CrowdStrike Falcon Spotlight Integration Setup
This guide walks you through integrating CrowdStrike Falcon Spotlight with RAD Security for real-time vulnerability detection and assessment, allowing you to correlate vulnerability data with runtime security events. CrowdStrike Falcon Spotlight provides agent-based vulnerability detection with runtime context, helping you prioritize vulnerabilities based on actual exposure and exploitation risk.
Prerequisites
Before you begin, ensure you have:
- Admin access to CrowdStrike Falcon console
- Falcon Administrator role assigned to your account
- Access to RAD Security workspace with integration permissions
If you need to create a separate user for managing this integration, navigate to Host setup and management > Falcon users > User management in CrowdStrike Falcon.
Step 1: Log in to CrowdStrike Falcon
1. Access Falcon Console
Log in to the CrowdStrike Falcon UI as an administrator.
2. Verify Permissions
Ensure your account has the Falcon Administrator role assigned. This role is required to create API clients.
Step 2: Create API Client and Keys
1. Navigate to API Clients
In the CrowdStrike Falcon console, go to: Support and resource > Resources and tools > API clients and keys
2. Create New API Client
Click Create API client to open the configuration dialog
3. Configure Client Details
In the API client creation dialog:
- Enter a Client name (e.g., “RAD Security Integration”)
- Add a Description (e.g., “API client for RAD Security vulnerability integration”)
4. Set API Scopes
In the scopes section, grant the following read permissions:
- Hosts - Check the Read checkbox
- Vulnerabilities - Check the Read checkbox
These scopes allow RAD Security to read vulnerability findings and host information from CrowdStrike Falcon Spotlight.
5. Create and Save Credentials
- Click Create to generate the API client
- A new dialog will appear with your credentials
- Copy and save the following values securely:
  - Client ID
  - Secret
  - Base URL
Save your credentials immediately! The Client Secret will only be displayed once. Store it in a secure location, as you won’t be able to retrieve it later.
Step 3: Configure in RAD Security
Navigate to your RAD Security workspace and configure the CrowdStrike Falcon Spotlight integration with the following parameters:
Required Parameters
| Parameter | Description | Example |
|---|---|---|
| Base URL | The Base URL from Step 2 | https://api.crowdstrike.com |
| Client ID | The Client ID from Step 2 | a1b2c3d4e5f6... |
| Client Secret | The Secret from Step 2 | X1Y2Z3A4B5C6... |
Verify Integration
After completing the setup, verify your integration is working:
- Navigate to Data Sources > Integrations > Vulnerabilities in RAD Security
- Locate your CrowdStrike Falcon Spotlight integration
- Check the connection status shows as Connected
- Verify vulnerability data is being synced
Your CrowdStrike Falcon Spotlight integration is now configured! RAD Security can now import vulnerability findings and correlate them with runtime security events.
What Data is Synced
Once configured, RAD Security will sync the following data from CrowdStrike Falcon Spotlight:
Vulnerability Findings
- CVE identifiers
- Vulnerability severity scores
- CVSS scores and vectors
- Affected software and versions
- Exploit availability information
Host Information
- Host identifiers
- Operating system details
- Installed software inventory
- Asset metadata
Risk Context
- Exploit risk scores
- Active exploitation indicators
- Remediation recommendations
- Patch availability status
Use Cases
Runtime Exploit Detection
Detect when vulnerabilities identified by Falcon Spotlight are actively being exploited in your environment.
Risk-Based Prioritization
Prioritize vulnerabilities based on runtime exposure, active exploitation, and criticality.
Automated Response
Trigger automated responses when high-risk vulnerabilities are detected on critical assets.
Compliance Validation
Verify vulnerability remediation efforts with runtime validation.
Troubleshooting
Authentication Failed
Possible causes:
- Client ID or Secret is incorrect
- Token URL is malformed
- API client was deleted or disabled in CrowdStrike
Solutions:
- Verify all credentials are copied correctly
- Ensure Token URL format is correct: {Base URL}/oauth2/token
- Check that the API client still exists in CrowdStrike Falcon
Insufficient Permissions
Possible causes:
- Missing Hosts or Vulnerabilities read scopes
- API client doesn’t have required permissions
Solutions:
- Navigate to API clients in CrowdStrike Falcon
- Edit the API client and verify Hosts and Vulnerabilities have Read access checked
No Data Syncing
Possible causes:
- No vulnerability data available in Falcon Spotlight
- Hosts are not reporting to CrowdStrike
- Initial sync is still in progress
Solutions:
- Verify hosts are checking in to CrowdStrike Falcon
- Ensure Falcon Spotlight is enabled on your hosts
- Allow up to 15 minutes for initial data sync
- Check integration logs in RAD Security for specific errors
Base URL Issues
Possible causes:
- Using wrong cloud region URL
- Missing or incorrect URL format
Solutions:
- CrowdStrike uses different URLs by region:
  - US-1: https://api.crowdstrike.com
  - US-2: https://api.us-2.crowdstrike.com
  - EU-1: https://api.eu-1.crowdstrike.com
  - US-GOV-1: https://api.laggar.gcw.crowdstrike.com
- Verify you’re using the correct URL for your CrowdStrike instance
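
A pre-flight check for the Authentication Failed and Base URL Issues cases above, added here as an example and not RAD Security or CrowdStrike code. It accepts only the regional Base URLs listed in this guide, so the secret is never posted to a mistyped host, builds the token URL as {Base URL}/oauth2/token, and requests a token. The environment variable names, the `client_id`/`client_secret` form fields, and treating any HTTP error as a rejected client are assumptions.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request

# Regional base URLs exactly as listed under "Base URL Issues" in this guide.
REGION_BASE_URLS = {
    "https://api.crowdstrike.com": "US-1",
    "https://api.us-2.crowdstrike.com": "US-2",
    "https://api.eu-1.crowdstrike.com": "EU-1",
    "https://api.laggar.gcw.crowdstrike.com": "US-GOV-1",
}

def normalize_base_url(raw):
    """Return (base_url, region) or raise ValueError for a wrong or malformed URL."""
    parsed = urllib.parse.urlsplit(raw.strip())
    if parsed.scheme != "https" or not parsed.hostname:
        raise ValueError("Base URL must be an https:// URL")
    if parsed.path.strip("/") or parsed.query or parsed.fragment:
        raise ValueError("Base URL must not carry a path; /oauth2/token is appended")
    base = f"https://{parsed.hostname.lower()}"
    if base not in REGION_BASE_URLS:
        raise ValueError(f"{base} is not a regional URL listed in this guide")
    return base, REGION_BASE_URLS[base]

def token_url(base_url):
    """Token URL format from the troubleshooting section: {Base URL}/oauth2/token."""
    return normalize_base_url(base_url)[0] + "/oauth2/token"

def check_credentials(base_url, client_id, client_secret, timeout=10):
    """Request a token; return (ok, hint) without echoing the secret or the token.
    Assumption: any HTTP error status means the API client was rejected."""
    form = {"client_id": client_id, "client_secret": client_secret}
    req = urllib.request.Request(token_url(base_url), method="POST",
                                 data=urllib.parse.urlencode(form).encode())
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            ok = "access_token" in json.load(resp)
            return ok, "token issued" if ok else "unexpected response body"
    except urllib.error.HTTPError as err:
        return False, f"HTTP {err.code}: check Client ID, Secret and client status"
    except urllib.error.URLError as err:
        return False, f"cannot reach {base_url}: {err.reason}"

if __name__ == "__main__":
    # Hypothetical variable names; keeps the secret out of source files.
    env = os.environ
    print(check_credentials(env["FALCON_BASE_URL"], env["FALCON_CLIENT_ID"],
                            env["FALCON_CLIENT_SECRET"]))
```
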
Security Best Practices
Least Privilege Access
Only grant Read access to Hosts and Vulnerabilities. Avoid granting Write or Admin permissions.
Dedicated API Client
Create a dedicated API client specifically for RAD Security integration rather than reusing existing clients.
Secure Credential Storage
Store API credentials securely. Never commit them to version control or share them via unsecured channels.
Regular Audits
Periodically review API client access and permissions in CrowdStrike Falcon.