
Windows - Security - Crowdstrike Automated Vulnerability Remediation

Pull CrowdStrike Falcon vulnerability reports and convert the CVEs into patchable Automox action sets on Windows endpoints

Worklet Details

What the CrowdStrike vulnerability sync Worklet does

This Automox Worklet™ bridges CrowdStrike Falcon Spotlight and Automox Vulnerability Sync. The Worklet queries the CrowdStrike API for the latest execution of a scheduled vulnerability report, downloads the CSV of affected hosts and CVEs, and uploads it to the Automox Manual Remediations endpoint. The result is a vulnerability action set in your Automox console containing every CVE Falcon detected on your fleet, grouped by whether Automox can patch it natively.

The integration is driven by two PowerShell scripts. The Evaluation script authenticates to the CrowdStrike Spotlight API and retrieves the most recent execution ID for your falconReportId. After confirming the report status is DONE, it downloads the CSV to C:\Program Files (x86)\Automox\falcon_report.csv and checks for at least one vulnerability row. The Remediation script re-downloads the report, renames the Vulnerability ID column to CVE ID, then POSTs the file to /remediations/action-sets/upload with source=crowd-strike and a multipart form field of format=crowd-strike.

Two parameters change the Worklet's behavior. The automatedRemediation flag controls whether the resulting action set sits in your console for manual review or executes immediately against every endpoint with a patchable CVE. The displayVulnReport flag prints the full CrowdStrike CSV to the Automox activity log when you need a record of which CVEs and hosts were processed in that run.

Why connect CrowdStrike Falcon to Automox Vulnerability Sync

Without an automated bridge, Falcon Spotlight CVE data and Automox patching are two separate workflows. Security teams export a Falcon vulnerability report, hand it to IT Operations, and someone schedules patches by hand. Each handoff adds days to remediation. For zero-day or actively exploited CVEs, that gap is your attack surface.

This Worklet collapses the loop. The next time Falcon publishes a scheduled report, the matched CVEs appear in Automox as ready-to-run action sets with the affected endpoints already scoped. The Worklet runs on a single designated Windows host that calls both APIs, then Automox executes patches against every endpoint the Falcon report covers across Windows, macOS, and Linux. The handoff between Falcon detection and Automox remediation drops from a manual triage meeting to one scheduled Worklet run.

How CrowdStrike to Automox vulnerability sync works

  1. Evaluation phase: The Worklet validates that crowdstrikeClientId, crowdstrikeClientSecret, falconReportId, axOrgID, axApiKey, and crowdstrikeRegion are all populated. It then requests an OAuth2 bearer token from the regional CrowdStrike endpoint. US-1, US-2, EU-1, and US-GOV-1 each map to a distinct API host. The script calls /reports/queries/report-executions/v1 filtered by your scheduled_report_id with limit=1. If the latest execution status is DONE, the CSV is downloaded to C:\Program Files (x86)\Automox\falcon_report.csv. Exit codes signal the outcome to Automox: code 20 triggers remediation when the CSV contains at least one vulnerability row, code 0 exits cleanly when the report is still building or contains no findings, and code 2 surfaces a CrowdStrike token failure.

  2. Remediation phase: The Worklet re-downloads the latest CSV, normalizes the Vulnerability ID header to CVE ID, and POSTs the file as multipart/form-data to https://console.automox.com/api/orgs/{axOrgID}/remediations/action-sets/upload?source=crowd-strike. It polls /remediations/action-sets/{id} every 60 seconds for up to actionSetTimeout seconds (default 600) until status returns ready. Once ready, the Worklet pages through /remediations/action-sets/{id}/solutions, counts solutions of type automox-patch and unmatched, and writes a summary of total CVEs, patchable count, and unmatched count to the activity log. When automatedRemediation is true, the Worklet builds an actions array containing the remediation_type, solutionId, and device IDs for each patchable solution, then POSTs it to /remediations/action-sets/{id}/actions, expecting a 202 on success.
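The evaluation phase above, as an added PowerShell example that is not the Worklet's own script: it applies the parameter, region, token, status and row checks the page lists and maps each outcome to exit codes 20, 0 and 2. It assumes the inputs arrive as environment variables; the /oauth2/token path, the regional hostnames, and the report-execution entity and download paths are assumptions from general CrowdStrike API usage, not values given on this page.

```powershell
# Added example of the evaluation phase (not the Worklet's own script); assumptions are marked inline.
$ErrorActionPreference = 'Stop'
$csvPath = 'C:\Program Files (x86)\Automox\falcon_report.csv'

# Required inputs arrive as Automox Shared Secrets / parameters (assumed here to be env vars).
$required = 'crowdstrikeClientId','crowdstrikeClientSecret','falconReportId','axOrgID','axApiKey','crowdstrikeRegion'
foreach ($name in $required) {
    if ([string]::IsNullOrWhiteSpace([Environment]::GetEnvironmentVariable($name))) {
        Write-Output "Required value '$name' is empty; check the Shared Secret name."
        exit 0   # exit code for this case is not stated on the page; 0 avoids triggering remediation
    }
}
$region = $env:crowdstrikeRegion.ToUpper()

# Region to API host map (hostnames assumed); unknown regions fall through to the generic pattern the page describes.
$apiHosts = @{ 'US-1' = 'api.crowdstrike.com'; 'US-2' = 'api.us-2.crowdstrike.com'
               'EU-1' = 'api.eu-1.crowdstrike.com'; 'US-GOV-1' = 'api.laggar.gcw.crowdstrike.com' }
$apiHost = if ($apiHosts.ContainsKey($region)) { $apiHosts[$region] } else { "api.$($region.ToLower()).crowdstrike.com" }

# OAuth2 client-credentials token (path assumed); any failure is exit code 2.
try {
    $token = Invoke-RestMethod -Method Post -Uri "https://$apiHost/oauth2/token" `
        -ContentType 'application/x-www-form-urlencoded' `
        -Body @{ client_id = $env:crowdstrikeClientId; client_secret = $env:crowdstrikeClientSecret }
} catch {
    Write-Output "CrowdStrike token request failed: $($_.Exception.Message)"
    exit 2
}
$headers = @{ Authorization = "Bearer $($token.access_token)" }

# Latest execution of the scheduled report (FQL filter on scheduled_report_id, limit=1).
$filter = [uri]::EscapeDataString("scheduled_report_id:'$($env:falconReportId)'")
$query  = Invoke-RestMethod -Uri "https://$apiHost/reports/queries/report-executions/v1?filter=$filter&limit=1" -Headers $headers
$execId = @($query.resources)[0]
if (-not $execId) { Write-Output 'No report executions found.'; exit 0 }

# Entity lookup for status and the download endpoint are assumptions; the page names only the query endpoint.
$exec = @((Invoke-RestMethod -Uri "https://$apiHost/reports/entities/report-executions/v1?ids=$execId" -Headers $headers).resources)[0]
if ($exec.status -ne 'DONE') { Write-Output "Report status is '$($exec.status)'; nothing to do yet."; exit 0 }
Invoke-WebRequest -UseBasicParsing -Uri "https://$apiHost/reports/entities/report-executions-download/v1?ids=$execId" -Headers $headers -OutFile $csvPath

# Remediation only triggers when the CSV has at least one row and the column the Remediation script renames.
$rows = @(Import-Csv -Path $csvPath)
if ($rows.Count -eq 0) { Write-Output 'Report contains no vulnerability rows.'; exit 0 }
if (-not ($rows[0].PSObject.Properties.Name -contains 'Vulnerability ID')) {
    Write-Output "CSV lacks the 'Vulnerability ID' column; check the report's column selection."; exit 0
}
Write-Output "$($rows.Count) vulnerability rows found; handing off to remediation."
exit 20
```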

CrowdStrike Falcon integration requirements

  • Windows Server 2016 or later, or Windows 10/11 workstation, acting as the single designated host that runs this Worklet

  • CrowdStrike Falcon tenant with at least one scheduled vulnerability report under Dashboards and Reports including the columns Hostname, Vulnerability ID, and CVSS severity

  • CrowdStrike API client created in the Falcon console with at minimum Sensor Download: Read and Spotlight Vulnerabilities: Read scopes

  • Automox Shared Secrets configured with the exact names crowdstrikeClientId, crowdstrikeClientSecret, falconReportId, axApiKey, and axOrgID

  • Valid crowdstrikeRegion value: US-1, US-2, EU-1, or US-GOV-1 (anything else falls through to https://api.{region}.crowdstrike.com, which the script accepts but will not resolve for custom clouds)

  • Automox API key generated by a global or zone administrator, since lower-scoped keys cannot create action sets or call runActions

  • Endpoint targeting scoped to one hostname or device tag so the Worklet only runs on a single designated host, never the whole fleet

  • Outbound HTTPS reachability from the designated host to api.crowdstrike.com (or the regional variant) and console.automox.com on port 443

Expected vulnerability sync results in Automox

After a successful run, the Automox console shows a new action set under Manual Remediations sourced from CrowdStrike. The action set lists every CVE Falcon reported, grouped into two solution types. Solutions tagged automox-patch are CVEs Automox can deploy natively, including Windows OS updates and third-party software patches, and are the targets of automated or manual remediation. Solutions tagged unmatched are CVEs Automox has no native patch path for and require a custom Worklet or a manual fix outside Automox.

The activity log on the designated host prints a summary block after each run: total vulnerabilities, automox-patch count, unmatched count, and (when automatedRemediation is enabled) executed and failed action counts. When automatedRemediation is false, the action set waits in the console until an operator clicks Run. When true, the Worklet POSTs each patchable solution to /remediations/action-sets/{id}/actions and expects a 202 for each successful queue. Patches install on the scoped endpoints as soon as they check in. The Worklet does not force a reboot. Endpoints requiring one move into the Reboot Required state until a reboot Worklet or maintenance window completes the install.

To audit a run, open Manual Remediations in the Automox console and locate the most recent crowd-strike action set. For a verbose record, set displayVulnReport to true on the next execution to print the full CrowdStrike CSV into the activity log. The downloaded report on the host is removed by the cleanup function at the end of every run. If falcon_report.csv persists on disk between executions, the script exited before the cleanup call and the previous run failed mid-flight.


What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklets deploy named-CVE mitigations within hours of disclosure, perform configuration, remediation, and install or remove applications and settings across Windows, macOS, and Linux.
