CrowdStrike Falcon Spotlight

Integrate CrowdStrike Falcon Spotlight vulnerability management into the Query Security Data Mesh to retrieve and analyze vulnerability data with AI-powered prioritization

📘

TL;DR

To integrate CrowdStrike Falcon Spotlight into the Query Security Data Mesh:

  • Create an API Client with the appropriate scopes for Spotlight Vulnerabilities.
  • Configure a CrowdStrike Falcon Connector with your Client ID, Client Secret, and (optionally) API endpoint base URL.
  • Use Query Federated Security to support Threat & Vulnerability Management tasks on normalized CrowdStrike Falcon Spotlight vulnerability data.

Overview

CrowdStrike Falcon Spotlight is a vulnerability management solution that provides real-time vulnerability assessment, management, and AI-powered prioritization without requiring traditional vulnerability scanners. Built natively within the CrowdStrike Falcon platform, Spotlight leverages the same lightweight agent to deliver comprehensive vulnerability insights across Windows, Linux, and macOS systems.

Falcon Spotlight stands out in the vulnerability management space through its scanless approach and integration with CrowdStrike's ExPRT.AI (Exploit Prediction Rating Technology), which uses machine learning trained on world-class threat intelligence and real-world attack data to prioritize vulnerabilities based on actual exploitation likelihood rather than just CVSS scores.

Query Federated Security integrates with the CrowdStrike Falcon Spotlight Vulnerabilities API using the official FalconPy SDK to securely access and normalize vulnerability data. This integration enables security teams to conduct comprehensive vulnerability assessments, threat hunting, and risk management activities without duplicating or retaining data in separate systems.

☝️

Key Spotlight Capabilities

CrowdStrike Falcon Spotlight provides several advanced vulnerability management features:

  • Scanless Discovery: Real-time vulnerability assessment using the existing Falcon agent
  • ExPRT.AI Prioritization: AI-powered vulnerability scoring based on actual threat intelligence
  • CVE Analysis: Comprehensive vulnerability details including CVSS scores, exploit status, and remediation guidance
  • Asset Context: Links vulnerabilities to specific hosts with detailed asset information
  • Export Capabilities: Easy sharing of vulnerability data with patch management teams

For additional vulnerability management capabilities beyond Spotlight, Query also supports the broader CrowdStrike Falcon platform including Alerts, Incidents, and Host data through our comprehensive Falcon connector.

All federated searches are expressed in terms of the Query Data Model (QDM), which is based on the Open Cybersecurity Schema Framework (OCSF). Falcon Spotlight vulnerability data is normalized into the Vulnerability Finding Event Class to standardize the data for enhanced analysis, filtering, and cross-platform correlation.

API Name: Spotlight Vulnerabilities
QDM/OCSF Event Class: Vulnerability Finding
Supported Entities: Account ID, CVE ID, CWE ID, Hostname, IP Address, Resource ID

Key Spotlight Features

AI-Powered Risk Prioritization

Falcon Spotlight's ExPRT.AI model analyzes vulnerabilities using multiple data sources including:

  • CrowdStrike's proprietary threat intelligence
  • Real-world exploitation patterns
  • Malware family associations
  • Active threat campaign data

This enables security teams to focus on the vulnerabilities most likely to be exploited, rather than attempting to address every CVE based solely on CVSS scores.

Real-Time Vulnerability Detection

Unlike traditional vulnerability scanners that require scheduled scans and can impact system performance, Spotlight continuously monitors systems through the lightweight Falcon agent. This approach provides:

  • Zero scanning overhead
  • Real-time vulnerability discovery
  • No network scanning requirements
  • Comprehensive coverage across all protected systems

Comprehensive Vulnerability Context

For each vulnerability, Spotlight provides detailed information including:

  • CVE details and CVSS scores
  • ExPRT.AI exploitation probability ratings
  • Affected host information and asset criticality
  • Available patches and remediation guidance
  • Exploit availability and active threat intelligence

Executing federated searches with Query allows you to retrieve normalized vulnerability data alongside related security telemetry from other data sources, enabling comprehensive risk assessments and security investigations without data silos.

Prerequisites

To create an API Client for Falcon Spotlight integration with the Query Security Data Mesh, follow these steps:

  1. Log in to your CrowdStrike Falcon console with an account that has permissions to create API clients and keys.

  2. In the dropdown navigation menu in the upper-left, select Support and Resources --> API clients and keys as shown below (FIG. 1).

FIG. 1 - API Clients and Keys menu in the CrowdStrike Falcon console

  3. Select Create API client in the upper right corner as shown below (FIG. 2).

    FIG. 2 - Create a new CrowdStrike API Client

  4. Enter a Client name and optional Description, then add the Spotlight Vulnerabilities (Read) scope as shown below (FIG. 3).

FIG. 3 - API Client configuration for Spotlight

🔒

Minimum Required Scope

For Falcon Spotlight integration, you only need the Spotlight Vulnerabilities (Read) scope. This provides access to vulnerability data while maintaining the principle of least privilege.

If you plan to use other CrowdStrike Falcon capabilities through Query (such as Alerts or Host data), you can add additional scopes as needed.

  5. When complete, select Save and copy the Client ID and Secret for your Query Security Data Mesh Connector configuration (FIG. 4).

    FIG. 4 - Copying the Client ID, Secret, and Base URL

Optionally, note the API base URL if your tenant lives in a region-specific cloud (for example EU-1 or US-GOV-1). The FalconPy SDK auto-discovers the correct endpoint for the commercial US and EU clouds, but region autodiscovery does not cover GovCloud, so US-GOV-1 tenants must supply the base URL explicitly.

👍

Security Best Practices

API credentials are stored securely in AWS Secrets Manager with encryption and minimum necessary access permissions. The Client Secret is never cached or persisted outside of the secure secret store, ensuring your CrowdStrike API credentials remain protected.
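As an added example (not Query's or CrowdStrike's own code), the script below does with the FalconPy SDK what the Connector does behind the scenes: it authenticates with the API client created above, pages through the Spotlight Vulnerabilities API with an FQL filter on ExPRT.AI rating, surfaces a missing Spotlight Vulnerabilities (Read) scope as a 403, and maps each record onto the OCSF Vulnerability Finding attributes that back the Supported Entities (CVE ID, Hostname, IP Address, Resource ID, Account ID). The Spotlight response field names (`cve.exprt_rating`, `cve.exploit_status`, `host_info.local_ip`, `aid`, `cid`), the FQL filter fields, and the `usgov1` base URL shorthand are assumptions from the CrowdStrike API and FalconPy documentation as I recall them; the OCSF mapping is illustrative rather than Query's actual QDM normalization, and the sample records are constructed.

```python
"""Added example (not Query's or CrowdStrike's code): fetch Falcon Spotlight vulnerabilities
with the FalconPy SDK and normalize each record toward an OCSF Vulnerability Finding."""
from __future__ import annotations

import time
from collections import Counter
from typing import Any, Iterable, Iterator

# OCSF Vulnerability Finding class_uid and severity_id values (from the OCSF schema).
OCSF_VULNERABILITY_FINDING = 2002
SEVERITY_IDS = {"unknown": 0, "informational": 1, "low": 2, "medium": 3, "high": 4, "critical": 5}


def _fql_list(values: Iterable[str]) -> str:
    vals = list(values)
    return f"'{vals[0]}'" if len(vals) == 1 else "[" + ",".join(f"'{v}'" for v in vals) + "]"


def build_fql_filter(statuses: Iterable[str] = ("open",), exprt_ratings: Iterable[str] = ("CRITICAL", "HIGH"),
                     updated_after: str | None = None) -> str:
    """Build a Falcon Query Language (FQL) filter; clauses are ANDed with '+'.
    Field names (status, cve.exprt_rating, updated_timestamp) are assumed from the API docs."""
    clauses = ["status:" + _fql_list(statuses)]
    ratings = list(exprt_ratings)
    if ratings:
        clauses.append("cve.exprt_rating:" + _fql_list(ratings))
    if updated_after:
        clauses.append(f"updated_timestamp:>'{updated_after}'")
    return "+".join(clauses)


def normalize_vulnerability(rec: dict[str, Any]) -> dict[str, Any]:
    """Map one Spotlight record (combined/vulnerabilities/v1 shape, field names assumed) onto the
    OCSF Vulnerability Finding attributes behind the Supported Entities on this page.
    Illustrative mapping; Query's actual QDM normalization may differ."""
    cve = rec.get("cve") or {}
    host = rec.get("host_info") or {}
    severity = str(cve.get("severity", "unknown")).lower()
    exploit_status = int(cve.get("exploit_status") or 0)  # 0 = unproven; higher = exploit exists / in use
    return {
        "class_uid": OCSF_VULNERABILITY_FINDING,
        "category_uid": 2,  # OCSF Findings category
        "time": rec.get("updated_timestamp"),
        "status": rec.get("status"),
        "severity_id": SEVERITY_IDS.get(severity, 0),
        "finding_info": {"uid": rec.get("id"), "title": cve.get("id")},
        "vulnerabilities": [{
            "cve": {"uid": cve.get("id"),  # CVE ID entity
                    "cvss": [{"base_score": cve.get("base_score"), "vector_string": cve.get("vector")}]},
            "is_exploit_available": exploit_status > 0,
            "exprt_rating": cve.get("exprt_rating"),  # vendor-specific ExPRT.AI rating kept alongside
        }],
        "device": {"uid": rec.get("aid"), "hostname": host.get("hostname"), "ip": host.get("local_ip")},
        "cloud": {"account": {"uid": rec.get("cid")}},  # Falcon CID used as the Account ID entity
    }


def count_by_exprt_rating(records: Iterable[dict[str, Any]]) -> dict[str, int]:
    """Triage view: number of findings at each ExPRT.AI rating."""
    return dict(Counter((r.get("cve") or {}).get("exprt_rating", "UNKNOWN") for r in records))


def iter_spotlight_vulnerabilities(client_id: str, client_secret: str, fql: str,
                                   base_url: str | None = None, page_size: int = 500) -> Iterator[dict[str, Any]]:
    """Page through the combined vulnerabilities endpoint with FalconPy. Needs the
    Spotlight Vulnerabilities (Read) scope: a 403 means the API client lacks it.
    Not exercised offline (requires network access and credentials)."""
    from falconpy import SpotlightVulnerabilities  # pip install crowdstrike-falconpy

    kwargs: dict[str, Any] = {"client_id": client_id, "client_secret": client_secret}
    if base_url:  # e.g. "usgov1": GovCloud tenants are not covered by FalconPy region autodiscovery
        kwargs["base_url"] = base_url
    falcon = SpotlightVulnerabilities(**kwargs)
    after: str | None = None
    while True:
        params: dict[str, Any] = {"filter": fql, "limit": page_size, "sort": "updated_timestamp|desc"}
        if after:
            params["after"] = after
        resp = falcon.query_vulnerabilities_combined(**params)
        code = resp["status_code"]
        if code == 429:  # rate limited: back off rather than hammer the API
            time.sleep(5)
            continue
        if code == 403:
            raise PermissionError("API client is missing the Spotlight Vulnerabilities (Read) scope")
        if code != 200:
            raise RuntimeError(f"Spotlight API error {code}: {resp['body'].get('errors')}")
        body = resp["body"]
        yield from body.get("resources", [])
        after = ((body.get("meta") or {}).get("pagination") or {}).get("after")
        if not after:
            return


# Constructed sample records in the combined/vulnerabilities/v1 "resources" shape (not tenant data;
# exploit_status and rating values are made up for the example, not CrowdStrike's assessment).
SAMPLE_RECORDS = [
    {"id": "aid0001_CVE-2021-44228", "cid": "0123456789abcdef0123456789abcdef", "aid": "aid0001",
     "status": "open", "updated_timestamp": "2024-05-01T12:00:00Z",
     "cve": {"id": "CVE-2021-44228", "base_score": 10.0, "severity": "CRITICAL", "exprt_rating": "CRITICAL",
             "exploit_status": 90, "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},
     "host_info": {"hostname": "web-01", "local_ip": "10.0.0.5"}},
    {"id": "aid0002_CVE-2023-4863", "cid": "0123456789abcdef0123456789abcdef", "aid": "aid0002",
     "status": "open", "updated_timestamp": "2024-05-01T12:05:00Z",
     "cve": {"id": "CVE-2023-4863", "base_score": 8.8, "severity": "HIGH", "exprt_rating": "HIGH",
             "exploit_status": 0, "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},
     "host_info": {"hostname": "build-07", "local_ip": "10.0.1.12"}},
]
```

For a live run, call `iter_spotlight_vulnerabilities(client_id, client_secret, build_fql_filter(), base_url="usgov1")` (omit `base_url` on US-1/US-2/EU-1) and feed each record through `normalize_vulnerability`; a `PermissionError` on the first page is the quickest confirmation that the API client was created without the Spotlight Vulnerabilities (Read) scope. Filtering on `cve.exprt_rating` server-side rather than on CVSS score client-side is what lets the page's ExPRT.AI prioritization carry through into the normalized findings.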

Configure the CrowdStrike Falcon Spotlight Connector

Use the following steps to create a new Query Federated Security Connector for CrowdStrike Falcon Spotlight:

  1. Navigate to the Connectors page, select Add Connector, and select CrowdStrike Falcon from the Endpoint category as shown below (FIG. 5).

    FIG. 5 - Adding the CrowdStrike Falcon Connector

  2. In the Configure Connector section, provide the following details (FIG. 6):

    1. Connector Alias Name: A descriptive name for this connector (e.g., "CrowdStrike Spotlight - Production")
    2. Default Login: Leave as Default Login
    3. Falcon API Client ID: Your Falcon API Client ID from the prerequisites
    4. Falcon Secret Access Key: Your Falcon API Client Secret
    5. Falcon API Base URL: (Optional) Region-specific base URL if required

    FIG. 6 - Connector configuration for Spotlight

  3. Select Save to create and activate the Connector.

  4. Select Test Connection to verify your API credentials and ensure Query can successfully access the Spotlight Vulnerabilities API.

Your CrowdStrike Falcon Spotlight connector is now ready for federated searches within Query.

Querying CrowdStrike Falcon Spotlight Data

Within the Query Search UI, ensure your CrowdStrike Falcon Spotlight Connector is enabled by checking the Endpoint section of the Selected Connectors dropdown (FIG. 7).

FIG. 7 - Enabling the CrowdStrike Falcon Connector

Resources

Troubleshooting Tips

  • API Access: Ensure your API client has the Spotlight Vulnerabilities (Read) scope enabled
  • Licensing: Verify your CrowdStrike license includes Falcon Spotlight functionality
  • Data Availability: New vulnerabilities may take time to appear as systems are assessed
  • Connectivity: Check that Query can reach your specified API base URL
  • Rate Limits: The Spotlight API has rate limiting; Query handles this automatically with retry logic

If you encounter issues beyond these common solutions, contact your Query Sales Engineer, Customer Success Manager, or support team for assistance.