
Integrating Vanta & CrowdStrike

✅ Feature availability: This integration is now available for Vanta Government customers.

CrowdStrike is a cloud-delivered security platform whose products include endpoint protection and cloud monitoring. You can connect CrowdStrike to Vanta to ensure that user access to CrowdStrike is managed according to your company's policies. You can also connect CrowdStrike Falcon Spotlight to ingest vulnerabilities and display them on the Vulnerabilities page.

Please note: If you have already integrated with CrowdStrike and you need to update the permissions, you may skip many of the steps in the instructions below and edit the existing Vanta Client in CrowdStrike.

About this Integration

This integration automates the collection of evidence for vulnerability scan results and proof of subsequent vulnerability remediation within your committed SLAs.

  • Vanta requires read-only access to user, host, and policy information through an OAuth2 API client (client ID and client secret).

  • Estimated setup time: Less than 10 minutes

Use Cases

Connecting CrowdStrike will allow Vanta to perform the following tests:

  • Ensure CrowdStrike accounts are linked in Vanta

  • Ensure CrowdStrike accounts are deprovisioned when personnel leaves

  • Critical vulnerabilities identified in packages are addressed

  • CrowdStrike hosts have a non-empty prevention policy

  • CrowdStrike is installed on all cloud instances

  • CrowdStrike is installed on all workstations

  • High vulnerabilities identified in packages are addressed

  • Low vulnerabilities identified in packages are addressed

  • Medium vulnerabilities identified in packages are addressed

Requirements

  • You'll need access to the Falcon Spotlight vulnerability management solution (an additional add-on) for the vulnerability tests

  • Administrator permissions to set up an API Client

  • You'll need CrowdStrike Falcon Cloud Security (required only if you want CSPM security alerts)

1. Set up an API Client in CrowdStrike

  • You'll need Falcon Administrator permissions to set up an API Client.

  • Using the top-left menu, navigate to Support and Resources and select API Clients and keys.

  • Create a new API Client by clicking Add new API client.

  • Wait to exit the Add new API client window until you finish setting up the CrowdStrike integration in Vanta.

  • Name the client a recognizable name, e.g., "Vanta Client." You can leave the description blank.

  • In the API Scopes section, check the boxes User Management, Hosts, and Prevention Policies in the Read column. This grants Vanta read-only access to user, host, and prevention-policy information in CrowdStrike; leave the Write column unchecked, since Vanta never needs to change anything.

    • If you have CrowdStrike Falcon Spotlight enabled for vulnerability management, also grant Read access to Vulnerabilities.

    • If you have CrowdStrike Falcon Cloud Security enabled, also grant Read access to Cloud Security API Assets and Cloud Security API Detect.

CrowdStrike will show you the three pieces of data you need to connect CrowdStrike to Vanta. Don't exit the window where these data are shown -- you'll need them to connect to Vanta.

  • Client ID: The public API Client ID.

  • Client Secret: A secret shared between CrowdStrike and Vanta. This secret is only shown once; if you lose it you must reset it in CrowdStrike and reconnect in Vanta. Treat it as a credential: paste it straight into Vanta (or a secrets manager) rather than into a ticket, chat, or shell history.

  • Base URL: The URL Vanta will use for API requests. This is usually https://api.crowdstrike.com, but it depends on the Falcon cloud region your tenant lives in (for example https://api.us-2.crowdstrike.com, https://api.eu-1.crowdstrike.com, or https://api.laggar.gcr.crowdstrike.com for US-GOV-1); use the value CrowdStrike shows in this window.

2. Connect CrowdStrike to Vanta

  • In Vanta, go to the Integrations page, click Add integration, and search for CrowdStrike. For help, see our guide to the Integrations Page.

  • Click Connect.

  • Paste the Client ID, Client Secret, and Base URL from the previous steps into Vanta.

  • If you are using multi-tenancy, you will also see a Connection Name field. Enter a descriptive name to identify this connection (e.g., the name of the CrowdStrike tenant).

  • Click Done. Vanta will now fetch data from CrowdStrike regularly.
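Before you click Done (and again after you edit the scopes of an existing Vanta Client, as in the "Updating an Existing API Client" section below), it is worth confirming that the credentials and scopes you were given actually work, because a forgotten scope only surfaces later as a failing Vanta test. The script below is an added example and is not Vanta's or CrowdStrike's own code. It performs the OAuth2 client-credentials exchange at POST /oauth2/token and then issues one minimal read call per scope from step 1, reporting a 403 as a missing scope. It assumes the standard Falcon API paths shown in the code; the Cloud Security (CSPM) scopes are not probed and should be verified in the Falcon console. Credentials are read from the environment variables FALCON_CLIENT_ID, FALCON_CLIENT_SECRET and FALCON_BASE_URL (names chosen for this example).

```python
"""Pre-flight check for a CrowdStrike Falcon API client before it is pasted into Vanta.

Added example, not Vanta's or CrowdStrike's own code. It performs the OAuth2
client-credentials exchange at POST /oauth2/token and then makes one minimal
read call per scope the integration needs, so a scope you forgot to tick shows
up here as a 403 instead of as a failing Vanta test later. Standard library only.
"""
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

# One cheap read-only endpoint per scope from the setup steps. The Cloud
# Security (CSPM) scopes are not probed here; assumption: verify those in the
# Falcon console. Spotlight's query endpoint rejects an empty filter, so a
# harmless one is supplied.
SCOPE_PROBES = {
    "User Management: Read": "/user-management/queries/users/v1?limit=1",
    "Hosts: Read": "/devices/queries/devices/v1?limit=1",
    "Prevention Policies: Read": "/policy/queries/prevention/v1?limit=1",
    "Vulnerabilities: Read": (
        "/spotlight/queries/vulnerabilities/v1?limit=1&filter="
        + urllib.parse.quote("status:'open'")
    ),
}


def http(method, url, headers=None, body=None):
    """Minimal transport: returns (status, parsed JSON). Replaceable for testing."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        try:
            payload = json.loads(err.read() or b"{}")
        except ValueError:
            payload = {}
        return err.code, payload


def get_token(base_url, client_id, client_secret, transport=http):
    """OAuth2 client-credentials exchange; Falcon answers 201 with a bearer token."""
    body = urllib.parse.urlencode(
        {"client_id": client_id, "client_secret": client_secret}
    ).encode()
    status, payload = transport(
        "POST",
        base_url.rstrip("/") + "/oauth2/token",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"},
        body=body,
    )
    if status not in (200, 201) or "access_token" not in payload:
        # A wrong Base URL (wrong region) or a mistyped / already-rotated
        # Client Secret typically fails right here.
        raise RuntimeError(f"token request failed: HTTP {status} {payload.get('errors')}")
    return payload["access_token"]


def classify(status):
    """Map an HTTP status from a probe to a human-readable verdict."""
    if status == 200:
        return "ok"
    if status == 403:
        return "missing scope"
    if status == 401:
        return "token rejected"
    return f"unexpected HTTP {status}"


def probe_scopes(base_url, token, probes=SCOPE_PROBES, transport=http):
    """Issue one GET per scope and return {scope: verdict}."""
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    results = {}
    for scope, path in probes.items():
        status, _ = transport("GET", base_url.rstrip("/") + path, headers=headers)
        results[scope] = classify(status)
    return results


def main():
    # Credentials come from the environment so the secret never lands in
    # shell history; FALCON_BASE_URL defaults to the US-1 endpoint.
    base_url = os.environ.get("FALCON_BASE_URL", "https://api.crowdstrike.com")
    token = get_token(base_url, os.environ["FALCON_CLIENT_ID"],
                      os.environ["FALCON_CLIENT_SECRET"])
    results = probe_scopes(base_url, token)
    for scope, verdict in results.items():
        print(f"{scope:28s} {verdict}")
    sys.exit(0 if all(v == "ok" for v in results.values()) else 1)


if __name__ == "__main__":
    main()
```

Run it with the three values from the API client window exported in the environment; a non-zero exit means at least one scope is missing or the base URL or secret is wrong, and the per-scope line tells you which box to go back and tick. If you do not license Spotlight, expect "missing scope" for Vulnerabilities and ignore it.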

Monitoring Access

Monitoring Device Security

  • When using CrowdStrike as the antivirus solution on an MDM-monitored computer, Vanta will test to ensure CrowdStrike is installed on your monitored devices.

  • To pass the test, all monitored devices must be scoped into Vanta from both the MDM and CrowdStrike integrations.

  • For more information about resource scoping in Vanta, see our documentation here

Monitoring Vulnerabilities

  • You can also use the CrowdStrike integration to monitor for vulnerabilities from CrowdStrike Spotlight. If you have not enabled the CrowdStrike integration already, ensure that you enable Spotlight during configuration.

  • If you have already enabled the CrowdStrike integration and want to ingest vulnerabilities, you will need to reconnect the integration and select Spotlight during configuration.

  • For more information on vulnerability management in Vanta, see our documentation here

Monitoring Cloud Security Alerts (CSPM)

If you have CrowdStrike Falcon Cloud Security enabled, Vanta will monitor two types of data:

  • Cloud Security Assets — cloud resources (such as servers, containers, and serverless functions) detected by CrowdStrike across your AWS, GCP, Azure, and other cloud environments.

  • Cloud Security IOMs (Indicators of Misconfiguration) — misconfigurations on those assets are surfaced as Security Alerts in Vanta. Vanta ingests IOMs with Critical, High, or Medium severity that have a non-compliant status. Informational findings are excluded.

If you have already connected CrowdStrike and want to enable Cloud Security, reconnect the integration and select Cloud Security during configuration. You will also need to update your API Client to include Read access for Cloud Security API Assets and Cloud Security API Detect.

Updating an Existing API Client

Follow the steps below if you have already integrated but need to add more permissions to the Vanta Client:

  • You'll need Falcon Administrator permissions to set up an API Client.

  • Using the top-left menu, navigate to Support and Resources and select API Clients and keys.

  • Edit the Vanta API Client.

  • In the API Scopes section, check the boxes User Management, Hosts, and Prevention Policies in the Read column. If you are also enabling CrowdStrike Falcon Spotlight, add Vulnerabilities. If you are enabling CrowdStrike Falcon Cloud Security, add Cloud Security API Assets and Cloud Security API Detect.

  • Click Save.

Permissions

Vanta accesses the following data from your CrowdStrike account:

Vanta will be able to view:

  • Data about your users

  • Data about your user details

  • Data about your user groups

  • CrowdStrike Monitored Host

  • CrowdStrike Prevention Policy

  • CrowdStrike Vulnerability Management Vulnerability

  • CrowdStrike Cloud Security Assets (when CrowdStrike Falcon Cloud Security is enabled)

  • CrowdStrike Cloud Security IOMs (when CrowdStrike Falcon Cloud Security is enabled)

Vanta will be able to change:

  • N/A