
CrowdStrike Falcon Exposure Management Connection

This article walks through the details of configuring CrowdStrike Falcon Exposure Management to connect to Drata.

Updated over a week ago

Connecting CrowdStrike Falcon Exposure Management to Drata allows for automated, continuous monitoring of SLA due dates and evidence collection for the vulnerability issues required for compliance.

This integration automates evidence collection for the Vulnerability Scanning test, which is mapped to DCF-18 by default.

Prerequisite

  • Create a CrowdStrike Falcon API Client ID and Secret. Be sure to save the values; you will need to enter them when connecting to Drata.

    1. In the CrowdStrike Falcon console, navigate to the API Clients and Keys page and select Create API client.

    2. Enter the details for the API.

    3. When prompted, enable the following API scopes:

      • Vulnerabilities: Read

      • Hosts: Read

      • Host Groups: Read

      • User Management: Read

      • Prevention Policies: Read

      • Device Control Policies: Read

      • Response policies: Read

      • Sensor Update Policies: Read

Note: Drata will pull up to 1,000 new or updated vulnerabilities for each connection daily, ordered by severity from critical to low. You can select what kind of vulnerabilities will be synced based on the severity when connecting.

Connect CrowdStrike Falcon Exposure Management to Drata

  1. Go to the Connections page.

  2. Search for and select Arnica from the available integrations.

  3. Configure which vulnerabilities Drata will sync. These selections are also included in the test result report for visibility.

    • Severity: Select the vulnerability levels to include, such as Critical, High, or Medium.

      • Critical and High are auto-selected.

    • First seen on: Drata will sync vulnerabilities detected on or after the selected date.

  4. Select the connect button to proceed.

  5. Enter the Client ID and Secret and the Base URL. The Base URL corresponds to the cloud where your CrowdStrike integration is hosted and has the format https://api[<deployment>].crowdstrike.com. Use one of the following URLs based on your region:

Drata automatically begins syncing vulnerabilities based on your configurations.

You can view the findings by selecting View Findings after connecting Arnica or by navigating directly to the Vulnerabilities page through the left-side navigation menu.
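Before entering the Client ID and Secret, it is worth confirming that the Base URL really matches the format given in step 5 (a look-alike host would receive the credentials) and that the API client holds only the Read scopes listed under Prerequisite. The following pre-flight check is an added example, not code from Drata or CrowdStrike. The function names, the shape of the `granted` input (scopes transcribed by hand from the console) and the reading of `<deployment>` as dot-separated DNS labels are assumptions.

```python
import re
from urllib.parse import urlsplit

# Read scopes listed in the Prerequisite section above.
REQUIRED_SCOPES = {
    "vulnerabilities", "hosts", "host groups", "user management",
    "prevention policies", "device control policies",
    "response policies", "sensor update policies",
}

# Host shape from step 5: api[<deployment>].crowdstrike.com.
# Assumption: <deployment> is zero or more dot-separated DNS labels.
HOST_RE = re.compile(r"^api(\.[a-z0-9]+(-[a-z0-9]+)*)*\.crowdstrike\.com$")


def check_base_url(url):
    """Return the problems found in a Base URL; an empty list means it is acceptable."""
    parts = urlsplit(url.strip())
    host = parts.hostname or ""
    problems = []
    if parts.scheme != "https":
        problems.append("scheme must be https")
    if parts.netloc.lower() != host:
        problems.append("no credentials or port allowed in the URL")
    if not HOST_RE.match(host):
        problems.append("host is not api[<deployment>].crowdstrike.com")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        problems.append("no path, query or fragment allowed")
    return problems


def audit_scopes(granted):
    """granted maps scope name -> permissions, e.g. {"Hosts": {"Read"}}.
    Returns (missing read scopes, grants beyond what the article asks for)."""
    norm = {n.lower(): {p.lower() for p in perms} for n, perms in granted.items()}
    missing = sorted(s for s in REQUIRED_SCOPES if "read" not in norm.get(s, set()))
    excess = sorted(f"{n}: {p}" for n, perms in norm.items() for p in perms
                    if p != "read" or n not in REQUIRED_SCOPES)
    return missing, excess


if __name__ == "__main__":
    # Constructed sample: what an operator might transcribe from the console.
    sample = {"Hosts": {"Read", "Write"}, "Vulnerabilities": {"Read"}}
    print(check_base_url("https://api.crowdstrike.com.example.net"))
    print(audit_scopes(sample))
```

Any entry in the second list returned by `audit_scopes` is a permission the integration does not need and can be removed from the API client.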
