spotlight
Falcon Spotlight Vulnerabilities samples
The examples within this folder focus on leveraging CrowdStrike's Falcon Spotlight Vulnerabilities API.
Identify hosts with vulnerabilities by CVE
Retrieves a list of hosts with vulnerabilities matching the CVE(s) specified. Also provides remediation recommendations when available.
Dependencies
This sample is dependent upon the python-tabulate library.
Installing tabulate
Tabulate can be installed using the Python Package Index:
python3 -m pip install tabulateRunning the program
In order to run this demonstration, you you will need access to CrowdStrike API keys with the following scopes:
Hosts
READ
Spotlight Vulnerabilities
READ
Execution syntax
The following command will retrieve a list of hosts matching the specified CVE.
Basic usage
python3 find_hosts_by_cve.py -k $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -c CVE-2021-22947You do not need to prepend the
CVE-string to your CVE ID. Both formats are accepted.
python3 find_hosts_by_cve.py -k $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -c 2021-22947You can search for multiple CVEs by passing a comma delimited string for the
-cargument.
python3 find_hosts_by_cve.py -k $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -c CVE-2021-22947,CVE-2021-36085Excluding columns
You can exclude columns from the result display using the -x argument.
python3 find_hosts_by_cve.py -k $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -c CVE-2021-22947 -x cve_descriptionEnabling the progress indicator
To show a progress indicator, use the -p option.
python3 find_hosts_by_cve.py -k $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -c 2021-22947 -pChanging the sort
By default, results are sorted by creation date (created_on). You can specify the column to sort by using the -o argument.
python3 find_hosts_by_cve.py -k $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -c 2021-22947 -o local_ipAvailable sort columns
cve
score
severity
cve_description
created_on
updated_on
hostname
local_ip
os_version
service_provider
remediation
By default, results are sorted in ascending order. You can change this behavior using the -r argument.
python3 find_hosts_by_cve.py -k $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -c 2021-22947 -o local_ip -rChanging the tabular display format
Multiple formats are supported for displaying results. You can change format using the -f argument. Invalid selections are ignored.
python3 find_hosts_by_cve.py -k $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -c 2021-22947 -f simpleAvailable table formats
plain
simple
github
grid (Default)
fancy_grid
pipe
orgtbl
jira
presto
pretty
psql
rst
mediawiki
moinmoin
youtrack
html
unsafehtml
latex
latex_raw
latex_booktabs
latex_longtable
textile
tsv
Command-line help
Command-line help is available via the -h argument.
python3 find_hosts_by_cve.py -h
usage: find_hosts_by_cve.py [-h] -k CLIENT_ID -s CLIENT_SECRET [-b BASE_URL] -c CVE [-x EXCLUDE] [-f FORMAT] [-o SORT] [-r] [-p]
Retrieve hosts by CVE vulnerability.
______ __ _______ __ __ __
| |.----.-----.--.--.--.--| | __| |_.----.|__| |--.-----.
| ---|| _| _ | | | | _ |__ | _| _|| | <| -__|
|______||__| |_____|________|_____|_______|____|__| |__|__|__|_____|
_______ __ __ __ __ __
| _ .-----.-----| |_| |__.-----| |--| |_
| 1___| _ | _ | _| | | _ | | _|
|____ | __|_____|____|__|__|___ |__|__|____|
|: 1 |__| |_____|
|::.. . |
`-------' Find hosts by CVE
Creation date: 01.13.2021 - jshcodes@CrowdStrike
This solution requires the crowdstrike-falconpy (v0.8.6+) and tabulate packages.
python3 -m pip install crowdstrike-falconpy tabulate
Required API scopes
Hosts: READ
Spotlight: READ
optional arguments:
-h, --help show this help message and exit
-k CLIENT_ID, --client_id CLIENT_ID
CrowdStrike Falcon API key ID
-s CLIENT_SECRET, --client_secret CLIENT_SECRET
CrowdStrike Falcon API key secret
-b BASE_URL, --base_url BASE_URL
CrowdStrike API region (us1, us2, eu1, usgov1)
NOT required unless you are using `usgov1`
-c CVE, --cve CVE CVE IDs to search for. (ex: CVE-2022-12345,CVE-2022-54321)
Delimit with a comma (no spaces). The string CVE- is not required.
-x EXCLUDE, --exclude EXCLUDE
List of columns to exclude from the display.
Delimit with a comma (no spaces).
(cve, score, severity, cve_description, created_on, updated_on,
hostname, local_ip, os_version, service_provider, remediation)
-f FORMAT, --format FORMAT
Table format to use for display.
(plain, simple, github, grid, fancy_grid, pipe, orgtbl, jira, presto,
pretty, psql, rst, mediawiki, moinmoin, youtrack, html, unsafehtml,
latext, latex_raw, latex_booktabs, latex_longtable, textile, tsv)
-o SORT, --sort SORT Sort results by display column.
(cve, score, severity, cve_description, created_on, updated_on,
hostname, local_ip, os_version, service_provider, remediation)
-r, --reverse Reverse the sort direction.
-p, --show_progress Show a progress indicator as data is retrieved.Example source code
The source code for this example can be found here.
Spotlight Quick Report
Produce a quick report of CVE vulnerabilities discovered within your Falcon tenant.
Running the program
In order to run this demonstration, you you will need access to CrowdStrike API keys with the following scopes:
Hosts
READ
Spotlight Vulnerabilities
READ
Execution syntax
The following command will generate a Spotlight quick report based upon the details available within your tenant.
Basic usage
python3 spotlight_quick_report.py -k $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRETSaving results
Output the results of the report to JSON format using the -o argument.
python3 spotlight_quick_report.py -k $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -o report.jsonReviewing saved results
You can consume a saved report and print the results using the -f argument.
python3 spotlight_quick_report.py -k $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -f report.jsonAdjusting the date range
Specify the number of days backwards in time for hosts last seen using the -d argument.
python3 spotlight_quick_report.py -k $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -d 5Duplicates
If you wish to allow duplicate matches to be present within your report, pass the -a argument.
python3 spotlight_quick_report.py -k $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -aDebugging
If you want to debug code and quickly find errors within code --debug argument.
python3 spotlight_quick_report.py -k $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET --debugCommand-line help
Command-line help is available via the -h argument.
python3 spotlight_quick_report.py -h
usage: spotlight_quick_report.py [-h] -k CLIENT_ID -s CLIENT_SECRET [-d DAYS] [-f FILE] [-o OUTPUT] [-a]
Spotlight results quick report generator.
_______ __ _______ __ __ __
| _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----.
|. 1___| _| _ | | | | _ | 1___| _| _| | <| -__|
|. |___|__| |_____|________|_____|____ |____|__| |__|__|__|_____|
|: 1 | |: 1 |
|::.. . | |::.. . | FalconPy SDK
`-------' `-------'
____ __ ___ __ __
/ __/__ ___ / /_/ (_)__ _/ / / /_
_\ \/ _ \/ _ \/ __/ / / _ `/ _ \/ __/
/___/ .__/\___/\__/_/_/\_, /_//_/\__/
/_/ /___/
____ _ __ ___ __
/ __ \__ __(_)___/ /__ / _ \___ ___ ___ ____/ /_
/ /_/ / // / / __/ '_/ / , _/ -_) _ \/ _ \/ __/ __/
\___\_\_,_/_/\__/_/\_\ /_/|_|\__/ .__/\___/_/ \__/
/_/
This example requires crowdstrike-falconpy v1.2.2 or greater.
Easy Object Authentication is also demonstrated in this sample.
optional arguments:
-h, --help show this help message and exit
-d DAYS, --days DAYS Include days from X days backwards (3-45).
-f FILE, --file FILE File to import data from.
Data is queried from the API if this argument is not provided.
-o OUTPUT, --output OUTPUT
File to output results to.
Output is not performed if this argument is not provided.
-a, --allow_dupes Allow duplicates.
required arguments:
-k CLIENT_ID, --client_id CLIENT_ID
CrowdStrike Falcon API Client ID.
-s CLIENT_SECRET, --client_secret CLIENT_SECRET
CrowdStrike Falcon API Client Secret.
--debug Enables code debugging Example source code
The source code for this example can be found here.
Last updated
Was this helpful?