
Sensor Visibility Exclusions samples

The examples within this folder focus on leveraging the CrowdStrike Falcon Sensor Visibility Exclusions service collection.

SVE Audit

This program will output a list of sensor visibility exclusions and their details for either the current CID or in a specific / each Child CID (Flight Control scenarios). This can be used for regular audits of sensor visibility exclusions across multiple CIDs.

Running the program

In order to run this demonstration, you will need access to CrowdStrike API keys with the following scopes:

Service Collection    Scope
ML Exclusions         READ
Flight Control        READ
Sensor Download       READ

[!NOTE] This program can be executed using an API key that is not scoped for the Flight Control (MSSP) and Sensor Download service collections, but it will then be unable to look up the current CID (Sensor Download) or access child CIDs (Flight Control).

Execution syntax

This sample leverages simple command-line arguments to implement functionality.

Basic usage

Execute the default example. This will output results to a CSV file named sensor_visibility_exclusions.txt.

python3 sve_audit.py -k $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET

This sample supports Environment Authentication, meaning you can execute any of the command lines shown below without providing credentials if you have the values FALCON_CLIENT_ID and FALCON_CLIENT_SECRET defined in your environment.

python3 sve_audit.py

Change the output destination with the -o argument.

python3 sve_audit.py -k $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -o new_exclusions.txt

Enable MSSP mode and audit all Flight Control children with the -m argument.

python3 sve_audit.py -k $FALCON_CLIENT_ID_PARENT -s $FALCON_CLIENT_SECRET_PARENT -m

Enable MSSP mode and audit a specific Flight Control child with the -c argument.

python3 sve_audit.py -k $FALCON_CLIENT_ID_PARENT -s $FALCON_CLIENT_SECRET_PARENT -c CHILD_CID

API debugging can be enabled using the -d argument.

python3 sve_audit.py -d
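The audit output this sample produces is a flat CSV of exclusions per CID. The following is an added helper (not the sample's own code) that flattens the exclusion records into rows for that file and flags exclusions a reviewer would want to look at first: ones applied to every host, and globs that hide a whole directory tree. The record field names (value, applied_globally, groups, created_by) are assumed from the API response shape, and the sample records are constructed; fetch_exclusions is the only part that talks to the API and is not exercised offline.

```python
import csv
import io

# Constructed sample of the `resources` list returned by a Sensor Visibility
# Exclusions lookup; field names are assumed from the API response shape.
SAMPLE_RESOURCES = [
    {"id": "exc-0001", "value": "/opt/backup/**", "applied_globally": True,
     "groups": [], "created_by": "ops@example.com"},
    {"id": "exc-0002", "value": "C:\\Temp\\agent.exe", "applied_globally": False,
     "groups": [{"name": "Build Servers"}], "created_by": "ci@example.com"},
]
CSV_FIELDS = ["cid", "id", "value", "applied_globally", "groups", "created_by", "flags"]

def flag_exclusion(record):
    """Audit flags: exclusion applies to every host, or its glob hides a whole tree."""
    flags = []
    if record.get("applied_globally"):
        flags.append("applied_globally")
    value = record.get("value", "")
    if "**" in value or value.endswith("*"):
        flags.append("broad_wildcard")
    return flags

def to_rows(cid, resources):
    """One flat CSV row per exclusion; group names and flags are ';'-joined."""
    return [{
        "cid": cid,
        "id": rec.get("id", ""),
        "value": rec.get("value", ""),
        "applied_globally": rec.get("applied_globally", False),
        "groups": ";".join(g.get("name", "") for g in rec.get("groups", [])),
        "created_by": rec.get("created_by", ""),
        "flags": ";".join(flag_exclusion(rec)),
    } for rec in resources]

def render_csv(rows):
    """CSV text for the -o output file (header first, one line per exclusion)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=CSV_FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

def fetch_exclusions(client_id, client_secret, member_cid=None):
    """Live lookup via FalconPy (ML Exclusions READ; member_cid is the -c case and needs Flight Control READ)."""
    from falconpy import SensorVisibilityExclusions  # lazy import: network path only
    svc = SensorVisibilityExclusions(client_id=client_id, client_secret=client_secret,
                                     member_cid=member_cid)
    ids = svc.query_exclusions_v1(limit=500)["body"]["resources"]
    return svc.get_exclusions_v1(ids=ids)["body"]["resources"] if ids else []
```

For the -m case, loop over the child CIDs returned by FlightControl.query_children() and call fetch_exclusions once per member_cid, passing each CID into to_rows so the audit file stays attributable per tenant.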

Command-line help

Command-line help is available via the -h argument.

usage: sve_audit.py [-h] [-d] [-m] [-c CHILD] [-o OUTPUT_FILE] [-k CLIENT_ID] [-s CLIENT_SECRET]

 _______                        __ _______ __        __ __
|   _   .----.-----.--.--.--.--|  |   _   |  |_.----|__|  |--.-----.
|.  1___|   _|  _  |  |  |  |  _  |   1___|   _|   _|  |    <|  -__|
|.  |___|__| |_____|________|_____|____   |____|__| |__|__|__|_____|
|:  1   |                         |:  1   |
|::.. . |                         |::.. . |           FalconPy
`-------'                         `-------'

   ▄▄▄▄▄   ▄███▄      ▄      ▄▄▄▄▄   ████▄ █▄▄▄▄
  █     ▀▄ █▀   ▀      █    █     ▀▄ █   █ █  ▄▀
▄  ▀▀▀▀▄   ██▄▄    ██   █ ▄  ▀▀▀▀▄   █   █ █▀▀▌
 ▀▄▄▄▄▀    █▄   ▄▀ █ █  █  ▀▄▄▄▄▀    ▀████ █  █
           ▀███▀   █  █ █                    █
                   █   ██                   ▀

    ▄   ▄█    ▄▄▄▄▄   ▄█ ███   ▄█ █    ▄█    ▄▄▄▄▀ ▀▄    ▄
     █  ██   █     ▀▄ ██ █  █  ██ █    ██ ▀▀▀ █      █  █
█     █ ██ ▄  ▀▀▀▀▄   ██ █ ▀ ▄ ██ █    ██     █       ▀█
 █    █ ▐█  ▀▄▄▄▄▀    ▐█ █  ▄▀ ▐█ ███▄ ▐█    █        █
  █  █   ▐             ▐ ███    ▐     ▀ ▐   ▀       ▄▀
   █▐

            ▄▄▄          █           ▀
            █▄▄ ▀▄▀ █▀▀  █  █ █ █▀▀  █  █▀█ █▀█ █▀▀
            █▄▄ ▄▀▄ █▄▄  █▄ █▄█ ▄▄█  █  █▄█ █ █ ▄▄█

This script outputs the list of active sensor visibility exclusions
and their details for either the current CID or for a specific / each
Child CID (Flight Control scenarios). This can be useful for regular
audits of sensor visibility exclusions across multiple CIDs.

Developed by @Don-Swanson-Adobe

optional arguments:
  -h, --help            show this help message and exit
  -d, --debug           Enable API debugging
  -m, --mssp            List exclusions in all child CIDs (MSSP parents only)
  -c CHILD, --child CHILD
                        List exclusions in a specific child CID (MSSP parents only)
  -o OUTPUT_FILE, --output_file OUTPUT_FILE
                        File to output results to

Required arguments:
  -k CLIENT_ID, --client_id CLIENT_ID
                        CrowdStrike Falcon API key
  -s CLIENT_SECRET, --client_secret CLIENT_SECRET
                        CrowdStrike Falcon API secret

Example source code

The source code for this example can be found here.
