Note: If the CrowdStrike Falcon Spotlight integration isn't available in your Endpoint Central server, kindly contact support.

Seamlessly deploy patches for the vulnerabilities detected by CrowdStrike Falcon Spotlight

By integrating CrowdStrike Falcon Spotlight into the Endpoint Central console, IT administrators can efficiently address identified vulnerabilities by deploying the corresponding patches. Bid farewell to the hassle of navigating multiple dashboards and manually mapping vulnerabilities to the appropriate patches. The CrowdStrike Falcon Spotlight integration handles it all for you, simplifying the entire process and saving valuable time and effort.

Steps to integrate Spotlight with Endpoint Central

Generate API client in Spotlight

  • To generate a Spotlight API client, you need the Falcon Administrator role, which is required to view, create or modify API clients or keys.
  • If you have Administrator privileges, you can generate the required API clients by following the user guide provided by Spotlight.
  • When generating the API client, ensure you select the following permissions under the API Scopes section:
    - Detections (Read)
    - Hosts (Read)
  • Once you click Save, Spotlight generates a Client ID and a Client Secret.
  • Store these credentials in a secure location.

Configure API Settings in Endpoint Central

  • Navigate to Admin > Integration > Threat scanner settings. Only users with Administrator privileges can configure the API Settings.
  • Enter the Spotlight base URL, Client ID and Client Secret.
  • Configure the frequency at which you want the data sync to happen.
  • Click Save to enable the integration.

Workflow

 
  1. After the integration is enabled, Endpoint Central imports the vulnerability details and the affected machine details from Spotlight.
  2. Identify the corresponding patch/fix for the respective vulnerabilities and remediate those vulnerabilities by installing the appropriate patch.
  3. Threats detected by Spotlight are listed, along with their patch availability, under Threats & Patches > Spotlight Threats. Users can also deploy patches for vulnerabilities from this view.

FAQs

1) Will Spotlight automatically update the required patches, or do we need to configure Endpoint Central to extract the scan results?

The Spotlight API details must be configured in the Endpoint Central console (one-time setup). After integration, vulnerabilities scanned by Spotlight will be automatically imported into the Endpoint Central console and the required patches will be mapped.

2) Do we need to perform a scan after patching, or will the data automatically update to Spotlight once Endpoint Central patches the vulnerabilities?

After creating a Manual Deployment task in Endpoint Central and successfully deploying the patches, a scan must be performed in Spotlight to update the latest scan results. This scan can also be scheduled for convenience.

3) Is it necessary to install both the Spotlight and Endpoint Central agents on the systems for successful integration?

Yes, you need to install both the Spotlight and Endpoint Central agents on the systems. This setup ensures that the patches are automatically mapped to the vulnerabilities identified by Spotlight.

4) How are patches deployed to mitigate vulnerabilities after integration?

Following integration, vulnerabilities identified by Spotlight can be imported into the Endpoint Central console. Patches can then be deployed manually by creating a Manual Deployment task.

5) Why are certain vulnerabilities marked as Not Available in terms of Patch Availability?

Patches for vulnerabilities detected by Spotlight are mapped by comparing them against the imported CVE information. Specifically, only patches supported by Endpoint Central will be associated with Spotlight-detected vulnerabilities. Check the list of supported applications for reference. Note: Endpoint Central currently does not support patching user-installed applications. Threats detected by Spotlight with available patches will be listed under Threats & Patches > Spotlight Threats. Users can also deploy patches for these vulnerabilities directly from this view.

Kindly contact support for any queries.