Ingest Third-Party Connector Endpoint Data

Objective

Endpoints are where many attacks start — from phishing attempts and ransomware attacks to lateral movement inside your network. To protect your organization effectively, you need a unified view of every asset and its exposures across your environment.

In this example, we use the Crowdstrike connector. By connecting endpoint data from CrowdStrike to Tenable Exposure Management, you break down silos between endpoint security and broader exposure management. This integration strengthens defenses at the edge, closes visibility gaps, and provides the context needed for holistic, attacker-focused risk reduction.

With endpoint data in Tenable Exposure Management, you can achieve the following key objectives:

• Unify endpoint data with vulnerability, identity, cloud, and application sources for complete asset visibility.

• Pinpoint the endpoint exposures that matter most using contextual risk prioritization.

• Turn endpoint data into faster action by providing remediation owners with relevant endpoint context so they can act quickly and confidently.

Prerequisites

• Create and apply the appropriate asset tags to the assets included in the audit (for example, "PCI-DSS-Assets" or "Region-NorthAmerica").

• Optionally, edit your remediation SLAs to better reflect your business needs. While these settings exist in the Exposure View section of the application, the SLA settings apply to the data on all dashboards and widgets.

Step 1: Connect CrowdStrike to Tenable Exposure Management

Why: Bring CrowdStrike asset and risk data into Tenable One in a structured, continuously updated way.

1. Log in to Tenable Exposure Management.

2. In the left navigation menu, click Connectors.

   The Connectors page appears.

3. In the upper-right corner, click Add new connector.

   The Connectors Library appears.

   

4. On the Crowdstrike tile, click Connect.

   The connector configuration options appear.

5. Follow the steps to configure the Crowdstrike connector. Be sure to:

   • Retrieve host, device, and tagging information from the connector

   • Set the Connector Scheduling to sync weekly to keep data fresh and relevant.

6. Click Create. Tenable Exposure Management begins syncing the connector. The sync can take some time to complete.

Step 2: Review and Normalize the Data

Why: Ensure a clean, consistent asset inventory that supports reliable downstream analytics.

1. Review your connector data:

   • Navigate to the Connectors page and monitor the connector's status.

   • View the sync logs for the connector to monitor the logs for information on the connector and its history.

   • View your connector's assets on the Assets page:

     1. In the Filters section, under 3rd Party Connectors, click the connector name for which you want to view assets.

        The asset list updates to show only assets from the selected connector.

     2. Click on any asset to view Asset Details.

2. Match any duplicate assets using the Same Source Asset Deduplication feature.

3. Analyze the quality and completeness of asset attributes (e.g., OS, last seen, product type). Remove or flag stale or test assets to maintain data hygiene.

Step 3: Enrich Your Data with CrowdStrike Context

Why: Enrich assets with business and technical context to enable better filtering, grouping, and analysis.

CrowdStrike provides highly valuable metadata fields that can be leveraged as tags within Tenable Exposure Management:

• system_product_name: Identifies whether the asset is a workstation, server, IoT, etc.

• machine_domain: Helps group assets by domain or business structure.

To utilize this metadata for tagging purposes:

1. Create and apply asset tags to group the assets ingested from the connector:

   • Create and apply tags via the Tags page, for example:

     • Tag all product_type_desc = Server assets as Production Server for reporting and prioritization.

   • Create a query-based tag via the Assets page, using a query such as:

     • Assets HAS external_tags contains "system_product_name: Virtual Machine" AND aes > 700

Step 4: Leverage Exposure Signals to Monitor Trends

Why: Gain real-time, continuous visibility into risk related to CrowdStrike-tracked assets.

1. Use Exposure Signals to monitor trends and track exposure reduction over time.

2. Create custom exposure signals that focus on CrowdStrike-related insights:

   • Filter by domain, tag, product type, or OS.

   • Track daily changes in asset count, exposure, or critical findings.

Step 5: Use Dashboards to Highlight Key KPIs from CrowdStrike Data

Why: Use focused visualizations to drive data-driven decisions and alignment with stakeholders.

You can use Tenable Exposure Management Dashboards to visualize and track your organization’s exposure risk:

• Create custom dashboards to spotlight CrowdStrike-tagged assets.

• Quantify and track your risk posture of CrowdStrike-tagged assets over time using tracking widgets.

• Publicize dashboards for stakeholder viewing to drive program accountability and visibility.