
Windows - Security - CrowdStrike Automated Vulnerability Remediation

Downloads CrowdStrike Falcon vulnerability reports and uploads them to Automox for automated or manual remediation

Worklet Details

What the CrowdStrike vulnerability sync does

This Automox Worklet™ synchronizes vulnerability data between CrowdStrike Falcon and Automox by downloading scheduled vulnerability reports from the CrowdStrike Spotlight API and uploading them to the Automox Manual Remediations system. The Worklet authenticates to CrowdStrike using OAuth2, retrieves the most recent execution of a specified scheduled report, downloads the vulnerability CSV containing hostname, CVE ID, and CVSS severity data, then uploads this report to Automox to create vulnerability sync action sets.

The Worklet operates in two modes controlled by the automatedRemediation parameter. When disabled, the Worklet creates action sets in your Automox console for manual review and execution. When enabled, the Worklet automatically executes remediation actions for all patchable vulnerabilities immediately after creating the action sets. The Worklet distinguishes between patchable vulnerabilities that Automox can remediate through native patch management and unmatched vulnerabilities that require custom Worklets.

The integration saves the downloaded vulnerability report to C:\Program Files (x86)\Automox\falcon_report.csv on the endpoint running the Worklet, automatically renames the 'Vulnerability ID' column to 'CVE ID' for Automox compatibility, and supports optional verbose logging to the Automox activity log.

Why integrate CrowdStrike vulnerability scanning with Automox patching

Organizations using CrowdStrike Falcon for endpoint protection and vulnerability scanning need an efficient workflow to remediate identified vulnerabilities. CrowdStrike excels at detecting vulnerabilities and tracking CVEs across your environment, while Automox specializes in automated patch deployment and configuration management. Bridging these platforms eliminates manual processes where IT teams export vulnerability reports from CrowdStrike, analyze affected endpoints, and manually schedule patches in Automox.

This integration accelerates vulnerability remediation by automatically transferring vulnerability intelligence from CrowdStrike to Automox patching workflows. Security teams gain visibility into which endpoints have patchable vulnerabilities and can track remediation progress through the Automox console. The automated workflow reduces the window between vulnerability detection and patch deployment, which is critical for addressing zero-day exploits and high-severity CVEs.

The dual-mode operation provides flexibility for organizations with different risk tolerance levels. Teams can review vulnerability action sets before execution to assess impact on production systems, or enable fully automated remediation for non-critical endpoints to achieve faster patch cycles. The Worklet also identifies unmatched vulnerabilities that require custom Worklets, helping teams understand which security gaps need manual intervention.

How CrowdStrike vulnerability synchronization works

  1. Evaluation phase: The Worklet authenticates to the CrowdStrike Spotlight API using your client ID and secret, queries for the most recent execution of your specified scheduled report ID, verifies that the report status is DONE, downloads the vulnerability CSV to the local endpoint, and checks whether the CSV contains at least one vulnerability record beyond the header row. If vulnerabilities are found, the Worklet triggers remediation. If the report is still generating or contains no vulnerabilities, the Worklet exits without error.

  2. Remediation phase: The Worklet uploads the downloaded CSV to the Automox Manual Remediations API endpoint using multipart/form-data with the crowd-strike source parameter, waits up to 10 minutes for the action set to reach a ready state, retrieves the solutions list from Automox, categorizes each solution as either automox-patch for patchable vulnerabilities or unmatched for vulnerabilities requiring custom Worklets, and optionally executes remediation actions automatically if automatedRemediation is enabled. The Worklet outputs a summary showing total vulnerabilities, patchable versus unmatched counts, and action set execution results to the Automox activity log.
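The following PowerShell is an added illustration, not the Worklet's own code, of the local decisions described in the two phases above: confirming the downloaded CSV holds at least one finding beyond the header, renaming the 'Vulnerability ID' column to 'CVE ID', polling for the action set's ready state with a 10-minute ceiling, and splitting the solutions list into patchable versus unmatched. It assumes the report is written to `%TEMP%` rather than `C:\Program Files (x86)\Automox`, uses a constructed three-line CSV as input, and models the Automox solutions list as objects with a hypothetical `type` field; the CrowdStrike and Automox API calls themselves are stood in for by a simulated status callback.

```powershell
# Added illustration, not the Worklet's own code. Walks a constructed Spotlight
# export through the CSV validation, column rename, ready-state wait and
# solution categorization described on this page.
# Assumptions: report path under %TEMP% (not Program Files (x86)\Automox);
# solutions modelled with a hypothetical 'type' field.

$ReportPath = Join-Path $env:TEMP 'falcon_report.csv'

# Constructed sample of a scheduled-report export: header plus two findings
@'
Hostname,Vulnerability ID,CVSS severity
WKS-001,CVE-2024-0001,HIGH
WKS-002,CVE-2024-0002,CRITICAL
'@ | Set-Content -Path $ReportPath -Encoding UTF8

function Test-ReportHasFindings {
    param([Parameter(Mandatory)][string]$Path)
    # Import-Csv consumes the header line, so the row count equals the number of findings.
    $rows = @(Import-Csv -Path $Path)
    return ($rows.Count -ge 1)
}

function Rename-VulnerabilityIdColumn {
    param([Parameter(Mandatory)][string]$Path)
    $header = Get-Content -Path $Path -TotalCount 1
    if ($header -notmatch 'Vulnerability ID') {
        Write-Verbose "No 'Vulnerability ID' column in $Path; nothing to rename"
        return
    }
    # Rewrite only the header so the data rows pass through unchanged.
    $lines = Get-Content -Path $Path
    $lines[0] = $header -replace 'Vulnerability ID', 'CVE ID'
    Set-Content -Path $Path -Value $lines -Encoding UTF8
}

function Wait-ForReadyState {
    param(
        [Parameter(Mandatory)][scriptblock]$GetStatus,   # returns the current state string
        [int]$TimeoutSeconds = 600,                      # the page states a 10-minute wait
        [int]$PollSeconds = 15
    )
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        if ((& $GetStatus) -eq 'ready') { return $true }
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    # Timed out: the caller should log this and must not execute actions.
    return $false
}

function Get-SolutionSummary {
    param([Parameter(Mandatory)][object[]]$Solutions)
    # 'type' is an assumed field name; adapt it to the real response schema.
    $patchable = @($Solutions | Where-Object { $_.type -eq 'automox-patch' })
    $unmatched = @($Solutions | Where-Object { $_.type -ne 'automox-patch' })
    [pscustomobject]@{
        Total              = $Solutions.Count
        Patchable          = $patchable.Count
        Unmatched          = $unmatched.Count
        NeedsCustomWorklet = @($unmatched | ForEach-Object { $_.cve })
    }
}

# --- Evaluation decisions ---
if (-not (Test-ReportHasFindings -Path $ReportPath)) {
    Write-Output 'Report contains no vulnerabilities; nothing to upload.'
    return
}
Rename-VulnerabilityIdColumn -Path $ReportPath
Import-Csv -Path $ReportPath | Format-Table -AutoSize   # now shows a 'CVE ID' column

# --- Remediation decisions (action-set state simulated; constructed, not an API call) ---
$script:pollCount = 0
$ready = Wait-ForReadyState -PollSeconds 1 -GetStatus {
    $script:pollCount++
    if ($script:pollCount -ge 2) { 'ready' } else { 'pending' }
}

# Constructed solutions list mirroring the two findings above
$solutions = @(
    [pscustomobject]@{ cve = 'CVE-2024-0001'; type = 'automox-patch' },
    [pscustomobject]@{ cve = 'CVE-2024-0002'; type = 'unmatched' }
)
if ($ready) { Get-SolutionSummary -Solutions $solutions | Format-List }
else        { Write-Warning 'Action set never reached ready state; skipping execution' }
```

Rewriting only the header line, rather than round-tripping through Import-Csv/Export-Csv, keeps every data row exactly as CrowdStrike emitted it, which matters when the file is later compared against the report in the Falcon console. The ready-state wait returns a boolean instead of throwing so that the calling script can distinguish "timed out" from "no findings" in the activity log.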

CrowdStrike integration requirements

  • Windows Server 2016 or later, or Windows 10/11 workstations

  • CrowdStrike Falcon instance with scheduled vulnerability reports configured in Dashboards and Reports

  • Scheduled report must include columns: Hostname, Vulnerability ID, CVSS severity

  • CrowdStrike API credentials with Sensor Download - Read permission stored as Automox Shared Secrets: crowdstrikeClientId, crowdstrikeClientSecret, falconReportId

  • CrowdStrike region code: US-1, US-2, EU-1, or US-GOV-1

  • Automox platform API key generated by a global or zone administrator stored as Shared Secret: axApiKey

  • Automox organization ID stored as Shared Secret: axOrgID

  • Configure Worklet to run on a single designated host using Endpoint Targeting by hostname or endpoint tag

  • For automated remediation mode, target endpoints must be online and in a connected state when the action set executes

Expected vulnerability remediation workflow

After successful execution, the Worklet creates a vulnerability sync action set in your Automox console under the Manual Remediations section. The action set contains all CVEs identified in the CrowdStrike report, categorized by solution type. Patchable vulnerabilities appear as automox-patch solutions ready for deployment through Automox native patching. Unmatched vulnerabilities appear separately, indicating they require custom Worklets or manual intervention.

If automated remediation is disabled, you review the action set in the Automox console and manually execute remediation for approved vulnerabilities. If automated remediation is enabled, the Worklet immediately executes all patchable vulnerability action sets and outputs execution results showing successful and failed actions. Endpoints that are offline receive remediation actions when they reconnect to Automox. The activity log displays a summary including total vulnerabilities, patchable versus unmatched counts, and automated remediation status.

Installed patches do not automatically reboot endpoints. Endpoints requiring reboot enter a Reboot Required state after patch installation. You can verify remediation results by checking the Manual Remediations section in your Automox console or reviewing the Worklet activity log, which optionally displays the full CrowdStrike vulnerability CSV when displayVulnReport is set to true.

How to validate CrowdStrike automated vulnerability remediation changes

  1. Run this Worklet on a pilot Windows endpoint and review the evaluation output for CrowdStrike automated vulnerability remediation.

  2. Confirm Automox activity logs show successful completion and exit code 0.

  3. Verify endpoint state with checks that mirror the evaluation script's logic (its Secrets-Management, US-GOV, and About-Automox sections).

  4. Validate the remediation effects of the script's operations (Secrets-Management, US-GOV, About-Automox), then rerun the evaluation to confirm compliance.

[Screenshots: evaluation script and remediation script]


What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.
