The examples within this folder focus on leveraging CrowdStrike's Falcon Spotlight Vulnerabilities API.
- Identify hosts with vulnerabilities by CVE
- CISA Known exploited vulnerabilities
- Spotlight Quick Report
# Identify hosts with vulnerabilities by CVE

Retrieves a list of hosts with vulnerabilities matching the CVE(s) specified. Also provides remediation recommendations when available.

This sample is dependent upon the `python-tabulate` library.

Tabulate can be installed using the Python Package Index:

```shell
python3 -m pip install tabulate
```
In order to run this demonstration, you will need access to CrowdStrike API keys with the following scopes:

| Service Collection | Scope |
| :---- | :---- |
| Hosts | READ |
| Spotlight Vulnerabilities | READ |
The following command will retrieve a list of hosts matching the specified CVE.

```shell
python3 find_hosts_by_cve.py -k $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -c CVE-2021-22947
```
You do not need to prepend the `CVE-` string to your CVE ID. Both formats are accepted.

```shell
python3 find_hosts_by_cve.py -k $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -c 2021-22947
```
You can search for multiple CVEs by passing a comma-delimited string for the `-c` argument.

```shell
python3 find_hosts_by_cve.py -k $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -c CVE-2021-22947,CVE-2021-36085
```
You can exclude columns from the result display using the `-x` argument.

```shell
python3 find_hosts_by_cve.py -k $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -c CVE-2021-22947 -x cve_description
```
To show a progress indicator, use the `-p` option.

```shell
python3 find_hosts_by_cve.py -k $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -c 2021-22947 -p
```
By default, results are sorted by creation date (`created_on`). You can specify the column to sort by using the `-o` argument.

```shell
python3 find_hosts_by_cve.py -k $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -c 2021-22947 -o local_ip
```

Valid sort columns:
- cve
- score
- severity
- cve_description
- created_on
- updated_on
- hostname
- local_ip
- os_version
- service_provider
- remediation
By default, results are sorted in ascending order. You can change this behavior using the `-r` argument.

```shell
python3 find_hosts_by_cve.py -k $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -c 2021-22947 -o local_ip -r
```
Multiple formats are supported for displaying results. You can change the format using the `-f` argument. Invalid selections are ignored.

```shell
python3 find_hosts_by_cve.py -k $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -c 2021-22947 -f simple
```

Valid formats:
- plain
- simple
- github
- grid (Default)
- fancy_grid
- pipe
- orgtbl
- jira
- presto
- pretty
- psql
- rst
- mediawiki
- moinmoin
- youtrack
- html
- unsafehtml
- latex
- latex_raw
- latex_booktabs
- latex_longtable
- textile
- tsv
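The argument handling the commands above rely on (optional `CVE-` prefix, comma-delimited IDs, column exclusion, sort column with reverse, and a table format that falls back to the default when invalid), as an added example that is not the sample script's own code. The column names and format list are taken from this README; the Falcon Query Language field name `cve.id` used for the filter string and the sample rows are assumptions and constructed data, not real Spotlight output.

```python
"""Added example (not the sample's own code): argument handling for a find-hosts-by-CVE
query. Column names and formats come from the README; the FQL field name cve.id and the
sample rows below are assumptions/constructed data."""
import ipaddress
import re

try:
    from tabulate import tabulate          # optional; plain-text fallback below if absent
except ImportError:
    tabulate = None

# Display columns and table formats as listed in the README.
COLUMNS = ["cve", "score", "severity", "cve_description", "created_on", "updated_on",
           "hostname", "local_ip", "os_version", "service_provider", "remediation"]
DEFAULT_SORT = "created_on"
VALID_FORMATS = {"plain", "simple", "github", "grid", "fancy_grid", "pipe", "orgtbl", "jira",
                 "presto", "pretty", "psql", "rst", "mediawiki", "moinmoin", "youtrack",
                 "html", "unsafehtml", "latex", "latex_raw", "latex_booktabs",
                 "latex_longtable", "textile", "tsv"}
DEFAULT_FORMAT = "grid"
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def normalize_cve_ids(arg):
    """'2021-22947,cve-2021-36085' -> ['CVE-2021-22947', 'CVE-2021-36085'].
    The CVE- prefix is optional; anything that is not a CVE ID is rejected so
    arbitrary text never reaches the API filter string. Duplicates are dropped."""
    ids = []
    for raw in arg.split(","):
        token = raw.strip().upper()
        if not token:
            continue
        if not token.startswith("CVE-"):
            token = "CVE-" + token
        if not CVE_RE.match(token):
            raise ValueError(f"not a CVE ID: {raw!r}")
        if token not in ids:
            ids.append(token)
    if not ids:
        raise ValueError("no CVE IDs supplied")
    return ids


def build_fql_filter(cve_ids):
    """Falcon Query Language filter for the vulnerabilities query.
    Assumption: the Spotlight field is named cve.id (not stated on this page)."""
    return "cve.id:[" + ",".join(f"'{c}'" for c in cve_ids) + "]"


def parse_columns(arg):
    """Comma-delimited column list; names that are not display columns are ignored."""
    return [c.strip() for c in (arg or "").split(",") if c.strip() in COLUMNS]


def _sort_key(row, column):
    value = row.get(column, "")
    if column == "local_ip":                      # numeric address order, not string order
        try:
            return (0, int(ipaddress.ip_address(value)))
        except ValueError:
            return (1, str(value))
    if column == "score":
        try:
            return (0, float(value))
        except (TypeError, ValueError):
            return (1, str(value))
    return (0, str(value))


def prepare_rows(rows, exclude=(), sort_by=DEFAULT_SORT, reverse=False):
    """Sort by a display column (unknown names fall back to created_on), then drop
    excluded columns and emit rows in the fixed column order."""
    column = sort_by if sort_by in COLUMNS else DEFAULT_SORT
    ordered = sorted(rows, key=lambda r: _sort_key(r, column), reverse=reverse)
    keep = [c for c in COLUMNS if c not in exclude]
    return [{c: r.get(c, "") for c in keep} for r in ordered]


def render(rows, fmt=DEFAULT_FORMAT):
    """Render with tabulate when installed; an invalid format name is ignored."""
    fmt = fmt if fmt in VALID_FORMATS else DEFAULT_FORMAT
    if not rows:
        return "No results."
    headers = list(rows[0])
    if tabulate is not None:
        return tabulate([[r[h] for h in headers] for r in rows], headers=headers, tablefmt=fmt)
    widths = [max(len(h), *(len(str(r[h])) for r in rows)) for h in headers]

    def line(cells):
        return "  ".join(str(c).ljust(w) for c, w in zip(cells, widths))
    return "\n".join([line(headers)] + [line([r[h] for h in headers]) for r in rows])


# Constructed sample rows (not real Spotlight output) shaped like the script's display.
SAMPLE_ROWS = [
    {"cve": "CVE-2021-22947", "score": 5.9, "severity": "MEDIUM", "cve_description": "sample text",
     "created_on": "2023-01-03T10:00:00Z", "updated_on": "2023-01-03T10:00:00Z",
     "hostname": "web-01", "local_ip": "10.0.0.10", "os_version": "Ubuntu 20.04",
     "service_provider": "AWS_EC2", "remediation": "Update package"},
    {"cve": "CVE-2021-36085", "score": 7.5, "severity": "HIGH", "cve_description": "sample text",
     "created_on": "2023-01-01T10:00:00Z", "updated_on": "2023-01-02T10:00:00Z",
     "hostname": "db-01", "local_ip": "10.0.0.2", "os_version": "RHEL 8",
     "service_provider": "AZURE", "remediation": "Update package"},
    {"cve": "CVE-2021-22947", "score": 5.9, "severity": "MEDIUM", "cve_description": "sample text",
     "created_on": "2023-01-02T10:00:00Z", "updated_on": "2023-01-02T10:00:00Z",
     "hostname": "app-01", "local_ip": "10.0.0.7", "os_version": "Windows Server 2019",
     "service_provider": "GCP", "remediation": "Update package"},
]

if __name__ == "__main__":
    ids = normalize_cve_ids("2021-22947,CVE-2021-36085")
    print(build_fql_filter(ids))
    rows = prepare_rows(SAMPLE_ROWS, exclude=parse_columns("cve_description"),
                        sort_by="local_ip", reverse=True)
    print(render(rows, "simple"))
```

Validating the CVE IDs before they are interpolated into the filter is the one check worth keeping even in a throwaway script: the filter is a query string sent to the API, and a strict pattern match keeps stray shell input out of it.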
Command-line help is available via the `-h` argument.

```shell
python3 find_hosts_by_cve.py -h
usage: find_hosts_by_cve.py [-h] -k CLIENT_ID -s CLIENT_SECRET [-b BASE_URL] -c CVE [-x EXCLUDE] [-f FORMAT] [-o SORT] [-r] [-p]
Retrieve hosts by CVE vulnerability.
______ __ _______ __ __ __
| |.----.-----.--.--.--.--| | __| |_.----.|__| |--.-----.
| ---|| _| _ | | | | _ |__ | _| _|| | <| -__|
|______||__| |_____|________|_____|_______|____|__| |__|__|__|_____|
_______ __ __ __ __ __
| _ .-----.-----| |_| |__.-----| |--| |_
| 1___| _ | _ | _| | | _ | | _|
|____ | __|_____|____|__|__|___ |__|__|____|
|: 1 |__| |_____|
|::.. . |
`-------' Find hosts by CVE
Creation date: 01.13.2021 - jshcodes@CrowdStrike
This solution requires the crowdstrike-falconpy (v0.8.6+) and tabulate packages.
python3 -m pip install crowdstrike-falconpy tabulate
Required API scopes
Hosts: READ
Spotlight: READ
optional arguments:
-h, --help show this help message and exit
-k CLIENT_ID, --client_id CLIENT_ID
CrowdStrike Falcon API key ID
-s CLIENT_SECRET, --client_secret CLIENT_SECRET
CrowdStrike Falcon API key secret
-b BASE_URL, --base_url BASE_URL
CrowdStrike API region (us1, us2, eu1, usgov1)
NOT required unless you are using `usgov1`
-c CVE, --cve CVE CVE IDs to search for. (ex: CVE-2022-12345,CVE-2022-54321)
Delimit with a comma (no spaces). The string CVE- is not required.
-x EXCLUDE, --exclude EXCLUDE
List of columns to exclude from the display.
Delimit with a comma (no spaces).
(cve, score, severity, cve_description, created_on, updated_on,
hostname, local_ip, os_version, service_provider, remediation)
-f FORMAT, --format FORMAT
Table format to use for display.
(plain, simple, github, grid, fancy_grid, pipe, orgtbl, jira, presto,
pretty, psql, rst, mediawiki, moinmoin, youtrack, html, unsafehtml,
latext, latex_raw, latex_booktabs, latex_longtable, textile, tsv)
-o SORT, --sort SORT Sort results by display column.
(cve, score, severity, cve_description, created_on, updated_on,
hostname, local_ip, os_version, service_provider, remediation)
-r, --reverse Reverse the sort direction.
-p, --show_progress Show a progress indicator as data is retrieved.
```
The source code for this example can be found here.
# Spotlight Quick Report

Produce a quick report of CVE vulnerabilities discovered within your Falcon tenant.

In order to run this demonstration, you will need access to CrowdStrike API keys with the following scopes:

| Service Collection | Scope |
| :---- | :---- |
| Hosts | READ |
| Spotlight Vulnerabilities | READ |
The following command will generate a Spotlight quick report based upon the details available within your tenant.

```shell
python3 spotlight_quick_report.py -k $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET
```
Output the results of the report to JSON format using the `-o` argument.

```shell
python3 spotlight_quick_report.py -k $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -o report.json
```
You can consume a saved report and print the results using the `-f` argument.

```shell
python3 spotlight_quick_report.py -k $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -f report.json
```
Specify the number of days backwards in time to check using the `-d` argument.

```shell
python3 spotlight_quick_report.py -k $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -d 5
```
If you wish to allow duplicate matches to be present within your report, pass the `-a` argument.

```shell
python3 spotlight_quick_report.py -k $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -a
```
To enable debug output while troubleshooting the script, pass the `--debug` argument.

```shell
python3 spotlight_quick_report.py -k $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET --debug
```
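The report logic behind the `-d`, `-a` and `-o`/`-f` options, as an added example that is not the sample script's own code: a look-back window validated against the 3-45 day range from the script's help text, duplicate (hostname, CVE) findings collapsed unless duplicates are allowed, and the summary saved to and reloaded from JSON. The record field names, timestamp format and the sample records are constructed for the example; the real API payload shape is not shown on this page.

```python
"""Added example (not the sample's own code): look-back window, duplicate handling and
JSON save/load for a Spotlight quick report. Record fields and timestamps below are
constructed; the real API payload shape is an assumption."""
import json
from datetime import datetime, timedelta, timezone

MIN_DAYS, MAX_DAYS = 3, 45          # allowed --days range from the script's help text
DEFAULT_DAYS = 3


def validate_days(days):
    """Reject a window outside the documented 3-45 day range before any API call."""
    days = int(days)
    if not MIN_DAYS <= days <= MAX_DAYS:
        raise ValueError(f"days must be between {MIN_DAYS} and {MAX_DAYS}, got {days}")
    return days


def parse_timestamp(value):
    """RFC 3339 'Z' timestamp -> aware datetime (assumed format for the constructed data)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def summarize(records, days=DEFAULT_DAYS, allow_dupes=False, now=None):
    """Count findings created within the last `days` days.

    A finding is one (hostname, CVE) pair. The same pair can be reported more than
    once (for example after a rescan); unless allow_dupes is set, only the first
    occurrence is counted so a noisy host does not inflate the totals."""
    now = now or datetime.now(timezone.utc)
    start = now - timedelta(days=validate_days(days))
    seen = set()
    report = {"days": days, "findings": 0, "hosts": set(),
              "by_severity": {}, "by_cve": {}}
    for rec in records:
        if parse_timestamp(rec["created_timestamp"]) < start:
            continue                                   # older than the window
        key = (rec["hostname"], rec["cve_id"])
        if not allow_dupes:
            if key in seen:
                continue
            seen.add(key)
        report["findings"] += 1
        report["hosts"].add(rec["hostname"])
        report["by_severity"][rec["severity"]] = report["by_severity"].get(rec["severity"], 0) + 1
        report["by_cve"][rec["cve_id"]] = report["by_cve"].get(rec["cve_id"], 0) + 1
    report["hosts"] = sorted(report["hosts"])          # JSON-serialisable and deterministic
    return report


def dump_report(report):
    """Serialise a summary the way the -o option would write it."""
    return json.dumps(report, indent=2, sort_keys=True)


def load_report(text):
    """Parse a saved summary the way the -f option would read it back."""
    return json.loads(text)


def save_report(report, path):
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(dump_report(report))


# Constructed sample records (not real API output); a fixed "now" keeps the window stable.
NOW = datetime(2023, 1, 10, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    {"hostname": "web-01", "cve_id": "CVE-2021-22947", "severity": "HIGH",
     "created_timestamp": "2023-01-09T08:00:00Z"},
    {"hostname": "web-01", "cve_id": "CVE-2021-22947", "severity": "HIGH",
     "created_timestamp": "2023-01-08T08:00:00Z"},          # duplicate of the first finding
    {"hostname": "db-01", "cve_id": "CVE-2021-36085", "severity": "MEDIUM",
     "created_timestamp": "2023-01-07T08:00:00Z"},
    {"hostname": "app-01", "cve_id": "CVE-2021-22947", "severity": "HIGH",
     "created_timestamp": "2022-12-20T08:00:00Z"},          # outside a 5-day window
]

if __name__ == "__main__":
    print(dump_report(summarize(SAMPLE_RECORDS, days=5, now=NOW)))
```

With the constructed records, a 5-day window yields two findings (the repeated web-01 entry is collapsed), passing `allow_dupes=True` yields three, and a 45-day window picks up the older app-01 finding as well.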
Command-line help is available via the `-h` argument.

```shell
python3 spotlight_quick_report.py -h
usage: spotlight_quick_report.py [-h] -k CLIENT_ID -s CLIENT_SECRET [-d DAYS] [-f FILE] [-o OUTPUT] [-a]
Spotlight results quick report generator.
_______ __ _______ __ __ __
| _ .----.-----.--.--.--.--| | _ | |_.----|__| |--.-----.
|. 1___| _| _ | | | | _ | 1___| _| _| | <| -__|
|. |___|__| |_____|________|_____|____ |____|__| |__|__|__|_____|
|: 1 | |: 1 |
|::.. . | |::.. . | FalconPy SDK
`-------' `-------'
____ __ ___ __ __
/ __/__ ___ / /_/ (_)__ _/ / / /_
_\ \/ _ \/ _ \/ __/ / / _ `/ _ \/ __/
/___/ .__/\___/\__/_/_/\_, /_//_/\__/
/_/ /___/
____ _ __ ___ __
/ __ \__ __(_)___/ /__ / _ \___ ___ ___ ____/ /_
/ /_/ / // / / __/ '_/ / , _/ -_) _ \/ _ \/ __/ __/
\___\_\_,_/_/\__/_/\_\ /_/|_|\__/ .__/\___/_/ \__/
/_/
This example requires crowdstrike-falconpy v1.2.2 or greater.
Easy Object Authentication is also demonstrated in this sample.
optional arguments:
-h, --help show this help message and exit
-d DAYS, --days DAYS Include days from X days backwards (3-45).
-f FILE, --file FILE File to import data from.
Data is queried from the API if this argument is not provided.
-o OUTPUT, --output OUTPUT
File to output results to.
Output is not performed if this argument is not provided.
-a, --allow_dupes Allow duplicates.
required arguments:
-k CLIENT_ID, --client_id CLIENT_ID
CrowdStrike Falcon API Client ID.
-s CLIENT_SECRET, --client_secret CLIENT_SECRET
CrowdStrike Falcon API Client Secret.
--debug Enables code debugging
```
The source code for this example can be found here.