Falcon Exposure Management - Hosts & CVEs

The CrowdStrike Falcon Exposure Management integration will download data about all hosts with CVEs that match the provided criteria. If no “entity_type” is specified, all known entities (that have a current IP address) will be listed. If no CVE “status” or “severity” is specified, all CVEs whose status is NOT “closed” will be downloaded.

CrowdStrike Falcon Exposure Management relies on endpoint agents and (if configured) performs “network scans” to identify network entities and vulnerabilities. As a result, frequently downloading data from Falcon Exposure Management can provide near-real-time updates. If “interval_hours” is set to 0, the integration will attempt to download additional content each time the Corelight-update service runs. See Configuration settings.

Once downloaded, the data will be used to create an Input Framework file that can be used by a Zeek script to generate new logs, or enrich existing logs, such as the known_hosts.log, suricata_corelight.log or notice.log.

The input file will be published with any other input files from other integrations (if there are any). If “input” is enabled in the “push_content” settings, the file will automatically get pushed to the Fleet Manager policy and/or all sensors in the policy. See Push content settings for more details.

CrowdStrike configuration settings:

crowdstrike:
  id:                               # Falcon API Client ID
  secret:                           # Falcon API Secret
  member_cid:                       # Falcon API Member_CID (multi-tenant only)
  cloud:                            # Falcon Cloud (us-1, us-2, eu-1, us-gov-1)
  host_override:
  base_path_override:
  debug: false
  interval_hours: 0
  hosts_enabled: false
  hosts_filename: hosts_data.tsv
  hosts_entity_type:                # managed, unmanaged, or unsupported. If omitted, the export will include all entity types.
  cve_enabled: false
  cve_filename: cve_data.tsv
  cve_request_limit: 5000           # max 5000
  cve_status: open,reopen           # comma separated, one or more of: open, reopen, closed, expired. If omitted, the export will include all statuses.
  cve_severity: critical            # comma separated, one or more of: critical, high, medium, low, unknown, none. If omitted, the export will include all severities.

Hosts Input file

The input file contains the following information (if it’s available):

  • IP address (required)

  • MAC address

  • Hostname

  • Host Unique ID: Provided by the 'aid' field of vulnerability data.

  • OS version

  • Endpoint status

  • Machine domain

  • Additional description

  • Customer ID

  • Endpoint information source (required)

The following is a sample input file created by this integration, using tab-separated values.

#fields  ip     mac                hostname  host_uid                             os_version    status        machine_domain  cid                               desc                 source
192.168.56.103  00-50-56-A3-B1-C2  WEF       ced83f0c26493b638086fdc7b8b2c01d     -             managed       -               e29b670f12d342e3bcc7170a288a0xxx  Exposure Management  CrowdStrike
10.21.0.102     00-50-56-A1-B1-C4  DC        c53fdc3178ba36759c471d6b6655e324     -             managed       -               e29b670f12d342e3bcc7170a288a0xxx  Exposure Management  CrowdStrike
192.168.56.104  00-50-56-A2-B1-C2  WIN10     abb6c27309cf3730bb73e8cfd732d838     Windows 10    managed       lab.local       e29b670f12d342e3bcc7170a288a0xxx  Exposure Management  CrowdStrike
192.168.1.155   92-91-E0-3E-66-A8  ss2oh     9caa11e26d1f371797e73e9b9199d481     -             managed       -               e29b670f12d342e3bcc7170a288a0xxx  Exposure Management  CrowdStrike
192.168.1.120   00-0C-29-AB-75-05  fleet     81f845fe72ae32168aba94707fc8a49f     -             managed       -               e29b670f12d342e3bcc7170a288a0xxx  Exposure Management  CrowdStrike
192.168.12.1    -                  -         613cd0e8a671350e83dec735143db1e0     -             unsupported   -               e29b670f12d342e3bcc7170a288a0xxx  Exposure Management  CrowdStrike
192.168.12.210  -                  -         5f67453d7e833b0f82ac1d7a5788142a     -             unmanaged     -               e29b670f12d342e3bcc7170a288a0xxx  Exposure Management  CrowdStrike
192.168.12.222  -                  -         5abcec34b3443f3cb7fe17c4f7100e02     -             unmanaged     -               e29b670f12d342e3bcc7170a288a0xxx  Exposure Management  CrowdStrike
192.168.12.212  00-50-56-A1-1F-07  skynet    439293445449716808dec735143db1e9     Ubuntu 22.04  managed       -               e29b670f12d342e3bcc7170a288a0xxx  Exposure Management  CrowdStrike

CVE Input file

The input file contains the following information (if it’s available):

  • IP address (required)

  • Hostname

  • Host Unique ID: Provided by the 'aid' field of vulnerability data.

  • Machine domain

  • OS version

  • Endpoint information source (required)

  • Customer ID

  • CVE list

The following is a sample input file created by this integration, using tab-separated values.

#fields ip      hostname  host_uid                          machine_domain    os_version           source       cid                               cve_list
10.21.0.102     DC        fb5946b0422e4da49e4575995fb89060  windomain.local   Windows Server 2016  CrowdStrike  e29b670f12d342e3bcc7170a288a0xxx  CVE-2022-26904,CVE-2022-34701,CVE-2020-0911,CVE-2022-24479,CVE-2020-1477
192.168.1.120   fleet     04a15f26ace249f68c583fd7be70f9db  -                 Ubuntu 20.04         CrowdStrike  e29b670f12d342e3bcc7170a288a0xxx  CVE-2020-12313,CVE-2020-12319,CVE-2022-36402,CVE-2022-38096,CVE-2022-38457
192.168.1.155   ss2oh     62c850ec617843f8959f1442843bb816  -                 Ubuntu 20.04         CrowdStrike  e29b670f12d342e3bcc7170a288a0xxx  CVE-2020-12313,CVE-2020-12319,CVE-2022-36402,CVE-2022-38096,CVE-2022-38457
192.168.12.212  skynet    fae3f73ce1404e0aae1626dbddfc3fe8  -                 Ubuntu 22.04         CrowdStrike  e29b670f12d342e3bcc7170a288a0xxx  CVE-2020-12313,CVE-2016-1585,CVE-2022-36227,CVE-2022-45884,CVE-2023-22995,CVE-2022-38457
192.168.56.102  DC        34a6b864b61146d6ad051a9d63a5585f  windomain.local   Windows Server 2016  CrowdStrike  e29b670f12d342e3bcc7170a288a0xxx  CVE-2017-11771,CVE-2022-34718,CVE-2019-0736,CVE-2022-35744
192.168.56.103  WEF       c6f3d2351739482baf36cc6e4af65163  windomain.local   Windows Server 2016  CrowdStrike  e29b670f12d342e3bcc7170a288a0xxx  CVE-2017-11771,CVE-2022-34718,CVE-2019-0736,CVE-2022-35744
192.168.56.103  WEF       0bb70f50a9a3470dbc3e09bd6eb18fc4  windomain.local   Windows Server 2016  CrowdStrike  e29b670f12d342e3bcc7170a288a0xxx  CVE-2022-26904,CVE-2022-34701,CVE-2020-0911,CVE-2022-24479
192.168.56.104  WIN10     a71be784db1a40e5b0fd7e6b73f6c7b7  windomain.local   Windows 10           CrowdStrike  e29b670f12d342e3bcc7170a288a0xxx  CVE-2021-36965,CVE-2021-43217,CVE-2022-22012,CVE-2020-9633,CVE-2021-24077
192.168.56.104  WIN10     23fac76b0e5246f8b8ba22d1bbd6bc04  windomain.local   Windows 10           CrowdStrike  e29b670f12d342e3bcc7170a288a0xxx  CVE-2022-23279,CVE-2020-1286,CVE-2021-33784,CVE-2022-23299,CVE-2020-1391
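The following Zeek script is an added example of the kind of “additional Zeek script” this integration relies on; it is not part of Corelight-update or the CrowdStrike integration. It loads the CVE input file shown above through the Input Framework, keyed by the ip column, writes one cs_cve.log entry per host once the file has been read, and raises a suppressed notice when a connection is established to a host that Falcon Exposure Management lists with CVEs. The file path, the log stream name and the notice type are assumptions to adjust for your deployment; the hosts file loads the same way with its own Idx/Val record matching its #fields line.

```zeek
# Added example (not the integration's own code). Assumes the CVE input file
# produced by this integration is available to the sensor under the name below.
@load base/frameworks/input
@load base/frameworks/notice

module CS_CVE;

export {
    redef enum Log::ID += { LOG };

    redef enum Notice::Type += {
        ## A connection was established to a host that Falcon Exposure
        ## Management lists with one or more CVEs.
        Vulnerable_Host_Seen
    };

    ## Location of the input file on the sensor (assumed; adjust as needed).
    const cve_file = "cve_data.tsv" &redef;

    ## Table index: one row per IP address (column "ip" in the #fields line).
    type Idx: record {
        ip: addr;
    };

    ## Columns consumed from the file. Columns not named here (e.g. cid) are
    ## ignored by the Input Framework; "-" in the file means unset, so fields
    ## that may be empty are marked &optional. cve_list is split on ",".
    type Val: record {
        hostname: string &optional;
        host_uid: string;
        machine_domain: string &optional;
        os_version: string &optional;
        source: string;
        cve_list: set[string];
    };

    ## One cs_cve.log record per host in the input file.
    type Info: record {
        ts: time &log;
        ip: addr &log;
        hostname: string &log &optional;
        host_uid: string &log;
        os_version: string &log &optional;
        cve_count: count &log;
        cve_list: set[string] &log;
    };

    ## In-memory view of the input file, re-read whenever the file changes.
    global vulnerable_hosts: table[addr] of Val = table();
}

event zeek_init()
    {
    Log::create_stream(LOG, [$columns=Info, $path="cs_cve"]);

    Input::add_table([$source=cve_file, $name="cs_cve_hosts",
                      $idx=Idx, $val=Val, $destination=vulnerable_hosts,
                      $mode=Input::REREAD]);
    }

# Once the file has been (re)loaded, emit one log line per vulnerable host.
event Input::end_of_data(name: string, source: string)
    {
    if ( name != "cs_cve_hosts" )
        return;

    for ( h in vulnerable_hosts )
        {
        local v = vulnerable_hosts[h];
        local rec = Info($ts=network_time(), $ip=h, $host_uid=v$host_uid,
                         $cve_count=|v$cve_list|, $cve_list=v$cve_list);
        if ( v?$hostname )
            rec$hostname = v$hostname;
        if ( v?$os_version )
            rec$os_version = v$os_version;
        Log::write(LOG, rec);
        }
    }

# Flag connections to listed hosts; suppress repeats per host for a day so the
# notice.log records exposure without one entry per connection.
event connection_established(c: connection)
    {
    local dst = c$id$resp_h;
    if ( dst !in vulnerable_hosts )
        return;

    local v = vulnerable_hosts[dst];
    NOTICE([$note=Vulnerable_Host_Seen,
            $msg=fmt("Connection to %s (%s), listed by Falcon Exposure Management with %d CVE(s)",
                     dst, v?$hostname ? v$hostname : "-", |v$cve_list|),
            $sub=join_string_set(v$cve_list, ","),
            $conn=c,
            $identifier=cat(dst),
            $suppress_for=1day]);
    }
```

Because the table is loaded with Input::REREAD, a refreshed file pushed by Corelight-update is picked up without restarting Zeek, and the end_of_data handler rewrites the cs_cve.log snapshot each time the file changes.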

Attention

The CrowdStrike Exposure Management integrations only create Input Framework files to be loaded on sensors. Additional Zeek scripts must be loaded on the sensors to use this data. If you enable these integrations, Corelight-update will upload the input files to the sensor, but if the desired script isn’t available on the sensor, the input data won’t be used.

See Zeek package management for information about using Corelight-update to manage Zeek package bundles.

See Zeek package references for examples of Zeek packages that can use this data.