# Vulnerability Findings Retrieves vulnerability data and associated metadata for assets from Crowdstrike Falcon Spotlight, including details like CVE identifiers, CVSS scores, descriptions, solution information, and affected systems. **Sync Type: Incremental** ## Requirements - Before you connect Monad to CrowdStrike, you need a Client ID and Client Secret. Log in to your CrowdStrike portal, and under Support & Resources, click on 'API Client and Keys' to create your credentials. - Enter a Client Name, Description and API Scopes to define the API client. Ensure read roles for User Management are enabled. - Click **Done**. - Copy the ClientID and ClientSecret key. You'll need them when you set up the Monad connector. ## Details Monad uses the `created_timestamp` within the `filter` on the CrowdStrike API to determine what vulnerabilities to display. This field is updated every time a request to get vulnerabilities is successful with the last time a request to get vulnerabilities was initiated. If this was the first time requesting for vulnerabilities, a full sync of the data is performed. ## Configuration The following configuration defines the input parameters. Each field's specifications, such as type, requirements, and descriptions, are detailed below. #### Settings | Setting | Type | Required | Description | |---------|------|----------|-------------| | Cloud Type | string | No | Your cloud type for CrowdStrike. Ex: 'autodiscover', 'us-1', 'us-2', 'eu-1', 'us-gov-1'. | | Backfill Start Time | string | No | The date to start fetching data from. If not specified, no past records will be fetched. | #### Secrets | Secret | Type | Required | Description | |---------|------|----------|-------------| | Client ID | string | Yes | Client ID for the CrowdStrike API. This is required to authenticate requests. | | Client Secret | string | Yes | Client Secret for the CrowdStrike API. This is required to authenticate requests. | # OCSF Conversion The following JQ transformation converts Crowdstrike Vulnerability data to OCSF Version 1.1 compliant format. ## JQ Transformation ```jq # Helper function to safely convert timestamp def safe_timestamp: if . and (. | type) == "string" then (. | fromdateiso8601) else null end; # Helper function to convert Crowdstrike severity to OCSF severity_id def severity_to_id: if . == "CRITICAL" then 5 elif . == "HIGH" then 4 elif . == "MEDIUM" then 3 elif . == "LOW" then 2 else 99 # Unknown end; # Helper function to convert status to OCSF status_id def status_to_id: if . == "open" then 1 elif . == "closed" then 2 elif . == "in_progress" then 3 else 99 # Unknown end; # Main transformation { # Required OCSF Fields "activity_id": 1, # Detection "category_uid": 2, # Findings "class_uid": 2002, # Vulnerability Finding class "type_uid": 200201, # Vulnerability Finding type # Timestamps "time": (.created_timestamp | safe_timestamp), # Severity mapping "severity_id": ((.cve.severity // "UNKNOWN") | severity_to_id), "severity": (.cve.severity // "UNKNOWN"), # Finding Info "finding_info": { "title": (.vulnerability_id // "UNKNOWN"), "uid": (.id // "UNKNOWN"), "desc": (.cve.description // "No description available"), "created_time": (.created_timestamp | safe_timestamp), "modified_time": (.updated_timestamp | safe_timestamp) }, # Vulnerabilities array "vulnerabilities": [ { "title": (.vulnerability_id // "UNKNOWN"), "desc": (.cve.description // "No description available"), "severity": (.cve.severity // "UNKNOWN"), "cve": { "uid": (.vulnerability_id // "UNKNOWN"), "desc": (.cve.description // "No description available"), "cvss": [ { "version": "3.1", "base_score": (.cve.base_score // 0), "vector_string": (.cve.vector // "UNKNOWN") } ], "references": (.cve.references // []), "modified_time": (.updated_timestamp | safe_timestamp) }, "remediation": { "desc": ( if .remediation and .remediation.entities then (.remediation.entities | map(.action) | join("; ")) else "" end ), "references": ( if .remediation and .remediation.entities then (.remediation.entities | map(.link) | map(select(length > 0))) else [] end ), "kb_articles": ( if .remediation and .remediation.entities then (.remediation.entities | map(.reference) | map(select(length > 0))) else [] end ) }, "first_seen_time": (.created_timestamp | safe_timestamp), "last_seen_time": (.updated_timestamp | safe_timestamp), "is_exploit_available": false } ], # Instead of using tostring, lets include a simplified version of raw data "raw_data": { "id": .id, "vulnerability_id": .vulnerability_id, "status": .status, "timestamp": .created_timestamp }, # Metadata "metadata": { "version": "1.1.0", "product": { "name": "Crowdstrike Spotlight", "vendor_name": "Crowdstrike", "version": "1.0" }, "profiles": ["vulnerability"], "uid": (.id // "UNKNOWN") }, # Optional Fields "confidence": (.confidence // "UNKNOWN"), "confidence_id": ( if .confidence == "confirmed" then 2 elif .confidence == "high" then 2 elif .confidence == "medium" then 1 elif .confidence == "low" then 0 else 99 # Unknown end ), "status": (.status // "unknown"), "status_id": ((.status // "unknown") | status_to_id), # Resource Details "resource": { "type": "host", "name": (.host_info.hostname // "unknown"), "uid": (.aid // "unknown"), "criticality": (.host_info.asset_criticality // "Unassigned"), "group": { "name": ( if .host_info.groups and (.host_info.groups | type) == "array" then (.host_info.groups | join(", ")) else "" end ) }, "labels": [ (.host_info.os_version // "unknown"), (.host_info.platform // "unknown"), (.host_info.product_type_desc // "unknown") ] }, # Cloud context if available "cloud": ( if .host_info and .host_info.service_provider then { "provider": (.host_info.service_provider // "unknown"), "account_uid": (.host_info.service_provider_account_id // "unknown"), "instance_uid": (.host_info.instance_id // "unknown") } else null end ) } ``` ## OCSF Mapping Details ### Helper Functions 1. **safe_timestamp** - Safely converts ISO8601 timestamps to Unix epoch - Returns null for any invalid or missing timestamps - Used consistently across all timestamp fields 2. **severity_to_id** - Maps Crowdstrike severity levels to OCSF enumerated values: - CRITICAL → 5 - HIGH → 4 - MEDIUM → 3 - LOW → 2 - Others → 99 (Unknown) 3. **status_to_id** - Maps vulnerability status to OCSF enumerated values: - open → 1 - closed → 2 - in_progress → 3 - Others → 99 (Unknown) ### Core Fields - **Category UID**: 2 (Findings) - **Class UID**: 2002 (Vulnerability Finding) - **Activity ID**: 1 (Detection) - **Type UID**: 200201 (Vulnerability Finding type) - **Time**: Maps from created_timestamp using safe_timestamp function - **Severity**: Maps from cve.severity with "UNKNOWN" fallback - **Severity_id**: Maps from cve.severity using severity_to_id function ### Finding Information - **Title**: Maps from vulnerability_id with "UNKNOWN" fallback - **UID**: Maps from record id with "UNKNOWN" fallback - **Description**: Maps from cve.description with "No description available" fallback - **Timestamps**: - created_time: Maps from created_timestamp using safe_timestamp - modified_time: Maps from updated_timestamp using safe_timestamp ### Vulnerabilities Array Each vulnerability entry contains: - Title and description from CVE data - Severity information with fallbacks - CVE details including: - UID: Maps from vulnerability_id with "UNKNOWN" fallback - Description: Maps from cve.description with "No description available" fallback - Base score from cve.base_score (defaults to 0) - Vector string from cve.vector with "UNKNOWN" fallback - References from cve.references (defaults to empty array) - Modified time from updated_timestamp - Remediation information: - Description: Combines actions from remediation.entities - References: Maps from links in remediation.entities - KB articles: Maps from reference field in remediation.entities - Each with empty string/array fallbacks if data is missing - Timestamp fields using safe conversion ### Raw Data Simplified version of raw data containing: - id - vulnerability_id - status - timestamp from created_timestamp ### Status and Confidence - **Status**: Maps from status field with "unknown" fallback - **Confidence**: Maps from confidence field with "UNKNOWN" fallback - Both use enumerated ID mappings with unknown (99) fallback ### Resource Details - **Type**: Fixed as "host" - **Name**: Maps from hostname with "unknown" fallback - **UID**: Maps from aid with "unknown" fallback - **Criticality**: Maps from asset_criticality with "Unassigned" fallback - **Groups**: Combines all group names, filtering empty values - **Labels**: Array including: - OS version - Platform - Product type All with "unknown" fallbacks ### Cloud Context Only included when service_provider exists, containing: All fields have "unknown" fallbacks - Provider: Maps from host_info.service_provider with "unknown" fallback - Account_uid: Maps from host_info.service_provider_account_id with "unknown" fallback - Instance_uid: Maps from host_info.instance_id with "unknown" fallback ### Metadata - **Version**: Fixed at "1.1.0" - **Product Information**: - Name: "Crowdstrike Spotlight" - Vendor: "Crowdstrike" - Version: "1.0" - **UID**: Maps from id with "UNKNOWN" fallback ### Error Handling The transformation implements comprehensive error handling: 1. **Timestamp Handling** - No artificial timestamps created - Explicit null for invalid/missing dates - Consistent handling across all date fields 2. **Missing Data** - String fields: "UNKNOWN" or "unknown" fallbacks - Numeric fields: 0 fallback - Arrays: Empty array fallback - Objects: Null fallback with conditional inclusion 3. **Array Processing** - Safe mapping with null element handling - Filtering of empty/null values - Join operations with empty string fallbacks 4. **Object Safety** - Null checks before accessing nested fields - Default values for all required fields - Conditional object inclusion ## Sample Record ```json { "aid": "6defa27b-d63e-4187-e65c-c2c3b99117c0", "apps": [ { "evaluation_logic": { "aid": "7990ed66-c052-2680-6917-b22738a16ee4", "cid": "a8fcb81c-009e-337c-7a67-e9cbf9e6785f", "created_timestamp": "2025-08-11T23:46:31Z", "data_provider": "Falcon sensor", "host_info": { "entities_matched": [ { "asset_id": "723f1805-7045-b0d8-ff68-3f9068b2d2e4" } ] }, "id": "c0550454-9a3c-2d02-0fb8-0a5d8557d9d1", "logic": [ { "comparison_check": "at least one", "comparisons": { "state_comparisons": [ { "entity_comparisons": [ { "actual_value_field": "value", "expected_value": "^Microsoft \\.NET Runtime - 6\\.0[\\d.]+ \\(x64\\)$", "operation": "pattern match", "value_datatype": "string" } ], "entity_operator": "AND" } ], "state_operator": "AND" }, "determined_by_comparison": true, "existence_check": "at_least_one_exists", "id": "8808f7a8-db13-01ab-4c9d-f11306b5d5cc", "items": [ { "comparison_result": "FAILURE", "hive": "HKEY_LOCAL_MACHINE", "item_type": "registry_item", "key": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{4BCC5DFD-5D10-4ACC-AAA9-8A1578A9F0C6}", "name": "DisplayName", "type": "reg_sz", "value": [ "Microsoft .NET Runtime - 6.0.28 (x64)" ], "windows_view": "64_bit" } ], "title": "Check if 64 bit .NET core 6.0 is installed", "type": "inventory" }, { "comparison_check": "all", "comparisons": { "state_comparisons": [ { "entity_comparisons": [ { "actual_value_field": "value", "expected_value": "^Microsoft \\.NET Runtime - 6\\.0\\.(\\d|1[0-9]|2[0-8]) .*$", "operation": "pattern match", "value_datatype": "string" } ], "entity_operator": "AND" } ], "state_operator": "AND" }, "determined_by_comparison": true, "existence_check": "at_least_one_exists", "id": "8b07bf96-3a9c-a079-027a-d4759c9892d0", "items": [ { "comparison_result": "SUCCESS", "hive": "HKEY_LOCAL_MACHINE", "item_type": "registry_item", "key": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{4BCC5DFD-5D10-4ACC-AAA9-8A1578A9F0C6}", "name": "DisplayName", "type": "reg_sz", "value": [ "Microsoft .NET Runtime - 6.0.28 (x64)" ], "windows_view": "64_bit" } ], "title": "Check if the version of .NET core runtime 6.0 is less than 6.0.29", "type": "vulnerability" } ], "updated_timestamp": "2025-08-11T23:46:31Z" }, "product_name_normalized": ".NET Core", "product_name_version": ".NET Core 6.0", "remediation": { "ids": [ "aaf750cd-3381-d1c5-803c-d75d73f977bc" ] }, "sub_status": "open" } ], "cid": "681e7823-7517-1b38-835f-368e1e8be1b8", "confidence": "confirmed", "created_timestamp": "2025-08-11T23:46:31Z", "cve": { "actors": null, "base_score": 7.3, "cisa_info": { "is_cisa_kev": false }, "cwes": [ "" ], "description": ".NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability\n", "exploitability_score": 1.3, "exprt_rating": "MEDIUM", "id": "CVE-2024-21409", "impact_score": 5.9, "published_date": "2024-04-09T07:00:00Z", "references": [ "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21409" ], "remediation_level": "O", "severity": "INFO", "spotlight_published_date": "2024-04-11T07:43:00Z", "types": [ "Vulnerability" ], "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "vendor_advisory": [ "https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2024-21409" ] }, "data_providers": [ { "ports": null, "provider": "Falcon sensor" } ], "host_info": { "asset_criticality": "Unassigned", "asset_roles": null, "groups": null, "hostname": "DESKTOP-4AN8HUC", "internet_exposure": "No", "local_ip": "192.203.104.40", "machine_domain": "", "managed_by": "Falcon sensor", "os_build": "19045", "os_version": "Windows 10", "ou": "", "platform": "Windows", "product_type_desc": "Workstation", "site_name": "", "subsidiaries": null, "system_manufacturer": "Dell Inc.", "tags": [], "third_party_asset_ids": null }, "id": "32c9c936-30e5-258b-72f9-b4ec1292ca7c", "remediation": { "entities": [ { "action": "Update Microsoft .Net Core to the latest available version", "id": "c63b7267-3be7-b14e-3350-0e67ade8dffb", "link": "", "reference": "cpe:/a:microsoft:.net_core::::", "title": "Update Microsoft .Net Core", "vendor_url": "" } ], "ids": null }, "services": null, "status": "open", "suppression_info": { "is_suppressed": false }, "updated_timestamp": "2025-08-11T23:46:31Z", "vulnerability_id": "CVE-2024-21409" } ```