# CrowdStrike Falcon Spotlight

> Configure CrowdStrike Falcon Spotlight for real-time vulnerability assessment with RAD Security.

# CrowdStrike Falcon Spotlight Integration Setup

This guide walks you through integrating CrowdStrike Falcon Spotlight with RAD Security for real-time vulnerability detection and assessment, allowing you to correlate vulnerability data with runtime security events.

CrowdStrike Falcon Spotlight provides agent-based vulnerability detection with runtime context, helping you prioritize vulnerabilities based on actual exposure and exploitation risk.

## Prerequisites

Before you begin, ensure you have:

<Check>
  * Admin access to CrowdStrike Falcon console
  * **Falcon Administrator** role assigned to your account
  * Access to RAD Security workspace with integration permissions
</Check>

<Note>
  If you need to create a separate user for managing this integration, navigate to **Host setup and management > Falcon users > User management** in CrowdStrike Falcon.
</Note>

***

## Step 1: Log in to CrowdStrike Falcon

<Steps>
  <Step title="Access Falcon Console">
    Log in to the CrowdStrike Falcon UI as an administrator.
  </Step>

  <Step title="Verify Permissions">
    Ensure your account has the **Falcon Administrator** role assigned. This role is required to create API clients.
  </Step>
</Steps>

***

## Step 2: Create API Client and Keys

<Steps>
  <Step title="Navigate to API Clients">
    In the CrowdStrike Falcon console, go to:

    **Support and resources > Resources and tools > API clients and keys**
  </Step>

  <Step title="Create New API Client">
    Click **Create API client** to open the configuration dialog.
  </Step>

  <Step title="Configure Client Details">
    In the API client creation dialog:

    1. Enter a **Client name** (e.g., "RAD Security Integration")
    2. Add a **Description** (e.g., "API client for RAD Security vulnerability integration")
  </Step>

  <Step title="Set API Scopes">
    In the scopes section, grant the following read permissions:

    * **Hosts** - Check the **Read** checkbox
    * **Vulnerabilities** - Check the **Read** checkbox

    <Info>
      These scopes allow RAD Security to read vulnerability findings and host information from CrowdStrike Falcon Spotlight.
    </Info>
  </Step>

  <Step title="Create and Save Credentials">
    1. Click **Create** to generate the API client
    2. A new dialog will appear with your credentials
    3. **Copy and save** the following values securely:
       * **Client ID**
       * **Secret**
       * **Base URL**
  </Step>
</Steps>

<Warning>
  **Save your credentials immediately!** The Client Secret will only be displayed once. Store it in a secure location, as you won't be able to retrieve it later.
</Warning>

***

## Step 3: Configure in RAD Security

Navigate to your RAD Security workspace and configure the CrowdStrike Falcon Spotlight integration with the following parameters:

### Required Parameters

| Parameter         | Description               | Example                       |
| ----------------- | ------------------------- | ----------------------------- |
| **Base URL**      | The Base URL from Step 2  | `https://api.crowdstrike.com` |
| **Client ID**     | The Client ID from Step 2 | `a1b2c3d4e5f6...`             |
| **Client Secret** | The Secret from Step 2    | `X1Y2Z3A4B5C6...`             |

***

## Verify Integration

After completing the setup, verify your integration is working:

1. Navigate to **Data Sources > Integrations > Vulnerabilities** in RAD Security
2. Locate your CrowdStrike Falcon Spotlight integration
3. Check that the connection status shows as **Connected**
4. Verify that vulnerability data is being synced

<Check>
  Your CrowdStrike Falcon Spotlight integration is now configured! RAD Security can now import vulnerability findings and correlate them with runtime security events.
</Check>

## What Data is Synced

Once configured, RAD Security will sync the following data from CrowdStrike Falcon Spotlight:

<AccordionGroup>
  <Accordion title="Vulnerability Findings" icon="bug">
    * CVE identifiers
    * Vulnerability severity scores
    * CVSS scores and vectors
    * Affected software and versions
    * Exploit availability information
  </Accordion>

  <Accordion title="Host Information" icon="server">
    * Host identifiers
    * Operating system details
    * Installed software inventory
    * Asset metadata
  </Accordion>

  <Accordion title="Risk Context" icon="chart-line">
    * Exploit risk scores
    * Active exploitation indicators
    * Remediation recommendations
    * Patch availability status
  </Accordion>
</AccordionGroup>

## Use Cases

<CardGroup cols={2}>
  <Card title="Runtime Exploit Detection" icon="crosshairs">
    Detect when vulnerabilities identified by Falcon Spotlight are actively being exploited in your environment.
  </Card>

  <Card title="Risk-Based Prioritization" icon="ranking-star">
    Prioritize vulnerabilities based on runtime exposure, active exploitation, and criticality.
  </Card>

  <Card title="Automated Response" icon="bolt">
    Trigger automated responses when high-risk vulnerabilities are detected on critical assets.
  </Card>

  <Card title="Compliance Validation" icon="clipboard-check">
    Verify vulnerability remediation efforts with runtime validation.
  </Card>
</CardGroup>

## Troubleshooting

<AccordionGroup>
  <Accordion title="Authentication Failed" icon="triangle-exclamation">
    **Possible causes:**

    * Client ID or Secret is incorrect
    * Token URL is malformed
    * API client was deleted or disabled in CrowdStrike

    **Solution:**

    * Verify all credentials are copied correctly
    * Ensure the Token URL format is correct: `{Base URL}/oauth2/token`
    * Check that the API client still exists in CrowdStrike Falcon
  </Accordion>

  <Accordion title="Insufficient Permissions" icon="shield-exclamation">
    **Possible causes:**

    * Missing Hosts or Vulnerabilities read scopes
    * API client doesn't have required permissions

    **Solution:**

    * Navigate to API clients in CrowdStrike Falcon
    * Edit the API client and verify **Hosts** and **Vulnerabilities** have Read access checked
  </Accordion>

  <Accordion title="No Data Syncing" icon="database-slash">
    **Possible causes:**

    * No vulnerability data available in Falcon Spotlight
    * Hosts are not reporting to CrowdStrike
    * Initial sync is still in progress

    **Solution:**

    * Verify hosts are checking in to CrowdStrike Falcon
    * Ensure Falcon Spotlight is enabled on your hosts
    * Allow up to 15 minutes for initial data sync
    * Check integration logs in RAD Security for specific errors
  </Accordion>

  <Accordion title="Base URL Issues" icon="link">
    **Possible causes:**

    * Using wrong cloud region URL
    * Missing or incorrect URL format

    **Solution:**

    * CrowdStrike uses different URLs by region:
      * US-1: `https://api.crowdstrike.com`
      * US-2: `https://api.us-2.crowdstrike.com`
      * EU-1: `https://api.eu-1.crowdstrike.com`
      * US-GOV-1: `https://api.laggar.gcw.crowdstrike.com`
    * Verify you're using the correct URL for your CrowdStrike instance
  </Accordion>
</AccordionGroup>
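
A pre-flight check for the failure modes listed above, as an added example that is not part of RAD Security's or CrowdStrike's documentation: it validates the Base URL against the region list on this page, requests a token from `{Base URL}/oauth2/token`, then probes one read-only endpoint per scope. The two probe paths (from CrowdStrike's public API), the `status:'open'` filter and the `FALCON_*` environment variable names are assumptions not taken from this page.

```python
import json, os, urllib.error, urllib.parse, urllib.request

# Region base URLs exactly as listed in the Troubleshooting section of this page.
REGIONS = {
    "https://api.crowdstrike.com": "US-1",
    "https://api.us-2.crowdstrike.com": "US-2",
    "https://api.eu-1.crowdstrike.com": "EU-1",
    "https://api.laggar.gcw.crowdstrike.com": "US-GOV-1",
}
# Assumption: one read-only probe per scope; paths are not given on this page.
PROBES = {
    "Hosts": "/devices/queries/devices/v1?limit=1",
    "Vulnerabilities": "/spotlight/queries/vulnerabilities/v1"
                       "?limit=1&filter=status%3A%27open%27",
}

def http_send(method, url, headers, body=None):
    """Default transport: returns (HTTP status, parsed JSON body or {})."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, {}

def preflight(base_url, client_id, client_secret, send=http_send):
    """Return findings named after this page's troubleshooting entries."""
    base = base_url.strip().rstrip("/")
    if base not in REGIONS:
        return [f"Base URL Issues: {base_url!r} is not a listed region URL"]
    form = urllib.parse.urlencode(
        {"client_id": client_id, "client_secret": client_secret}).encode()
    status, data = send("POST", base + "/oauth2/token",
                        {"Content-Type": "application/x-www-form-urlencoded"}, form)
    token = data.get("access_token")
    if status >= 300 or not token:
        return [f"Authentication Failed: token request returned HTTP {status}"]
    findings = []
    for scope, path in PROBES.items():
        status, _ = send("GET", base + path, {"Authorization": "Bearer " + token})
        if status == 403:
            findings.append(f"Insufficient Permissions: {scope} Read scope missing")
        elif status >= 300:
            findings.append(f"{scope} probe returned HTTP {status}")
    return findings or [f"OK: {REGIONS[base]} credentials valid, both scopes readable"]

if __name__ == "__main__":
    # Credentials come from the environment, never from the script or its arguments.
    env = os.environ
    print("\n".join(preflight(env["FALCON_BASE_URL"], env["FALCON_CLIENT_ID"],
                              env["FALCON_CLIENT_SECRET"])))
```

The `send` parameter lets you substitute a stub transport to exercise the logic without contacting CrowdStrike.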

## Security Best Practices

<CardGroup cols={2}>
  <Card title="Least Privilege Access" icon="shield-halved">
    Only grant Read access to Hosts and Vulnerabilities. Avoid granting Write or Admin permissions.
  </Card>

  <Card title="Dedicated API Client" icon="key">
    Create a dedicated API client specifically for RAD Security integration rather than reusing existing clients.
  </Card>

  <Card title="Secure Credential Storage" icon="lock">
    Store API credentials securely. Never commit them to version control or share them via unsecured channels.
  </Card>

  <Card title="Regular Audits" icon="clipboard-list">
    Periodically review API client access and permissions in CrowdStrike Falcon.
  </Card>
</CardGroup>

## Next Steps

<CardGroup cols={2}>
  <Card title="Vulnerabilities Overview" icon="shield-halved" href="/rad-security/integrations/vulnerabilities/overview">
    Explore other vulnerability integration options
  </Card>

  <Card title="Runtime Security" icon="shield" href="/rad-security/integrations/runtime-security">
    Learn how RAD correlates vulnerabilities with runtime threats
  </Card>

  <Card title="CrowdStrike EDR Integration" icon="crow" href="/rad-security/integrations/edr/overview">
    Add CrowdStrike Falcon Insight for EDR integration
  </Card>

  <Card title="Alerts & Incidents" icon="bell" href="/rad-security/platform/workspace">
    Configure alerts for vulnerability-related events
  </Card>
</CardGroup>
