A vulnerability scanner enables organizations to monitor their networks, systems, and applications for security vulnerabilities. Most security teams utilize vulnerability scanners to find weaknesses in their environment and make sure preventive actions are taken properly beforehand. The number of vulnerabilities in IT systems is growing fast every day. Over 8,000 vulnerabilities are reported in Q1 of 2022. Popular vulnerability scanners include CrowdStrike falcon spotlight, Rapid 7, Tenable, ShadowServer, Qualys, etc. To make sure vulnerabilities are timely patched, one important part is to make sure they are visible to the parties that are relevant. For example, your management team and your clients. Popular business intelligence tools such as Power BI is a great tool to achieve this. In this post, we outline the process to quickly build up an automation to create a Power BI report on the summary of vulnerabilities based on Crowd Strike Falcon Spotlight vulnerability information.
CrowdStrike Falcon Spotlight offers security teams a real-time assessment of vulnerability exposure on their endpoints. It collects endpoint vulnerability data based on a single agent provided by crowd strike.
Power BI is a popular business intelligence tool provided by Microsoft. Teams can use Power BI to create and share nice dashboard and report within a team or for clients.
Comparing other dashboard solutions e.g. SIEM, Power BI is
Before you create a nice report for your customers or share it between teams, you will need to stitch crowd-strike vulnerability information together in the desired format so that you can use it to build the report. The following shows an automated solution that you can reuse to stitch vulnerability data from CrowdStrike Falcon Spotlight to Power BI. It is an out-of-the-box solution and you can reuse it almost immediately.
GET /spotlight/queries/vulnerabilities/v1
This API returns a list of vulnerability IDs. However, it does not provide vulnerability details. In order to take CrowdStrike details, you will need to use another API to complete the requests.
2. Get vulnerability details
GET /spotlight/entities/vulnerabilities/v2
This API returns vulnerability details based on a vulnerability id or a list of vulnerability ids.
To post rows to Power BI, you will need to use Power BI API to post data row by row.
POST https://api.powerbi.com/v1.0/myorg/datasets/{datasetId}/tables/{tableName}/rows
The output of CrowdStrike is a JSON Object which contains a list of information. To transform it, you will need to map that to a table schema in Power BI. DTonomy’s end-to-end automation for pulling data from CrowdStrike Falcon Spotlight and stitching them together is here:
Fill in CrowdStrike Connection Information and then pull vulnerability Ids. The CrowdStrike API Connection Information can be found on CrowdStrike Instance.
Once you have a list of vulnerabilities, let’s retrieve vulnerability details.
The function node in between Vulnerability Details and the Power BI node is the transformation where you can transform data or enrich data or customize data to the format you would like to send
Select the post rows to function under datasets operation and also include your desired workspace id and Power BI credentials to upload transformed data to Power BI
This takes the transformed data and then uploads it to Power BI.
Fully automated workflow
An end-to-end automated data pipeline is like this.
Step 1: pull all vulnerabilities from CrowdStrike Falcon Spotlight
Step 2: based on vulnerability ids, pull vulnerability details
Step 3: transform and select vulnerability information to table format
Step 4: Upload data to Power BI
Once automated, you can schedule it to run every day or every week. Based on updated data, you can easily create a nice vulnerability summary report like this.
We provide different types of templates that can be reused for different reports purpose.
From Power BI, you can now easily share reports with your client or your other team members.
It is very common you may have multiple scanners besides CrowdStike Spotlight, for example, Tenable, Rapid7, etc. With the flexible integrations, now we can easily dedupe the vulnerabilities and provide a unified view on vulnerabilities.
Managing CrowdStrike in multi-tenant environments can be challenging and risky when it comes to retrieving vulnerability information. Instead of using a separate API key for each tenant, our solution allows you to easily authorize access using a parent API key and tenant customer id. By doing so, you can generate a token for each tenant and retrieve vulnerability information in a secure and efficient manner.
DTonomy’s platform has 100s integrations with various kinds of security tools. Check it out here. If it is not there, just reach out to us. We are continuously adding more integrations.
With more integrations, you can now aggregate different vulnerability information and security insights and present them in one nice report.
We are pleased to announce that DTonomy is now part of Stellar Cyber. The integrated solution will enhance cyber threat detection and response automation!