Other scopes are required when enabling additional ingestion steps:
- "Fetch Vulnerabilities" step:
- Spotlight Vulnerabilities
- "Fetch Zero Trust Assessments" step:
- Zero Trust Assessments
The query used to ingest vulnerabilities limits to the date/time of the last successful integration or to the last 30 days for the initial run. Similarly, only crowdstrike_sensors seen by CrowdStrike in the last 30 days will be ingested.
To install the Crowdstrike integration in JupiterOne, navigate to the Integrations tab in JupiterOne and select Crowdstrike. Click New Instance to begin configuring your integration.
Creating a configuration requires the following:
The Account Name used to identify the Crowdstrike account in JupiterOne. Ingested entities will have this value stored in
tag.AccountNamewhen theAccountNametoggle is enabled.Description to assist in identifying the integration instance, if desired.
Polling Interval that you feel is sufficient for your monitoring needs. You may leave this as
DISABLEDand manually execute the integration.Your Crowdstrike API client ID and API client secret to authenticate with the CrowdStrike Falcon and Spotlight APIs.
Enter the Availability Zone you'd like to use for API calls. Leave blank to use the main API endpoint. For example, entering
us-2as the availability zone will result in the use of a CrowdStrike API endpoint ofapi.us-2.crowdstrike.com.
Click Create once all values are provided to finalize the integration.
The CrowdStrike integration only ingests information on applications that have vulnerabilities. Applications without vulnerabilities will not be ingested into JupiterOne.
Next steps
Now that your integration instance has been configured, it will begin running on the polling interval you provided, populating data within JupiterOne. Continue on to our Instance management guide to learn more about working with and editing integration instances.
Entities
The following entities are created:
| Resources | Entity _type | Entity _class |
|---|---|---|
| Account | crowdstrike_account | Account |
| Application | crowdstrike_detected_application | Application |
| Container Image | crowdstrike_container_image | Image |
| Device | crowdstrike_host | Host |
| Device Control Policy | crowdstrike_device_control_policy | ControlPolicy |
| Device Sensor Agent | crowdstrike_sensor | HostAgent |
| Discover Application | crowdstrike_discover_application | Application |
| Firewall Policy | crowdstrike_firewall_policy | ControlPolicy |
| Image Vulnerability | crowdstrike_image_vulnerability | Finding |
| Prevention Policy | crowdstrike_prevention_policy | ControlPolicy |
| Prevention Policy Setting | crowdstrike_prevention_policy_setting | Configuration |
| Service | crowdstrike_endpoint_protection | Service |
| User | crowdstrike_user | User |
| Vulnerability | crowdstrike_vulnerability | Finding |
| Zero Trust Assessment | crowdstrike_zero_trust_assessment | Assessment |
Relationships
The following relationships are created:
Source Entity _type | Relationship _class | Target Entity _type |
|---|---|---|
crowdstrike_account | HAS | crowdstrike_endpoint_protection |
crowdstrike_account | HAS | crowdstrike_sensor |
crowdstrike_account | HAS | crowdstrike_container_image |
crowdstrike_account | HAS | crowdstrike_user |
crowdstrike_container_image | EXPLOITS | crowdstrike_vulnerability |
crowdstrike_detected_application | HAS | crowdstrike_vulnerability |
crowdstrike_prevention_policy | ENFORCES | crowdstrike_endpoint_protection |
crowdstrike_prevention_policy | HAS | crowdstrike_prevention_policy_setting |
crowdstrike_sensor | PROTECTS | crowdstrike_host |
crowdstrike_sensor | ASSIGNED | crowdstrike_prevention_policy |
crowdstrike_sensor | HAS | crowdstrike_zero_trust_assessment |
crowdstrike_sensor | ASSIGNED | crowdstrike_device_control_policy |
crowdstrike_sensor | ASSIGNED | crowdstrike_firewall_policy |
crowdstrike_sensor | INSTALLED | crowdstrike_discover_application |
crowdstrike_vulnerability | EXPLOITS | crowdstrike_sensor |
Mapped Relationships
The following mapped relationships are created:
Source Entity _type | Relationship _class | Target Entity _type | Direction |
|---|---|---|---|
crowdstrike_sensor | ASSIGNED | crowdstrike_device_control_policy | FORWARD |
crowdstrike_sensor | ASSIGNED | crowdstrike_firewall_policy | FORWARD |
crowdstrike_vulnerability | IS | cve | FORWARD |
Crowdstrike Account
crowdstrike_account inherits from Account
| Property | Type | Description | Specifications |
|---|---|---|---|
cid | string |
Crowdstrike Container Image
crowdstrike_container_image inherits from Image
| Property | Type | Description | Specifications |
|---|---|---|---|
cid | string | ||
imageId | string | ||
lastSeen | number | ||
registry | string | ||
repository | string | ||
tag | string |
Crowdstrike Detected Application
crowdstrike_detected_application inherits from Application
| Property | Type | Description | Specifications |
|---|---|---|---|
evaluationLogicId * | string | ||
open * | boolean | ||
remediationIds | array of strings |
Crowdstrike Device Control Policy
crowdstrike_device_control_policy inherits from ControlPolicy
| Property | Type | Description | Specifications |
|---|---|---|---|
cid * | string | ||
createdBy * | string | ||
description * | string | ||
enabled * | boolean | ||
id * | string | ||
modifiedBy * | string | ||
name * | string | ||
platformName * | string | ||
settingsClasses * | array of strings | ||
settingsEndUserNotification * | string | ||
settingsEnforcementMode * | string |
Crowdstrike Discover Application
crowdstrike_discover_application inherits from Application
| Property | Type | Description | Specifications |
|---|---|---|---|
architectures | array of strings | ||
isNormalized | boolean | ||
isSuspicious | boolean | ||
vendor | string | ||
versioningScheme | string |
Crowdstrike Endpoint Protection
crowdstrike_endpoint_protection inherits from Service
Crowdstrike Firewall Policy
crowdstrike_firewall_policy inherits from ControlPolicy
| Property | Type | Description | Specifications |
|---|---|---|---|
channelVersion * | number | ||
cid * | string | ||
createdBy * | string | ||
description * | string | ||
enabled * | boolean | ||
id * | string | ||
modifiedBy * | string | ||
name * | string | ||
platformName * | string | ||
ruleSetId * | string |
Crowdstrike Host
crowdstrike_host inherits from Host
| Property | Type | Description | Specifications |
|---|---|---|---|
agentVersion | string | ||
chassisTypeDescription | string | ||
cid * | string | ||
ec2InstanceArn | string | ||
emails * | array | null | Email addresses associated with the host. email and associated_email_addresses are referenced. | |
filesystemContainmentStatus | string | ||
firstSeenOn | number | ||
groupHash | string | ||
kernelVersion | string | ||
lastLoginUser | string | ||
lastLoginUserSid | string | ||
ou | array of strings | ||
provisionStatus | string |
Crowdstrike Image Vulnerability
crowdstrike_image_vulnerability inherits from Finding
| Property | Type | Description | Specifications |
|---|---|---|---|
cpsCurrentRating | string | ||
cveId | string | ||
cvssScore | number | ||
exploitedStatus | number | ||
remediationAvailable | boolean |
Crowdstrike Prevention Policy
crowdstrike_prevention_policy inherits from ControlPolicy
| Property | Type | Description | Specifications |
|---|---|---|---|
cid * | string |
Crowdstrike Prevention Policy Setting
crowdstrike_prevention_policy_setting inherits from Configuration
| Property | Type | Description | Specifications |
|---|---|---|---|
categoryName * | string | ||
configured | boolean | ||
description * | string | ||
enabled | boolean | ||
type * | string |
Crowdstrike Sensor
crowdstrike_sensor inherits from HostAgent
| Property | Type | Description | Specifications |
|---|---|---|---|
ec2InstanceArn | string | ||
firstSeenOn | number | ||
ingestedOn * | number | ||
macAddress | string | A normalized MAC address for the device's network interface | |
originalMacAddress * | The original MAC address for the device's network interface |
Crowdstrike User
crowdstrike_user inherits from User
| Property | Type | Description | Specifications |
|---|---|---|---|
cid | string | ||
lastLoginOn | number | ||
uid | string |
Crowdstrike Vulnerability
crowdstrike_vulnerability inherits from Finding
| Property | Type | Description | Specifications |
|---|---|---|---|
aid | string | ||
cid * | string | ||
closedOn | number | ||
cveId | string | ||
exploitStatus | number | ||
exprtRating | string | ||
id * | string | ||
productNameVersion | string | ||
publishedOn | number | ||
vendorAdvisory | array of strings |
Crowdstrike Zero Trust Assessment
crowdstrike_zero_trust_assessment inherits from Assessment
| Property | Type | Description | Specifications |
|---|---|---|---|
aid | string | ||
cid * | string | ||
eventPlatform * | string | ||
metOsSignals * | array of strings | ||
metSensorSignals * | array of strings | ||
osScore * | number | ||
overallScore * | number | ||
productTypeDescription * | string | ||
sensorConfigScore * | number | ||
sensorFileStatus * | string | ||
systemSerialNumber * | string | ||
unmetOsSignals * | array of strings | ||
unmetSensorSignals * | array of strings | ||
version * | string |